Computerworld Malaysia asked IBM Security's Technical Security Leader for the Asean region, Nigel Tan, for his take on the changing security landscape, especially with the dawning of the Asean Economic Community.
Coming from Symantec, Nigel joined IBM's Security business in July 2015 as the technical security leader for ASEAN where he manages a team of technical professionals and provides leadership, vision and strategies to address key security issues faced by clients in the region.
Speaking of his role, he said: "I would count the beauty of being able to take what I have learnt from other countries and apply them to Malaysian customers one of the great things about my job."
Photo - Nigel Tan, Technical Security Leader, IBM ASEAN
Let's talk first about the top four cyber threats noted in IBM's recent X-Force report: what should infosecurity officers in ASEAN be prioritising as we go into 2016?
The top four threats identified in 4Q 2015 X-Force report are insider threats, malware and ransomware, stealthy tools and morphing attacks. The exponential growth of mobile and the Internet will make cybersecurity a greater growing concern at organisations.
However, this also gives companies an opportunity to evaluate their security mandate and adopt safer computing practices.
Organisations need to be constantly on guard, alert and continually improve security infrastructure and practices as well as educate their employees. They also need to educate their employees on the importance of secure computing practices.
You have said in the past that you see security as a business enabler: what opportunities will there be for Malaysian businesses with the ASEAN Economic Community (AEC) in 2016?
Malaysia is currently the country chair for the ASEAN Economic Community, which is looking to ensure that its member states are not only economically integrated as a single entity but also sustainably and gainfully integrated in the global economy.
However in today's connected and digital economy where opportunities abound, cybercrime is also alive and thriving. This also means that cybercriminals can reach out and touch organisations anywhere in the world. Therefore, confidence in security is going to be an important part in ensuring that the AEC is able to attract and retain global investments.
Another long standing challenge is the cyber security skills gap both in Malaysia and indeed globally.
Cyber security is no different from other fields. It is important to keep training new talent and honing the skills of existing ones because like other fields, it is rapidly evolving. Security professionals should also enhance their skillset by keeping up to date with the trends through media alerts, security blogs and publications such as the X-Force Reports.
Furthermore, organisations may not always have skills in-house and it is critical that they seek help from experts when needed.
In Malaysia, IBM has partnered tertiary institutions such as Universiti Kebangsaan Malaysia, Sunway University and Temasek Polytechnic to embed security modules into the IT and business curriculum.
What more should be done by governments and how is the IT industry helping currently?
The Malaysian government should ensure that the policies and regulations that it puts into place is accompanied with proper enforcement. Safety, security are cultural traits that have to be built in to ensure that society is always one step ahead of online threats. This can be addressed through proper education and awareness.
Regarding the eternal security-privacy balance debate, major breaches together with the current terrorism threats have added pressure to industry to weaken security - what is your view on this?
This is a complex issue. My personal opinion is that organisations should ensure that their core data is secure, particularly Personally Identifiable Information (PII), of their customers. However, at a national level, there is a need for a more integrated security program. The Malaysian government has taken proactive steps to address the privacy and security ecosystem by establishing Cybersecurity Malaysia and the Personal Data Protection Act.
Notwithstanding those measures, it is best to articulate how it protects the citizen data from a policy and initiatives standpoint. By outlining a framework that address how the private and public sector should treat PII and at the same time, maintain a dialogue with all of the stakeholders, we can avoid the debate from being a zero sum game
Over the years, we have noted the ongoing risk posed from within: has the Security IQ of people shown any improvement? And what more can be done?
While there is a heightened awareness at the C-suite on cybersecurity -- which is a positive sign -- there is still a fair bit of work to do when it comes to disseminating and raising awareness to the employees. What would make a difference at organizations is if they can define a security program that takes into account regular education sessions with employees.
Some companies are talking about dropping passwords for other login procedures: what's your opinion on this?
The proliferation of biometrics on mobile devices is pushing the envelope to get rid of passwords. In these cases, passwords are actually still being used and in fact are longer and more complex (sometimes even random). What is done is that the passwords are stored and used in a digital wallet that is secured by a biometrics scan and extracted when the user is authenticated. This removes the need for the user to remember the password. Gartner predicts that this year, 30% of organizations will use biometric authentication on mobile devices, up 5 percent from last year.
Could you say something about the Internet of Things (IoT) and other upcoming trends have on the security landscape in Malaysia and thr region?
IoT and other upcoming trends will bring cybersecurity to the front line making it a household name. In fact, security will have a very significant role to play as IoT becomes a reality.
As more and more devices connect to the Internet, a unique set of security challenges will arise for manufactures of devices, companies leveraging the potential and their users. The critical factor here will be to embed security from the beginning not just in devices but across networks and make sure it's integrated. Open standards will also be critical for IoT to realise its potential and provide a level playing field for all.
Can you say if there have been recent 'wins' in the war against cybersecurity attacks?
One positive sign from the X-Force report is that board level and management are recognising security as a priority and making active decisions to support it like increasing budgets.
A recent survey by Southern Methodist University and IBM found that 85 percent of chief information security officers (CISO) said that support from upper level management has increased. The survey also found that 88% organizations have increased their security budgets since 2015.
There are three essential things companies need to do to tackle cybersecurity concerns.
1. Conduct scenario planning type exercises to be fully prepared such as mock table-top exercises, including stress tests, educational scenarios, technical and non-technical discussions, and cross-functional reviews
2. Document incident response plans as the ability to respond quickly and efficiently may mean the difference between a short-duration event with limited impact and a long-running disaster.
3. Deploy systems and procedure that red flag compromises in real-time. Indicators include unusually high network traffic, anomalies in user activity, surges in database read volume, mismatched port-application traffic, web traffic with superhuman behaviour.
Sign up for Computerworld eNewsletters.