From 25 May this year, organisations across the ASEAN region will have to comply with the General Data Protection Regulation (GDPR), which applies to any company, wherever it is based, that collects the personal data of European Union residents.
In the run-up to the looming deadline, a number of technology suppliers have been touting the importance of identifying, managing and protecting the personal data of EU residents, using various data protection and management technologies.
While there’s no doubt that tech suppliers are helping to raise awareness in the market about the GDPR, taking a technology-centric approach to GDPR compliance will further accentuate the dangerous view that data protection is an IT and security issue, and not a business issue.
As we all know by now, data protection and cyber security aren’t merely technology issues. When businesses get fined for data breaches, they are the ones that will draw flak for putting their customers’ personal data at risk, not their legal or IT teams. In some cases, CEOs have even resigned after public backlash over data breaches that took place under their watch.
In a bid to sell their technology tools, some suppliers have over-simplified their messages to suit their offerings, sometimes without having a full understanding of data protection principles and the requirements under the GDPR.
Instead, data protection – and GDPR compliance for that matter – should be approached from a risk management and governance perspective, with technology tools as enablers, not solutions.
Data protection laws such as the GDPR are complex, and can impact a broad range of business roles, including legal, audit, HR and finance, not just IT. In achieving GDPR compliance, organisations should focus on getting these roles to work together in ongoing efforts to ensure governance, risk and compliance (GRC) across an organisation, and not be distracted by the noise in the marketplace.
At Computer Weekly, we strive to provide in-depth coverage of issues, challenges and trends facing today’s IT leaders through original, independent and targeted content.
To ensure that our stories meet the needs of our readers in the APAC region, we’ve formed our inaugural APAC CIO Advisory Panel, an independent body tasked with providing strategic advice to our editorial team.
Please join me in welcoming the founding members of the panel, senior executives from leading organisations across the region.
Eugene Yeo, Group CIO, MyRepublic
Eugene is group chief information officer at MyRepublic. His primary focus is on driving customer centricity and operational efficiencies across regional operations of the company, through the use of innovative technology and efficient business processes.
Combining his experience in enterprise software development with a deep understanding of ISP operations, he leads the development of customer-centric, agile OSS/BSS platforms and operational processes that allowed for the stratospheric growth of the company across the Asia-Pacific region.
He is a regular keynote speaker at TM Forum events globally, and sits on the advisory panel of various startups and educational institutions across the region.
Dr Kwong Yuk Wah, CIO, NTUC
Yuk Wah is the chief information officer of Singapore’s National Trades Union Congress (NTUC). She is also the chief data protection officer of NTUC, its affiliated unions, as well as the Ong Teng Cheong Labour Leadership Institute.
Under her leadership, NTUC was a winner of the National Infocomm Awards (NIA) 2014 for the most innovative use of infocomm technology in the private sector. She was awarded the ASEAN CIO Award 2015.
Yuk Wah also worked in Singapore’s public sector, where she started her career at the National Computer Board and held various management positions at the Infocomm Development Authority. She was also vice president of planning at Singapore Airlines.
Lee Kee Siang, CIO, National Library Board
Kee Siang is the chief information officer and director for resource discovery and management at Singapore’s National Library Board (NLB).
As the CIO of NLB, he provides leadership in formulating IT strategies and work plans to transform NLB’s service capabilities. He also sets direction for the design and implementation of organisation-wide IT policies and standards to ensure alignment of service outcomes, strategies and resources at all levels.
Kee Siang is also a member of the Technology Advisory Committee of the Casino Regulatory Authority of Singapore, NHB Digital Resource Panel and Honorary Auditor of the IT Management Association.
Manik Narayan Saha, CIO, SAP Asia Pacific and Japan (APJ)
Based in Singapore, Manik leads a global multinational and multicultural IT organisation. As part of the senior leadership team in APJ, he is responsible for SAP’s internal IT services to 28,000+ staff in the region.
With 19 years of experience and expertise in technology, Manik is a prominent keynote speaker at events, and provides thought leadership on a wide range of topics ranging from IT Strategy, artificial Intelligence, digitalising operations, process excellence and enterprise innovation.
Manik is a member of the INSEAD Alumni Network and a Regional Ambassador of the INSEAD Directors Network for Singapore. He was also a founding fellow of Ideation Edge Asia, a non-profit organisation, and currently serves as one of its vice-presidents.
Nigel Lim, Regional IT Manager
Nigel is regional IT manager (Asia & Oceania) at one of Japan’s largest trading companies. His division is responsible for managing the regional portfolio of IT programmes and projects as well as governance and compliance. He also leads the company’s consulting practice.
In previous roles, he has been accountable for various portfolios of IT including service delivery, application support, infrastructure operations and compliance.
Nigel is a Chartered Fellow of the Chartered Management Institute, UK, and has more than a decade of experience managing IT. An energetic visionary, he is passionate about organisational excellence and delivering sustainable value.
Gary Adler, Chief Digital Officer, MinterEllison
Gary has had 19 years of IT experience, with 10 years in senior management roles. He has a finance and accounting background but made the move to IT in the late 90s, initially focusing on infrastructure. Gary has worked in the investment banking, insurance, mining and professional services sectors in both Australia and the UK.
In recent years, Gary played a lead role in the technology strategy which successfully brought together the global merger of Australian firm Freehills and UK and Asian firm Herbert Smith, before moving to lead Australian firm, MinterEllison in mid-2015.
Over time, his focus in IT has varied from managing technical portfolios to enterprise-wide strategy and planning roles. As Chief Information Officer, and more recently Chief Digital Officer, Gary’s focus at MinterEllison has been on bringing a new legal operations model mindset to ‘Big Law’ via emerging technologies such as data analytics and AI to streamline delivery of legal services to the firm’s clients and workforce.
With more businesses expecting enterprise-grade mobile devices to last longer than the average consumer smartphone replacement cycle, keeping those devices secure is a growing challenge.
According to a survey by Zebra Technologies, 51% of businesses want their mobile computers to last more than five years, and some of those devices are still powered by legacy “green screen” Telnet-based systems or Windows mobile operating systems.
Getting support for these older operating systems is next to impossible, given that those systems have reached their “end-of-life” where software and security updates are no longer provided.
Even for a modern mobile operating system (OS) such as Android, security updates usually end after three years – well short of the five or more years that enterprises need. This gap between OS and hardware lifecycles can create an exposure to ever-present security risks, said April Shen, director of enterprise visibility and mobility at Zebra Technologies Asia-Pacific.
While some enterprises may look to replace their mobile devices with newer ones to take advantage of the latest – and more secure – versions of operating systems, some may be reluctant to do so, given that many enterprise-grade mobile devices are built to be rugged and hence can last longer.
So what can enterprises do? Like companies such as Rimini Street that provide third-party support services for enterprise software, Zebra Technologies, through a product called LifeGuard, delivers regular security patches on a monthly or quarterly basis.
“All security updates that we release also come with detailed release notes that share guidance on the specific vulnerabilities being addressed as well as detailed installation instruction,” Shen said. “All of this has resulted in a unique, industry-leading level of OS security support.”
But that does not mean that all of LifeGuard’s security patches, which address various threat severity levels, need to be applied all the time. Shen said businesses should evaluate the patches in accordance with their IT policies to determine if the patches are required.
“We also understand that software updates may carry a certain level of functional risk. For example, customers may want to assess the individual vulnerabilities addressed in each release, as they may already have taken steps to mitigate some of these vulnerabilities through measures (such as application white listing and lock task mode).”
Of course, there will come a time when enterprises will need to replace their devices for good. That will set off a chain of tasks such as porting existing apps to the new devices and operating system, and testing the apps before deploying them.
Shen said because LifeGuard continues to provide legacy OS security support for one year in the form of quarterly updates, enterprises will have enough time to migrate to the newer OS smoothly and securely.
The catch is that LifeGuard is only available for newer Android-based devices from Zebra. Legacy products may have LifeGuard support or only a lesser security support profile.
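The gap described above between hardware life and OS security support only becomes manageable once you can see it across the fleet: which devices report a security patch level at all, how old it is, and which builds fall below the minimum release your policy accepts. The script below is an added example for this post, not Zebra’s LifeGuard tooling or code from the article. It assumes an inventory of `adb shell getprop` dumps (or an MDM export in the same `[key]: [value]` form) and relies on the standard Android properties `ro.build.version.release` and `ro.build.version.security_patch`; the device names, the patch dates and the policy thresholds (90-day maximum patch age, Android 7.1 minimum) are constructed assumptions, not figures from the article.

```python
"""Flag mobile devices whose Android security patch level has gone stale.

Added example; not Zebra's or Computer Weekly's code. Inventory format,
device ids, dates and policy thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# getprop prints one "[name]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", re.MULTILINE)

# Constructed sample inventory, one getprop-style dump per device.
SAMPLE_INVENTORY = {
    "TC51-001": "[ro.build.version.release]: [7.1.2]\n"
                "[ro.build.version.security_patch]: [2018-01-05]\n",
    "TC51-002": "[ro.build.version.release]: [7.1.2]\n"
                "[ro.build.version.security_patch]: [2017-06-01]\n",
    "MC33-010": "[ro.build.version.release]: [8.1.0]\n"
                "[ro.build.version.security_patch]: [2018-03-05]\n",
    "MC40-003": "[ro.build.version.release]: [4.4.4]\n",  # legacy build, no patch level
}


def parse_getprop(dump: str) -> dict[str, str]:
    """Turn a getprop dump into a {property: value} mapping."""
    return dict(PROP_RE.findall(dump))


def release_tuple(release: str) -> tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in release.split(".") if p.isdigit())


@dataclass
class Finding:
    device: str
    release: str
    patch_level: str | None
    patch_age_days: int | None
    issues: list[str] = field(default_factory=list)


def assess(device: str, props: dict[str, str], today: date,
           max_patch_age_days: int = 90,
           min_release: tuple[int, ...] = (7, 1)) -> Finding:
    """Apply the (assumed) patch policy to one device's properties."""
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch")
    finding = Finding(device, release, patch, None)
    if not release or release_tuple(release) < min_release:
        finding.issues.append(f"release {release or '?'} is below the policy minimum")
    if patch is None:
        # Builds without a patch level predate monthly Android security bulletins
        # or come from a vendor that does not set the property: treat as unknown.
        finding.issues.append("no security patch level reported")
        return finding
    try:
        age = (today - date.fromisoformat(patch)).days  # patch level is YYYY-MM-DD
    except ValueError:
        finding.issues.append(f"unparseable security patch level {patch!r}")
        return finding
    finding.patch_age_days = age
    if age > max_patch_age_days:
        finding.issues.append(
            f"patch level {patch} is {age} days old (limit {max_patch_age_days})")
    return finding


def audit(inventory: dict[str, str], today: date, **policy) -> dict[str, Finding]:
    """Assess every device and return findings keyed by device id."""
    return {dev: assess(dev, parse_getprop(dump), today, **policy)
            for dev, dump in inventory.items()}


def audit_sample(today_iso: str = "2018-04-01") -> dict[str, Finding]:
    """Run the audit over the constructed inventory as of an assumed date."""
    return audit(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for dev, f in audit_sample().items():
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{dev}: Android {f.release or '?'} patch {f.patch_level or '?'}: {status}")
```

A device with no issues is not necessarily safe: as the article notes, each patch release should still be read against the vulnerabilities it fixes and the compensating controls (application whitelisting, lock task mode) already in place. The script only tells you where the fleet has drifted from the policy you set, which is the input that conversation needs.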
Singapore Airlines (SIA) has been on roll lately with a slew of announcements that it hopes will cement its position as a leading carrier amid stiff competition from premium rivals and low-cost carriers alike.
Last week, SIA said it would launch the world’s first blockchain-based airline loyalty digital wallet app that will unlock the value of miles accumulated by customers in its KrisFlyer frequent flyer programme.
When ready, the digital wallet app, which has been tested in a proof-of-concept exercise with KPMG and Microsoft, would enable KrisFlyer members to spend their miles at participating merchants. The app will ride on an SIA-owned private blockchain involving only merchants and partners.
Hailing the digital wallet as ground-breaking, SIA’s CEO Goh Choon Phong said the initiative is a “demonstration of the investment we are making to significantly enhance the digital side of our business for the benefit of our customers”.
Under SIA’s recently unveiled Digital Innovation Blueprint, the airline hopes to become the world’s leading digital airline, supported by partnerships with Singapore’s key research institutions, universities and government agencies.
But more than just spurring digital projects and driving innovation, as most such blueprints entail, SIA’s digital transformation programme is focused on building an open innovation culture across the company through staff involvement, and on supporting employees through digital training in areas such as digital innovation, design and agile methodologies.
A digital innovation lab is also being set up to enable staff to work with innovative companies including start-ups, established incubators and accelerators, to stimulate new ideas and facilitate collaboration in a creative environment.
Such efforts are laudable, as digital transformation requires a major shift in employee mindset and organisational culture, which can be difficult to achieve especially for one of the world’s top airlines that has a lot more to lose should things go south.
Whether SIA can truly become the world’s leading digital airline remains to be seen, but one thing is clear – by putting employees at the centre of its digital transformation blueprint, rather than spewing buzzwords like IoT and AI as some others have done, the airline is setting itself up for success.
Despite recent advancements in deep learning, which has its roots in neuroscience, it is not the dramatic breakthrough in artificial intelligence that it is sometimes portrayed as.
That was the key point made by Tomaso Poggio, a renowned professor at MIT’s department of brain and cognitive sciences, and artificial intelligence laboratory, at the EmTech Asia conference in Singapore this week.
Poggio argued that many of the concepts behind deep learning were developed in earlier decades, and that for artificial intelligence to achieve the next breakthrough, we would have to solve the problem of understanding how the human brain works. “That goes beyond deep learning,” he said.
Machine learning and deep learning, for example, are still based on the premise that machines learn from large datasets to solve a problem, answer a question or perform a task. Human learning, however, does not require one to look at even dozens of images to learn what an object is for the first time.
“There must be the ability to synthesise programmes on the fly based on a set of small routines,” Poggio said, adding that his team will be exploring this research area using neuroscience and cognitive tools over the next five years.
Besides the research community, private sector companies such as Google are also looking into the possibility of having machines learn from smaller datasets, or even from a single example.
“If you’ve seen something just once in the morning, you’ll definitely be able to recognise it again, but machines have a hard time doing that,” said Oriol Vinyals, research scientist at Google DeepMind.
When applied in real-world settings, Vinyals said this would allow a robot, for example, to process its environment and perform an action without codifying all the possible actions that it can take.
In this guest post, Prakash Sadagopan, director of field systems engineering at F5 Networks Asia-Pacific, discusses mobile security issues and what enterprises can do to stay secure.
The boom of mobile applications—whether it is for ride sharing or couch surfing—has superseded traditional services and revolutionised convenience, as we know it. This is especially prevalent in Asia Pacific, home to over half of the world’s mobile subscribers. Asia is also leading the charge in mobile app revenue, with the figure expected to increase to $57.5bn by 2020.
Replacing traditional with unconventional
A dynamic playground for mobile apps, the sharing economy has nestled itself into almost every corner in the region—and it makes no differentiation, be it an emerging market such as Indonesia, or an established economy such as Singapore.
In Indonesia, home care portal Seekmi connects individuals to professional services at the touch of a button. With a platform of over 250,000 listings and a fleet of 5,000 service vendors, Seekmi provides a wide array of on-demand services including photography and plumbing. Last year, it raised multi-million dollar funding and made plans to expand its services across more cities.
In Singapore, we regularly see Uber Eats riders on their oBikes and Mobikes, completing their trips and delivering an assortment of food to their customers. These riders have no stake in any of the businesses—from the restaurants, or their mode of transport—but provide an ever so popular service. Today’s sharing economy has evolved to a point where jobs can be created, and completed, all just by owning a single app.
The underlying danger of DDoS
These success stories are a testament to the prowess of the sharing economy, which is quickly gaining traction across the region due to the speed and convenience it delivers. However, our increasing reliance on apps might also lead to our downfall. Consumers willingly offer personal information to shave off precious minutes of waiting. This is great, until they realise that the sharing economy also means an entire ecosystem of authenticated devices and data that are interconnected—a treasure trove for cyber criminals.
DDoS attacks caught the world’s attention with the Mirai botnet, whose 2016 attack on DNS provider Dyn left sites such as Amazon, GitHub, PayPal, Reddit and Twitter unreachable for many users for hours. If DDoS can so easily take out large websites, one can only imagine the havoc it will cause if and when apps such as Uber, oBike and Seekmi are suddenly made unavailable.
Our dilemma: safety or convenience?
Connectivity is a double-edged sword today: it enables the level of convenience in our lives, and yet provides cyber criminals with a platform for exploitation. The benefits the sharing economy brings to improving one’s standard of living are endless.
However, sharing economy apps deliver that convenience by uploading customers’ personal information, such as gender, age, interests and even credit card details, to the cloud for data analysis and service improvements.
So what happens when enterprises face the unexpected wrath of a DDoS attack? Enterprises lose revenue in reduced web traffic and have to bear the high costs of remediation process. More severely, customers who once trusted enterprises would view the organisations as unreliable. In our information overload age, it only takes one website crash to send customers running to another vendor.
The key to keeping safe
Convenience is the biggest motivator in an increasingly impatient world. It is worrying that users of sharing apps surrender their credit card information and passwords too readily. Now more than ever, businesses need to strengthen their stance against DDoS. It may seem to be a daunting task; however, a practical first step could be to cultivate a culture of awareness.
Cyber security is slowly but surely becoming a priority for many organisations, especially in the wake of recent events, including oBike’s as well as AXA’s data breach. Yet, IT continues to struggle to gain a foothold in boardroom discussions and drive the point that proactive cyber security strategy is a necessary investment.
Given the option between building on an existing security framework and investing in business ventures, it is almost a no brainer for executives to choose the latter. A Ponemon report on APAC app security finds that only 17% of IT security budgets are dedicated to app security. The one real change enterprises have to make is recognising that a breach could happen at any time, and that the losses it brings extend well beyond the monetary.
With the right mindset comes the right steps to security. Enterprises should bear in mind that security monitoring and observations are imperative. From prioritising what needs protection to ensuring your IT programme timely and effectively identifies security breaches, every step counts towards a safer future for a business.
Enterprises should also carry out active measures to protect both end users and businesses, starting from digital hygiene practices. This can range from password renewals every six months (although current guidance such as NIST SP 800-63B favours changing passwords on evidence of compromise rather than on a fixed schedule) to conducting regular patching exercises. Deploying web application firewalls (WAF) also protects web applications and application programming interfaces (APIs) against a variety of attacks, notably injection attacks and application-layer denial of service.
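Application-layer denial of service is cheaper for the attacker than a volumetric flood because each request is a legitimate-looking HTTP call that still costs the backend a database query or a search; a WAF or rate limiter has to spot it from request behaviour rather than packet volume. The script below is an added example for this post, not F5’s code and not part of the original article. It assumes access logs in the Apache/nginx “combined” format and treats the window length and request limits as operator-chosen policy values; the IP addresses, endpoints and timings in the sample log are constructed. It keeps a per-client sliding window (a single source hammering the app) and an aggregate window (a distributed flood of the Mirai kind, where no single IP crosses the per-client limit), because the per-client check alone misses the second case.

```python
"""Detect application-layer (L7) request floods in web access logs.

Added example for this post; not F5's code and not from the article.
Assumes combined-format access logs; thresholds and sample data are
assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def _trim(window: deque, now: datetime, span: timedelta) -> None:
    """Drop timestamps that have fallen out of the sliding window."""
    while window and now - window[0] > span:
        window.popleft()


def detect_floods(lines, window_seconds=10, per_client_max=20, aggregate_max=100):
    """Scan log lines in time order and return a dict of alerts.

    alerts["clients"] maps each offending IP to (first timestamp over the
    limit, requests in window at that moment); alerts["aggregate"] is the
    same pair for total traffic, catching distributed floods where no
    single IP crosses the per-client limit. Unparseable lines are counted,
    never silently dropped, because a parser gap is itself worth knowing.
    """
    span = timedelta(seconds=window_seconds)
    per_client: dict[str, deque] = defaultdict(deque)
    aggregate: deque = deque()
    alerts = {"clients": {}, "aggregate": None, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts["unparsed"] += 1
            continue
        now = rec["ts"]
        q = per_client[rec["ip"]]
        q.append(now)
        _trim(q, now, span)
        if len(q) > per_client_max and rec["ip"] not in alerts["clients"]:
            alerts["clients"][rec["ip"]] = (now, len(q))
        aggregate.append(now)
        _trim(aggregate, now, span)
        if len(aggregate) > aggregate_max and alerts["aggregate"] is None:
            alerts["aggregate"] = (now, len(aggregate))
    return alerts


def build_sample_log() -> list[str]:
    """Constructed sample: one normal client, one flooding client, one bad line."""
    base = datetime(2018, 1, 15, 10, 0, 0, tzinfo=timezone(timedelta(hours=8)))

    def line(ip, ts, path, status=200, size=512):
        return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
                f'{status} {size} "-" "Mozilla/5.0"')

    events = []
    # Normal user: five requests spread over a minute.
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        events.append((ts, line("198.51.100.4", ts, f"/rides/{i}")))
    # Flooding client: 30 requests to a search endpoint within five seconds.
    for i in range(30):
        ts = base + timedelta(seconds=i // 6)
        events.append((ts, line("203.0.113.7", ts, "/api/search?q=*", 503, 0)))
    events.sort(key=lambda e: e[0])  # logs are consumed in time order
    return [text for _, text in events] + ["garbage that is not an access-log line"]


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

With the defaults, only the single flooding client is reported; lowering `aggregate_max` shows the second check firing on the same traffic, which is the signal to fall back to upstream scrubbing or a WAF rate rule rather than blocking individual IPs.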
Lastly, enterprises should adopt a cyber security infrastructure that creates on-going conversations across all business units and functions. This will ensure a varied and multi-faceted opinion in identifying critical vulnerabilities in security and building towards a more robust secure strategy in an enterprise. Simple yet effective, these measures could save you a trip to the emergency room and help keep sharing safe.
Software and silicon design company Synopsys has just published an interesting report that classifies chief information security officers (CISOs) into four archetypes or what it calls “tribes”.
Through in-person interviews with 25 CISOs from some of the world’s largest firms, such as Facebook, Goldman Sachs, Cisco and Starbucks, Synopsys grouped CISOs into different tribes based on whether their organisations viewed security as enablers, technology, compliance or cost centres.
Each tribe demonstrates specific characteristics or “discriminators” that fall into three domains: workforce, governance or controls – equivalent to the clichéd phrase, people, process and technology.
In Synopsys’ model, membership in one tribe is mutually exclusive with membership in other tribes. Each of the 25 CISOs fits into one of the four tribes, although he or she may share common discriminators with those in another tribe.
Tribe 1: Security as enabler
Organisations in this tribe are the most mature of the lot in their approach to security. Far from being a cost centre or a compliance checkbox, security in Tribe 1 is seen as a pathway to good business. They take a business-focused approach towards security, which isn’t seen as just a technical issue. Compliance is viewed as a planned effect. CISOs in this tribe also get in front of the problem by influencing the standards by which they will be judged.
Tribe 2: Security as technology
CISOs in this group typically begin their careers as technologists and tend to turn to technology to solve every security problem. They also try to understand the business, but have not reached the “senior executive gravitas” of Tribe 1. Their penchant for problem-solving also leads them to take on the toughest business challenges on their own rather than delegating tasks.
Tribe 3: Security as compliance
Although compliance requirements can get organisations to do something about security, they have a tendency to foster a checklist mentality, where security is viewed as yet another box to be ticked. Compliance has repeatedly been shown not to be a panacea for every security problem, and it certainly can’t keep out determined hackers. Yet organisations in this tribe continue to under-invest in security in spite of compliance requirements.
Tribe 4: Security as cost centre
Organisations in this tribe may not even have CISOs. Their security leadership may exist down the pecking order or in middle management. Because security is seen as a cost centre, it “never drives budget creation and in some sense has a thick glass ceiling imposed on it”. It’s a tough job for security professionals in organisations that belong to this tribe where security is viewed in the same vein as the IT helpdesk.
In its report, Synopsys did not reveal the number of CISOs in each tribe, but it fears that “Tribe 4 may be very large, meaning there’s plenty of room for security improvement in the world”.
What type of CISO are you? Tell us more in the comments!
Hyundai, along with a handful of key investors, is pumping more money into Grab, Southeast Asia’s largest ride-hailing service, in an effort to bring its mobility services to the region.
The South Korean car maker is already dabbling in car-sharing on its own in the US, Netherlands and Austria, where its Ioniq electric vehicles are available for rent in major cities such as Amsterdam and Vienna.
Hyundai did not reveal how much it is investing in Grab, which it will be working with to develop a new mobility service that will make use of its Ioniq vehicles. Other investors in this Series G funding round – Grab’s largest so far – include China’s ride-hailing giant Didi Chuxing, SoftBank and Toyota Tsusho.
Grab operates the largest ride-hailing network in Southeast Asia and is one of the most frequently used mobile platforms in the region with over 3.5 million daily rides. The Grab app has been downloaded onto over 77 million mobile devices, giving passengers access to the region’s largest land transportation fleet comprising over 2.3 million drivers.
This latest round of investment by industry bigwigs should bolster Grab’s position in Southeast Asia where it competes with key rivals such as the embattled Uber in markets like Singapore and Malaysia, as well as Go-Jek in Indonesia.
It also comes at a time when interest in ride-hailing and car-sharing is growing, particularly in Singapore where a new electric car-sharing scheme called BlueSG was launched with much fanfare in December 2017.
Besides offering ride-hailing services and possibly a car-sharing programme in future through the Hyundai partnership, Grab has also partnered with self-driving startup nuTonomy in a driverless car trial in Singapore.
Elsewhere in Asia, China’s Baidu has reportedly developed its own self-driving Apollo platform that has been undergoing testing in cars on public roads since late last year.
Some 20 teams of cyber security industry professionals and tertiary students in Singapore pitted their skills against one another in a competition aimed at plugging the cyber security skills gap in the city-state.
Conducted in December 2017, the Ixia Cyber Combat competition saw participants from industries including financial services, technology, government and education take down enemy servers, expose vulnerabilities and win flags, while defending their home ground against enemy attacks.
More importantly, the competition had exposed the participants to a range of new tools and situations that they can take back to their organisations.
The team that won the gruelling 12-hour challenge were from Wizlynx, a Switzerland-based cyber security service provider.
“It was a stressful but fun experience,” said Ang Guo Gen, a Singapore Institute of Technology undergraduate and intern at Wizlynx. “On the defence side, we were only given a Fortinet firewall and Splunk to do some analysis of our environment. I also looked at the logs to try and understand what was happening, did some tests and made some guesses which turned out to be right.”
On the offensive side of things, Ang, whose team mate was Wizlynx senior security consultant Linh, managed to find all 20 enemy targets that he was supposed to find. “In the end, we came from behind and took the show.”
Ixia Cyber Combat follows efforts by others in the cyber security industry to groom more cyber security talent.
In July 2017, Singtel launched a portal to provide information on career paths and showcase the efforts involved in fending off cyber attacks. Visitors to the portal will also get a chance to test their skills in cyber challenges that will assess their understanding of cyber security terms, concepts and operational principles.
Those who fare well will be invited to Singtel’s Cyber Security Institute to hone their skills in cyber war games conducted on four weekends a year, and get a chance to be mentored by cyber security experts.
According to the Cyber Security Agency, which also organises an annual cyber security exercise for critical sectors such as finance, transport and government, Singapore’s demand for cyber security professionals is expected to grow from 4,700 in 2015 to 7,200 in 2018 and 9,700 in 2021.
In February 2017, the government-led Committee on the Future Economy called for Singapore to shore up its expertise in data analytics and cyber security as part of efforts to build strong digital capabilities in its economy.
The government has since accepted the committee’s recommendations, and has started recruiting and building cyber security talent through Singapore’s military conscription programme.
A vote by the US Federal Communications Commission (FCC) to repeal the net neutrality rules spearheaded by the Obama administration was largely met with disdain by internet companies and users.
Proponents of these rules often claim that blocking or discriminating against internet traffic limits consumer choice, hampers innovation and goes against the principle of a free and open internet.
Those on the opposing fence, mainly telcos and internet service providers (ISPs), have argued for their right to optimise finite network resources and charge over-the-top (OTT) service providers for traffic that passes through their networks. Video streaming services, for one, account for a large part of web traffic.
Singapore’s net neutrality stance appears to have struck a compromise on both sides of the net neutrality debate.
In a white paper published by the then Infocomm Development Authority (IDA) in 2011, ISPs and telcos in Singapore are not allowed to block legitimate content. Nor can they impose discriminatory practices that could render any legitimate content effectively inaccessible or unusable.
While telcos and ISPs in the city-state can still throttle traffic, IDA said “traffic management practices that are found to be anti-competitive or to harm consumer interests will be dealt with on a case-by-case basis”.
Service providers are also allowed to offer specialised or customised content, applications and services based on commercially negotiated arrangements. This has enabled telcos to partner with OTT service providers such as Netflix and Spotify to offer add-on services for consumers without any degradation in user experience.
Singapore’s net neutrality stance has enabled telcos and ISPs to benefit from the growing popularity of OTT services, keeping them invested in efforts to improve their networks and offer a wider variety of services for consumers.
It is thus heartening to know that the Infocomm Media Development Authority (IMDA), formed from the merger of IDA and the Media Development Authority in 2016, has said that it would not change Singapore’s position on net neutrality, which together with its licensing approach, has kept the telcos on their toes and brought new services and operators to market.