Role of Leadership in Mitigating Cybersecurity Risks

Frankie Shuai, Director, Cyber & Technology Risk, Singapore and ANZ, UBS (UBSG: SWX)

Frankie Shuai, Director, Cyber & Technology Risk, Singapore and ANZ, UBS (UBSG: SWX)

Frankie Shuai is the Director of Cyber & Technology Risk at UBS, one of the world’s largest private bank. Based in Singapore, Shuai has over two decades of leadership experience in banking and IT sectors. He is a digital transformation and innovation specialist, with several patents regarding next-gen wiresless networking filed at U.S.A patent office.

1. What is your approach to keeping the plans you created and implemented aligned with the market changes?

The list of challenges or changes for the cyber security leaders is getting longer year by year, just name a few in the past 2 years during pandemic and then share some approaches how to deal with them.

Firstly, there’s increased attack surface exposure when the system & data are moving to the cloud, when the employees are connecting to the corporate network at any time, at any place, by using any device, and when there are more connections & dependency on the partners & suppliers in the whole product or service ecosystem.

Secondly, there’re more sophisticated cyber-attacks in the form of phishing, malware, ransomware, etc. Don’t forget when we are on the digital transformation journey, those cyber attackers are also on their digital transformation journey that they might also use Artificial Intelligence (AI) and/ or Machine Learning (ML) in their attack to steal the credentials , data and/or financial assets from us.

Last but not least, for the industries heavily regulated, like financial industry, regulators are also paying more attention to the cyber security, data privacy, operational resilience, etc. A cyber security leader, should also be an expert to understand clearly what are the expectations from regulators and what’s the impact on the cyber security framework and implementation in the organization.

To overcome all of above and other challenges in the list, there’s no one fit all solution in place. But some best practice could be thought of like getting management support, understanding the business, process and data criticality and then implementing risk based prevention and protection measures, rethinking the network access in the way of Zero Trust Network Access (ZTNA), raising the awareness of employee – don’t forget, everyone is a risk manager in the organization but not just those staff with the title “risk manager”.

2. Diverse leadership journey in information/cyber security, data analytics, risk and control, regulatory compliance.

I believe one of the most important characters of a great leader is to think from and contribute back to the professional community if possible.

As the industry association leader, I held the Vice President (VP) voluntary role of PMI (Project Management Institute) Singapore Chapter in 2020/21. It’s one of the largest international association’s local chapters in Singapore. My VP role was to make sure the PMI Singapore chapter could run for the best interest of 2000+ chapter members and promote the project management professional networking & growth across industries in Singapore. Among those 2000+ members, quite a lot are Cyber Security engineers, managers and executives. Cyber Security is the science, but also the arts. The essence of project management methodologies and best practice have been value added skillset to help those Cyber Security professionals further develop & grow themselves in their career journey.

3. What are your plan of action and how do you execute in this sector?

As the professional cyber security and technology risk leader in the industry, I like to learn and practice those common good examples observed in those great people, just name a few:

Firstly, good understanding of the business. We are not the leaders sitting in the black room alone to come out of the security policy from the sky and implement the security controls in the silo way. We should understand the organization’s business thoroughly from strategy to execution. We should also understand where and how the critical business assets and process are running. Thinking and talking like a business partner is the key to get the support from business side.

Secondly, forward thinking mindset. We should think how to enable the business progress in the safe and compliant way. Saying NO is easy, but that’s not the end of story. we should encourage our cyber security team to think whether could turn NO to Yes and if YES, then how to implement when they engage the business. Even there’s no one fit all solution in place, we should be able to prioritize the cyber threads to align with organization’s risk appetite, and then advice the relevant and appreciate controls.

A Cyber Security Leader, Should Also be an Expert to Understand Clearly What are the Xpectations From Regulators and What’s the Impact on the Cyber Security Framework and Implementation in the Organization

Thirdly, team builder and innovation catalyst. To maintain and grow the leading the cyber security team, we need to be a strong communicator and leader to hire, train and grow the staff in the team. We should also be able to promote the innovation culture within the team. Innovation here is the rocket science, but thinking out of the box and looking for the opportunity to optimize the operation of the cyber security in the organization.

4. What advances do you want to see in later years?

I’m fortunate to be able to work with a group of smart and hardworking global leaders and experts in the cyber security domain. As the team, we discuss and solve the real challenges in the ever changing threat landscape and the solutions we are implementing could also benefit and enable the business. All of these are my motivation and passion to be part of cybersecurity industry. I am glad to see more and more young talents would like to join this industry in the past few years and more might come to us in the future, that’s great! But when some of us are searching for the new talents, sometimes we might have paid too much attention on the past education, certification and experience of the candidates. But don’t forget, cyber security is the science, but also the arts. Passion and communication skillset are also important factors we should think when we are interviewing the candidates.