Top 2018 CISO Priorities Part 1: Everyone is an insider threat
A panel discussion about top CISO (Chief Information Security Officer) priorities in 2018 saw IT decision makers from Malaysia, and even Singapore, sit down to try to crystallise the answers.
When it came to the biggest threats facing their respective organisations, the responses varied.
Petronas’ Head of Information Security and Risk Management, Vicknaeswaran Sundararaju, said, “Ignorant users are the biggest threat to the organisation.”
CIO of MatchMove Pay, Dr. Gajendran Kandasamy, who emphasised the protection of intellectual property or IP, said, “Everything is an internal risk. (We have to) put enormous responsibility to ensure risk is being managed.”
SME Bank’s Head of IT Security, Taufik Nordin, viewed data loss as a big threat, due to all the customer info that banks collect to be able to provide solutions to customers.
“We, as heads of IT security, have to look at how to protect data, by looking at processes, technology and people. With the right ones, you can minimise the risk of data loss,” said Taufik.
CEO of Cyhre, Lance Smith, due to the nature of his business, sees supply chains as a major contributor to cybersecurity risk, and thinks identity and access management solutions are key.
“When thinking about third-party breaches, who has access to data, and how to control them? This becomes defined by more IT deployments and installations… there is introduction of more hardware from the security aspect, which is another set of dynamics, i.e. how to ensure all firmware is up-to-date, and all patches deployed?
“This becomes another area of vulnerability.”
EPF’s Head of Information Security, Jasmine Goh, sees EPF as having a duty to comply with regulations like PDPA. “There is cybersecurity focus as well, because of all our investment activities.”
“For PDPA, we have processes, people, and technologies like DLP (data loss prevention) solutions. But DLP is only a tool. There will be data owners and a process of how these owners will challenge the validation. This will affect the future of data protection.”
Another financial institution, Deutsche Bank AG, also echoed regulatory compliance as a key activity for them. Its APAC CISO, Yuen Ka Wei, noted that in the 14 countries across APAC in which they operate, standard internal requirements will satisfy most regulations. “Then, we take care of those that do not.
“These are then worked into our global processes. Processes tend to be global, so if we do not work those little spikes in, branches will not be able to implement additional controls that satisfy local requirements.”
When it comes to insiders, Yuen adopts the pragmatic view that they will be provided access and entitlement, “in order for them to do their work.”
“There is no question that we will give them the necessary. A legitimate insider will not perform malicious acts. In that same context, it’s only a click away for an attacker to gain access to what an insider has.
“So, in that respect, everyone is an insider threat, and we need to find a way to deal with it.”