
CSO Executive Sessions / ASEAN: Thee Boon Hoo on cybersecurity technologies

CSO Online | Apr 13, 2022

Thee Boon Hoo – APAC Head of Cybersecurity at MUFG – joins Xiou Ann Lim for this CSO Executive Sessions interview. They discuss technological gaps in the financial services industry, the need for more robust means to verify user identity, and more.

Copyright © 2022 IDG Communications, Inc.

Hello, you're watching CSO Executive Sessions. I'm your host Ann and on the show, I speak to cybersecurity leaders across Southeast Asia and Hong Kong about leadership, technology and the latest trends in the industry. Joining me on the show is Thee Boon Hoo in Singapore, who is APAC Head of Cybersecurity at the Mitsubishi UFJ Financial Group. And today, we'll be discussing technology. Great to have you on the show, Boon Hoo.

It is, and hello again. And yeah, happy to speak to you. Okay.

To start with, are there any technologies new or that have captured your interest recently? And can you tell us about them?

I think a lot of technology has been innovative and developed in the past few years, as cybersecurity itself is still a very hot market. Right? There's a lot of going concern, when there will be many efforts by companies to protect themselves, but the threats keep on going. And the industry continues to innovate, right. So there are some technologies that we saw that are quite interesting, but I think the first thing for any organization would be to really start with a security architecture blueprint. To really know your foundation, what do you have currently? And what are the problem statements that you have? Right? What are the problems that you want to solve and prioritize them, then to identify by followed by looking at what are the technology that can help you achieve that? So for example, if I take a look at the financial sector, and I think a lot of the issues now, due to the problem of trust, how do we trust someone that is transacting with us, whether from customers or whether customer itself to talk, transacting with another organization, because everything is conducted in cyberspace, and you other than relying on the passwords, even if we just even heading on MFA, you may not know if that person has been phished, just like the SMS phishing scam, it could be another person pretending to be dead, even that identity verification could have been undermined, and you're unable to really fully trust the other party. So I think a lot of some of the new initiatives that I see in the industry in terms of looking at multi-factor authentication that are relying on certain physical tokens encryption, they are able to be robust, and do not require the user to supply the information to the organization. Probably that is one of the ways that phishing, exploited. So that I think will be a way to interesting technology for us to look at security, at least providing the assurance to customers in terms of their transactions and who they are transacting with.
The other thing that I'm also looking at interesting, it will be, for example, a lot of initiatives is now moving towards cloud technology, whether from software as a service, or even for using containers and cloud in order to provide the agility to business transformation. So I think similarly, for cybersecurity. There's a lot of potential there, leveraging the cloud to secure ourselves, not only the systems that we have, but also the security assets that are on the cloud. So and that also means that maybe, in due course, we may not have a lot of assets that we manage ourselves, we can leverage a lot of the security on top of the technology provided by the cloud providers in order to provide a safe computing environment. But I think that will also mean that for professionals like us, we will have to look at changing ourselves in terms of our skill sets and the way we work, right, because when we move to the cloud, there will be a lot of technology that is basically managed by the other third parties, right, then that means we are approaching third party risk management domain where we will have to use different ways of helping the business to manage the risk. It's not so much about the technical networking concepts, but it's more about how do we ensure the service level agreement is met? Where are the assurance that we have the third parties managing our data separately from the other, so on and so forth? So I think with some of these new technologies that we can adopt, changing the way the products and even the skill sets of people to be able to work well in this new environment. So it might be one day that we do not have to carry personal laptops ourselves anymore; everything is an image spun up on the cloud. We don't protect them, and everything is not in our data center but somewhere else. So that I think would be the challenge for cybersecurity professionals. The GSA.

From that, do you have any other concerns as people increasingly adopt cloud technology, and even IoT and automation?

I think, in some sense, it's quite normal to see that during the wave of technology adoption, even the past few decades, the technology will always run ahead of these security considerations, right. So even something that we have been using for so many years, like emails are started with, I think, not that many controls baked in. So therefore, we still have issues like emails being phished, cannot prove the identity of the person sending emails to you. Until I think in the past few years back certain technology I've been introduced to, to goose up the email security standard. So for that would be one of the concerns that I see where a lot of people are adopting new technologies, but they have to not have the appreciation of the risks and what it takes to secure it. Right. And if they, if many of the IT or even business units think that well, just leave it to the security professionals are a team to safeguard our sets of data, I think that will not be sustainable. Right. As we move towards more agility as we empower people to perform their own computing, infrastructure setup or development of services, I think we also should expect each one of us, not only cybersecurity professionals, but the wider IT community to build up their security concepts and their knowledge. So only with that, then getting the new development, new technology they are deployed will be much more sustainable, and much more secure. Without the need to retroactively you know, patch and then provide fixes there. A lot of things have been already designed upfront without that controls in mind. So I think that would be the concerns that I will see, because it takes a lot of initiative and also understanding by the various parties to really inculcate and build up the security awareness and risk maturity among the various IT disciplines where this may not be conveyed attorneys traditionally, you know, that's something that is really, that they're familiar with.

Now, with the technology landscape constantly changing, how do you keep up with the latest updates?

I think I also speak for many cybersecurity professionals. Yeah, I think the one of the key traits that we have is the curiosity, the passion to learn, learn more. And I think it's, I think, at least for myself, I would confine the interest cybersecurity topics. I think you would get bored reading the same thing again and again. But what would interest the to me would be to know the wider technology landscape, right? What to in order for us to really provide this for the advice we need to know what are we actually securing and that means understanding some of the new technologies that are being adopted, whether it's microservices, whether it's technology, architecture, I think those are the things that at least for myself, I would be interested to go a bit deeper to know that so that if my conversation with my colleagues, at least we are able to speak the same language, we are able to understand each other and then so that they also appreciate what it takes to secure whatever they are rolling. But I think not only technology, looking at how the business is changing, what is the trends in terms of the financial services, that being innovative in the market now with all the competition coming up? I think looking at those issues, and also not confining ourselves to just technology. But there are similar problems that I see in cybersecurity, they could have been solved by a different industry, to looking at health care, for example, the whole COVID-19 pandemic. They faced teething issues such as supply chain congestion, auto next for delivery or vaccination, or even how do we verify and manage the different risks in the community and all those concepts experience from the healthcare industry? I think it will be good; there are lessons for us to know. And then to see what can we do because in cybersecurity, I feel that we sometimes face the same issues. It's all about resource constraints.
We have many things that are rolling up, but we have bottlenecks and different parts of the value chain and therefore the security or risk controls cannot be embedded in time. So, many other industries. So how do we see and appreciate some of the innovation or some of the problem solving techniques that many other communities have done? And how do we then bring that to cybersecurity? So I feel that for professionals, the wider we read, the wider we expose ourselves to out there, I think that will only help us in widening our perspective.

How do you think relatively new technology like artificial intelligence is affecting cybersecurity right now? How does it help? And how does it harm us?

I think, for artificial intelligence is still early, early days, at least to me. I think we will always be attracted to the idea of a machine or an algorithm that can help us predict right predict when's the next cyber type of help us to predict that? Are we doing something that or are we forgetting to do something that will lead us to a data breach right, just like AI? Hopefully, we have AI to help us advise us on our health profile, should we do something before we had the next disease coming up. But I think this is still many years ahead. Although I do see that there are a lot of industry vendors helping to grow this space, right where the from the hardware vendors don't get training up new hardware, they can process the data and the algorithm faster. At the same time, new AI methods are being developed, as of now, but as of now, I will say that there are not many tangible business cases, or at least value that we see at least for myself, in this space. But I do think that over time, like we have started with machine learning, we started getting a lot of data for analysis. I think that will only help right now. It'd be for cyberspace compared to other industries, like health care, where the data in healthcare are very much accessible, right over the years and experience of experiments and research. So the data availability, so on are a crucial element for AI to be able to provide that model or the insights that are valuable for us. Whereas for cyber security, I think there's still a lot of data, they're not being shared enough, right. So for there's no such data on a concentrated incident service providers to probably the extent of organizations that are able to harness the value of the data to provide a good optimal use of AI is still in that because of that, too. But I do see some initiatives or efforts from the industry in terms of pulling together the data to the talents in AI in order to help to provide a predictive model.
I guess it is still early days on.

Speaking of sharing data, there are many people advocating the use of blockchain technology, who are claiming that it's safer and more secure. What are your thoughts on this?

I think blockchain technology, the concept itself is good because it uses encryption. And I think a lot of the problems in cybersecurity fundamentally are solved by using encryption, right in order to secure the data, you know, prove the integrity or the identity, the authenticity of the transaction. But I guess the problem is always the ecosystem around the technology, right? So blockchain is being used for NFT. Now, right? Non-fungible tokens, you can buy a virtual image for certain money, and that will be proven to be yours, but how that ecosystem is being built? I think that is the question now, because there have been a lot of breaches, right in some of the cryptocurrency providers, because of even though they are using the right technology to secure the data, the transaction, but the access to it, right, the healthful controls that are governed is still something that has to be implemented and therefore that's where the gap lies. So I think blockchain goes to, to me at least I will see in the foreseeable future, blockchain will be the core technology to power many of the other innovations that's happening. But whether it is secure or not, I guess the question remains because of that ecosystem that needs to be developed.

For my next question, I'm going to ask if you can visualize the future and describe a cybersecurity technology that has not been invented yet. So can you mentally invent something that you think would solve problems for CISOs everywhere?

Oh, I think that's the hardest question for me, because looking at all the problems currently, for technology that would be really fulfilled on the wish list that I have, or many professionals have to bet will be a tall order. But I think going back to, at least for one of the key problems that I see was due to the inability for us to verify the trust of the other party, especially in cyberspace. So I think that's a technology that will allow us or you individually to prove that who we are, and prove that that identity is not something that has been subjected to impersonation, or has been stolen and taken by somebody else. Right, I think that will go a long way to reduce the chance of fraud and enable all the various consumers or organizations to transact in a safer and more trusted manner. So I think that technology has not been developed yet. But there are some initiatives going on in terms of using cryptography, something that you have a token, but maybe something that leverages with biometrics for them, that and that is specifically uniquely to you and cannot be easily reproduced. And maybe in the end, that technology will have to use something like blockchain, in order to provide that integrity, you know, and to let everyone know that this is who he is, that but until that is reached, I think we will still have to do a lot of work to help protect ourselves and the organization.

Last question, do you have any advice to vendors on how they can better help CISOs and their teams?

People, process, technology are the three key pillars for cybersecurity. But I think there's a fourth pillar, which is the industry partners, or when there's a trusted partner that can help the organization, right, because of the skill sets and the experience that they have. And also there's just scale that they have dealt with, right, that provides that experience. And that victory is very valuable for organizations like us to leverage. So I think the vendors out there could also help us by looking at where we lack resources, right, providing people to help us. But also to know that every organization is different, even though we may all be in the same financial sector, but each bank or each insurer will have different challenges operational complexity, governance structure. So I think, for a trusted partner, they are able to advise us Well, we hope that that organization, able to know, get a deeper understanding of the challenges that we face, and able to provide pragmatic advice, not something that is so called best practice, because best practices may not be the best for our organization. But it should be something that is good practices that are relevant, and that we're able to implement a doc based on the level of maturity that we have, and how we can build that over time in a sustainable manner. And not just someone render the companies to pitch their latest product, that they're able to be the next silver bullet that solves everything. Because I think after decades of experience, we know that a solution or technology is just one part of the solution. Because once we implement it, we have to look at optimizing operationalizing it and as a lot of challenges where technologies don't integrate well with each other or cannot keep up with the times. So that's where I think a vendor that can see that whole picture of not only short term, but the longer term for the client.
I think there will be the vendors that will be very valuable and advisors are trusted advisors for organizations like us.

Thank you, Boon Hoo, for sharing your thoughts with us today. It's been a real pleasure speaking with you. And to our viewers, as usual, if you have any suggestions or feedback on the show, questions you'd like me to ask our guests, you can reach out to me on LinkedIn. See you on the next episode. And thank you for watching.