A Decryption of Cyber Security for Business and IT leaders

Frankie Shuai, Former Director of Cyber & Technology Risk, UBS

Frankie Shuai, Former Director of Cyber & Technology Risk, UBS

With two decades of experience in the field of information security and finance, Frankie Shuhai is seasoned digital transformation expert and an award-winning cyber security leader. He actively advocates the importance of bridging the gap between cyber security and business agenda at industry forums. Furthermore, Shuhai’s roles as the people-enabler and innovation catalyst, during his leadership tenure in corporate giants like UBS, Citibank, and Microsoft, garnered him a spot among the Global 100 leaders in InfoSec.

1. Are they any major challenges and trends in the cyber security area you would like to share?

The cyber security landscape has evolved significantly in the past few years. When digital transformation became the mainstream across industries, cyber security has also become a critical agenda topic even in the board room discussion. Let me name a few challenges we have seen so far across the industries: -

Firstly, attack surface exposure increases when we move the system and data to the cloud. It also increases when our employees are connecting to the corporate network at any place by using any device, and when there are more connections and dependency on the third-party partners and suppliers in the whole product or service ecosystem.

Secondly, cyber-attacks have become sophisticated in the form of phishing, malware, ransomware, etc. Don’t forget when we are on the digital transformation journey, those cyber attackers are also on their digital transformation journey. Many years ago, they might have had people manually draft and send you phishing emails to conduct the social engineering attack. Nowadays, they might even use Artificial Intelligence to generate sophisticated and tailed phishing emails to you, otherwise known as spear phishing.

Last but not least, for the industries heavily regulated, like the financial industry, regulators are also paying more attention to cyber security, data privacy, operational resilience, and so on. A good cyber security leader should also be an expert to understand clearly what are the expectations from regulators, what’s the cyber security risk appetite in the organization, and what cyber security advice could bring to the business to enable business growth in a compliant manner.

2. What keeps you up at night when it comes to some of the major predicaments in Cyber Security?

Cyber-attack is no longer a matter of whether but a matter of when. So when a real cyber-attack happens - What’s next? Do we have plan B? What are the critical processes and critical assets impacted that we have to prioritize and recover from the attack first? What are the key stakeholders we have to engage and notify?

The list of these questions is growing and keeping us up at night. But as cyber security leaders, we have to prepare them, not randomly but based on the protocol we have well-defined, trained, and exercised.

3. What are the important factors that could help make the cyber security initiative successful?

There might be many success factors, but in many organizations across industries, there are two common baseline factors to make a project a success, that is people and culture. People are the most valuable asset and culture is the best oil of the organization. When the two of them come together, the united power is amplified to enable business growth in a safe and sound manner. I am fortunate to be able to work with a lot of smart and great leaders and experts in the cybersecurity domain so far. One great characteristic about them is promoting strong and positive people connection and inclusive culture. They are able to understand the organization’s business thoroughly from strategy to execution, and where and how critical business assets and processes are running. Thinking and talking like a business partner is key to getting support from the business side for cyber security professionals. It is about connecting people in an inclusive way so that the cyber security risk could be well articulated in the business world. We could use the cyber threat landscape, data analytics, and risk appetite as the elements to tell a story that can be understood and adopted. Remember, talking in jargon could only be understood within our limited cyber security teams, but not the wider business partner teams. People need to be connected and included and after that, the project run by people could be successful.

4. Is there anything that would make you excited about the future of the Cyber Security space?

There are enough talks in the industry about technological trends like cloud computing, artificial intelligence, machine learning, etc. I will not repeat these buzzwords here but would like to share that quantum computing is one of the emerging technologies I would encourage you to take a look at. Quantum computing might disrupt the foundation of today’s data encryption/protection algorithm we have relied on heavily for many years in the cyber security world.

As Cybersecurity Practitioners, We Should Keep an Eye Closely on Disruptive Technologies; See How They will Impact us, and Learn How to Leverage any Possible Emerging Solution

In 2019, Google announced that its Sycamore quantum computer had completed a task in 200 seconds that would take a conventional computer 10,000 years. If the commercialization and mass production of quantum computing arrives in the long run, today’s encrypt key might be not able to claim to secure anymore. As cybersecurity practitioners, we should keep an eye closely on these disruptive technologies, see how they will impact us and if any emerging solutions coming up, how we could leverage them.

5. Cyber Security leaders in the enterprise not only need hard skills on the technical expertise and knowledge, but also soft skills like aligning with business priority, communicating well with non-tech stakeholders, etc. Are there any other soft skills cyber security leaders could consider improving?

I totally agree here. I will share an example. The skill is too common that people might overlook, but it’s very important for all the stakeholders’ ¬– it is the same language. Sometimes, people might assume something for granted and it will cause confusion if not everyone is on the same page even if they are on the same topic. Let me share one real-life example of the importance of having the same language - it’s the stock exchange’s stock price color code. In the US, Europe, and Singapore, we know the green color means the stock price is up and the red color means the stock price is down. But if you go to exchanges in China, Taiwan, and Japan, you will find that they follow the other way. For them, red color means the stock price is up and green color means it is going down. And if you go to Korea’s exchange, you will find that red color means going up but blue color means going down. So the same color might have completely opposite meanings in different countries. So let’s use the same language with the same meaning to avoid confusion.