In the course of my facilitation, I realised that the key focus of the discussions was on how organisations today handle their biggest asset – data – and manage all the moving parts in large and diverse settings and in very traditional enterprises that are transitioning into data-driven “New Age” businesses.
The Impossible Tech Triangle
Data has never been as abundant or as strategic as it is today. Multiple sources of data generation and technologically savvy customers have produced a data explosion; at the same time, personalised services and data insights have driven most industries to use that data for greater intelligence. The biggest risk organisations face, and the one that costs CSOs and business leaders sleep, is significant disruption caused by a compromise. Moreover, the complexity of today's technology platforms means that no organisation can be 100% certain it has got it right and is managing the risk effectively.
Does this give rise to a situation similar to the one in Marketing and Advertising, where the triangle of price, quality and speed appears unattainable to many organisations?
Key takeaways from the sessions
#1 Drivers & Challenges of Cloud adoption
The fact that discussions around agility and innovation can happen with the intensity they do today is because organisations have embraced Cloud infrastructure, application development platforms and SaaS solutions. Every organisation's Cloud journey is unique, driven by its own set of requirements. Organisations choosing Cloud may lack the resources to build in-house systems, or may migrate for reasons such as cost, productivity, cross-border collaboration or compliance.
When embarking on a Cloud journey it is important to have a clear roadmap that includes instilling a Cloud-first culture and training the IT organisation in the skills the environment requires. Concerns about cost, security and data ownership are still synonymous with Cloud, so organisations should assess each workload from a cost angle before moving it. It is important to recognise when a Cloud option will not work out on cost and to have the right cost model in place, because organisations that do a straight like-for-like resource swap onto Cloud are likely to end up paying more.
Data ownership and data residency can also be challenging, especially from a compliance standpoint; for some organisations the first challenge is simply knowing where their data currently resides. The difficulties are not limited to legacy systems: they include defining a data strategy that delivers the desired outcomes and manages risk effectively without losing the opportunities and rewards that using the data can bring. Cloud transformation projects bring in data from multiple, disparate sources, so a clear data strategy should manage data through its entire lifecycle and cover how it is captured, stored, shared and governed.
#2 Perception on Public Cloud Security
While security remains a key concern in Cloud adoption, Cloud is often regarded as a more secure option than on-premise. Cloud providers have a dedicated security focus, constantly upgrade their security capabilities in response to new threats and keep evolving their partner ecosystems. Traceability is also better in Cloud, because every API call and resource change passes through the provider's control plane and can be logged and monitored.
However, the Cloud is only as secure as an organisation makes it. The provider secures the underlying infrastructure, but responsibility for securing the applications, data, identities and configuration built on top of it lies with the organisation. The perception that public Cloud security features need no supplementing can have disastrous outcomes. It is important to add event-driven security measures within the organisation's own applications and Cloud infrastructure, so that a risky change (such as storage made world-readable, a firewall rule opened to the internet, or a privileged login without MFA) is detected and acted on as it happens rather than discovered in the next audit. As developers increasingly build on APIs, this focus on security needs the same emphasis as functionality and agility. In short, security is a shared responsibility between the Cloud provider and the organisation.
#3 Viewing Security as a Business Risk – not IT Risk
The Executive Management and the Board may be involved in an organisation's Security strategy and GRC policies, but a consistent challenge Security teams face is convincing the Board and Senior Management of the need for ongoing focus and investment in cybersecurity. These investments are often isolated from the organisation's KPIs and hard to quantify, yet Security breaches have clear financial and reputational impact. Mature organisations are beginning to view Security as a business risk and not a matter of IT risk alone. One reason Senior Management and Boards do not grasp the full impact of data breaches is that CISOs do not translate the implications into business terms. It is their responsibility to secure senior management buy-in, so that Security becomes part of the Strategy and its costs are written into the cost of doing business.
Training sessions that educate stakeholders on the basic risks of the information systems they depend on can help. Simulating actual cybersecurity events and scenario testing bring home the operational issues of containment, assessment and recovery, and it is important to involve senior stakeholders in these exercises. Eventually the role of the CSO will evolve into a business role that spans Security across the entire organisation, physical as well as cyber. That is when organisations will truly recognise investment in Security as a business requirement.
#4 Moving away from Compliance-driven Security Practices
Several organisations treat Security as part of their compliance exercise, with compliance built into their organisational risk management programmes. Security practices are often portrayed as a product differentiator and used as a marketing tool. An organisation's Security strategy should be more robust than that and should not be focused only on ticking the right compliance boxes.
A compliance focus often means that Security teams continually write policies and call out non-compliance rather than proactively contributing to a secure environment. Applications teams do not always have the skills to manage Security themselves, so the Security team's role should not be to tell them what they are doing wrong and to produce copious policies, procedures and standards for others to execute. The focus should instead be on automated, policy-driven remediation that does not restrict the Applications team as such but acts on unsafe practices when they are detected. The Security team's job is to implement and operate those controls so that the Applications team can do what it does best.
#5 Formulating the Right Incident Response Policy
In the Ecosystm Cybersecurity Study, 73% of global organisations think that a data breach is inevitable, so organisations largely believe that "it is not about if, but when". About 50% of global organisations have a cyber insurance policy or are evaluating one, and this proportion will only rise. Policy-driven incident response measures are an absolute requirement in every enterprise today; however, to a large extent even incident response policies are compliance driven. 65% of organisations appear satisfied with their current breach handling processes, yet it is important to keep evolving the process in the face of new threats.
Organisations should also be aware of the need for people management during an incident. Policies might be clear and adhered to, but it is substantially harder to train the stakeholders involved on how they will handle the breach emotionally. It extends to how an organisation manages their welfare both during an incident and long after the incident response has been closed off.
Over the two sessions, we explored how to achieve the ‘unattainable triangle’ of Cloud, Agility and Security. What I found interesting – yet unsurprising – is that discussions were heavily focussed on the role of Security. On the one hand, there is the challenge of the current threat landscape. On the other hand, Security teams are required to deliver a Cloud and an agile development strategy in tandem. This disconnect ultimately highlights the need for Security and data management to be embedded and managed from the very start, and not as an afterthought.
The Personal Data Protection Commission (PDPC), which oversees Singapore's Personal Data Protection Act (PDPA), has developed a new framework to better support organisations in the hiring and training of Data Protection Officers.
Why the Need?
The PDPA has been in force since 2014, and the new framework is intended to sharpen the focus of government and organisations on data privacy. According to Ecosystm's expert on GDPR and Data Privacy, Claus Mortensen, "the initiative reflects the difference between 'theory' and 'practice' when it comes to data security. PDPA is not making changes to the present regulatory framework, but they are putting together a program and guidelines for how companies can apply and abide by the present regulatory framework."
To support accountable cross-border data flows, the Infocomm Media Development Authority (IMDA) has been appointed Singapore's Accountability Agent (AA) for the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems. IMDA will certify Singapore organisations under the APEC CBPR and PRP Systems for accountable data transfers.
“The PDPA requires a data protection officer to be appointed in every organisation. This framework is focused on educating and certifying these officers. However, it mostly makes it easier for slightly larger companies who can afford to send employees on longer training programs or who are able to hire people, who have taken the certificates. Smaller organisations – such as start-ups – would benefit more from detailed guidelines and from on-premises guidance. Establishing a framework for such services could be the next area of focus for the PDPC.” said Mortensen.
Legislation for data handling and exchange practices
Private data has become both a growing target for hackers and an international commodity. Attackers continually trawl cyberspace for leaks or financial information they can exploit to their advantage.
“Managing sensitive data is notoriously complicated – especially for ‘legacy’ companies that still have or rely on non-digitised data. Even when all data is digital, employees may have copies on their PCs, they may have partial backups on removable media, some data may need to be shared with sub-contractors, moved around between cloud providers, etc. This can make it very difficult to map out PDPA relevant data in the organisation. Even when the data has been mapped, it can be difficult to ensure that all business and data processes are compliant. This is where on-premises guidance can make a difference,” said Mortensen. “While the government clearly aims the new framework initiatives at helping SMEs, it will help further protect consumers’ sensitive data.”
Importance of Cyber Security
A business harnessing digital technology cannot afford to gamble with sensitive data in the face of rising cyber-attacks. The government is forming guidelines and regulations to reduce cyber-attacks, but it is the responsibility of each business to have a cybersecurity strategy in place to prevent a breach. A business that falls victim to hacking is perceived to have failed its customers.
The government passed the PDPA, and enforces compliance with it, to ensure that businesses take the protection of personal data seriously. Every business, organisation or academic institution must therefore ensure compliance with the data protection act and adopt security best practices to safeguard its customers' data.
Intellectual Property Intermediary (IPI), an organisation established under Singapore’s Ministry of Trade and Industry, is an affiliate of Enterprise Singapore and focuses on technology innovations in the industry that can empower enterprises to develop new processes, products, and services. IPI has identified Blockchain Technology for Food as an area where the industry can benefit from innovation. The ecosystem will also benefit from the information gathered, with the potential to further improve the production chain.
Taking supply chain visibility a step further, Blockchain technology is being used for fraud prevention, especially payment fraud. Financial transactions are complex, multi-step processes involving human intervention: collateral, settlement, currency denominations, third-party mediation and so on, which makes them a prime target for fraudsters. The most common instances of fraud involve bank-to-bank transactions, mobile payments and digital identity fraud, essentially tampering with an ID or using it in an unsanctioned way to gain unauthorised access to digital systems and falsify information.
What Blockchain offers here is a replicated, hash-chained ledger: each block commits to the hash of the block before it, every full node holds a copy, and a transaction is only accepted once the nodes have validated it under the network's consensus rules. That makes the record tamper-evident rather than unhackable. Altering a historical entry breaks the hash of every later block, and a single node's edited copy is rejected because its peers still hold the agreed chain, so destroying or rewriting the data would require compromising most of the network at once. Fraud controls built on this can share validated information in near real time, but the ledger does not protect against a transaction that was fraudulent when it was first submitted, nor against theft of the keys used to sign transactions.
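The tamper-evidence property described above, as an added example in Python (not code from the original post or from any product it mentions): a minimal hash-chained ledger, a verifier, an attacker's edit of one record, and the peer-comparison check that catches an edit to the most recent block, which a local hash check alone cannot. The payment records are constructed sample data, and the chain has no proof-of-work or signatures; those are deliberately left out so the hash-link property stands on its own.

```python
"""Hash-chained ledger with tamper detection.

Added example, not code from the page or from any product it mentions.
Each block commits to the hash of its predecessor, so altering an earlier
record breaks every later link; a tampered tip is caught only by comparing
it with peer copies. Records are constructed sample payments.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: dict

    def digest(self):
        # Canonical JSON so identical content always yields the same hash.
        body = json.dumps({"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
                          sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, rec in enumerate(records):
        block = Block(i, prev, rec)
        chain.append(block)
        prev = block.digest()
    return chain


def verify(chain):
    """Index of the first block whose link to its predecessor is broken, or None if intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return i
        prev = block.digest()
    return None


def tamper(chain, index, new_payload):
    """An attacker's edit of one record in a copy, leaving every other block untouched."""
    forged = list(chain)
    forged[index] = Block(index, chain[index].prev_hash, new_payload)
    return forged


def tip_hash(chain):
    return chain[-1].digest() if chain else GENESIS_PREV


def replicas_agree(replicas):
    """The check a node runs against its peers: one rewritten copy stands out
    because the others still hold the agreed tip."""
    return len({tip_hash(c) for c in replicas}) == 1


RECORDS = [  # constructed sample data, not real transactions
    {"from": "alice", "to": "bob", "amount": 40},
    {"from": "bob", "to": "carol", "amount": 15},
    {"from": "carol", "to": "dave", "amount": 5},
]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact chain broken at:", verify(chain))                                  # None
    forged = tamper(chain, 1, {"from": "bob", "to": "carol", "amount": 1500})
    print("edited block 1 detected at:", verify(forged))                            # 2
    forged_tip = tamper(chain, 2, {"from": "carol", "to": "mallory", "amount": 5})
    print("edited tip passes the local check:", verify(forged_tip) is None)         # True
    print("peers agree with the edited tip:", replicas_agree([chain, chain, forged_tip]))  # False
```

The last two lines are the practical caveat: a hash chain on its own only protects history up to the block before the one being edited, so it is the replication across nodes (and, in real networks, consensus and signatures over new blocks) that stops anyone quietly rewriting the most recent entry. None of this says anything about whether a record was correct when it was first written.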
Earlier this year, Standard Chartered Singapore showcased their cross-border trade finance transaction which digitalises trade processes and financing documentation. Blockchain enabled the transaction between parties by digitally streamlining the documentation process while providing security and transparency between the partners. Not only does it support the clients’ entire supply chain, but it also creates a transparent way to provide same-day trade financing.
Non-profit organisation BitGive Foundation uses Blockchain technology to give donors greater visibility into the receipt of funds and how they are used, by sharing financial information and project results in real time. Its GiveTrack project is built on the Bitcoin blockchain and offers a user-friendly, data-centred and comprehensive interface through which donors can precisely track their donations and how the funds were used.
Legal & Compliance
In industries with higher compliance and regulatory requirements, Blockchain can enable safe, secure and scalable data-sharing. The industry is seeing self-executing contracts, smart registries, and secure, time-stamped documents built on Blockchain. It offers a way to keep tamper-evident records over long periods, including indisputable claims, criminal records and case procedures, to support legal work.
Dubai launched a city wide blockchain strategy. Dubai Land Department is implementing blockchain to make property transactions secure, transparent and immutable, thereby reducing fraud and eliminating reams of physical documents. This impacts the entire ecosystem – customers, developers, the land department, utility providers, payment channels, and municipalities – to work in collaboration.
Shipping companies that need to enforce global contracts daily are also benefiting from Blockchain. However, the biggest use cases will eventually come from the Public Sector, across citizen services and criminal justice systems. For instance, the National Stock Exchange of India (NSE) is testing Blockchain e-voting facilities. The project is still at the pilot stage and aims to tokenise votes, which makes the count easy to test and audit. This gives regulators access to real-time data and, at the same time, provides a means to audit the regulators.
According to the Ecosystm Cybersecurity Study, 73% of global organisations believe that a data breach is inevitable, yet only 18% use some form of tokenisation or other cryptographic tools. Blockchain offers several capabilities relevant to cybersecurity: decentralised services such as DNS and storage that have no single point to overwhelm or seize, which limits what a DDoS attack on those services can achieve, and public-key authentication, with keys protected by hardware or biometric unlock, in place of passwords. Its contribution to data integrity comes from signed, hash-chained records, which make unauthorised modification detectable; it does not by itself encrypt data in transit, so defending against man-in-the-middle (MITM) attacks still depends on transport security such as TLS between the parties and the nodes, with the ledger adding a tamper-evident record of what was agreed rather than confidentiality on the wire.
eGovernment initiatives will also benefit from Blockchain. The biggest stumbling block for providing e-services has always been cybersecurity: the Government cannot be sure that citizens are able to access their own records securely, and it has always been a question of responsibility and liability, for instance whether the Government is liable for a data breach caused by a citizen's own mistake. Estonia uses Blockchain to protect digital services such as electronic health records, legal records, police records and banking information, guarding data and devices against attack, misuse and corruption.
The ultimate benefit of Blockchain will be realised when it is used to enhance Customer Experience (CX). It brings transparency in doing business, gives on-demand data visibility and fosters trust in customers. A company that shows all transactions between the company and the customer, and in a secure manner, can create a better relationship, increase overall customer satisfaction and retain their customers in a competitive market. For example, Blockchain technology can allow more secure and transparent loyalty programmes, through token creation that can be redeemed on-demand, without customer service intervention. Singapore Airlines’ KrisFlyer structures their payments and loyalty programme with Blockchain. Their digital wallet enables members to convert KrisFlyer miles into KrisPay miles instantly to pay for their purchases at partner merchants. The users can pay through an application by scanning a QR code at a merchant’s location .
Customers will increasingly look for ease of use and security in their transactions. Bank of America has filed a patent for a Blockchain-powered ATM for securing records and authenticating business and personal data, intended to increase transaction rates and support a range of transaction experiences with full encryption and security. Blockchain-enabled transactions can be registered and completed with greater ease while lowering transaction costs for customers and keeping the network safe.
While Blockchain technology is continuing to evolve for a range of applications and industries, it comes with its own share of risks. Adoption should not be based on the hype around the technology but should be evaluated carefully. The starting point should obviously be a real business needs analysis.
Speak with an expert today to evaluate whether your organisation can benefit from Blockchain.
To strengthen cybersecurity, the Cyber Security Agency of Singapore (CSA) and the National Cyber Policy Office (NCPO) of New Zealand have signed an agreement on information sharing, cybersecurity and capacity building in the region. A new Cyber Security Arrangement will support greater information exchange, including through an annual cybersecurity dialogue between the two countries. The aim of the agreement is to increase information exchange, prevent incidents and threats, and follow best practices for protecting data, infrastructure and systems.
Commenting on the announcement Ecosystm Principal Advisor, New Zealand-based Jannat Maqbool, said, “Engaging internationally on cybersecurity research and initiatives is fundamental given the trans-boundary nature of the cyberspace. As both nations become more digitised and connected, a collaboration will enable each to leverage strengths in key areas to develop a multi-pronged approach to cybersecurity. Both countries will also be in a better position to weigh in on the development of rules-based international order for cyberspace.”
Echoing these comments, Ecosystm Board Advisor and former Global Head of the Digital Development Unit at the World Bank, Randeep Sudan, explains how cybersecurity is critical to the growth and development of the digital economy. “Mitigating cyber risks will require coordinated action by multiple stakeholders, including governments, the private sector, academia, and non-governmental organisations,” Sudan says. These bilateral and multilateral G2G partnerships are, therefore, an essential piece in tackling cyber threats. “Given that Singapore and New Zealand are leading players in cyberspace, a G2G collaboration between them will offer learnings of immense value to other governments,” Sudan continues.
Due to Ecosystm’s own close ties with New Zealand, and considering that we are headquartered in Singapore, we are ourselves actively engaged in promoting the dialogue between New Zealand and Singapore. Ecosystm CEO Amit Gupta and Chief Operating Officer, Ullrich Loeffler are in New Zealand this week to participate in Techweek New Zealand (an annual initiative to promote and build awareness for new technologies and innovation in New Zealand) to meet key stakeholders and attend industry events.
Commenting on the sidelines of Techweek, Amit Gupta gave his thoughts on the agreement, “Both New Zealand and Singapore are in hyper-innovation mode at the moment. With the advent of Blockchain and AI especially spurring the growth of the Fintech ecosystem in New Zealand, there are strong potential gains in engaging with the already thriving Singapore Fintech ecosystem.”
New Zealand and Singapore are not only model free markets, but also have been key proponents of data privacy over the years, an area that requires a serious look, as we start to apply new emerging technologies such as AI. “There is an opportunity for these two forward-looking nations to take it a step further to build an actionable Data Privacy Corridor to streamline the Fintech collaboration between them,” Gupta added. “With New Zealand being an export economy and Singapore, a strong services economy, this would enable a much more seamless collaboration between these two countries.”
The collaboration does not end at cybersecurity and Fintech. As part of the partnership, a joint work programme is being negotiated, starting with two flagship collaborations – an advanced data science research platform to build New Zealand’s data science capability; and a food and nutrition cooperative science programme with a focus on ‘future foods’. Both countries have different areas of expertise, and collaborative measures such as these, give them an opportunity to share best practices that will prove mutually beneficial.
AT&T joined the alliance as an equal member alongside its founding members. Over the past few years AT&T has been building its cybersecurity capabilities and recently acquired AlienVault, a developer of commercial and open source security products (including the OSSIM SIEM), to offer a platform that integrates and automates point security products for managing cyber attacks. AlienVault has been rebranded as AT&T Cybersecurity, which also includes consulting and managed security services. Similarly, at the end of 2018 Singtel consolidated the capabilities of partners such as Optus and NCS under the ‘Trustwave’ brand, to provide a comprehensive security suite and services that help organisations fight cybercrime.
With the rising risks of cyber-attacks, these initiatives are providing a synergistic front and helping organisations to analyse and act faster against cyber threats. The alliance plans to expand its global footprint and span across APAC, Europe, MEA and America.
Speaking about the alliance, Alex Woerndle, Principal Analyst Cybersecurity, Ecosystm says that, “Similar collaborations exist within other industries already – most commonly they use regular information-sharing sessions with the collective security teams to discuss what each is experiencing, what strategies and tactics have worked or failed, and provide details on the type and nature of attacks. The telcos – at a minimum – should be collaborating at that level. But given the global nature of this alliance, they will need to consider how they can aggregate threat information and share it in a more agile way on a day to day, hour to hour and minute to minute basis.”
The alliance's members carry a significant percentage of global network traffic, and the alliance is a tangible example of companies taking steps to fight cyber attacks. “As the threat landscape continues to expand there is an opportunity to broaden the intelligence – sharing what they collectively gather and analyse, to strengthen the defences of the broader market not just in their local geographies, and to impact globally”, says Woerndle. “Think of the immense opportunities to share intelligence gathered collectively by all the major telcos, to proactively prevent attacks on their clients – from other enterprises down to small/medium businesses and consumers. Law enforcement could benefit from the global telco collaboration, also.”