During the Malaysia Cyber Security Strategy (MCSS) launch, there had been a panel discussion of sorts whereby vendors and relevant security-based agencies spoke about their respective organisations’ experiences. Amongst all of them, was a lone panellist representing the user segment, who shared how his organisation approached cybersecurity and implemented it.
How should an organisation position cybersecurity for effective risk management, and what are the main criteria for success?
Axiata Group’s Chief Information Security Officer and Group Head of Privacy, Abid Adam, systematically approached this question and identified that it has two facets.
“How do you position cybersecurity as a function so it’s taken from top down, very seriously?” he repeated the first facet of the question and proceeded to share what has been working well with Axiata for the past 3 years.
“I will start with 3 key items. Firstly, what we have done is align cybersecurity with the organisation’s vision – meaning, cybersecurity is aligned with its core purpose, the reason for its existence.”
Alignment
According to Abid, Axiata’s vision is to be a new-generation digital champion. This can be translated to really advancing the region, using digital innovation and technology.
“If you go to our website, (you will see) that’s our core purpose, that’s why we exist.
“Now, if you take that as the cybersecurity team, and unpack that, we (the cybersecurity team) will ask the question: What role do we play in making that happen?
“When we unpacked that (question further), we came up with the vision that we want to inspire digital trust and confidence. That’s our vision from the cybersecurity team’s perspective.”
From this vision, the next action steps fell into place for Axiata: they came up with a 3-year rolling strategy called Digital Trust and, having concluded the first 3-year strategy covering 2018-2020, are now planning for the next three years, 2021 till 2023.
“So, that’s how it sort of aligns to what the organisation wants to do, and what we as a cybersecurity team are able to do for the organisation,” Abid explained.
Understanding implications
The second point is about understanding, identifying and communicating what is at stake and the implications to the organisation.
“This has the risk element to it, and that’s what the management gets engaged on, if you are able to converse with them,” Abid pointed out.
“Wearing my CISO and risk management hat, if like our organisation most other organisations are accelerating towards digitalisation to provide products and services through digital channels, then you can ask yourself the question: What are the things we can do to either protect the organisation, the brand reputation, customers….?”
Abid also wanted to point out that attacks like ransomware equate to downtime in business operations, and that the cybersecurity team has to consider what the organisation would do if it underwent a ransomware attack.
“You have to equate it in a language so it’s not just about a DDoS attack or a malware attack… these are just the reasons, but (you have to explain) what they mean to your organisation. That comes into your conversations about risk, and that’s a discussion we have at board level.”
Compliance
The last point is about compliance with regulatory requirements, and what Axiata has done is come up with an absolute minimum baseline security standard, called MBSS.
With operations in 11 different countries and differing maturity levels, the question they asked all these countries’ Axiata operations was: “What is the absolute minimum, non-negotiable baseline across all the countries we operate in?
“We made that as the going-in position, and on top of that is the data privacy requirements of the different countries.
“That gave us a good solid foundation to work on, and when we build new products and services to go to market, the go-to-market is (getting) faster and faster, because we have the core solid foundation sorted out,” Abid said.
Criteria for success
Abid shared that what worked well for Axiata was the tone and support from top management and leadership, and also change management with communication.
“When we started this journey, we went to the board and said that no matter what it has to be driven from the top.
For example, as part of the 3-year digital trust strategy, everybody from top management down to junior staff involved in the value chain has KPIs. “(That) includes our group CEO’s KPIs, which are endorsed by the board.”
Three specific KPIs were set out for (group CEO), the first being the minimum baseline standard for security. “With this, we said 100-percent compliance for all our crown jewel assets, non-negotiable. The second was that all new employees who are onboarded, must be trained in cybersecurity. This is also non-negotiable.”
The third KPI involved NIST maturity, that is, maturity measured against the NIST cybersecurity framework. With concerted effort at board level as well as from the group CEO, Abid said Axiata’s NIST maturity is now in the global average range (3.2 to 3.5) and ahead of the APAC region’s average.
On top of all this is the risk compliance committee, which meets at least 4 times a year for discussions that last at least 3 hours.
Tone from the top
Stakeholders like the group CEO, the CFO, and the CEOs of the respective countries Axiata operates in are at the table for these discussions. There would also be another board meeting chaired by the group board representative.
And what is the topic at all these meetings?
“Only cybersecurity and privacy-related matters. That is the amount of robust discussions we have, and sometimes 3 to 4 hours is not enough,” Abid said, adding that there are also the financial investments made in the last 3 to 4 years, which amount to about RM150 million, just to improve their detection and response capability.
“We made a strategic intent in 2018 that we will increase our ability to detect and respond,” Abid explained, pointing out that everything he shared was an example of the level of seriousness from the board of directors and of “the tone from the top.”
Abid advised that as a cybersecurity leader, one has to define what good looks like in the very early stages. “You have to have that thousand piece puzzle in your mind and take the organisation on that journey with you.
“Understand your strengths, and what you are not good at and need help with. Surround yourself with the right team members. Because cybersecurity is so broad that nobody can claim expertise in everything.”
He concluded with the reminder for cybersecurity leaders to communicate, and he emphasised the word three times, driving home the point that these leaders have to take the whole organisation with them on that cybersecurity journey.