How Maxis’s cybersecurity team enable the Malaysian telco’s digital business

The Phoenix Project, an IT novel by devops expert Gene Kim, is a cautionary tale for Lee Han Ther on how to be—and not be—a CISO. The novel emphasises the heightened importance of CISOs adopting a more flexible posture in ensuring that security is supporting and protecting—not frustrating and thwarting—business strategy.

Lee is head of cybersecurity architecture and strategy at Maxis, a major telecommunications provider in Malaysia. He observes that the novel’s fictional CISO (John Pesche) “evolved from being a show-stopper to an enabler to the business and a partner to the technology team”. Lee notes that Pesche may be a fictional character, but too many real-life CISOs share his flawed approach to managing security.

“I would measure success in security in a form of trust and value you have gained from your stakeholders and peers,” Lee says. For Lee, that means aligning to the bigger picture, which requires holistic thinking. CISOs of course should think through the metrics required to effectively measure security investment levels, and CISOs should be able to focus on their own and their team’s technical skills.

But those skills are table stakes today, Lee says. More is needed to support and protect the business strategy. “IT security executives must now be inquisitive, collaborative, and gritty. The cybersecurity space is evolving very rapidly both from a threat and technology controls angle, meaning successful modern-day IT security executives need to be curious and dive deep, rather than have a surface-level understanding,” Lee says.

In managing multiple stakeholders—such as internal colleagues, business users, and regulatory and audit third parties—Lee stresses the importance of CISOs cutting through the technical hype to identify common business objectives, working in collaboration with the wider organisation to achieve cybersecurity goals.

“IT security investment is required to reduce the risk of related cyber threats while building security into our services and fortifying business operations,” Lee says.

A security approach that supports wider digital ambitions

Unlike the fictional character of Pesche—security leaders can assume a “vital role” in the digital transformation process by spearheading efforts to build secure products and services from the outset, driven by increased speed to market and a protected remote workforce, Lee says.

This is in addition to creating resilient infrastructure to support cloud-migration efforts and minimise internal disruption, prioritising the deployment of solutions capable of providing both “security and usability” in equal measure.

By adopting a more flexible posture internally, Lee and the wider security team is supporting digital transformation efforts within Maxis, spearheaded by a new cloud-first strategy and a 5G telecommunications network rollout.

At the heart of the provider’s digital strategy is plans to integrate data analytics across every aspect of the business —consumers, enterprises, network, retail channels, and employees—following the internal adoption of Google Cloud. Announced in September 2020, the aim is to transition all of the company’s business intelligence, data analytics, and machine learning on-premises workloads to the cloud. Supporting the Google Cloud migration efforts requires increased emphasis on strengthening internal security capabilities.

The COVID-19 pandemic was another instance of where the Maxis security team needed to support broader business needs. To support remote work while protecting employees from cybersecurity risks away from the office and preventing potential leakage of sensitive data, the Maxis security team enabled stricter security configurations for the Microsoft 365 migration and provided the staff cybersecurity awareness sessions covering data protection, phishing, and access management. According to the company’s annual report, 99% of employees are now compliant with policy requirements.

That strengthened security for remote work is critical because the pandemic triggered a new way of working in Malaysia, evident through continued government-mandated movement-control orders. According to government agency CyberSecurity Malaysia findings, cyberattackers often used COVID-19 as a theme in phishing, scam domains, and malware, alongside targeting infrastructure in vulnerable sectors such as healthcare.

“My advice is for organisations to move to security-as-a-service [SecaaS] while consolidating security technologies and implementing zero-trust architecture,” Lee says. “Moving to SecaaS will remove dependencies in relation to managing on-premises infrastructure required to support security offerings. SecaaS is much more scalable and allows the security team opportunity to focus efforts on improving, refining, and fine-tuning the application layer.”

From a product perspective, Lee emphasises the importance of ensuring cybersecurity portfolios are strategic and in sync, noting that most businesses house more than 15 security tools in jumbled vendor portfolios. Having “a large number of unintegrated security technologies increases complexity, staffing requirements, and ‘noisy’ alerts which prevent security professionals from focusing on valid incidents,” he says.

In addition to often having too many tools, many are not used to their full extent. According to IDG’s 2020 security priorities research, 41% of IT security decision-makers across Asia don’t “fully utilise” all the features included in purchased security technologies and services. What’s more, 20% of purchased security technologies and services are underresourced in terms of people, support services, or deployment.

The types of security tools needed are also changing, Lee says. “Due to the proliferation of cloud applications and the expansion of network boundaries, we can no longer rely only on network security controls.” Instead, “[we need] all-round identity and context-based products or services for logical access.”

New security threats, new role

In his current role, Lee holds responsibility for driving security architecture, technology innovation, and strategy at Maxis, helping teams design, deploy, and securely operate solutions across IT, the cloud, and telecommunications networks.

“My role has changed tremendously,” Lee says. He began as an IT auditor, then became a penetration tester, then an internal security compliance manager, and then a consultant. Now, Lee is head of cybersecurity architecture and strategy. “As an auditor, understanding issues and controls served well in providing the fundamental to cybersecurity risk management,” he says. “Then some exposure to the offensive side of cybersecurity helps better understand the mindset of an attacker.”

For the leadership aspect of the CISO role, Lee says, “the career path of a cybersecurity leader differs from others, but to be successful, ideally one is required to be very well-rounded in terms of governance, risk, and compliance, security strategy and technology, cyber defence, application security, and security operations.”

The roles in his security team have changed as well. “Most traditional security roles start out focused on security compliance, penetration testing, and minimal security operations, mainly antivirus and firewall. Due to the advancement of technology resulting in the increase in threat surface and dedicated security solutions for various cybersecurity domains, I now see many cybersecurity roles which did not exist before.”

For security strategy, Lee says it is important to balance the implementation of new technologies whilst accounting for previous investments and legacy infrastructure. “There is no right or wrong answer here,” he says. “We need to analyse the business needs and financial investment both in terms of capital and operating expenditure, plus the implementation effort, speed to deploy ongoing service requirements, and the ability to harmonise with technologies and security solutions.”

As an example of balancing old and new, he cites the traditional technology of data loss prevention (DLP), in which automated policies assess data to determine what rules apply to it to be protected before it leaves the organisation. Meanwhile, newer technologies such as information protection act as a mechanism which lives within the document itself. Given the increased use of cloud collaboration tools and personal devices, Lee notes the value of using a combination of both solutions. “This then depends how we can integrate the previous DLP investment with information protection.”

The cybersecurity workforce challenge

Beyond determining security approaches and appropriate technologies to secure the business as the threat landscape evolves and the organisation’s digital strategy evolves as well, a CISO faces a major challenge in managing the cybersecurity workforce.

Fatigue is a major issue, Lee says: The constant task of responding to breaches, revisiting innovation, and complying with regulatory requirements can become “draining and reactive”. That reinforces the need for CISOs to take decisions based on risk, he says, to reduce the need to react after the fact.

“Security leaders must manage the load so that the team does not feel overwhelmed,” Lee says. “Once the risk is quantified, it then needs to be prioritised based on urgency and importance. Leveraging technology which enables automation and machine learning can potentially reduce a lot of manual effort and allows the team to focus on value-added work.” Those technologies include user behaviour analytics, extended detection and response, and security orchestration, automation, and response offerings.

The other major CISO management challenge is the severe cybersecurity talent shortage in Malaysia and across Southeast Asia. To help address that shortage, Lee advocates exposing security roles to people operating on the periphery of the market, expanding the net to recruit talent. For example, “software developers would be relevant for the application security team while cloud administrators can fit into a devsecops team,” he says.