Tune in to this episode of Ask A CISO to hear:
- What is e-Discovery?
- Cyber Risk Management and building trust in Web3, the Metaverse, and decentralized spaces like cryptocurrency and NFTs
- What drives and decides the value of cryptocurrencies and NFTs?
- What the misconceptions about cyber risk management are and how to correct these misconceptions
- What companies should do to ensure that their cyber risk management policies are enforced throughout their organization
- Between People, Technology, and Processes, which is the one that Michael thinks is most crucial to the success of enforcing the organization's cyber risk management?
- Advice on preparing your organization for cyberattacks
- The security challenges are real and the future can sometimes look bleak, but there are also bright spots too. What are some technologies Michael feels can help face the challenges head-on?
Michael Lew is the CEO at Rajah & Tann Technologies and Chairman of the Cyber Risk sub-committee of the Singapore Fintech Association. He is also a founding member of ASEAN Legaltech and was President of the High Technology Crime Investigation Association (HTCIA Singapore Chapter).
He has more than 20 years of extensive experience in technology and cyber risk management, digital forensics, e-discovery, financial crime, and, in recent years, blockchain investigations.
Michael is also a leading cyber forensics expert in Asia who provides expert testimonies in courts and thought leadership in various publications.
Just last year, Michael was named as one of 30 people to watch in Asia in the business of Law by Asia Law Portal. Michael is one of the pioneers in Southeast Asia who specializes in Blockchain & Digital Assets investigation and obtained CCI certification (Certified Cryptocurrency Investigator).
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Transcript
Paul
All right. Good afternoon, everyone, and welcome to the Ask A CISO podcast. I've got our esteemed guest with us today, Michael Lew.
He's the CEO at Rajah and Tann Technologies and Chairman of the Cyber Risk subcommittee of the Singapore FinTech Association where I also sit, under him. He's a founding member of the ASEAN Legaltech and was President of the High Technology Crime Investigation Association in Singapore, or HTCIA Singapore chapter.
He has more than 20 years of extensive experience in technology and cyber risk management, digital forensics, e-discovery, financial crime, and in recent years, blockchain investigations. Michael is also a leading cyber forensics expert in Asia. He provides expert testimonies in courts and thought leadership in various publications.
Just last year, Michael was named as one of the 30 people to watch in Asia in business law by Asia Law Portal. Michael is one of the pioneers in Southeast Asia who specializes in blockchain and digital assets investigation and obtained a CCI certification or a Certified CryptocurrencyCryptocurrency Investigator certification just recently.
So, congrats on that, Michael, and thanks for joining the podcast.
Michael
Yeah. Thanks, Paul. Thanks for the wonderful introduction.
Paul
Yeah, of course. So yeah, definitely, absolute pleasure to have you on our podcast and it was good to see you a couple of weeks back at the golf tournament.
Have we kind of sufficient, did I sufficiently cover your roles and accomplishments in the intro? Anything else that you wanna add about yourself or Rajah & Tann Tech?
Michael
No, it is well covered. Yeah. I just want to add that for this podcast, I like it to be more candid. So all the opinions that I express of my past experiences are my own.
Paul
Okay, cool. Yeah. Thanks for that note. So I guess, like talking about you more specifically, you're the co-author of a book called A Practical Guide To E-discovery In Asia. Can you tell us a bit more about the book and in particular, can you help inform our listeners as to what exactly is e-discovery and what is the role of e-discovery in general?
Michael
Sure. Not an issue.
So, e-discovery in fact is a very interesting topic and very close to my heart as well. You know, because when I started my career, the first thing we look into is the electronic evidence, because as you can imagine, many years ago, we've started with a lot of boxes of documents if you could still remember, that's where all the evidence are and the boxes are being stored in warehouses, cabinets and so on.
Then it comes to the stage where we want to start digitalizing documents where sort of important documents are being scanned and so that it could be sort of managed in the system or e-discovery system back then, but that has evolved over time.
So as you know, nowadays we produce less hardcopy documents. Even if you do have a hard copy document, there's always a digital or electronic form of the document or data, whether in the form of emails, in the form of chat, or in the form of your PDF and so on, so when it comes to e-discovery, the main thing is you have to follow the evidence.
So the first question is where the evidence are stored. So to answer that question, 20 years ago, again, like I said, the evidence was stored in boxes of documents and then it has evolved into being stored on computer, you know, hence computer forensics was born back then.
But of course, gradually, over time, it has also been used on a lot of data or evidence being stored in your tablets, hence digital forensic, right? So it could be on mobile phones, on tablets. And in fact, now, recent years, the evidence sources are on your servers or cloud so it may not be even in your office. So the data could be in the cloud server somewhere else being hosted. And of course, just fast forward a bit.
In the next five years, I foresee that a lot of this evidence or discovery will then possibly be on the blockchain as we embark into the whole Web3 and Metaverse so there'll be more crucial evidence to be discovered on the blockchain as well.
So that's just a highlight of what e-Discovery is. So in short, it's finding the right evidence source for the purpose of your discovery and why do we want to do that?
Because in the case of an investigation or litigation, it is always important to what, as they say, find the smoking gun. So you want to find the information or the data that can help you to prove or disprove the allegation, or to win, or even to lose your case if you do not have the right evidence source.
So, hence that's the importance of having a proper electronic discovery solution and also methodology.
Paul
Yeah. Yeah. Super interesting. And, yeah, I mean, some of the viewers may or may not know, but I spent a lot of time at Palantir and did a lot of stuff in the intelligence space, which is very similar to that. It's like reading reports, kind of building a case to prove or disprove something using what's in reports or what's in computers or how the computers are being used as well. So it's super interesting and something that's close to my heart also.
So thanks for that, the detailed explanation. I thought you explained it quite well also. So keeping, like kind of, switching into more crypto-focused stuff, and in speaking of more popular spaces, like the Metaverse and Web3, as they're constantly showing up in every conversation generally even at the SFA, what new challenges in your opinion are these gonna kind of bring about? And especially when I think about in terms of cyber risk and building trust?
Michael
Yeah, definitely. I mean, as you mentioned correctly, it has been a hot topic in terms of the Metaverse and Web3. In terms of cyber risk, it is very interesting because I think there's this mantra, I'm sure Paul are familiar with in cybersecurity that we do is called trust, but verify, you know, so we always have to trust and then verify it.
But when it comes to Web3 or Metaverse, in fact, you can throw that out the window, you know. In fact, what applies nowadays is don't trust and must verify, because that's just how it is, right?
Because when it comes to the Web3 or Metaverse, it's a lot about the community. So a lot of announcements and influencers, you know, can actually affect the prices or the value of your crypto or even your NFT. Again, NFT, I'm sure most of you would know is the Non-Fungible Token, right?
So again, it's being heavily traded along with the cryptocurrencies in the market now. So, how it is different from a centralized, let's say, stock where it's centralized, where there is exchange being backed by it. There's a listed company, you know who the CEO are and when they make an announcement, it has to go through sort of proper channel or even proper news media but the difference here, when it comes to Metaverse and Web3, it becomes very decentralized.
So a lot of the community, and the key here is the community because in a decentralized environment, the community is the key. So the community decides on how far that project or that cryptocurrency token will go. So you have seen really successful community like the NFT in terms of the CryptoPunks or the Bored Ape Yacht Club and so on, you know. So the community drives the value of that NFT, but the danger here is because it relies so much on the community, and then their means of communication through, let's say, Discord, or social media, Twitter.
So Twitter is a huge platform for the crypto community. But what if the information that is being disseminated or the announcements that's being disseminated is being, was hacked. So it is false news or false information and because the nature of the industry of the Metaverse and Web3 is 24/7, so it moves very quickly. So even if it is fake information or dis-information, you know, it will quickly affect the value or the price of any tokens, whether it's fungible tokens or Non-Fungible Tokens, so hence that is why I say that when it comes to this area, you have to don't trust and must verify, and it's been shown time and time again, there's a lot of accounts being hacked, a lot of misinformation and that really sort of affects the confidence or sentiment of the community.
Paul
Yeah, I totally agree. And, you know, play a lot in the crypto space personally. And Horangi does a lot of work with crypto companies around traditional, but also smart contractssmart contracts, and, yeah, still get a little bit nervous every time I'm spending money somewhere or like connecting my wallet to a website and Discord channels.
Yeah, Discord's great, but often very confusing because like, obviously, not looking at it 24/7, and sometimes like I have to go back and there's like 50,000 messages, right? So almost impossible to understand what's reality and what isn't. So I think a lot of work to be done there in this space in terms of communicating clearly, effectively in Discord and thinking of better ways to do it, but I share the challenge of, like, who is this actually coming from?
Is it the project owner or is it not? I think it is challenging and a hundred percent agree you to verify and, then trust versus the other way around. I think, like, returning to some of the stuff that Horangi focuses on, or where cloud security is still kind of a major issue, with like a lot of the cyber crimes expected to increase, what are some of the misconceptions about cyber risk management that you've kind of come across? And what should organizations and people do to correct these?
Michael
Yeah, I think that's a very interesting question when it comes to misconception because I think a lot of times we always feel that it's a one size fits all approach, you know, that, we'll have the best cybersecurity solutions and then we'll just apply firewall and spend on all the areas that we need to spend on and have all the cookie-cutter policies as well, but in reality, it's not the case because a lot of times, when it comes to the hackers or the nefarious actors, they are very clever in the sense that it's always social engineering, so it's always bespoke.
So they'll target you as you are, so they'll understand how the organization works. Where are your gaps? What is your loophole? And then that's where they attack, so because of that, I feel that we have to evolve. So the cyber risk management approach that was applied many years ago, it has started as a very reactive approach so we don't have to do much and we react to it but of course, in recent years, a lot of organization has gone from reactive to proactive, right.
So they have start engaging solutions like Horangi and they have looked into hiring their own cybersecurity team, also to continue monitoring in terms of activities, and then they have religiously done the penetration testingpenetration testing and so on. So a more proactive approach but there's still not enough because of what I was sharing in terms of how the perpetrator will attack the system.
So what companies or organization needs to do is not to stand still, but to apply what I call a more adaptive approach. So we have evolved from being reactive to proactive, and now it's time to be more adaptive. So, what do I mean by being adaptive?
Again, every organization is different. How you manage your data, how you manage your cybersecurity and your policies are different. So in terms of your cyber risk management, you should adapt to your policies and also to adapt to your sort of data management processes as well.
What do you think, Paul?
Paul
Yeah, yeah, definitely agree. I mean, I talk about this quite often on the podcast, but one important thing for me too, that I think like all companies and really individuals or families can implement is just thinking about security more.
So like in a company's perspective, Horangi is a security company, so it's kind of built into everything we do. But if you're not then like creating a cultureculture focused around security and having your people think, you know, much more of like a verify first before trusting approach especially in certain situations. And I think that just helps generally and, you know, it costs nothing and there's a bit of time element there, which does have a cost, but I think that that is a huge effect that you can put on the business and helps the business make better decisions throughout all the processes, not just like selection of security products and toolstools, because it's not the only thing that, that you can do to affect security, right?
Some of that may be just like having double checks on when you send money out of the company, right? Like those types of things that are really important in thwarting a lot of like basic sort of fraud or security issues. So I think culture, in my opinion, it's one of the biggest things.
And then there's all the technical stuff that you should also be doing. But yeah, culture, I think, has the biggest impact, especially if you're a smaller company, cuz like, as your company grows, it'll be ingrained then and help you make better decisions in the long term, but also agree with everything you said around the technical side of things as well.
In your experience when writing a cyber risk management policy and enforcing it, obviously, which is a different beast, what should organizations do to kind of ensure that their risk management policies are enforced throughout their activities?
Michael
Yeah. I think the first thing, I mean, of course, there's three critical factors.
One is the Technology, People, and ProcessesTechnology, People, and Processes, so having the right technology or solutions or cybersecurity solution that in effect is probably the easy part, because there's a lot of good cybersecurity solutions or firms out there like yourself, you know? So that part is something that they can definitely look at.
Then second is of course the processes, you know, so they need to have the right processes to bridge to ensure a successful deployment. And again, I have to emphasize, as you mentioned, the misconception of a law firm, that this is not like any other IT implementation that you just implement once and let it run. No, right? You have to always adapt to it. You know, it changes very quickly so you can't come back next year and see what happens. You have to keep adapting or, you have to keep moving with it, right?
So it's a moving target, so to speak, but the third angle or the third element is important to me is the people. You have to look within your organization of what is the skillset that you have and what you don't have, so sometimes besides employing the right solution, you also need to have the right people as well.
Of course, some organizations argue that we are too small or we can't attract the right talent. But then of course there are many sorts of solutions out there like CISO-as-a-ServiceCISO-as-a-Service, or you could go to, I'm sure there are a lot of professional service firms out there that provide such services or can, are able to bridge, a certain skill gap, you know?
So do look at the skills gap, especially when it comes to cyber risk management within the company. Is it a skill that you have? Because there are a lot of times that I conduct tabletop exercise with the C-suites and then we'll find out that at the end of day, you know, there are certain gaps or certain skills gap that they don't have.
So, even if they want to deal with it, you know, they would not, they do not have the right person, the right expertise. So I think that's very important.
So look at what you have and whatever you don't in terms of a skills gap to see if you can bridge it with the use of maybe third parties or consultants or even outsource through outsourcing.
Paul
Yeah. Yeah. I agree. I mean, like definitely if you don't have the internal resources or knowledge, it's important to work with a partner on that and varying levels of partners too to solve different problems in different spaces. I think the security community in Singapore has grown a lot in the past 10 years that I've been here. And the past six that Horangi's been here, just our birthday last month so we just turned six.
Michael
Happy birthday, Horangi!
Paul
Thank and yeah. Thank you. And yeah, I think having a partner is good and of course, like it depends on your business and where your risk lies, kind of investing in the areas that make most sense for your business is really key.
So another question is like, kind of, there's one parting shots in terms of cyber risk management. What do you think organizations should take away from this episode?
Michael
Yeah, I think organization should take away from this episode is they have to sort of ensure that they have done enough of awareness, so I think the, again, just to go back to the people factor, right? I think the people within your organization could either be your weakest link as I've seen in many cases or many data breaches. Or they could also be your strongest line of defense, right?
So what you could do is to empower them. Empower the people within your organization with a lot of awareness in terms of all the cyber risks. And then sometimes you might have to go a bit further as well because cybersecurity or cyber risk is not what you call that, a dry topic. It's not something you could just sort of tell people about, that you have to experience it.
So I find that a lot of times you have your fight, sort of fire drill, or you can have your phishingphishing exercise, you know, you have tabletop exercises, like what I mentioned, where you get all the C-suites together, you can simulate actual, simulate a breach and then see how each and one of the functions within the organization will react to it, you know, and whether they're equipped to react to it at all, so I think having a readiness in terms of the organization and the people involved. That's definitely something we should look at.
Then the second or the last parting shot is: the world is evolving or even the Metaverse is evolving, so while we cannot discount the fact that we will then have to toggle between 2 areas, right? There's always the physical world. At the end of the day, we cannot sort of escape or discount this physical world. So even if you talk about fraud investigation, ultimately, you know, no matter how the crime or kickbacks is done, it will end up with someone's bank accounts where they have to withdraw the money to buy a Lamborghini, right?
So there's always a convergence between your Metaverse and your physical world so that is where I think as a cybersecurity expert, and also for cyber risk management, we have to consciously look into these two different environments and see how we can find the best way to integrate.
Paul
Yeah. Yeah. Agree.
Like, I mean, the onboarding offboarding crypto is, if not done correctly can be dangerous and kind of like just sending money to the wrong places, like I mentioned, Discord. I mean all these problems actually exist in the non-crypto world as well, and generally, there's some of the biggest issues, but of course, it also does exist in the crypto space which is a challenge and it's a bit, you know, easier to send money in crypto in a lot of ways. It can cause sometimes more security issues, as well.
So I think, yeah, it's interesting and still evolving and you know, like, I mean, of course, every time there's sort of something put in place to kind of protect an organization or an individual from something, an attacker will figure out a way around that, right? And that's kind of like the game that we play as security people, especially with new technology coming out all the time, there's oftentimes new exploits, right? Or new ways to kind of get around things, right?
So, yeah, it's the challenge we face when we're moving quickly. But that's the business that we're in. It's kind of, kind of keeping up and fixing the holes as they're found as well. So yeah, super interesting space to be in, both on the crypto side and traditionally on security as well.
But as we kinda wrap up, like any, like parting thoughts to the listeners or anything else that you think we should be chatting on?
Michael
I feel that we talk a bit about the challenges. So obviously the challenges are very real in terms of that whole opportunity in the Web3, Metaverse, and cybersecurity as we know it. But I would also like to, sort of end with a more encouraging note, you know, that there is solutions for us as well.
In fact, we could also leverage on the same platform of what I like to say, the ABCs: your AI, Blockchain, and CloudAI, Blockchain, and Cloud. You know, because in fact, these three elements which forms, some say forms the Web3, can be advantageous for us as well for, in terms of cyber risk management.
Why AI?
Because we are dealing with big data. So it's very important and crucial to be able to crunch and analyze a big set of data in real-time, you know so that you can make the informed decision. So the use of AI is obviously critical. Then blockchain, as you know, blockchain has, is a Hyperledger and it's very transparent, so I think Paul mentioned that I'm a certified cryptocurrency investigator or blockchain investigator. So you'll be surprised that there's a lot of transactions, a lot of data or information that is available on the blockchain, and once it's captured on the blockchain, it's immutable, you can't change it, so that's, for an investigator that's actually what you call the crown jewels, right?
So there's access to all these transactions and if you know how to make sense of it, you know, and you can analyze it, it can be very useful. So the blockchain again are very useful and finally the C which is Cloud.
So again, cloud works, like they say, it cuts both ways, right? So, clouds enable this whole open platform, but whatever is stored in the cloud, again, it's a wealth of treasure trove when it comes to the digital evidence that we can mine as well.
So at the end of the day, I feel that it's not all doom and gloom. In fact, the challenges, while we have the challenges, you know, there are even more solutions out there that we can overcome this challenge, you know, and that's what makes cyber risk management very interesting.
Paul
Yeah. Yeah, totally agree.
And yeah, I think like the pace of innovation in the space and just the general growth of it, much out surpasses the security risks. But it doesn't mean we shouldn't be mindful and continue to kind of investigate as you and your firm are of course doing, the issues that we find.
But yeah, thanks again for coming on the podcast and really appreciate everyone out there who's listening and please do like and subscribe to our channel, and like us on Spotify. Hope everyone has a good day ahead and thanks for, and thanks for joining the podcast.
Michael
Right. Thanks, Paul.
Paul
Yeah. Thanks, Michael.
Michael
Bye.
