We are augmenting hygiene detection-based technologies with detection-less means in our email gateway

COVID situation has injected a “situational” dimension into the classic People, Process, and Technology perspective. What that was already tricky enough is now becoming trickier

This is an exclusive interview conducted by the Editorial Team of CIO News with Ken Soh, Founding CEO, CIO/Director e-Strategies BH Global Corporation at Athena Dynamics Pte Ltd, on:

Digital and Business Transformation (DX/BX) Journey with respect to Disruptive Protection Technologies

Ken Soh holds concurrent appoints as Group CIO of mainboard listed BH Global Corporation Limited since Mar 2014 and as the founding CEO of the group subsidiary cyber security company Athena Dynamics Pte Ltd. Ken has more than 28 years of working experience in the ICT industry. Prior to joining BH Global, Ken held various senior positions in public and private sectors at CxO and business leader levels with Master Planning and P&L responsibilities. Ken has been an avid industry speaker and writer. He holds a Master of Science in Computer Studies from the University of Essex; and a Master of Business Administration (eMBA) from the Nanyang Business School (a Nanyang Technological University and University of California, Berkeley joint programme).

When asked about his company’s journey in the pre and post-COVID era, Ken Soh, Founding CEO, CIO/Director e-Strategies BH Global Corporation at Athena Dynamics Pte Ltd, in an exclusive interview with CIO News, said, “You begin your journey not knowing where it will take you. You have plans, you have dreams, but every now and again you have to take uncharted roads, face impassable mountains, cross treacherous rivers, be blocked by landslides and earthquakes. That’s the way my life has been.” – Lee Kuan Yew

I would humbly borrow and draw analogy from the above quote by Singapore’s founding father and first prime minister. Certainly, our journey is not comparable to the scale and weightage of challenges that he has respectfully overcome. Nevertheless, the quote comes close to our heart in articulation of the journey thus far. It is about “uncertainty”, “preparedness”, “resilience”, “transformation” and most importantly, one’s “Adversity Quotations” (AQ). I believe this would resonate well with many business leaders too as we continue to strive forth alongside global uncertainties.

To your question, I would like to take a two-tier perspective to it. The first tier is the fundamental digital and business transformations in every business to stay ahead of the curve. It is about business competitiveness and survival. This baseline “tier-1” mind-set was the typical focus well before the pandemic. As pandemic happened, the need for transformations becomes imminent with very limited reaction time for all. We see a COVID-mandated shift in demand curves and hence the transfer of wealth between sectors, drastic change in work operations and the need for urgent innovations. This collectively resulted in the ruthless emergence of tier-2 transformation mandate.

When the pandemic hit, all of us were forced to transit from a tier-1 transformation mind-set pre-COVID to a tier-2 mandate with urgency. People were forced to adapt to working from home almost overnight. Processes adjusted to minimize risks in the perspective of BCM, ERM and DRP. With such transformations, cyber protection technologies especially the disruptive ones, started to make its value felt when mainstream, conventional protection paradigm is no longer sufficient.

When asked about changes his company’s IT team is implementing in the new normal in terms of business transformation to digital, he said, The learning point thus far is therefore not just about having an innovative mind-set. It is also about the new considerations to innovate in a pandemic-resilient approach. For example, when pursuing transformation, it is not just about leveraging digitalization, but with considerations towards 100% software-only or cloud propositions to minimize physical logistics that bring about operational and business impact when pandemic hits.

When asked him to elaborate about any cyber-attack or security incident that happened recently after COVID or before COVID and how did the IT team tackle the incident and how different could it be to tackle these kinds of incidents in the post-COVID era compared to the pre-COVID era, he said, Sure, as all of us knew, there is never any 100% assurance in security. We work to our best effort in people, process, and technology. That is the way it is. Do we know if we are already compromised? In my opinion, no one knows. In today’s advanced threat landscape, detect nothing does not mean that it is safe. For the common saying that “it is not about if, it is about when” which I would rather suggest a more realistic mind-set of, “it is not about if or when, it is already”.

As to your question about incident, just like any other enterprises, there is never short number of reported attempts. As an example, years back, a finely-crafted advanced phishing email came so real to us in our supplier’s letter head, and with contents that gel so delicately and accurately with the then on-going correspondence between us and one of our suppliers. The email requested a final settlement of USD 80,000 to be paid to “new account due to recent restructuring of their finance system”. Fortunately, our bank alerted us on this, and eventually discovered that our supplier’s enterprise LAN is already infested by advanced malware which allows the attacker to read the communications in the enterprise silently and remotely, and strike when the time is ripe. Such context-sensitive phishing email is probably just one of the manifestations that they are already in the shop. Many other possibilities could have happened. We have since informed our partner on the needful to cleanse up their environment and put in proper measures to avoid recurrence.

As to your mention of whether there is a difference between pre and post-COVID eras, the learning point is that the COVID situation has injected a “situational” dimension into the classic People, Process, and Technology perspective. What that was already tricky enough is now becoming trickier. For example, the phishing context could take the form of masqueraded COVID-related government grant notification, and that way solicit personal information that would lead to well-planned attacks subsequently.

When asked how his organisation geared-up in terms of technology during the COVID times, he said, there is no 100% security. We would apply practical approaches and disruptive paradigms in People, Process, and Technology to strengthen our security posture at our best possible effort and with our best possible means.

People-wise, we see on-going security advisory and briefing, phishing campaigns and education sessions pay. Process-wise, table-top exercises of cyber protection processes, which are integrated with the corporate BCM, ERM and DRP framework is useful. Technology-wise, it is an on-going leapfrogging game between the dark and light sides. It is therefore important to constantly explore disruptive innovations to protect better.

When asked about disruptive protection technologies and the ones implemented in his company and about the success factors to be focused on by technology leaders in the industry while implementing these technologies, he said, Over the last 8 years, we have amalgamated various disruptive propositions and operationally tested some of which in our environment. Some examples of the disruptive technologies include detection-less, IP-address-less, Password-less, Source-Code-less and sometimes we call it Human-less propositions. These are large subjects which we are happy to share more if there is interest.

For now, I would pick an example of detection-less paradigm which is under the sanitization category. Specifically, today’s advanced threats are skilled in evading detection. Unfortunately, most cyber protection technologies today are still caged in the paradigm of detection, e.g. anti-virus, sand-boxing, monitoring etc. These are good measures as a baseline, hygiene layer of protection. They need to be augmented with detection-less ways such as sanitization to defence against the unknown or undetectable.

When asked how disruptive protection technologies can impact/affect the way businesses, customers, company, or the industry functions, he said, the impact could be tremendous. Citing sanitization technology, if applied in the email gateway, all emails will become strongly protected against the undetectable. This essentially is also the rightful approach in curbing context-sensitive phishing emails which is typically one of a possible after-effect of Advanced Persistent Threat (APT) infection. Drawing analogy from medical science, it is akin to secondary bacterial infection after a primary viral infection that weakened the body’s baseline immunity.

Many enterprises when faced with advanced phishing would procure expensive anti-phishing platforms in hope to filter them away. Unfortunately, this just addresses the effect of the issue, i.e. advanced phishing, and not the cause, i.e. to prevent advanced persistent threat (APT) from taking root in the internal LAN.

When asked about strategies he is implementing, and other technology leaders should implement to defend organisations from cyber-attacks in the future, he said, we are augmenting hygiene detection-based technologies with detection-less means in our email gateway and other key file transfer gateways. Alongside that, we are in continual study on how to operationalize newer approaches such as password-less authentication and the possibility of having automated VAPT in an on-going basis. We are also getting key applications to be checked via Source and Binary SAST to make sure that application vulnerabilities are uncovered and rectified early.

When asked about work model he plans for his organisation now: Work-from-office, work-from-home or hybrid, and how he plans to educate the non-IT staff to protect themselves and the company’s and customer’s data, he said, Working from home is a larger subject than just technologies and protection. It entails specifically nature of the business, staff’s situation and also the company culture.

Certain nature of jobs is inherently fitting for 100% work from home even with improved productivity, especially businesses which are fully digital in nature. Unfortunately, some other types of businesses, especially those that involve physical beings and presence, e.g. F&B, travel etc. would not be conducive for such arrangement.

How does staff’s situation come into play? One good common example is that staff with young children at home would find it uphill to work from home. Conversely, staff with conducive working environment at home, would fine it much more productive naturally to do so. This is especially so if the company’s location is distant from the staff’s residence, or of difficult accessibility due to lack of public transport, or the company resides in remote areas.

Not lease, company culture and mind-set play an important role too. Traditional mind-set needs to see the staff physically during office hours. Unfortunately, in digitalized businesses, staff typically ended up working throughout his waking hours. Work and life are intertwined. The company therefore needs to adjust to the new world norm of managing and measuring by results, not by physical presence in the office.

When asked about digital channels he thinks are the best for providing customer service and enhancing customer experience, and what strategies he thinks must be implemented by other technology leaders to enhance customer experience, he said, this in my view is to be seen from a KYC perspective. It is important to truly connect with the customer via Omni-channels which are most accessible and practically convenient to both the company and the customers. Key is to avail feedback mechanism at all customer touch points. For instance, an online service portal should provide means for feedback and complaints via one-click email, calls and text messages. Today, we are indeed spoilt for choice with smorgasbord of digital channels. We should make full use of a good mix of them as efficient and effective feedback channels for each differing business.

He highlighted, my takeaway is to acquire the art of learning how we learnt, so that past successful models of learning can be preserved and be applied for learning and extrapolating into innovations, especially the disruptive types.

Keeping a mind-set of constantly cannibalizing our propositions via new disruptive paradigms is the way forward, or others will do so up on us. We do not want to be the victim who wakes up one day and say in great astoundment, “who moves my cheese?” If that happens, it would be too late.