CGD cybersecurity summit 2019: Risk Management in Technology

CGD’s 4th annual cybersecurity summit this year, was titled, “Cyber Resiliency &Technology Risk Management”, and there is good reason for this.

Ever since, Bank Negara, had announced the Risk Management in Technology (RMiT) framework earlier this year, the whole local industry, and not just financial services, have been abuzz about its implications upon the way they currently procure technology, and protect their assets.

CGD’s co-founder, Rodney Lee breaks it down to the following:

Out of the 144 clauses within the document, over 130 are compulsory.

This is enough to throw any organisation into a tizzy, trying to comply with the new legislation, and the following burning question starts to emerge in the process:

What are the headliners ie. What should organisations tackle first?

In February of this year, EITN had reported multinational law firm Baker McKenzie as observing that boards of directors will have overall responsibility and oversight for the implementation of a robust technology risk management framework.

Rodney’s 2 cents about this, is that a board of directors is the most challenging hurdle to cross before any organisation can get started on the RMiT, because board directors never had to be involved like this before.

Moving forward, at least one IT-literate board member, is a good idea.

Financial institutions are also required to designate a Chief Information Security Officer, who among other things will enforce compliance with a technology risk management framework (TRMF) and cyber resilience framework (CRF).

The number of requirements to comply with at the moment is daunting, but Rodney advised financial institutions to take a long-term view of managing compliance to the RMiT as well as a mid-term view to fulfil a list of prioritised ones.

“Take stock and start from where you can, and use what’s available first,” he said.

Don’t forget to breathe

The threat landscape right now has evolved beyond imagination.

It has become scarier than even werewolves, if werewolves existed in the first place. The point is, there is no one silver bullet to take care of all our cybersecurity concerns right now.

To put things in perspective, here is a video of Dr. Suresh’s presentation during the CGD annual summit.

According to him, attacks are going to be more persistent and much more far-reaching than ever before.

Case in point is the Indian nuclear plant that denied being attack recently. It claimed that an attack was impossible because all their systems are air-gapped aka not connected to the Internet.

Later, the relevant authorities confirmed that Yes, the nuclear plant Had been Attacked.

So, irrespective of which industry you are in, government, non-government, financial services, utilities and everything else, you are fair game.

Dr. Suresh pointed out that recently even, we have seen nation states – the guys whom we thought are not going to target us – are now actively targetting us.

The “silver bullet” that you are going to want to use would depend on what asset you want to protect.

On that note, here is a final video which talks about the use of cloud computing technologies

It responds to the question of “How do we  ensure cloud providers do not pose a threat to the client organisation?”

In summary, cloud is not easy. It is much more complex than on-premises IT, Dr. Suresh said.

(Editor’s note: Suresh Ramasamy is the Head, Group IT Security, Hong Leong Bank Berhad. Opinions expressed were his own and do not represent the views or opinions of his employer).