Frankie Shuai, Former Director of Cyber & Technology Risk at UBS.
1. Are there any major challenges and trends in the Cyber Security area you would like to share?
Frankie: The cyber security landscape has evolved significantly in the past few years. As digital transformation becomes mainstream across industries, cyber security has also become a critical agenda topic, even in boardroom discussions. Let me name a few challenges we have seen so far across industries:
Firstly, attack surface exposure has increased as we move systems and data to the cloud, as our employees connect to the corporate network from any place using any device, and as there are more connections to and dependencies on third-party partners & suppliers in the whole product or service ecosystem.
Secondly, cyber-attacks have also become more sophisticated, in the form of phishing, malware, ransomware, etc. Don’t forget that while we are on the digital transformation journey, cyber attackers are also on their digital transformation journey. Many years ago, they might have had people manually draft and send you a phishing email to conduct a social engineering attack. Nowadays, they might even use Artificial Intelligence to generate a sophisticated and tailored phishing email for you; that’s spear phishing.
Last but not least, for heavily regulated industries, like the financial industry, regulators are also paying more attention to cyber security, data privacy, operational resilience, etc. A good cyber security leader should also be an expert who clearly understands what the regulators’ expectations are, what the organization’s cyber security risk appetite is, and what cyber security advice they could bring to the business to enable business growth in a compliant manner.
2. What keeps you up at night when it comes to some of the major predicaments in Cyber Security?
Frankie: A cyber-attack is no longer a matter of WHETHER, but a matter of WHEN. So when a real cyber-attack happens, what’s next? Do we have a plan B? What are the critical processes and critical assets impacted that we have to prioritize and recover from the attack first? Who are the key stakeholders we have to engage and notify? The list of these questions is growing and keeping us up at night. But as cyber security leaders, we have to prepare for them, not randomly but based on the protocol we have well defined, trained and exercised.
3. What are the important factors that could help make a cyber security initiative successful?
Frankie: There might be many success factors, but in many organizations across industries, there might be 2 common baseline factors that make a project succeed: PEOPLE and CULTURE. People are the most valuable asset and culture is the best oil of the organization. When the two of them come together, the united power will be amplified to enable business growth in a safe & sound manner. I’m fortunate to have been able to work with a lot of smart and great leaders and experts in the cybersecurity domain so far. One great characteristic of them is promoting strong & positive people connection and an inclusive culture. They are able to understand the organization’s business thoroughly, from strategy to execution. They understand where and how critical business assets and processes are running. Thinking and talking like a business partner is key for cyber security professionals to get support from the business side. It’s about connecting people in an inclusive way, so that cyber security risk can be well articulated in the business world. We could use the cyber threat landscape, data analytics, and risk appetite as the elements to tell a story that can be understood and adopted. Remember, talking in jargon could only be understood within our limited cyber security teams, but not by the wider business partner teams. People need to be connected and included, and after that, the project run by people could be successful.
4. Is there anything that makes you excited for the future of the Cyber Security space?
Frankie: There’s enough talk in the industry about technological trends like cloud computing, Artificial Intelligence, Machine Learning, etc. I will not repeat these buzzwords here, but would like to share that Quantum computing is one of the emerging technologies I would encourage people to take a look at. Quantum computing might disrupt the foundation of today’s data encryption / protection algorithms, which we have relied on heavily for many years in the cyber security world.
In 2019, Google announced that its Sycamore quantum computer had completed a task in 200 seconds that would take a conventional computer 10,000 years. If the commercialization and mass production of quantum computing arrive in the long run, today’s encryption keys might not be able to claim to be secure any more. As cybersecurity practitioners, we should keep a close eye on these disruptive technologies, see how they will impact us and, if any emerging solutions come up, how we could leverage them.
5. Cyber Security leaders in the enterprise need not only hard skills in technical expertise and knowledge, but also soft skills like aligning with business priorities, communicating well with non-tech stakeholders, etc. Are there any other soft skills cyber security leaders could consider improving?
Frankie: Totally agree here. I’ll just share one thing as an example; it’s so common that people might overlook it, but it’s very important for all stakeholders: using the same language. Sometimes people might take something for granted, and it will cause confusion if not everyone is on the same page, even on the same topic. Let me share one real-life example of the same language: stock exchanges’ stock price color codes. In the US, Europe and Singapore, we know that green means the stock price is up and red means the stock price is down. But if you go to exchanges in China, Taiwan and Japan, you will find they follow the opposite convention: red means the stock price is up and green means it is going down. And if you go to Korea’s exchange, you will find that for them red means going up but blue means going down. So the same color might have completely opposite meanings in different countries. So let’s use the same language with the same meaning to avoid confusion.