When will you be breached? And what will you do?
By Dzof Azmi January 18, 2018
- Awareness of cyber security risks in Malaysian boardrooms increasing, but uncertainty reigns
- Securities Commission, Bank Negara begin to make reporting, discussion mandatory at board level
"FIRST question, did you know you got breached? Second, when are you going to get breached?"
This sentiment was offered by Dani Michaux, executive director of KPMG Management & Risk Consulting, against the backdrop of the Cyber Security Challenge held in late November. While behind her teams from Malaysia and Thailand fought to capture virtual flags from secured servers set up by KPMG, Michaux talked about the bigger picture of cyber security in Malaysia and the challenges faced by boards as they try to navigate their organisations into the digital era.
“Sometimes the CEOs and management sleepwalk with no reality of how quickly their business has changed,” she says. “Oh yeah, we just bought 20 companies and half of them had some technology aspects, but we didn't realise all the risks which came with that.”
As part of her role as the Asean and Aspac Cyber Security Lead for KPMG, she frequently talks to Chief Information Security Officers (CISOs) throughout Malaysia. She knows all of them – if only because they are so few in number. “I can count them on my two hands.”
It’s a number that companies in Malaysia wish were higher now.
“People started to pay attention because the media has been playing a vital role,” Michaux explained, pointing to news such as the WannaCry ransom attacks, the leak of confidential financial documents dubbed the Paradise Papers and, of course, the much talked about breach of over 40 million records of Malaysian mobile subscribers.
An increasing awareness of cyber-security risks
Michaux says that this awareness is in stark contrast to what she has seen in surveys done by KPMG in previous years. So things are changing for the better.
She offers an example that happened on the day of this interview. “I was at a board meeting and when I walked out they were saying ‘I am constantly reading about data breaches. Do we know our data breaches?’”
Even the government and associated bodies have begun to understand the risks. For example, in October 2016 the Securities Commission Malaysia (SC) issued guidelines on cyber risk management, which made cyber-security a mandatory boardroom topic. “That sent a little bit of shock waves,” she observed.
“So the SC has played a vital role in Malaysia to start talking more about it, (and) Bank Negara is coming along as well.”
Michaux however wants to see it going beyond awareness. “One day, I hope to see it as part of corporate governance codes,” she said. “That's going to make me really excited.”
Cyber security is more than just good IT talent
Coupled with this awareness is a demand for CISOs, but that kind of talent is difficult to find, not just in Malaysia, but worldwide.
Michaux says that this talent needs to be built up and not just bought off-the-shelf, as it were.
“You need to build sustainability and resilience, and you don't build sustainability by using external parties,” she said, pointing to external third-party risk as a good reason why not.
Michaux agrees that there is much one can do about cyber-security, even without looking into the technical nitty gritty.
Reference international frameworks for cyber-security, she urges. “Eighty percent of the frameworks are not technical IT or security. Most is about governance. So how do you govern a more resilient structure?”
She talks about building an ecosystem where legal teams know how to insert relevant clauses, PR departments understand how to draft statements, and CEOs are ready with what they have to say when there is a breach – not if.