The financial sector in Asia is evolving rapidly, amidst strong challenges from cyber-threats and a global pandemic.
As cyber-attacks continue to increase in severity and frequency, how is the situation impacting digitalization across the financial sector?
This, together with the rapid changes required in response to the COVID-19 pandemic, is changing the role of CISOs.
Meanwhile, the Monetary Authority of Singapore recently announced revisions to the Technology Risk Management Guidelines to enforce stronger risk mitigation for financial institutions (FIs) in Singapore. How timely is this move and what will it hold for the future of FIs in Singapore and the region?
CybersecAsia discussed these questions and more with Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black.
There has been much discussion about the changing roles of CIOs – and now CISOs – in organizations as we embrace the digital economy. How do you see CISOs playing a bigger role in spearheading businesses?
Kellermann: The importance of security has been steadily increasing in recent years, but with COVID-19, IT security has only become even more of a business imperative. Over the last year, we have seen an emergence of more destructive attacks, including island-hopping – which involves a bad actor compromising a third party to gain access to the supply chain of an organization.
Island-hopping attacks should be a wake-up call for CIOs, because they need to realize now that the digital transformation efforts they have been pioneering and accelerating can and will be used to attack their customers.
The board needs to recognize now that the infrastructure of an organization will be hijacked to attack its customers – it is the inevitable dark side of digital transformation. The more prominent the brand, the higher the likelihood.
Cybersecurity governance must be improved, and this starts with elevating the CISOs’ role in boardrooms. Once beholden to CIOs and often seen as operating below the usual C-Suite, CSOs and CISOs have truly come into their own as executives with real decision-making responsibilities. This includes budget allocation and even in some cases veto power over CIO decisions that might pose serious challenges or risks to security.
What should be top-of-mind for corporate boards of financial institutions in 2021? Would adopting a defensive mindset be a necessity, and why is that important today?
Kellermann: Cybercriminals are evolving in both attack sophistication and organization. The financial sector is the most secure industry in the world, but it is also being targeted by cybercriminals and nation-states. Financial institutions must pay close attention to how they respond to these threat actors and what their ultimate goal is — hijacking digital transformation efforts via various tactics, including island-hopping.
Cybersecurity is now a brand protection imperative. The trust and confidence in the safety and soundness of your institution will depend on it. Boards should strengthen corporate governance by promoting the CISO and empowering him or her with greater authority, a separate budget, and a larger team. In addition, weekly threat hunting must be conducted, and the Board should be briefed on these hunts on a monthly basis.
How should public and private sectors work together to defend against increasingly sophisticated cyber-attacks?
Kellermann: Knowledge sharing is one of the key ways that public and private sectors can collaborate to strengthen defences against threat actors. There is no doubt that threats are increasing and evolving in sophistication. Sharing knowledge and expertise on these threats can help sectors collaborate and build better defences. We all face a common adversary in cyber attackers and need to harness a united front to overcome vulnerabilities.
Public sectors should also lead private sectors by example, by setting guidelines and enforcing regulations that encourage stronger cybersecurity postures. Singapore, for instance, has made great strides in this area. Last year, the government launched its Safe Cyberspace Masterplan that builds on an earlier cybersecurity strategy.
The government’s approach to cybersecurity can help to provide guidance for the private sectors when businesses develop their own security strategies and frameworks.
How would the Monetary Authority of Singapore’s latest regulations shape the future of cybersecurity for FIs in Singapore? Regionally, how could financial organizations prepare for this future?
Kellermann: The revisions to MAS’ technology risk management guidelines address a highly destructive and growing challenge – island-hopping attacks. Singapore is the financial hub of Asia, and threat actors follow the money. While the industry continues to accelerate its digital transformation, it is also important to address the growing reliance on third-party service providers and the security required to ensure system resilience and maintain data confidentiality.
For many years, organizations have been cobbling together their security. Whether it was for perimeter defence or compliance, businesses have purchased and failed to integrate products, many of which required humans to monitor and manage.
Today’s threat landscape requires security to take on more responsibility and operate in a strategic way. Security teams must be working in tandem with business leaders to shift the balance of power from attackers to defenders.
Collaborating with IT teams will be critical, as businesses will need to work to remove the complexity that is weighing down the current model.
Building security intrinsically into the fabric of the enterprise – across applications, clouds, and devices – can help teams significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.