June 15, 2017
At Computerworld Malaysia's Security Summit in April this year, digital transformation's impact on increased vulnerabilities held the top spot during discussions. "Digital technology is the key driver to Malaysia's transformation," declared CyberSecurity Malaysia chief executive officer Dato' Dr Haji Amirudin bin Abdul Wahab in his keynote opening address.
"The Internet of Things (IoT) is bringing on more devices and more connectivity, but also opens up more vulnerabilities with new avenues for more advanced and disastrous cyberattacks that can turn the Internet of Things into the Internet of Threats," said Dr Amirudin, adding that state-level and critical infrastructure vulnerabilities have also moved higher up the board (see exclusive interview - Malaysia at risk: CyberSecurity Malaysia chief covers espionage and state level attacks).
In this Computerworld Malaysia 'rapid fire' interview, Suresh Ramasamy, Head of Group IT Security at Malaysia-headquartered Hong Leong Bank, shared some of his perspectives on these and other 'unknown security fears' in the transformation era.
Hong Leong Bank Berhad (Hong Leong Bank), a public listed company on Bursa Malaysia, is a member of the Hong Leong Group Malaysia, which has been in the financial services industry since 1968 through Hong Leong Finance Berhad.
Photo - Suresh Ramasamy, GSS IT Security (GITS), Head of Group IT Security, Hong Leong Bank Berhad
Let's start with a brief rundown of what drives you in your role?
[SR:] I've been involved in security since the days of the DH2 virus, and in computing since the days of Sinclair's ZX Spectrum. After the DH2 virus chewed up my 500 lines of code for my assignment, I took it as a personal goal to go deep into security. Right now, after many years, I am currently the Head of Group IT Security for Hong Leong Bank Berhad. The day-to-day challenges of new findings, security enhancements and happenings keep me on my toes, as well as fuel my interest in security, especially in the banking sector where the threats are most evident everywhere.
What would be your recent career highlights?
In my current role, there are two projects which stand out against all else (not that anything else doesn't matter). Firstly, the evolution of data science and machine learning in cyber security and how the evolution of threats requires evolution of the security personnel, and the technology behind it. Secondly, threat intelligence as a whole is as effective as how it's presented in simplistic terms.
Today, we are constantly flooded with information (and misinformation) which forms our perception of this virtual world. Making sense and meaning requires a high degree of capabilities and intelligence. The next step would be to visualize, and create meaningful representation in a manner in which key stakeholders (such as the Board members) can appreciate the value of Security to the Business.
Let's talk about some of the current security and your thoughts of challenges for this year.
The proliferation of IoX (internet of anything) creates an opportunity for the world to be more connected, as well as to create catastrophic disaster. We've seen how lack of security in these devices causes security issues (such as the Mirai botnet).
The threat landscape has vastly changed, with the introduction of nation state players, who have (almost) infinite resources for hacking in the name of national security. The future will certainly be marred by IoX security issues, as well as threats from nation state players, with countries vying for the ultimate cyber-weaponry supremacy (the new age nukes in the form of zero day vulnerabilities, as evident in the recent Shadow Brokers leak).
To drill down a little more, what steps have you been taking?
The fear of the unknown plagues all CISOs. Always there is the question of "is there something going on that I am not aware of?" haunting the back of our minds...such as zero day based attacks.
To face this, fundamental security concepts need to be constantly enforced - such as patch management, clear network demarcation, and excellent visibility on what's happening within and outside of the corporate infrastructure. And, of course, having a team that is motivated and driven through constant learning to keep abreast with new threats, while always being mindful of internal threats.
To put it bluntly, have the 'good' guys become better organised?
It's actually interesting to see that the bad guys have become even more professional. Malware sellers have professional support models and helpdesks to give quality service to their customers. That's easy, coming from a point of profit only.
The good guys, however, aren't up to that level yet. Probably due to the fear of being stigmatised by media when negative security incidents (or possible leaks) come out into the open.
A good start is to create self-governed forums within the respective industries by keeping aside the competitive mind-set and promoting collaborative knowledge sharing to help each other, since most of us are facing the same issues. The good guys are getting organised, as is visible through many channels of OSINT (Open Source Intelligence), and more research brings to light issues that plague today's cyber world.
What's your helicopter take on the industry in Malaysia within the current global operating environment?
Technology and methodology are evolving rapidly. While security today complements IT, it's still seen as an afterthought, rather than forethought. Probably because organisations want "speed to market" and worry about issues later.
At times, it takes an incident before any organisation realises the need for a CISO... right after any breach, you're sure to find a job advert for a CISO on your favourite job-board. The same goes for budgets and focus for compliance related activities. And this lacks sustenance, just like any other compliance related roles, which require the right constant tone from the top.
And what do you think of security adoption being touted as a strategic business driver or enabler?
I agree with this. I would relate to security being the forefront of business in creating a trustworthy relationship with the customer. The business that will succeed is the business that gives trustworthy services and creates a strong bond with the customer. Trust is just like glass. Once shattered, difficult to piece it together.
What's your advice for your peers: do we need different approaches for state-level attacks, for instance?
Invest in areas which give visibility on what's happening to your organisation.
Over-reliance on security infrastructure (such as firewall/IPS) creates a false sense of security, as most new attacks focus on bypassing the infrastructure in place.
Ensuring fundamental controls such as ID/privilege account management (look at 2-factor authentication), patch management and network segmentation will easily frustrate any attacker trying to get access into your environment.
Think of defence-in-depth (like peeling the layers of onion, rather than an egg) as a strategy.
And to end for now: what's your takeaway?