A CISO’s Playbook: Defense – Dynamic Security Strategies for an uncertain future

Tobias Gondrom, Chief Information Security Officer at UOB, delivered a presentation around “A CISO’s Playbook: Defense – Dynamic Security Strategies for an uncertain future”.

This session covered:

  • Cyber Risks
  • Threats
  • Being nimble for a hostile world
  • Agility & Automation
  • Priorities & Playbooks

Tobias Gondrom is the Group CISO at UOB. From 2015 to 2018, he was the CTO Security at Huawei, responsible for the security of Huawei’s products and solutions, among them next-generation networking, SDN, NFV, IoT and more. He is a former global board member and former global chairman of OWASP (Open Web Application Security Project, with 40,000 security experts and over 200 chapters around the world). He has about 20 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations. Over the years, he has trained and advised more than a hundred CISOs and senior information security leaders around the world on the management and organization of security teams and programs. Since 2003 he has chaired working groups of the IETF (www.ietf.org), most recently the DOTS (DDoS Open Threat Signaling) WG; he is a member of the IETF security directorate, and from 2014 to 2018 was a member of the IETF Administrative Oversight Committee (IAOC) and the chair of the IETF Trust.

Driving faster response to threats and vulnerabilities

Paul Petersen (Regional Director, APJ – Office of the CISO), Gaurav Mahendru (Sr. Advisory Solution Consultant, Security and Risk) and Todd Rotger (Global Sales Leader, Security & Risk) at ServiceNow, delivered a roundtable discussion on “Driving faster response to threats and vulnerabilities”.

Did you know there is a better way to manage your organisation’s end-to-end security posture while meeting compliance regulations?

ServiceNow discussed enterprise security visibility and the challenges businesses face adhering to the ever-changing compliance landscape.

During this seminar, speakers shared specific use cases associated with key risk indicators that enable organisations to identify and report risks, prevent crises and mitigate them early. The webinar also covered:

  • Prioritising vulnerabilities
  • Centralising, automating and streamlining incident response and operations
  • Controlling risk exposure through real-time dashboards and continuous monitoring
  • Reporting to key stakeholders

ServiceNow (NYSE: NOW) makes work, work better for people. Our cloud-based platform and solutions deliver digital experiences that help people do their best work.

Security Considerations for Cloud Outsourcing

Solomon Tay, Head of IT Controls and Information Security at Singapore Exchange, delivered a workshop around “Security Considerations for Cloud Outsourcing”.

During this session, the speaker discussed the areas of consideration that form part of the Singapore financial industry players’ journey into cloud outsourcing.

The adoption of cloud can offer a number of advantages, including faster time to market, scalability, cost savings, and enhanced security and access controls. The speaker shared the areas of consideration when performing due diligence and implementing controls to address the typical characteristics of cloud services, such as multi-tenancy, data commingling and a higher propensity for processing to be carried out in multiple locations.

27+ years of IT experience in delivering large-scale systems, re-engineering IT and Operational processes. Domain expertise in Government, Banking and Insurance sectors. I joined SGX in 2018 as Head of IT Controls and Information Security. Prior to SGX, I held senior IT positions in the financial sector including ANZ, CIMB Bank Berhad, Barclays PLC, Standard Chartered Bank, OCBC Bank and UOB Bank. I started my career in the government sector with the National Computer Board (Singapore) in 1990 as part of the Singapore Government’s Civil Service Computerization Programme (CSCP). I am passionate about simplifying processes, improving productivity, driving innovation and delivering robust and secure services for the business units. I am an active member of the Standing Committee for CyberSecurity (SCCS) formed by the Association of Banks in Singapore. More recently, I led the subgroup for External and Partnership Services in the Industry Core Working Group for the new revision of MAS TRM in 2018. I am also an active member in the ABS Cloud Computing Guidelines workgroup in crafting the new version 2.0. Participated in the ABS SCCS Study trip to UK in 2018.

What does cyber risk mean to business

Theo Nassiokas, Director, APAC Cyber & Information Security at Barclays, delivered a presentation around “What does cyber risk mean to business”.

During this presentation, the audience learned about:

  • Defining cyber risk
  • Determining cyber risk profile
  • Threats, delivery methods and actors
  • Data used to measure cyber risks
  • Quantifying cyber risk in business terms
  • Cyber risk (GRC) tools and insurance

Theo is a technology-risk and regulatory-focused security leader with over 20 years of diverse experience, with accountability ranging from law enforcement and criminal intelligence to risk and security strategy and policy development and implementation within government and, more recently, financial services organisations across Asia-Pacific. An acknowledged authority in the areas of security, risk, compliance and cybercrime, Theo has publicly spoken on these topics on many occasions. Theo holds an MBA (Tech Mgt) from La Trobe University, is Board Certified in Security Management (CPP) by ASIS International and is a Certified Information Security Manager (CISM) by ISACA.

Future-proofing against Emerging Cyber-Physical Threats

Steven Sim, Vice President at ISACA Singapore Chapter, delivered a workshop around “Future-proofing against Emerging Cyber-Physical Threats”.

With the advent of industrialisation 4.0, the lines between cyber and physical continue to blur, and this has become unavoidable. Against the gloomy backdrop of an increasingly sophisticated threat landscape, re-alignment of security posture maturity is imperative. Threats, especially the more recent NotPetya outbreak, were a rude wake-up call that cyber resilience is ever more key to ensuring business continuity. During this session, Steven shared practical tips on protecting against such cyber-physical threats in a holistic manner.

Steven Sim drove information security initiatives, developed security standards, managed security risks and threats, performed vulnerability research and promoted security awareness for Singapore, and also led PSA Group’s IT Security Centre of Expertise to franchise best practices to other PSA terminals around the globe. He holds a Masters in Computing and is a certified CCISO, CGEIT, CRISC, CISM, CISA and CISSP. He has also held certifications in industrial control security, malware analysis, incident handling, perimeter protection and audit. During his career, he developed a strategy for inexpensive automated containment of infected/vulnerable systems, presented at the FIRST conference, aiding an NIQC gold win. Steven has also undertaken roles with various security associations including ISACA and SCS. At one point, he directed the setup of the largest honeynet project outside the US. He is a Singapore SkillsFuture fellow and was a finalist in the Leaders category of the inaugural The Cybersecurity Awards 2018 held in Singapore.

Digital Transformation – Are You Forgetting Something?

Anthony Lim, Director, Singapore at Cloud Security Alliance, delivered a workshop around “Digital Transformation – Are You Forgetting Something?”.

Many organizations are engaged in various aspects of digital transformation today, and many vendors are egging them on. In the feverish embrace of new innovative technologies and services to reach out to new customers and markets, and also to enjoy operational efficiencies, one needs to stop for a moment and consider the cybersecurity and governance considerations therein.

Anthony is a pioneer of cyber-security and governance in Singapore and Asia Pacific, with over 20 years’ professional experience as a business leader, consultant, advocate, instructor and auditor. He has held inaugural senior executive roles for the AP security business at IBM, CA and Check Point, co-authored an international technical professional certification for cloud security, and is a university fellow, adjunct instructor and module developer for several tertiary academic and professional institutions. He is a long-time, well-known speaker and content provider for many business, industry, government and academic conferences, workshops, executive roundtables, trainings, committees and media (print, broadcast, internet), and is interviewed often on national TV news.

Encryption needs to move beyond laptops and desktops

John Guo, Head of Professional Services, APAC at Thales e-Security, delivered a presentation around “Encryption needs to move beyond laptops and desktops”. 

Digital transformation without data security is like driving off a cliff. Traditional security strategy is no longer effective, as our networks are now borderless and data is spread across mobile devices, clouds and networks. Organizations need to protect their data regardless of where it is used, shared or stored. In our rapidly digitalising world, cyber threats, laws and security are at the forefront of every business’s concerns. The presentation by John Guo addressed these challenges and explored the latest data security solutions we can adopt as we adapt to digital transformation.

John is an experienced security professional who helps customers around the world enhance their security postures. He has worked for major security vendors and financial institutions in Silicon Valley, Australia and across APAC. John’s main expertise is in data and network security.

Cyber-threats – How are they different across the sectors?

Paolo Miranda, Vice President, Partnership Director, (ISC)2 Singapore, moderated a panel discussion around “Cyber-threats – How are they different across the sectors?”.

Panelists included:

  • David Gee, Head of Cyber Security (regional CISO), HSBC
  • Amanda Bluett, Head Cyber Defence and Assurance, CBRE
  • Ganesh Krishnaswamy, Chief Information Officer, NatSteel Holdings

This panel discussion addressed:

  • How are the cyber-threats different across the sectors? Do we see cross-sector threats? For example, do we have cases where the FI sector gets hit first, followed by the other sectors? Alternatively, do we have cases where the non-FI sector acts as a ‘test-bed’ for the threat actors before the actual attack on the FIs?
  • How could the sectors be working closer together, to share threat-indicators, and work cohesively?
  • Are regulators helping the FI sector, by pulling up the level of security hygiene? Should other regulators follow suit?
  • How are privacy laws different across the sectors, and how challenging has it been to implement PDPA or GDPR or other laws?
  • Insider threats versus cyber threats, what are the main pain areas across the sectors?

David is Head of Cybersecurity for HSBC Asia Pacific. He has worked on transformation from the CIO position for the last 19 years. Before joining HSBC, David was CIO and SVP at MetLife Japan, responsible for 8 million customers in the insurer’s largest retail market. David won CIO of the Year 2014 at Credit Union of Australia for successfully completing a large transformation programme that delivered new core banking, online and mobile banking systems along with a total infrastructure revamp. David has a strong fintech background. He has been an advisor to many startups and has consulted for VC firms. He has also been a partner-level IT consultant with KPMG, EY and ICG. David has been a regular writer for numerous IT publications including CIO Australia, Computerworld, ITNews and CSO (Cyber Security) magazines.

Amanda is an enthusiastic information system risk and security practitioner. She has 18 years’ experience and has been involved in assisting some of the world’s largest businesses in all areas of the cyber security realm. Her specialty areas include investigations, mobile forensics, internet intelligence, information system audit, information system analysis and risk management, information system security architecture, information governance and management, eDiscovery, security strategy, and enterprise security.

Ganesh has 19+ years of experience in IT, spanning global MNCs across industries including CPG, telecommunications and metals. He is passionate about providing best-in-class IT services that deliver a competitive advantage to the business and enable business growth. As the CIO for NatSteel, he is also responsible for enabling the organization’s strategic objective to “Go Digital”.

Interview with Steven Sim, Vice President, ISACA Singapore Chapter

Steven Sim is the Vice President of the ISACA Singapore Chapter. ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. The Singapore chapter has over 2,300 members; part of its mission is to provide high-quality learning opportunities, and it organizes an annual GTACS conference.

He has worked for over 20 years in the cybersecurity field with large end-user enterprises and has driven security governance and management initiatives at local, regional and global levels. He holds a computing masters and is certified in multiple governance and cybersecurity domains. He developed a strategy for inexpensive automated containment of infected/vulnerable systems (NIQCC gold win) and directed the largest honeynet project setup outside the US. He is a SkillsFuture Fellow and was a Professional (Leaders) Finalist in the inaugural Cybersecurity Awards 2018 held in Singapore.

1) What do you feel are the biggest challenges IT leaders are currently faced with within their business?

Some IT leaders felt that IT security investments never appear to be enough and are eating into their bottom line. The challenge is often answering the question of how much security would be considered enough and how to future-proof their business in a more proactive rather than reactive approach.

2) As an IT leader, what do you feel businesses continue to get wrong when it comes to their IT strategy?

Some businesses continue to be misaligned with enterprise risk appetite. It is also a common issue to adopt technology without first having a clearly defined problem statement, as well as lacking adequately trained people with the right mindset and sufficiently streamlined processes supporting it.

3) What are the latest trends and behaviors you predict will be surfacing on the market over the coming 12 months?

The rise in threat sophistication and business impact bolstered by the embrace of industrialisation 4.0 would demand every organisation to look into adopting a robust cyber resiliency maturity program that is well aligned to enterprise risk and architected with layered defences cutting across protection, detection, response and recovery and supported by trained right-mindset people, quality processes and cost-effective technologies.

4) What is the best piece of advice you have received within your job over the years?

My dentist has this principle that “As human beings tend to be over-confident, therefore it is important to over-compensate” and I quote Andy Grove who said that “only the paranoid survive”. These are especially true in cyber security. Having said that, it has always been about the business, therefore it is really about the continual pursuit of that sweet spot where security can truly and fully be an enabler of the business.

5) What is one key takeaway you hope our IT audience leaves with after hearing your presentation on site?

I hope that the audience can walk away with a pragmatic approach to manage current and future emerging threats while continuing to grow their businesses.

Copyright 2022 ©Focus Network. All rights reserved