The Phoenix Project, an IT novel by devops expert Gene Kim, is a cautionary tale for Lee Han Ther on how to be—and not be—a CISO. The novel emphasises the heightened importance of CISOs adopting a more flexible posture in ensuring that security is supporting and protecting—not frustrating and thwarting—business strategy.

Lee is head of cybersecurity architecture and strategy at Maxis, a major telecommunications provider in Malaysia. He observes that the novel's fictional CISO (John Pesche) "evolved from being a show-stopper to an enabler to the business and a partner to the technology team". Lee notes that Pesche may be a fictional character, but too many real-life CISOs share his flawed approach to managing security.

"I would measure success in security in a form of trust and value you have gained from your stakeholders and peers," Lee says. For Lee, that means aligning to the bigger picture, which requires holistic thinking. CISOs should, of course, think through the metrics required to measure security investment levels effectively, and they should be able to focus on their own and their team's technical skills.

But those skills are table stakes today, Lee says. More is needed to support and protect the business strategy. "IT security executives must now be inquisitive, collaborative, and gritty.
The cybersecurity space is evolving very rapidly both from a threat and technology controls angle, meaning successful modern-day IT security executives need to be curious and dive deep, rather than have a surface-level understanding," Lee says.

In managing multiple stakeholders—such as internal colleagues, business users, and regulatory and audit third parties—Lee stresses the importance of CISOs cutting through the technical hype to identify common business objectives, working in collaboration with the wider organisation to achieve cybersecurity goals.

"IT security investment is required to reduce the risk of related cyber threats while building security into our services and fortifying business operations," Lee says.

A security approach that supports wider digital ambitions

Unlike the fictional character of Pesche, security leaders can assume a "vital role" in the digital transformation process by spearheading efforts to build secure products and services from the outset, driven by increased speed to market and a protected remote workforce, Lee says. This is in addition to creating resilient infrastructure to support cloud-migration efforts and minimise internal disruption, prioritising the deployment of solutions capable of providing both "security and usability" in equal measure.

By adopting a more flexible posture internally, Lee and the wider security team are supporting digital transformation efforts within Maxis, spearheaded by a new cloud-first strategy and a 5G telecommunications network rollout.

At the heart of the provider's digital strategy are plans to integrate data analytics across every aspect of the business—consumers, enterprises, network, retail channels, and employees—following the internal adoption of Google Cloud. The migration, announced in September 2020, aims to transition all of the company's on-premises business intelligence, data analytics, and machine learning workloads to the cloud.
Supporting the Google Cloud migration efforts requires increased emphasis on strengthening internal security capabilities.

The COVID-19 pandemic was another instance where the Maxis security team needed to support broader business needs. To support remote work while protecting employees from cybersecurity risks away from the office and preventing potential leakage of sensitive data, the Maxis security team enabled stricter security configurations for the Microsoft 365 migration and provided staff with cybersecurity awareness sessions covering data protection, phishing, and access management. According to the company's annual report, 99% of employees are now compliant with policy requirements.

That strengthened security for remote work is critical because the pandemic triggered a new way of working in Malaysia, evident through continued government-mandated movement-control orders. According to findings from the government agency CyberSecurity Malaysia, cyberattackers often used COVID-19 as a theme in phishing, scam domains, and malware, alongside targeting infrastructure in vulnerable sectors such as healthcare.

"My advice is for organisations to move to security-as-a-service [SecaaS] while consolidating security technologies and implementing zero-trust architecture," Lee says. "Moving to SecaaS will remove dependencies in relation to managing on-premises infrastructure required to support security offerings. SecaaS is much more scalable and allows the security team the opportunity to focus efforts on improving, refining, and fine-tuning the application layer."

From a product perspective, Lee emphasises the importance of ensuring cybersecurity portfolios are strategic and in sync, noting that most businesses house more than 15 security tools in jumbled vendor portfolios.
Having "a large number of unintegrated security technologies increases complexity, staffing requirements, and 'noisy' alerts which prevent security professionals from focusing on valid incidents," he says.

Organisations often have too many tools, and many of those tools are not used to their full extent. According to IDG's 2020 security priorities research, 41% of IT security decision-makers across Asia don't "fully utilise" all the features included in purchased security technologies and services. What's more, 20% of purchased security technologies and services are under-resourced in terms of people, support services, or deployment.

The types of security tools needed are also changing, Lee says. "Due to the proliferation of cloud applications and the expansion of network boundaries, we can no longer rely only on network security controls." Instead, "[we need] all-round identity and context-based products or services for logical access."

New security threats, new role

In his current role, Lee holds responsibility for driving security architecture, technology innovation, and strategy at Maxis, helping teams design, deploy, and securely operate solutions across IT, the cloud, and telecommunications networks.

"My role has changed tremendously," Lee says. He began as an IT auditor, then became a penetration tester, then an internal security compliance manager, and then a consultant. Now, Lee is head of cybersecurity architecture and strategy. "As an auditor, understanding issues and controls served well in providing the fundamentals of cybersecurity risk management," he says.
"Then some exposure to the offensive side of cybersecurity helps better understand the mindset of an attacker."

For the leadership aspect of the CISO role, Lee says, "the career path of a cybersecurity leader differs from others, but to be successful, ideally one is required to be very well-rounded in terms of governance, risk, and compliance, security strategy and technology, cyber defence, application security, and security operations."

The roles in his security team have changed as well. "Most traditional security roles start out focused on security compliance, penetration testing, and minimal security operations, mainly antivirus and firewall. Due to the advancement of technology resulting in the increase in threat surface and dedicated security solutions for various cybersecurity domains, I now see many cybersecurity roles which did not exist before."

For security strategy, Lee says it is important to balance the implementation of new technologies whilst accounting for previous investments and legacy infrastructure. "There is no right or wrong answer here," he says. "We need to analyse the business needs and financial investment both in terms of capital and operating expenditure, plus the implementation effort, speed to deploy, ongoing service requirements, and the ability to harmonise with technologies and security solutions."

As an example of balancing old and new, he cites the traditional technology of data loss prevention (DLP), in which automated policies inspect data and decide which protection rules apply to it before it leaves the organisation. Newer technologies such as information protection, by contrast, act as a mechanism that lives within the document itself. Given the increased use of cloud collaboration tools and personal devices, Lee notes the value of using a combination of both solutions.
"This then depends on how we can integrate the previous DLP investment with information protection."

The cybersecurity workforce challenge

Beyond determining security approaches and appropriate technologies to secure the business as the threat landscape and the organisation's digital strategy both evolve, a CISO faces a major challenge in managing the cybersecurity workforce.

Fatigue is a major issue, Lee says: the constant task of responding to breaches, revisiting innovation, and complying with regulatory requirements can become "draining and reactive". That reinforces the need for CISOs to take decisions based on risk, he says, to reduce the need to react after the fact.

"Security leaders must manage the load so that the team does not feel overwhelmed," Lee says. "Once the risk is quantified, it then needs to be prioritised based on urgency and importance. Leveraging technology which enables automation and machine learning can potentially reduce a lot of manual effort and allows the team to focus on value-added work." Those technologies include user behaviour analytics, extended detection and response, and security orchestration, automation, and response offerings.

The other major CISO management challenge is the severe cybersecurity talent shortage in Malaysia and across Southeast Asia. To help address that shortage, Lee advocates exposing security roles to people operating on the periphery of the market, widening the net to recruit talent. For example, "software developers would be relevant for the application security team while cloud administrators can fit into a devsecops team," he says.