
Facing Digitalization as Cyber Security Professional
Oliver Valentino, Head of Cyber Security Amar Bank


Digitalization has become the main theme for change these past few years. Currently, everything is either “as a code” or “as a service”. These changes happen because of a global pandemic that is affecting every aspect of our lives. By moving to digital space, a whole new risk is introduced to businesses around the globe.
Before the global pandemic happened, some companies already started their digitalization effort to gain an advantage over competitors. So, when digitalization is a must, a lot of people are already prepared to transform the business into a digital space. But what about cyber security? Are we ready?
Let’s look at what cyber security is all about. Penetration testing is where a manual security test is done at the end of development or once a year, and where every deployment has to be signed off. Tools administration is where a security engineer is assigned to each tool to administer it, and where the tools are expected to protect and monitor everything. We try to comply with, or certify our processes against, certain security standards. So, is this bad? Is this good? Or even, is this enough? And is there any problem with this setup?
The main problem with this arrangement is that security is not integrated with the business process. We, as security leaders, act as gatekeepers and that’s it. So, are we helping them to achieve the security standard? Or are we just becoming an obstacle?
Cyber security has to evolve. We need more cyber security professionals that understand we are in the same boat as the other team. We need to start bringing value to what the company thinks is important.
Here are a few things that we, as cyber security professionals, need to start doing:
Integrate Presence
We have to start integrating our presence into the business process. Not only as a gatekeeper but also as a navigator. Talk with your business and product team as early as possible. Initiate conversation, or ask to be involved as early as the ideation stage. State your concern regarding potential risk early on, and state that you need to be involved in the whole cycle, including penetration testing in the last phase, so they can plan accordingly.
Be involved in requirement preparation for the new product, giving security recommendations that serve developers as guiding posts while they develop their product, not as exact word-by-word limitations. By doing this, they can feel the cyber security presence as a friend instead of a blocker. We can help them navigate their development process toward a secure product.
Maintain the Same Speed and Agility
Security testing might take a long time to complete. Start adopting automation so that low-hanging fruit can be found easily and as early as possible. While manual testing will still need extra time, the cyber security team can plan so that the process is completed without taking too much time. The team can start understanding the product by studying its documentation. Have documentation on how you will conduct the test, and on what the product and development team will have to provide. Keep in mind that you want this test to be completed as fast and as smoothly as possible.
Maintain the Same Technology Standard
Developers and technology teams move at high speed in their research and technology adoption. We also need to learn and adopt these new and emerging technologies. While understanding them benefits us, it is also a huge benefit to the company. By keeping up with new technology, we can help the development process and guide the teams to adopt it securely. This can give the business an advantage in technology adoption and will affect the service to the customer. So, we need to prepare. Keep doing research in new and emerging technology, and conduct joint research with the technology team so that we share the same direction in technology research.
Have a complete vision of what you want to achieve
A security checklist or standard is a tool to help you achieve what you need. But sometimes this checklist is not really suitable for your organization. As a cyber security professional, you need to have a vision of what you want to achieve by implementing certain security standards. It is okay to challenge the list and ask whether this standard will bring us closer to our goals. You need to check off the whole list to gain the certification or conform to the standard, but by understanding what the list wants you to achieve, you don’t have to follow it exactly word by word; instead, show that by implementing certain controls, you can achieve the same result.
Understand that We are No Longer Confined by Physical Space
Companies are adopting remote working, the data center is no longer in the same building as the office, critical systems have moved to cloud platforms, and we are no longer building systems but subscribing to digital services. A lot of these operations are no longer confined by physical space. Cyber security teams have to understand this and start to change their point of view: the important thing to protect is data and digital access instead of physical access.
At Amar Bank, as the pioneer of digital banking in Indonesia, we prove our commitment to continuously maintaining our data and operational security. We always continue to develop technology on our digital platforms. To be able to ensure that all of our digital platforms or systems are safe, we will continue to acknowledge and be actively involved in the development phases so that we have good knowledge regarding these technologies. Then, we will provide relevant prevention or protection and ensure the security of Amar Bank and the users’ data.
