CII, Supply Chain Risk, and Zero Trust

It's not often that you get to sit down with a renowned CISO one-to-one for 45 minutes and just take in all the knowledge and wisdom he has to impart. This week, we had a chance to sit down with Steven Sim, one of Singapore's most renowned and decorated CISOs, to get his advice and insights on a variety of contemporary cybersecurity topics, including Critical Information Infrastructure (CII), supply chain risk, and Zero Trust.

Tune in to this episode of Ask A CISO to hear:

  • How Steven manages to do all that he does with the same 24 hours we have
  • What is CII and how to address Supply Chain risks?
  • What are two important cybersecurity considerations that need to be included in vendor tenders and contracts?
  • Stakeholder management and establishing trust
  • SMEs and Zero Trust
  • The cybersecurity talent gap and retaining talent
  • The importance of joining ecosystem initiatives
  • Great advice all around

About The Guest: Steven Sim

Steven Sim is Global CISO at a large global logistics MNC, President of the ISACA Singapore Chapter, and Chair of the Executive Committee at OT-ISAC Singapore.

Steven has more than 24 years of experience in the cybersecurity field with large end-user enterprises and critical infrastructures. He has driven security governance and management initiatives and headed incident response, security architecture, technology, and operations at local, regional, and global levels.

Outside of his professional work, Steven is a mentor with the ISACA Mentorship program, a CRISC Review Manual Subject Matter Expert Reviewer, and an ISACA Engage Topic Leader for Risk Management. He also lectures on an adjunct basis at the National University of Singapore Institute of System Sciences, is a regular speaker at both international and local conferences, is the author of published articles, undertakes industry advisory roles, and provides vCISO mentorship to SMEs and start-ups.

Steven has been recognized by the industry and his peers for his work. He topped the inaugural IDG CSO30 ASEAN Awards 2021, received the ISACA Outstanding Chapter Leader Achievement Award 2022 and the 2022 Global Cybersecurity Leadership Award (Editor's Choice) from CXOTV, is listed among Peerlyst's 29 Highly Influential CISOs, is a Singapore SkillsFuture Fellow, and was a Professional (Leaders) finalist in The Cybersecurity Awards 2018.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Mark

Welcome once again to the Ask A CISO podcast with Horangi Cyber Security, helping you navigate the rough waters of cybersecurity and get your ship to where it needs to go.

I'm Mark Fuentes, the Director of Cyber Operations here at Horangi Cyber Security, sitting in for the bossman Paul Hadjy. And today I have a really, really interesting guest with us. Someone who's quite active, as our other guests are, maybe even more so than our other guests, in the cybersecurity community and the SME and startup communities as well.

Today I have Steven Sim. He's a global CISO at a large global logistics MNC. He's President of the Singapore chapter of ISACA. He's also Chair of the executive committee at OT-ISAC here in Singapore. He has over 24 years of experience in the cybersecurity field in large enterprises and critical infrastructure, doing governance and management work in large operations at local, regional, and global levels. He's led and participated in many programs and initiatives at ISACA, such as mentorship programs. He's also the subject matter expert reviewer for the CRISC Review Manual. He's also the Engage Topic Leader for risk management at ISACA. He's an adjunct lecturer at NUS Institute of System Sciences, and on top of that, he's authored many articles on the subjects of cybersecurity and risk management, and he takes on many advisory roles throughout the SME and startup scene.

Having done all of that, of course, he's been showered with many awards and many honors. Among those, last year, he was at the top of the list for the IDG CSO30 ASEAN Awards. He also received the ISACA Outstanding Chapter Leader Achievement Award this year. This year he also received the Global Cybersecurity Leadership Award, the Editor's Choice by CXOTV. He's also listed in Peerlyst's 29 Highly Influential CISOs and is a Singapore SkillsFuture Fellow and Professional (Leaders) Finalist in the 2018 Cybersecurity Awards.

It's a mouthful. There's a lot going on so we're really excited to have him.

Welcome, welcome, Steven. How are you?

Steven

Yep. I'm fine. Thanks for having me. Looking forward to the conversation with you, Mark.

Mark

Super honored and excited to have you on, so let's just dive into it.

With all of the stuff that you got going on, I mean you've got a lot of these responsibilities, how do you keep it all in order?

Steven

Yeah. A lot of the volunteering work needs time. I use the time after office hours, during lunch hours, like what we are doing now, weekends, midnights, and early mornings as well. It helps also to be working with a supportive company, because working closely with the ecosystem itself brings value back to my company, right, the enterprise that I am serving. It helps to test out and provide better clarity to the approaches that I have in mind, some of the thoughts that I have, and gives me also supporting evidence to implement and deploy strategies and approaches that are designed for my company's best benefit.

Mark

I mean, I noticed you didn't mention sleep in there. So that's probably something that's a little bit lacking, right?

Steven

I don't sleep a lot, typically. I mean, many of the folks I know also sleep about four to five hours, some almost six hours.

Yeah. I'm getting older. As I age, I sleep less.

Mark

I'm noticing that as well as I age as well. And you know, I had a mentor that told me, Hey, we signed up for cybersecurity. That means we didn't sign up for much sleep. So yeah, definitely feeling it on this side as well. I wanted to bring the conversation over into CII.

As many of our listeners do already know CII stands for Critical Information Infrastructure, and that's, you know, it's a big deal in cybersecurity, but you know, for a lot of our viewers who just know the surface level about CII, what's actually the deep down, the meat?

What do people misunderstand and don't understand about CII?

Steven

Well, CII, like what you actually pointed out, is Critical Information Infrastructure that's used to support critical infrastructure, and really refers to the whole digital infrastructure and cyber-physical infrastructure that supports the critical services, right? So it often focuses on services that are essential to a nation or a city. And the sectors may vary from nation to nation depending on the risk appetite.

You cannot run away from utilities, power, water, and transport; those are the underbellies of a thriving ecosystem. What folks typically tend to miss out is that CIIs are often supported by their supply chain, and the supply chain itself, even though they are not classified as CIIs, they are equally important because of the dependencies. And we have already seen what has happened over the last couple of years, right? Supply chain-related attacks, whether it's SolarWinds and so forth or Log4j.

Therefore the focus has to go beyond the CII itself, but also the surrounding ecosystem of hardware providers, software providers, as well as service providers, including Cloud Service Providers.

Mark

So when you talk about, yeah, this is a big thing. Everyone's been dealing with, you know, everyone had to deal with Log4j. SolarWinds was huge. As you know, since we who work at this end of the supply chain, we're the end users, right?

What would you say to the rest of us? Like what can we do about addressing supply chain risk?

Steven

Well, there's a lot that can be said and done. One of the recent articles that I have read made mention that in the U.S., despite the fact that SBOM (Software Bill of Materials) has been mandated since early last year, that didn't actually help in the case of Log4j. So I think there's still a fair bit of ironing out the kinks along the way, and definitely public-private partnership is essential to come up with more palatable, pragmatic, and effective controls that really address supply chain attacks, right?

So, there's a lot of things going on in this space. The governments are coming out with more regulations, whether it's the U.S. or the UK, even in Singapore itself, we are having a licensing scheme for penetration testing service providers as well as Managed SOC Service Providers. So that's just the beginning, right?

So, over time, there's going to be more and more scrutiny and leveling up of the supply chain itself. I was sharing about the Singapore regulations. We also have the cybersecurity labeling scheme, right, for IoT devices. As we move towards Supply Chain 4.0, that is, supply chain on top of Industry 4.0, we use a lot more cloud, a lot more industrial Internet of Things, sensors, and so forth. So it becomes very important to make sure that much of this equipment is at least secure-by-design upfront, right?

And with the eroding perimeters, with what COVID has shown us, the fact is that Zero Trust and ... has to be put in place, right? To be able to manage the increased attack surface while keeping the business going, because businesses really need to stay ahead of their competitors through digital transformation and whatever or everything or anything 4.0, right?

And it's inevitable that attack surfaces will increase alongside the growing adoption of, say, IT/OT convergence, OT, and cloud. And so when we look at risk itself, we have to look at it in totality. There is no hundred percent security. If you ask any of the cybersecurity professionals out there, they will tell you that as a fact. So it is about optimizing risk for businesses. As a business, we need to take risks. The only way to be a hundred percent secure is not to run a business, right?

Mark

That's right. So we used to say the only way to, the only way to really achieve total security is to turn it off, right? It brings to mind something as you talk about it, you know, every year we get new buzzwords, there's new, hot and interesting subject matter, and, as we all know, it changes the attack surface, right?

But what I've come to realize as we move on is, you know, as ... For as long as Horangi's been around and we've been around since 2016, we're quite young. We've always assumed the stance that you're just gonna have to assume that a breach will happen, right? So we focus more on fast response and fast recovery, right, which was the buzzword back then, right?

Resilience. Resilience was the buzzword, and then we've gotten all these new, you know, IT/OT convergence, all this other stuff that changes the attack surface, but from my perspective, it hasn't changed the game. The game is still resilience and like you said, we can't anticipate all the risks and the changes in risk to the supply chain, but we have to add supply chain risks to our BCP. We have to add it to our IR exercises. We have to practice and see, okay, once we understand, once we get notification of a supply chain risk or something that's within our systems, how do we respond?

How do we recover from that? Cause it's all about resilience. It's all about maintain ... like you said, running the business while having to deal with the supply chain risk, changing attack surface, attacks as well, so ...

Steven

I think we really have to step through the whole NIST pillars. Yes, there's a lot of focus on detect, respond, and recovery as we focus a lot more on assume breach. In fact, some folks have actually forgotten that assume breach is actually part of Zero Trust. So we don't trust even our own networks. We don't trust our suppliers. So we are assuming that they are breached, and assuming breach means that we need to constantly perform Compromise Assessments, continuous threat hunting, relying on threat intelligence, and being able to sift out any likelihood of attacks that, especially those sophisticated attacks that have a long dwell time, be able to contain them fast, detect fast, contain fast, and not to mention resilience, like what you have fully pointed out.

Resilience has always been the most important piece because if a breach is inevitable, it is about the business being resilient, being able to recover through its business continuity plan. So that resilience part has to be by design, right?

Mark

Yeah.

Steven

But having said that, the initial parts, the shift-left approach is still important, even for supply chain attacks.

Mark

100%.

Steven

Yeah. So beyond SOC 2 reports that you attest your vendors with and so forth, right? You want to look also at some key aspects. Two outstanding ones that I feel are very important to me are the disclosure of vulnerabilities, as well as the time to breach notification.

So the first one, the disclosure of vulnerabilities. I mean, we have seen supply chain attacks that went sour because the vendor itself hadn't disclosed the zero-day vulnerabilities. They only disclosed it when the patch was up.

Mark

Yeah.

Steven

By then it was too late, so quite a number of telcos were actually breached a couple of years back because of that supply chain attack. So the need for the vendors to report vulnerabilities as they are identified and being able to share compensating controls is very important for the consumer and enterprise to be able to make that well-informed decision on what to do with it, assess the risk. Do you want to draw a breach or what?

So that's the first point. The second point is on breach notification. How fast the vendor tells you that there is a breach in their environment also provides you with that capability of detect fast respond fast. Right?

Mark

That's right.

Steven

You may want to disconnect, you wanna assess whether the vendor has everything under control. You wanna assess whether you need to disconnect your network completely from the vendor for the time being and mitigate lateral movement into your own networks.

Mark

Yeah.

Steven

So those two metrics and requirements, they are important to be added to the terms and conditions that you list out alongside your tender specifications during your tendering process, and put them in the contracts.

Mark

That's huge, and that's something, you know, we, you know, we always have these cybersecurity conversations. Never do we really touch on third-party, third-party risk contracts, procurement, right? The type of cybersecurity requirements we need to be putting into our contracts. I think those out there listening, you guys should be taking notes on that.

That's a big, big piece that often gets overlooked because a lot of times what I see in a lot of my organizations is there's kind of a brick wall between your legal and your procurement teams and your security teams. So, at very minimum, you know, the security team will demand that there are certain clauses in the contracts, but past that we don't see much collaboration between those two silos, actually.

Steven

Yeah, I think a big part of a successful cybersecurity program and a successful cybersecurity organization or digital security organization is in stakeholder management.

Mark

Yes. Yes.

Steven

Many of the CISOs they have risen up the ranks from the technical side of things, whether they were ... they'd have been a firewall administrator or incident responder, they'd have worked their way up the ranks. And as they step up the career ladder, it becomes very important for them to be able to speak that business lingo and to be able to manage stakeholders, work with them not against them, always cultivating the notion that cybersecurity is a business differentiator.

Mark

That's right.

Steven

Not just an enabler. Differentiator.

If you are having products, you can be better than a competitor because you have better security in place, which is one of the reasons why ISACA has focused a lot on digital trust in recent times. They came up with a paper on digital trust itself.

Mark

Yep.

Steven

How do you establish trust with your consumers, with your customers, and how you establish trust post-incident is very important.

Mark

Quite important. And that's something and like you said, it's something because a lot of us in the cybersecurity field are highly technical, came up from technical backgrounds, a lot of us have a hard time learning that people piece because we always thought we were just gonna sit here in our technology domain, but that's not the case, right?

We have to learn about people and processes as well, so right.

Steven

Definitely, technologies and so forth. Like for instance, we talk about Zero Trust where we talk about how malware spreads. We can use COVID, seeing how COVID has spread, and explain Zero Trust in the form of wearing masks, or using segregation, segregating folks into quarantine rooms. These are all micro-segmentation and so forth, reducing the blast radius, the attack surface, and things like that. Yeah. Use terms that they understand.

So like I shared earlier, resilience is coming back, the same old same old, but that stepping up game is the only constant, right? I mean, it's always a cat and mouse game, right?

Mark

Yeah. There's always escalation, right?

Steven

Yeah. Right, right. So when automobiles were invented, nowadays we, I mean, this is a common analogy that many cybersecurity folks would use: driving your car to work. None of us give it a lot of thought, right? We actually understand the risk, but with the maturity of the controls that are put in place, putting on the seatbelt has become second nature. Having the ABS and all those, those are security by design.

Mark

Right, right.

Steven

That actually helps the car to move faster, and by the same token, the business is able to move more agilely with cybersecurity put in place. And with autonomous vehicles coming on stream and so forth, there are new challenges, and over time the controls will mature accordingly.

So similarly, supply chain risks are a pain right now but over time I believe we'll reach a stable state to be able to ...

Mark

It'll become second nature to our users. Okay.

Steven

That's right.

Mark

All right. Yeah. Well, actually that, a couple times you mentioned and it brought a question to my mind. A couple times you mentioned Zero Trust, right? Zero Trust architecture, Zero Trust, and everyone knows the word and it's a really cool buzzword but in my opinion, a large number of players in the industry are actually not yet mature in their Zero Trust journey.

What have you seen in your part of ISACA? You see many startups, SMEs, you see many enterprises. Do you see a lot of people who really have a good grasp of Zero Trust and are implementing it well in their organizations, or do you see them more at the lower maturity levels, or ... what are you seeing?

Steven

Yeah, I think you're spot on. Zero Trust really means different things to different people. Vendors are speaking about how their products have been able to help enterprises deploy Zero Trust easily and effectively. I see Zero Trust with different levels of maturity, and most important and foremost is the mindset and the principle behind Zero Trust, right?

You always want to verify your accessors, the applications, the users, right? The services, and also look at that assume breach part of what I shared earlier that's often overlooked is that assume breach portion. So I see companies and enterprises at varying levels of maturity, some have bought into that principle.

Yes, because the buzzword is there, so the Board is asking about it and the management will have to convey the message that, yes, the company is deploying Zero Trust, but no enterprise that I'm aware of have said that they are fully mature in their Zero Trust journey. They have ZTNA, Zero Trust Network Architecture deployed everywhere, and so forth, right?

So it is a journey that takes time and it all starts off with that mindset and that mindset also cuts across not just cybersecurity professionals, but also the end users, the Board, everybody else on what it really means to the enterprise itself. What it really means when you connect to your supply chain? Why do you need to deploy ...

Why do you need to subscribe to threat intelligence?

Mark

Right.

Steven

Deploy threat hunting. Why do you need to perform proper teaming exercises? Right.

All these are actually encapsulated in the whole Zero Trust phase.

Mark

It's just so many, there's so many moving parts and there's so many components to it, and they're constantly evolving over time. It's just so hard for me to see that anybody who's really doing it at that optimizing level, you know?

Steven

Right. But it doesn't need to be very difficult, right?

So for small and medium enterprises, you do not need to replace or refresh all your switches and look at software-defined networking, micro-segmentation, and so forth. A simple approach could be simply to deploy Windows Defender, which used to be called the Windows

Mark

Firewall. It's been a while, but yeah. Yeah.

Steven

Defender and many other names before that as well. So, deploying that will actually limit the blast radius. So if you look at the attacks that have occurred previously, wiper worms like NotPetya. It took just 7 minutes to encrypt 45,000 PCs and 4,000 servers in one specific company.

That's fast, right?

Mark

Yeah. But why did that happen? It is using SMB, Windows SMB messaging to spread laterally. So if different systems have no business to talk to one another, even in an OT environment, the human-machine interfaces of one machinery may not require communications with another human-machine interface of another machinery, and they are often running on Windows.

And insecure-by-design, legacy Windows machines there of an earlier version, Windows 7, Windows 8, and so on.

Mark

Yep.

Steven

So the way to protect these systems, you apply the concept of Zero Trust, you limit the access to them. You shield these vulnerable HMIs that often you cannot patch as fast as you want, because those patches will need certification by the OT vendors, and OT vendors will take a long time.

Why?

Yeah, because they wanna make sure that it doesn't cause safety issues.

Mark

Right.

Steven

Because when you talk about OT security, safety and availability are always the top two priorities, and as a result, you need to shield off the insecure equipment with secure jump hosts, and you would also want to limit the communications between this machinery and other machineries. So in the event you have, touch wood, a ransomware or wiperware attack on one machine, the ability for that attack to laterally move to another machine is greatly mitigated, because you already limit the blast radius, whether through Windows firewalls, or through port security and things like that.

It, it doesn't mean that you need to go all the way out to purchase sophisticated solutions, right?

Mark

You just need ... You just need smart controls, right? It doesn't necessarily need to be expensive. It doesn't need to be sophisticated. They just need to do the job, and I think that's another thing that we overlook a lot. A lot of practitioners, they throw money at the problem or they think the new cool tool is a thing, but they lose sight of the actual objective of what they're trying to do. This thing needs to operate and it needs to operate securely.
Sometimes your control could just be time. Maybe it only needs access two or three times a week. Maybe you can turn it off for the rest of the week and then make the attack surface smaller. Maybe, like you said, minimize it to the things that only need access to it; that certainly shrinks that attack surface. You don't need to particularly buy SDN or whatever for that one piece, right?

Steven

Yeah. A lot of the issues are not with technology itself. It's actually with the people, the mindset, and process, right. I mean, a lot of technologies I've seen implemented in many organizations, they are not fully utilized because of ... a simple example: I mean, I have known of firewalls, IPS that are top-notch, right? The rule is any-any accept, right? The rule is so actually, yeah,

Mark

It's just a pass-through, right?

Steven

Yeah, that's right. And it is really about that conversation and the ability to take ownership, right? Who is to set the rules? If nobody wants to set rules, even for threat hunting, you need to set rules to correlate, to be able to put different metrics and telemetry of different confidence levels, put together and make a decision when do you want to trigger an automated containment such as from a SOAR, right? Security Orchestration, Automation, and Response system, like and so forth, right?

Somebody must take ownership. If nobody takes ownership, it becomes a white elephant.

Mark

Yes.

Steven

You have the technology, but it's not effectively in use.

Mark

And this happens a lot.

Steven

Yeah.

Mark

We see in a lot of organizations that people have stacks and stacks of technology that are a white elephant, like you said. I've never actually heard anyone mention it that way, but yes, it becomes this, I call it a hot potato, right? Everyone passes it around. Nobody wants to hold onto it, but yes, this is a big thing in these large organizations, and I think that it speaks a lot to the cybersecurity talent gap as well. There are a lot of people that just don't have confidence in their ability to manage these things, and that's why these things, or maybe there really just isn't anybody in the organization that can sit there and write an entire ACL, or 12 of them for different subnets and stuff like that, right?

There's just this big gap of talent. How do you see that affecting the organizations that you work with?

Steven

Yeah, so talent is multifaceted. It comes whether you are talking about the qualifications or the experience. I'll talk about the latter first. So in terms of experience, I think it's very important to be aware of and participate in ecosystem initiatives.

So that's the reason why I joined the ISACA Singapore chapter Board eight, nine years ago. And prior to that, I'd been a member of ISACA for 19 years.

Mark

Oh, wow.

Steven

Yeah. Years already. Because you can share best practices, where I know what works and what doesn't, and there are Chapter house rules. And it's not just ISACA. For OT-ISAC, it's an Information Sharing and Analysis Center. In fact, any ISAC out there would have a safe harbor protocol that facilitates the sharing of best practices safely, non-attributably, as well as the sharing of incidents and what you have learned from incidents, again in a non-attributable manner, and everybody can learn from that.

And that is the way the cybersecurity industry is looking at right now, the ability to ...

Mark

Share knowledge.

Steven

Yeah. And we use these terms called defend forward, beyond assume breach is defend forward as well as hunt forward. And what it means is to tip the scales of asymmetry. We always say the hackers just need to find one hole in the fence.

Mark

Yep.

Steven

Whereas we have to make sure everything is secure and whatnot, so we are on the losing end. But we have to consider the fact that the hackers, they have to design and come out with tools and tactics, right? Every time they come out with a new tactic, every time they come out with a new technique, they attack a specific enterprise.

If that enterprise is part of the community and shares this tactic and technique with the rest of the ecosystem, what happens is, through the ISAC, everybody levels up their protection capability against that specific tactic and technique, and what results is that this specific attack and technique is rendered useless against anyone else in the world.

Mark

Yep.

Steven

And therefore the attacker will have to come up with another new technique or tactic. And that's precisely the notion of, partly the notion of defend forward as well as hunt forward, right?

Mark

Yep. It's kinda attacking their wallets, right? Because it becomes costly for them to keep going.

Steven

That's right. So that is on the experience part of things. In terms of qualifications, there's no lack of certifications out there, ISACA certifications, and there are also conversion programs. So for instance, at the ISACA Singapore chapter, we have a SheLeadsTech conversion program that helps convert even housewives, right? And give them opportunities and place them into internship programs with our partnering companies, to be able to learn as well as having the opportunity to intern and showcase their capabilities with an organization, of which they can potentially be a permanent employee in future.

So looking extensively into diversity becomes very important, and that diversity is not just focusing on gender. We are also increasingly exploring neurodiversity. There are excellent analysts out there with different backgrounds.

Beyond that, what COVID has taught us is also that you do not need a headcount to be physically present in all your premises to be able to work. So remote working has become a reality. For instance, I have colleagues who are working in Poland.

Mark

Yeah, same, not Poland, but I mean all over the world. We have colleagues all over the world. We've become a distributed workforce.

Steven

But having said that, retention is also important. It's not just about upskilling, cross-skilling, as well as training staff and finding sources of mass sourcing and outsourcing. It's also about the ability to retain staff. So, rotating staff so that they're not facing alert fatigue. If they are SOC analysts, you should try to rotate them to do other kinds of work, such as maybe becoming a red team, doing VAPT red-teaming exercises, right?

Mark

Yeah.

Steven

To make it interesting for them. And, and very importantly, one of the most important aspects of retaining staff is to ensure that your staff finds purpose in their role in the organization, so that through that purpose, they will not be swayed by another better pay somewhere else and pulled, just pulled them along ...

Mark

Because somebody always has more money, right? Like you can't really retain staff with money, but I think you're right. What they're looking for is purpose. They're looking for impact, right?

Steven

Yep.

Mark

They want to know that the fruits of their labor are going to something greater than themselves. And I think in the past, a lot of SOCs, MSSPs, a lot of these organizations that have a lot of these cybersecurity professionals, they did not really do that part well. And that's why there's ... there used to be, like when I started out in cybersecurity in the 2000s, it was unheard of for you to stay in one company for longer than two years. You would just jump, just to get a change of your day, get a raise. But nowadays we're starting to understand better that, you know what, if you can tell your teammates and your coworkers, like, look, this is what all of our work goes towards.

You know, because they used to say, okay, if I have a really good day and I do a lot of work, or I have a bad day and I do less work, it's the same day for me, it doesn't change. This is what adds to that fatigue. It adds to that feeling of not being fulfilled in your job, right?

Steven

Yeah. Indeed, culture is absolutely important.

Mark

A hundred percent.

Steven

Having that risk-based culture. And being able to have risk ownership driven top down, that's important. If nobody owns the risk, it becomes a very hard journey. Everybody pushing the, like what you mentioned earlier, hot potatoes, right? Everybody passing the hot potato and nobody wants to own it. So having that risk framework, or the right risk framework, in place is important. ISACA has a risk framework that talks about risk ownership, who is accountable, who is responsible at the various levels.

So when a RACI is clear, who is Responsible, Accountable, Consulted, Informed, and some of the enterprises, like my own, add an additional column called Support. It really helps to move things forward. You don't end up with meetings after meetings, just finger-pointing and deliberating who should be doing it a certain ...

Mark

Right. RACI is quite clear. Like there's no passing or finger-pointing. It says right here in the matrix.

Steven

Right. And then you move beyond that and really reap benefits for the business and the ability to optimize risk, knowing that you are not here to overdo cybersecurity as well. You are here as a business enabler.

Mark

That's right.

Steven

As well as value for the business.

Mark

And that's another thing I like to tell my teammates, right? Our objective, our job here, is actually not to secure the organization. It's to make sure the organization meets its objectives securely, right?

Steven

Absolutely right. It is about meeting that risk appetite. I sometimes have to play the virtual CISO role for a number of SMEs, and one commonality I found from these discussions is that many times they don't have the enterprise risk register formulated.

Mark

I see the same thing.

Steven

That is the goal post that you have to set in place first.

Mark

Right.

Steven

And understanding the enterprise's risk appetite and tolerance would help the risk teams, the cyber teams, define the right level of controls to be able to meet that appetite. Meet that appetite, not overdo it, and also not do too little of it. Really, effectiveness is not about how secure you are. It's about your ability to align with the enterprise risk appetite.

Mark

That's, yeah, that's right.

And actually, I'll take it even further, because I do the same thing. I act as a virtual CISO for a lot of organizations. The risk register's missing, but not just that, the asset register is missing too. The asset management is missing, and also the data mapping is missing. So you don't know how your data flows through your organization. You don't know what your assets or what your crown jewels are at all. And then you don't even know what your risk is, but you want a pen test right now.

Like, you want a pen test? I think it's because a lot of people don't find that to be the cool stuff of cybersecurity. So they kind of just glaze over it and they go straight to, everyone wants to do a pen test. Everybody wants to do a red team.

Steven

You have to tell people that blue teams are sexy as well. Blue is a sexy color, not just red.

Mark

Yes. Blue is also sexy. You know? I see a lot of that as well, and you're right. You know, I've talked to a lot of folks just like yourself who are super experienced, seen a lot of organizations. You guys have seen it all, and it always comes back to doing the fundamentals right, right? Like I say often to my clients, you wanna rush out there and you wanna buy a pen test, a red team, you wanna buy a million-dollar firewall, but most of your cybersecurity can get done with a piece of paper and a pen.

What are my assets? What's my data? How does it flow, and what's the risk?

Steven

A lot of these things can be written down with a piece of paper and a pencil.

Steven

Yeah.

Mark

And you'll do most of your journey, your beginning journey there, actually.

Steven

Yes, you're absolutely right. I think being able to threat model and perform a business impact assessment upfront and determining where you are in that risk matrix is absolutely important, and how you manage that risk itself. It's always a risk conversation rather than a security conversation.

Mark

100%. 'Cause at the end of the day, all of us are actually just risk managers.

We're actually getting towards the end of our time. I had a lot of OT-ISAC questions and ISACA questions for you lined up, but I got kind of lost in the conversation. I think what this means is we've gotta have you on again, if you're down for it.

Steven

It's a great conversation.

Mark

I think there's a lot more we can talk about. We went everywhere from CII to, you know, to red teaming, to the skills gap, to everything. We've been across the board.

If there was one thing you want to leave all of our viewers and our listeners with today, what's the big message for you to let everyone know?

Steven

I would say, like what we have discussed in the last 10, 20 minutes or so, it's very important to look at a business from a business perspective. Think about the business from the ability to optimize the business risk, right?

Mark

Yeah.

Steven

And focus on the fundamentals, and it is not just about secure by design. Secure by design is good, but it gives the notion that it seems to be one-off, and we have seen how many of the Amazon cloud buckets became leaky and so forth.

Mark

Yeah.

Steven

Security is a continuous journey, so we need to look at security by deployment, as well as resilience by design.

Mark

Yes.

Steven

So, in the eventuality of a breach, the ability to bounce back up, being able to detect fast, contain fast and recover fast. So business continuity planning, based on your business impact assessment, having come up with the right business continuity plans, is absolutely important. And in the risk governance process, please do not look at cyber insurance as a panacea, right?

It has never been an ... insurance has always been very difficult.

Mark

Yeah.

Steven

You cannot rely on past incidents to determine what the premium is and so forth. It's a very volatile market. If there's anything to go by, the hackers have been interviewed, right? I think a gang has been interviewed and so forth, and they have shared that they'll target the clientele of insurance companies, some insurance companies.

Why?

Because payouts.

Mark

They pay!

Steven

Yeah. I remember when one of the big insurance companies decided not to pay because they feel that they are being seen as abetting terrorism, the hackers went after the insurance companies and ransomwared them. So ultimately, like what you have roughly put down, going back to those fundamentals, making sure you look at the NIST framework or any other framework such as COBIT, and step through that governance step by step, and look at elevating your maturity over time to meet that risk appetite.

Mark

Most definitely.

Steven Sim, ladies and gentlemen, just dropping the knowledge, guys. You should take all of that to heart. Those are all 100% on point.

It's been such a pleasure having you, Steven. We hope to have you again. If you'd be so gracious as to lend us some more time, we would love to have you.

Steven

Sure. That was a very enjoyable conversation. I look forward to having the next one with you.

Mark

Yeah. Awesome. That's great.

So yeah, for all of you out there, this has been another episode of Ask a CISO. We'll see you on the next one.

Mark Anthony Fuentes

Mark Fuentes has over a decade of experience in the cybersecurity field, highlighted by roles in organizations such as Verizon, the International Monetary Fund, and the United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cybercrime.
