IT heads ponder Cybersecurity in a Future Tech World
A recent EC Council panel discussion about top information security priorities in 2018 saw IT decision makers from Malaysia and even Singapore sit down to try to crystallise the answers.
For global energy player Petronas, the stance towards emerging threats is to prepare for them.
Petronas’ Head of Information Security and Risk Management, Vicknaeswaran Sundararaju, said, “We identify possible threats and put in place the mitigations we have for them.”
He also shared that the type of risk energy players face usually involves getting information out of plants.
“Setups (of these plants) rarely change, so there is insight when we explore how to get data out. So, preparedness is key to help us mitigate (threats),” he said, adding that profiling may be one step to do this.
CEO of Cyhre, Lance Smith, thought about encryption when the moderator raised the question of whether CISOs are aware of the threats they are exposed to, and what’s in and out of their control.
He said, “When travelling and visiting with CISOs, we often see during conversations, a lack of technology understanding around (Internet) protocols. These are the things that help communications work.
“Often there is so much surrendered to IT, or vendors that build these things. And so, here begins the trust situation in the system that ‘hopefully it works’.”
Take the Internet Protocol, for example, which Smith described as a broken network. “CISOs need to take and shape policy… (by) understanding protocols and have it become part of policy. (But) it’s mystical because it’s technical.”
That said, Smith thinks CISOs can orient themselves around being empowered by the use of encryption, for example by moving some workloads to a cloud platform or establishing a private cloud that encrypts workloads.
“There is an international aspect where encryption can play an important role as well,” he said, referring to regulations which require sensitive data to remain within a country.
EPF’s Head of Information Security, Jasmine Goh, said, “There’s always concern about how to protect data. Technologies like tokenisation or encryption in the cloud, may help.”
She also added that financial organisations tend to only have non-critical information on the cloud, although with digital transformation being a strategy most businesses are embarking upon, there may have to be more use of cloud technologies.
“We have to convince business users that we have private cloud within the organisation.”
Security for Internet of Things
EC Council’s founder Jay Bavisi had said, “(In terms of Distributed Denial of Service attacks), the kind of terabytes that IoT can unleash can be pretty high.” He shared this during his keynote introduction, where he also pointed out that IoT devices can propagate attacks.
We are talking about millions, if not billions of devices that are currently being sent out into the world, in different industries, to help organisations collect information, derive better insights, and make better decisions. Currently, automation is also used heavily alongside IoT technologies, in sectors like manufacturing.
It’s worth noting that a number of nations have set their sights upon achieving Industrial Revolution or IR 4.0, where IoT and cloud computing play very crucial roles, and where massive automation and massive data exchanges are expected to happen.
Petronas’ Vicknaeswaran compared security for information technology (IT) with security for operational technology (OT), saying, “For OT, security infrastructure and tools are still lagging in parallel. And also systems are monitored by engineers who have a different focus from security administrators.”
Smith opined, “The ecosystem needs to be considered for IoT attacks,” and brought attention to the role that telco players can play – seeing threats and alerting clients.
An all-important question also arises – who is introducing the IoT devices? Is it vendors, employees, or the business? Because with all the focus upon IoT, let’s not forget the BYOD trend some organisations practice, which introduces outside devices into an organisation’s environment, and which could be seen as being as risky, if not riskier than IoT.
With these two trends ongoing, how will the CISO know what the threats are?
Before IT organisations arm themselves to the teeth trying to keep the bad guys out, Deutsche Bank AG’s APAC CISO, Yuen Ka Wei, highlighted the need to look at the situation from a different perspective, “Cybersecurity is a business enabler. It isn’t something to stop you, but enable you.”
SME Bank’s Head of IT Security, Taufik Nordin, said, “We have to have visibility into infrastructure to mitigate risk earlier. With the right solutions and processes in place, it helps.”