Koh Kok Tian, Deputy CEO of CIO Academy Asia, kicked off the event by sharing insights from industry research, including the CIO Academy Asia Tech Trends and Priorities Survey 2019, which found that business technology leaders are very wary of the security threats and risks they have to contend with as they deploy advanced technologies such as artificial intelligence (AI), cloud and the Internet of Things (IoT).
“According to Juniper Research, by 2022, data breaches will cost organisations, globally, a cumulative total of US$8 trillion in fines, lost business and remediation costs,” Koh said.
However, the risks may be necessary, he added. “The figures are big, yes, but they do not outstrip the market opportunities created by the rise of data science. So, we should not hurriedly lock up our environments just because there’s a potential for breaches.”
Network Isolation: A Key Requirement for the Modern Security Architecture
The first keynote of the day came from Amir Ben-Efraim, Co-founder and CEO of Menlo Security, who made a case for network isolation as the most effective approach to countering cyberattacks. “The Internet bears a lot of risk and connecting to it is a high-wire act,” he said. “The world collectively spends a ton on cybersecurity. Every year, US$20 billion is being spent on network security alone, but–if you consider the number of breaches today–you can tell that it’s not working.”
The problem, Ben-Efraim argued, was a systemic one. “We have a faulty architecture—the architecture that assumes it can identify good and the bad. This whole detection-based approach that we’ve been employing for the last 20 years is broken—and that’s why we keep getting breached again and again and again,” he said.
His solution? The network isolation model. “What if you could actually air gap your network, kind of cut the cord (virtually not physically) to the outside world but still retain the ability for end users to do their job? We’ve created the global isolation cloud,” he said. “Isolation means the workload is no longer run on your endpoint. When your end user tries to connect to the Internet or download a PDF, the session actually runs on our isolation cloud and only visuals come down to the end user. The net result is the end user gets to the operation of actually running and connecting to a web session or opening an email that happens in the safety of virtual machines in the cloud. This allows you to achieve that air gap, but still get that interactivity or connectivity that the end user can continue using the Internet and email that they’re used to but do so in a way that’s safe. It’s an architecturally safe channel that takes malware down to zero.”
Using his company’s global network isolation platform as a reference point, Ben-Efraim ran down the list of what he says can be achieved with network isolation on the cybersecurity front: improved security with total elimination of breaches due to email and web; a reduced burden on security teams, who have 90 percent fewer alerts to tend to and therefore less triage, forensics and remediation work; and total elimination of zero-day threats and the in-house work associated with protecting against them.
According to Ben-Efraim, this model is ideal for protecting the networks of organisations leveraging cloud services. Because the global isolation cloud stands between the enterprise network, its users and their cloud services, it not only provides greater security but also lowers latency for end users, he said. He contrasted this with the currently more common setup, where users reaching their business cloud services have to either go through their enterprise network (which slows down access) or, worse, go directly via the web to the sites (which increases the risk of breaches).
Ben-Efraim then talked through the journey toward full network isolation on Menlo’s platform and the use case of a customer, the US Department of Defense, before concluding.
Managing Risks with Threat Intelligence
Kaspersky Lab’s Head of Presales for Asia-Pacific, Leonard Sim, offered an approach to addressing security issues at both the organisational and technical levels, built around an ‘intelligence-driven’ security operations centre (SOC) that manages updated intelligence on threats, proactively hunts them down, equips security teams with the know-how to tackle them, and provides an incident response framework that minimises the damage and costs they incur.
Sim drew a stark contrast between conventional approaches to security and what he was proposing. The conventional approach, he pointed out, is marked by being reactive to threats, having no strategic overview, handling incident prioritisation inefficiently and constantly suffering from a lack of expert manpower and expertise. The ‘intelligence-driven’ approach, by contrast, would provide advanced analytics, dynamic countermeasure capabilities, a high degree of operations automation, and continuous adaptation.
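To make the ‘intelligence-driven’ idea concrete, here is an added example (not Kaspersky’s product or code, and not part of the original event report) of the simplest building block of such a SOC: matching an externally sourced indicator feed against internal proxy logs, so that hosts that contacted known-bad infrastructure are surfaced and ranked for the analyst instead of waiting for an alert. The log format, the indicator feed and every domain and IP address in it are constructed for the example.

```python
"""Added illustration: hunting proxy logs for threat-intelligence indicators.

Everything below (log format, indicators, hosts) is constructed sample data,
not a real feed or a real product's API.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed indicator feed: value -> (description, confidence).
INDICATORS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "domain": {
        "updates-cdn.example-bad.test": ("Phishing kit staging host (constructed)", "high"),
        "mail-relay.example-bad.test": ("Credential harvesting page (constructed)", "medium"),
    },
    "ip": {
        "203.0.113.45": ("Command-and-control address (constructed)", "high"),
    },
}

# Constructed proxy log lines: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOGS = """\
1561012345 10.0.0.12 GET http://updates-cdn.example-bad.test/kit.js 200
1561012346 10.0.0.15 GET https://intranet.corp.test/home 200
1561012350 10.0.0.12 POST http://203.0.113.45/beacon 200
1561012390 10.0.0.20 GET https://www.example.com/ 200
1561012400 10.0.0.15 GET http://mail-relay.example-bad.test/login 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Hit:
    client: str
    indicator: str
    kind: str          # "domain" or "ip"
    description: str
    confidence: str    # "high", "medium" or "low"
    ts: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line into its fields; return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m["url"])
    if not h:
        return None
    return {"ts": int(m["ts"]), "client": m["client"], "host": h["host"].lower()}


def hunt(log_text: str, indicators=INDICATORS) -> List[Hit]:
    """Return every log record whose destination host matches an indicator."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = "ip" if IPV4_RE.match(rec["host"]) else "domain"
        match = indicators[kind].get(rec["host"])
        if match:
            description, confidence = match
            hits.append(Hit(rec["client"], rec["host"], kind, description, confidence, rec["ts"]))
    return hits


def prioritise(hits: List[Hit]) -> List[Tuple[str, List[Hit]]]:
    """Group hits by internal client, highest-confidence client first, oldest hit first."""
    order = {"high": 0, "medium": 1, "low": 2}
    by_client: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        by_client[h.client].append(h)
    ranked = sorted(by_client.items(), key=lambda kv: min(order[h.confidence] for h in kv[1]))
    return [(client, sorted(hs, key=lambda h: h.ts)) for client, hs in ranked]


if __name__ == "__main__":
    for client, client_hits in prioritise(hunt(SAMPLE_LOGS)):
        print(client)
        for h in client_hits:
            print(f"  {h.ts} {h.kind}:{h.indicator} [{h.confidence}] {h.description}")
```

The useful part for an analyst is not the string match but the grouping: one internal host (10.0.0.12) touching both a staging domain and a command-and-control address is a single high-priority case, not two unrelated alerts. A real feed would be refreshed continuously and matched against far more than proxy logs, which is exactly the ‘holistic view’ Sim argued for.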
Why the emphasis on threat intelligence? “The threat landscape is expansive. At Kaspersky we discover more than 300,000 carriers of malware every day,” said Sim, pointing to the vast increase in the numbers and types of threat actors, ranging from the lone hacker all the way to nation states, and the growing multitude of entry points to enterprise networks today. “And you need to have a holistic view—internal and external. Yes, with your current security solution, you can see everything happening internally and you have full control internally. But if you do not know what the threat actors out there are trying to do, how are you going to instrument your security to stand against them?”
Sim drew his presentation to a close with a list of criteria for selecting a strong ‘threat intelligence’ solution.
Panel Discussion: Key Imperatives to Secure the Digital Customer Experience
CIO Academy Asia’s P. Ramakrishna (Rama) led a compelling conversation–between Suchit Mishra, Head of Information Security at Grab; Murari Kalyanaramani, Executive Director of Security Technology Services at Standard Chartered Bank; Gaurav Mahendru, Senior Advisory Solution Consultant of Security and Risk at ServiceNow; Tom Sprenger, CTO of AdNovum; and, Kevin O’Leary, Field Chief Security Officer of Palo Alto Networks–about the complex issues around enhancing and ensuring information security at the enterprise without negatively affecting user and customer experience.
Kalyanaramani of Standard Chartered Bank was asked how he approaches security issues associated with having to work with business and technology partners on industrywide initiatives. Pointing to how the whole approach in banking to third-party risk management had evolved significantly over the past few years, he said: “In the past, it was mostly about providers doing simple business process outsourcing work. Looking at the whole threat landscape and what has been happening in the industry has made us challenge our own assumptions around what the scope of our own third-party risk management processes should be.”
Much more due diligence now has to go into knowing and tracking the third-party contracts, the stipulated coverage and obligations, and seeing to it that they are met. As a result, there are differences in how he manages different third-party relationships, particularly when the time comes for reviews. “That would depend on the type of contract we have with them. In some cases, we can do a full onsite audit. In some cases, it’s about trusting the vendor.”
ServiceNow’s Mahendru offered his perspective on the difficulty CIOs may have as they go about mitigating the risks of working with third parties to bring new technologies into their organisations. “From an organisational perspective, it’s very crucial how you ensure your level of protection, your methods and your thought processes around security and risks are also matched by your partners,” said Mahendru. He noted that ascertaining whether partners meet one’s standards is not done now as well as it could be–it is typically done manually by staff using email and checking partners’ compliance status off Excel spreadsheets–and that calling upon the services of companies that evaluate technology vendors and give them security ratings could well be advantageous.
In response to a question regarding how Grab evaluates how secure its vendors are and ensures the security of the technologies it purchases, Mishra said that his team typically exercises a great deal of due diligence to ascertain that they “agree on the same security tenets” and that they are at the same level, security-standards-wise. “Are they following the same Internet security standards? Do they have frameworks? Are they interoperable?…We have a list of things we look for,” he said. And once Grab has contracted a vendor, “we have checks and balances in place, in the form of security audits and technical assessments,” to ensure they keep delivering to those security standards and requirements, Mishra said. “In fact, in some cases we put our vendors onto a Bug Bounty programme, and we tell them that if we find a security bug they will have to pay for the bounty. We will not pay for it.”
Secure Blockchain for Business
The programme concluded with two highly interactive workshops, the first of which was led by Sprenger of AdNovum, who presented a primer on the use and value of blockchains in security and worked with the audience to envision how blockchain technology can transform their respective business ecosystems. He briefed the audience on the more common blockchain applications today, the two types of blockchains (the open public and the private consortium) and the core elements of a blockchain, before segueing into whether and how blockchains can strengthen security and trust within a business ecosystem.
“You hear a lot about how blockchains are secure. Is it true? In some areas, it is,” Sprenger said. He cited a number of ways in which blockchains by design mean better security and higher trust among parties. Among them: the immutability of transaction data in blockchains (i.e. once data passes the consensus mechanism and is written into the chain, it can no longer be modified) can ensure the integrity and traceability of data; being based on peer-to-peer transactions and not requiring a centralised system or entity makes a blockchain a very difficult target to hack, since it does not present a single “central instance” but many that would all have to be attacked; and, by giving all parties the same view of the data, it assures transparency and verifiability via a consensus algorithm and process.
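The two properties Sprenger singles out, immutability and the absence of a single central instance, come from the same mechanism: each block carries the hash of its predecessor, so altering any written block invalidates every block after it, and every peer holding a copy can detect the change. The following is an added example written for this report, not AdNovum’s or cardossier’s code; the block structure, the `verify` and `peers_agree` checks and the vehicle records are all constructed for illustration, and real consensus (who is allowed to append, and how peers agree on the next block) is left out.

```python
"""Added illustration of a hash-chained, append-only ledger and its integrity checks.

Constructed example; not the code of any real blockchain platform.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # the first block points at an all-zero predecessor hash


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str   # digest of the previous block; this is the link that makes the chain
    data: dict       # the transaction payload (constructed vehicle records below)

    def digest(self) -> str:
        """SHA-256 over a canonical JSON encoding of the block contents."""
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "data": self.data},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: List[Block], data: dict) -> List[Block]:
    """Return a new chain with `data` appended (the chain itself is never modified in place)."""
    prev = chain[-1].digest() if chain else GENESIS_HASH
    return chain + [Block(len(chain), prev, data)]


def verify(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) if every link is intact, else (False, first bad index)."""
    expected = GENESIS_HASH
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected:
            return False, i
        expected = block.digest()
    return True, None


def peers_agree(copies: List[List[Block]]) -> bool:
    """Every peer holds a copy; they agree iff the digests of their head blocks are identical."""
    return len({copy[-1].digest() for copy in copies}) == 1


def corrupt(chain: List[Block], index: int, new_data: dict) -> List[Block]:
    """Simulate one copy of the ledger being altered in place (e.g. disk corruption or an
    insider with write access to a single node) without re-linking the following blocks."""
    altered = Block(chain[index].index, chain[index].prev_hash, new_data)
    return chain[:index] + [altered] + chain[index + 1:]


def build_sample_chain() -> List[Block]:
    """Three constructed records in the spirit of a vehicle-history ledger."""
    chain: List[Block] = []
    chain = append(chain, {"vin": "EXAMPLEVIN0000001", "event": "registered", "km": 0})
    chain = append(chain, {"vin": "EXAMPLEVIN0000001", "event": "service", "km": 15000})
    chain = append(chain, {"vin": "EXAMPLEVIN0000001", "event": "sold", "km": 42000})
    return chain


if __name__ == "__main__":
    honest = build_sample_chain()
    print("intact:", verify(honest))
    # Rolling back the mileage in the middle block breaks the link to the next block.
    rolled_back = corrupt(honest, 1, {"vin": "EXAMPLEVIN0000001", "event": "service", "km": 5000})
    print("after corruption:", verify(rolled_back))
    # Altering the LAST block leaves no successor to contradict it...
    tail = corrupt(honest, 2, {"vin": "EXAMPLEVIN0000001", "event": "sold", "km": 20000})
    print("tail altered, local check:", verify(tail))
    # ...which is why the other peers' copies matter: their head digest no longer matches.
    print("peers agree:", peers_agree([honest, honest, tail]))
```

The two `corrupt` cases show where the immutability guarantee actually comes from. Changing a block in the middle is caught by a purely local walk of the chain, because the next block’s `prev_hash` no longer matches. Changing the most recent block is not caught locally, since nothing points at it yet; it is caught only because other peers hold their own copies and the head digests disagree. That is the practical meaning of Sprenger’s point that there is no single “central instance” to attack: an attacker must alter enough copies to win the consensus, not just one.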
Sprenger proceeded to talk about AdNovum’s involvement in the application of blockchains in the development of a platform for the automotive ecosystem in Switzerland called cardossier, and shared what AdNovum and its partners had learnt from their work in the ongoing initiative. These include a deep understanding of the major security considerations–such as those with respect to cryptography, consensus algorithms, identity and access management, code development practices, data integrity maintenance and assurance, and the need for blockchain firewalls–and key challenges (such as those to do with governance of the ecosystem, data privacy and regulatory compliance, and management of operation and incident responses) associated with a blockchain project of its scale.
Sprenger also brought up, in addition to cardossier, the cases of Nestle and Walmart applying blockchains to their food supply chains to maintain secure digital records and enhance the traceability of food items, and that of shipping and logistics company Maersk using blockchain technology in their cargo documentation system. He then asked the delegates of each table how they saw blockchain changing their respective business ecosystems, and the challenges (in security and other areas) they expect to have to meet as they set about adopting blockchain.
Highlight responses from delegates to the questions include those from the table with a mix of participants from the FSI and government sectors. As a group, they acknowledged that there are clearly use cases where blockchain would be valuable, especially where a high level of traceability, data aggregation and speed, and the legality and integrity of the information are needed. They also stressed that the value proposition, definition and incentivisation of the participants in the blockchain have to be very explicit in order to ensure support for, and the success of, the blockchain initiative. The challenges cited included potential issues with internal governance (as blockchain initiatives in a corporate context could well exclude security’s involvement until the proof-of-concept stage is passed and production begins, by which time security flaws may surface), and where, and on whom–the participants and/or the underlying technology provider–to lay accountability and liability when a blockchain network fails.
Digital Transformation: Balancing digital trust and cyber risk
O’Leary of Palo Alto Networks began his session by offering some insights on the day’s prevalent attitudes and approaches to information security and digital trust, and ideas on how to look at digital transformation and its impact on the overall performance and future of organisations. Security concerns are a major inhibiting factor to digital transformation efforts, and enterprises need to set in place a digital trust framework that not only focuses on cyberattack prevention but also enables them to respond to adverse events and address their impact sufficiently well, he said. Digital trust is a huge responsibility for IT to hold, he added, because security and trust are attributes of a business and have a direct impact on the branding, reputation and overall performance of the organisation.
To get the audience thinking about the importance of digital trust, O’Leary presented a chart illustrating the standing of different types of businesses and entities among Chief Information Security Officers (CISOs) in the US and Asia-Pacific, excluding Japan (referencing the IDC Digital Trust Index), that indicated an overall lack of trust in most market segments. He then offered up a chart of CISOs’ top objectives (also based on IDC numbers) in which ‘Digital Trust’ ranks among the lowest in priority.
“What are we focusing on here?” O’Leary asked rhetorically. “It’s almost as if in our heads we are just ticking some boxes: it’s very important that we comply with regulations, it’s very important that I secure things to the nth degree…because–if we go back to the previous slide–I don’t trust anybody.” That attitude and resulting approach “actually pulls back digital transformation efforts, making us less likely to try something different and more likely to just play catch up, keep pace with our competitors,” he added.
Moving on, O’Leary quickly took the audience through what digital transformation truly means–enabling enterprises to use new technologies to innovate at an accelerated pace, serve customers better, drive business growth and slash costs–and what it requires: substantial changes in not just the people, processes and technologies but also the culture of each organisation. He then briefly described the role that the Cloud and artificial intelligence can play in enabling digital transformation efforts and elaborated on McKinsey’s three categories of digital transformation activity: Foundations, Core and New Frontiers.
Rounding off his presentation, he asked the delegates to: define what digital transformation is in their context, identify their greatest areas of risk, and work out an approach to protecting their digital assets.
The highlight response from the delegates came from Rama’s table, which expressed apprehension about the role of the CIO due to the changes brought on by the forces of digital transformation within organisations today. “What used to be the traditional role of the CIO is slowly diminishing,” with the rise in importance of specialist roles such as Chief Information Security Officers and Chief Data Officers, said Rama. “And with that, budget allocation is also shifting. Some of the digital-related budgets are now with the business units, rather than just with the CIOs. That will have an impact on the kind of data being collected and also on issues of accountability. When there is misuse of data, who is going to be responsible for it, ultimately?”