Endgame with Gita Wirjawan - Pei Yuen Wong: Cybersecurity, Down But Not Beaten
Episode Date: August 3, 2022Keamanan siber adalah perlindungan yang sangat dibutuhkan untuk menjaga dan mempertahankan kerahasiaan (confidentiality), integritas (integrity), dan ketersediaan (availability) informasi elektronik a...tau Sistem Elektronik. Lalu, apa endgame dari kemanan siber? Pei Yuen Wong CTO dari IBM Security untuk Asia Tenggara, Australia, Selandia Baru, and Korea, bicara tentang pentingnya prinsip “zero-trust” dan resiliensi dalam menghadapi ancaman siber. Pei Yuen Wong adalah pimpinan senior di bidang bisnis dan teknologi dengan pengalaman lebih dari 20 tahun dalam R&D Pertahanan, Pemerintah dan Sektor Keuangan, serta keahlian di bidang Security Architecture, Security Programme dan Portfolio Management, Offensive Security, SOC Operations, Governance, Risk Management & Compliance. Saat ini, Pei Yuen berperan aktif dalam transformasi keamanan siber untuk melindungi organisasi dari ancaman siber dengan memanfaatkan inovasi dalam teknologi keamanan siber. #Endgame #GitaWirjawan #cybersecurity -------------------------- Pre-Order merchandise resmi Endgame: https://wa.me//628119182045 Berminat menjadi "policy leaders" berikutnya? Hubungi: admissions.sgpp.ac.id admissions@sgpp.ac.id https://wa.me/628111522504 Playlist episode "Endgame" lainnya: https://endgame.id/season2 https://endgame.id/season1 https://endgame.id/thetake
Transcript
Discussion (0)
What exactly is the end game for cybersecurity?
Where exactly are we heading cybersecurity?
Are we heading for zero bridge?
Is that the end game?
That means we make sure we are, we will never be breached.
But being bridge doesn't mean we have to be beaten or we have to be down.
So it's really about cyber resilience that we are talking about in today's climate.
So what if you are breached? We can still survive.
This is end game.
Hello, friends, today we're coming Pei Yuan Wong.
He was CTO for IBM, for ASEAN, New Zealand, Australia, and Korea.
Tentuneiorea, is one of one of the company that's cool
for the technology and line-line.
Pei-youan, thank you so much for coming to our show.
Thank you for having me.
I want to hear a lot of things from you.
today but to start off uh i want to ask you you know about where you grew up and how you grew up
and how you got interested in in the field of cyber uh eventually which is what you're doing now
tell us thanks thanks thanks thanks for that yeah so i'm kyan i'm um i'm a singaporean i grew up in
under the singapore education system which is a very i'll say it's a good system which brought me to wear
today. I had a degree in computer science. But since then, I also, because of circumstances and
then my results, I actually also managed to secure a Ministry of Defense scholarship. So after
graduation from the National University of Singapore, I actually went on to DSO National
Laboratories. And that's where I started my career in computer security. I was working in
the computer security lab doing cybersecurity research. And that is where all my
real and cyber security, how it started.
So during my DSO days, I actually managed to do a lot of things from a data security standpoint,
how to secure systems, and then how systems can break as well easily.
So I carry on from there, and then one thing leads to another and now with IBM, the CTO,
really looking at how cyber security and the technologies involved in the different dimensions
and services involved can actually help corporations, enterprises and the world at large,
including consumers, to really secure their systems in the corporations as well as at home as well.
Of all the sectors that have been prone or vulnerable in terms of cyber, you know,
if I read, it's mainly the financial services, right?
and after that, you know, it's the manufacturing.
How do you see the treatment from a cyber standpoint
with respect to each different sector?
Is there a common denominator or each sector is very different from the other
for cyber security protection purposes?
I think at the core of it, cyber security,
the core dimensions are the same, is always about protecting the CIA, the confidentiality,
integrity as well as the availability of IT system.
The financial industry has always been among the top sectors for tax by criminal, because it is where the money is.
Be it the transaction system, the payment system, credit card systems, as well as consumer data,
a lot of data actually sits within the financial sector.
I think said that in recent years, because criminals have started to see how by disrupting the supply chain,
it can actually cause even more widespread havoc with the entire ecosystem.
So they have started to also target the manufacturing sector. So in fact, in 2021, the manufacturing sector has become one of the most,
the top target of attack outpacing the financial sector, because criminals have started to see that by disrupting the manufacturing sector,
it actually caused supply chain worldwide to be disrupted.
So I think, however, at the core, at the core of cybersecurity,
is always about protecting the confidentiality, integrity, and availability of data.
So as an example of a supply chain attack that has got disrupted the world over,
so sometime last year there was an attack on the US pipeline, for example.
It actually caused real world impact to constantly.
consumers on the ground, it has actually caused gasoline prices in US to actually increase by 10%.
So by attacking the supply chain, by attacking the actual pipeline, through the use of ransomware,
it actually caused real world impact to consumers on the ground. So cyber security is really a real world problem
that really has a widespread impact on people like UN. It's not just on enterprises. You may hear about it in the news,
but actually it has real impact on the individual as well.
You know what's amazing is that as much as you aptly pointed out,
it's in the top of the minds of the criminals or the bad guys.
Conversationally, it's not in the mindset of lots of leaderships of organizations.
There are exceptions, but I could generalize, I think, for the most part or for many parts,
not a lot of guys out there are talking about this as a risk.
You know, when you meet with them, they only talk about what numbers you're trying to achieve
at the end of the year, at the end of the quarter, at the end of the semester and stuff like that.
It doesn't come out, you know, in that cyber is actually a very essential.
part of the day-to-day business that they need to look after and try to mitigate the risk of.
Why is that or how do we deal with that? I'm just curious.
I think it really depends on the industry and that we are in.
I think in a lot of the regulated industries, for example, the financial industry,
I think these conversations about cybersecurity are taking place at the board level in terms of cyber risk is usually now also regarded as an operational risk.
that really cause and amongst the regulated industries,
these are actually thought of mind amongst some of these C-Suit shareholders.
I believe what you are referring to is across many other industries
where cyber security is really just sort of like a cost of business.
If they think about it, otherwise it would be really something that is at the back of their mind.
They don't really think about it.
But having said that, increasingly there are more people who are because of breaches that has been happening.
So just to cite an example, even an ice cream company, a company that is selling ice cream,
because of a data breach, they actually cause millions of customers' data to be lost.
And therefore, now they are very into cybersecurity because they need to regain their reputation
and also make sure, which is why they are actually asking for the right kind of cybersecurity certification
from national authorities to make sure that people regain confidence in their ability to protect consumer data.
This is true, for example, loyalty points and so on,
where you really have your private data submitted to the company.
So I think increasingly there are people are giving awareness.
I think it also requires a lot of concerted effort across the board
through the government, through consumers themselves
who need to be mindful why are they submitting certain info and data to,
you know, for example, for a lucky draw.
How likely is it to win that particular car versus how likely is it for you for the data to be lost through a data bridge?
I think the odds are almost equal now.
If not worse off, because it's a lot easier for you to lose the data than to win that lucky draw price.
So I think the good thing is that really people are more attuned to the fact that cyber bridge is real.
But there's more work that needs to be done across the board by many different stakeholders.
I'm of the view that it's way underrated.
Yeah.
Right?
I think it needs to be brought up.
At the very least, conversationally.
Yeah.
You know, at any level of the organization.
Right.
And I want to ask you this because when I looked at the report,
I was shocked when I saw that there would have been about 1.6 billion attacks on Indonesia
alone in the year, I don't know, 2020 or 2020.
That's a staggering number.
I mean, if there would have been 1.6 billion attacks on individuals or companies in this country,
why is it that people don't talk about it as much as I think they should, right?
Okay, so as you rarely point out, especially because of the pandemic.
In Indonesia, for example, the number of attacks posed.
pandemic is actually about four to five times more than pre-pandemic.
So I think because of the effect of the pandemic where there's a huge push towards digitalization
by corporations, as well as the consumers themselves now needing to work from home, having
access to routers and VPN and so on and to really access to corporate data through, but when
they are still at home. I think this really sort of excavated the problem. But why are they
people not talking about it? Because I think a big factor is really because they are, they themselves
are not affected. They hear about all these breaches. They appear in the news, but it's always to other
people. They themselves are not affected yet. But having said that, actually, the truth of the matter
is really that most people would have been affected by some breaches. Why is that so? Because if, for example,
a particular corporation has been breached and data has been leaked to cyber criminals.
That data, even though is breached because of lapses in a particular corporation,
but the data actually belongs to you and me.
Because if you have submitted the data, for example, in 2018 in Singapore,
there's actually a breach in the healthcare system.
those data actually belong to the Singaporeans
and these kind of breaches actually happen
to other parts of the world and other jurisdictions as well
so I think but the effect and the impact of those breaches
are still not felt as much yet
because we do know that our data is out there anyway
but it doesn't impact them so much yet
because their money is not lost they are still
even though the data healthcare data is lost but they are
not really impacted by any much
I think that's the key issue that we need to deal with.
You know, I want to follow up on,
I think it's important to underline the point that
the reason that it's not surfacing
to the conversations of as many people as we think it should be.
It's not just because the top guys don't pay premium
on this as much as they should.
But I think the middle and the level,
lower people, they may not know that they would have been inflicted.
I wouldn't know if I might have been inflicted.
Maybe my data would have been used to the advantage of somebody out there
without my knowing that it's to my disadvantage.
And, you know, metaphorically, it's until when you open your wallet and you realize you got nothing.
in there. That's when you feel the pain. Is that the right way of thinking about it?
Very much so. You know, interestingly, one of my friends recently tell me that his mother
was like 70 plus years old, told him that robbers today shouldn't be robbing bags or, you
know, taking wallets and so on. Because all the money is actually in your mobile phones,
on your mobile apps, in your banking systems and so on. And the truth of the matter is that there
actually many breaches out there as you rarely pointed out that we might not even know about
you know there's actually this you know a lot of websites that actually compile the different big data
breaches that has been happening so for example there's this website called have i been pawn.com
once you go to the website you can actually key in for example your email address or your you know
credit card number and things like that and lo and behold you might find it already out there
on the dark web oh man being being so
for, you know, very cheap amounts.
You know, each credit card number is like one cent or something like that that are being sold out there.
So, unfortunately, even after we have found out that some of these data is out there.
The true of the matter is that they are already out there.
You can't really do much about it.
People already, of course you can report to your credit card company and whatnot,
but other than that, you can't really do much about it.
So this awareness in terms of the real work,
impact that it can cause really needs to be promulgated across more widely so that people are
aware that data breaches can cause real world issues because people can abuse your credentials
or PII, personal identifiable data to apply for credit cards, to apply for loans, for example,
and then eventually you will be the one who needs to pay and you need to sort of show that you
are not the one applying for it but it's sometimes not so easy so I guess the issue is
really to be able to make this a wider known problem and some of this can be done
through cooperation with government entities for example for campaigns video campaigns
so in some jurisdiction I know for example there are actually advertisements or not
advertisement, sorry, there are actually campaigns to really show how there's this
security cannot be done without you.
You know, security is spelled as ECU RTI, but taking the you away, security cannot be done
without the you.
So I think to have campaigns like that to really make people aware that it's important
ownership taking ownership, yes, to take ownership about what, so it's not just about
how the corporations or how other corporations can protect.
the IT systems, but also about how yourself should be protecting your own data, because the data actually belongs to you.
The most common breach is ransomware. Tell us, what's the biggest ransom
ransom that would have been asked and paid to settle?
So there are different, you know, people typically don't broadcast how much they have been paying.
If they are paying at all, they may not even tell.
But I have heard of double-digit million payments.
And that's really because they are at the week's end,
because without paying, they really can't restore their operations
and the operations are just at a stand still.
But having said that, it's actually even after paying,
in many instances, you may not be getting,
but it may not be actually getting what you want.
So, for example, usually when you pay,
you're actually paying for the keys
so that you can decrypt the data
that has been encrypted by the ransomware.
But the true of the matter is that
they can give you the keys,
but the process of decrypting the data
may sometimes be so slow
that you're actually better off just restoring from your backups
if you do have the backups.
Or there are actually
what we call
double extortion schemes.
So about 59% of ransomware
in 2021 are actually
double extortion.
What does that mean is they can give you the keys, you can restore operations, but they will ask you to pay again, otherwise they will leak the data out there because they have your data.
So, and there's actually such a thing called triple extortion.
Triple extortion means that because they have the data, so they sort of ask you to pay for ransom to get the keys and then if not, they ask you to pay for them not to leak the data as well.
but the data actually belongs to a third party.
They then asked the third party to pay the ransom as well,
which is why it's called triple extortion.
If I have your data, your data is with me.
If you don't pay me, I'll also leak your data.
So schemes like that are actually happening.
So it's actually why ransomware is of concern to many organizations
as well as individuals in recent years.
I want to bring up day-to-day stuff
that I think we human beings tend to take for granted.
A couple of things.
I mean, when you go home, most people never check
whether or not their router would have been breached.
Right.
I mean, you have no idea if some stranger
within the same zip code or from a different zip code
would have breached it.
I mean, I never check my router.
I'm sure most people out there don't.
And the other stuff is that I take for granted
that I know most people take for granted is
when you go to a place with unsecured network capabilities,
like a cafe or like a mall or like whatever, the hotel,
what sort of stuff that we need to know about stuff like this?
You know, I mean, I think it's going to be education.
what you're about to say.
Right.
To be honest, I think these are areas that warrants a lot more awareness,
which are unfortunately not at the level that they should be.
Many people, when they buy the router back home,
you know, the routers are usually when you switch on the router,
you can actually start using it, you can connect to it,
and then you can have Wi-Fi, you can have internet access and so on.
But all these routers are actually also systems
with credentials, you user ID and pass-a-endix.
user ID and passwords and configurations that you need to be very mindful of to tighten before
using it properly. So as an example, many routers have the default password or user ID
and password or admin admin or admin password and people typically just don't change it.
So I've had countless, I'll say, occasions where I was visiting friends home and all that.
Can I use your router?
They say, sure, go ahead.
So I really just go ahead.
And after that, they asked me,
don't you need the password, but I say, I know the password.
Because I mean, oftentimes they actually don't change the password.
That's one.
That's one.
And second is really these flouters and switches, for example, at home,
actually needs to be updated regularly as well.
And many don't.
So they have, basically runs on firmware and software as well,
which needs to be constantly updated and patched.
And within each of this,
internet connection devices,
they're actually different configurations.
There you need to tighten to make sure
that people are not using it.
For example, you can just limit it for use
for your home PC,
for your mobile phone,
and maybe for your children's machines.
And that's it, without allowing other people to hot one.
I have had instances,
I've seen instances where some of these routers
has been hacked,
and you can actually,
coming back to your earlier point about cafes,
for example, you can actually mimic the same, let's say it's called Cafe A.
You can actually mimic the same Wi-Fi, what we call S-SID as Cafe A, and people hot on to it,
not knowing that it's actually a rogue ID, and therefore you can start sniffing, passwords,
whatever websites they are surfing, legit or otherwise.
And that's where people start to know and have got hold of your data.
and all will still implant malware onto your machines
and then from there start wreaking havoc
and then start to do all sorts of funny things.
So I think even very simple things like that
has to be done well.
Of course for me as a cyber security profession,
I know how to do this well.
When I get a mobile phone,
when I go to a cafe,
even if I do use their Wi-Fi,
actually have VPN software installed
so that I make sure that it's actually well secured.
But as much as possible, especially when I'm in the home country, I'll use the data plan rather than which are, well, at least arguably more secure than using Wi-Fi.
So I think these are things that, again, many people, well, I would say either I'm not aware or even if they are aware, they don't quite bother, so long as they get the...
Because it's so convenient to be able to get it for free.
Exactly.
Ah, it's okay.
Nobody's going to bother them.
using something for anything sensitive, but not knowing that, not forgetting that they're actually
using it for something that is sensitive as well, such as banking application, for example.
And that's at the individual level, right? How about at the corporate level? What sort of things
that people take for granted that they need to be a little bit more cautious, if not careful
off or with? So, you know, with the, especially with, during the pandemic where a lot of
are working from home and so on yeah so some of these considerations how I mean how do
we know as we were discussing just now for consumers but even when you connect
back to your corporate office through the home router how do we know that the
router is really secure how do you know that your the connection is actually
not breached I think these are things that people have to be mindful as well
but the good thing about corporations especially those with a good and
mature security team is really that
we have this concept called zero trust, which means we trust nothing, and we assume, yes, some of these things can be breached.
And therefore, in every transaction and every connection that we make, we actually make sure that they are properly authenticated and verified.
So even if some of these intermediaries, I would say, whether it the router and switches or the ISPs are bridge,
the corporate resources themselves are still well protected.
So with a concept such as zero trust, this is something that we will really try to incalcate in the clients that we have.
So we are really trying to make sure that the ecosystem, whether is it our clients or even our family members and so on, are imbued with this concept.
Let's say if we are talking to your friends and family, it may not be called zero trust.
But the concept is really ultimately about zero trust, not trusting anything, making sure that
everything is authenticated and properly verified before granting access.
Zero trust and verify.
Yes.
Not trust and verify.
Yeah, it may sound like a paradox.
Never trust, always verify.
Well, depends on, yeah.
So, yeah, but indeed, especially with the increasing sophistication of cyber threats, I think
this is something that we need to pivot to us.
And the other thing is, the other observation is that most of the breaches, or most breaches, have been done by insiders, as opposed to outsiders.
Is that, that's, at first it sounds hard to believe, but it kind of makes sense, right?
Because you, sometimes you're going to overtrust your insiders.
Yeah. So there are various reports to say that, say, about 80% of sub-breeches are actually caused by insiders.
Well, it really depends also on the interpretation as well. So ultimately, you need to become insider in order to breach a system.
In the sense that even if I'm an external attacker, I will need to breach an insiders credentials, be it, you know, the database administrator, some super-administrator.
admin user, the CFO or whoever, in order to bridge the system and you have to become insider.
But having said that is also the truth of the matter is also that insiders will, by virtue of the fact that they are insiders and have the right access to systems and so on,
that they can already do some of these malicious activities to cause a breach.
which is why I think
this
again
this concept of zero trust
is needful
because
for insiders to be able
to carry out the attacks
usually because
you know for example
for insider to transfer large sums of money
to their own accounts for example
many of these are actually
anomalies
so with a proper
data analytics systems put in place
and data security measures put in place.
These are actually good tell-tale signs
that something anomalous is happening
and you can actually have applied data analytics
or AI techniques onto the whole
flow of, how should I say,
the behavior of the system as well as the individual
to really identify all these anomalies
and flag out as exceptions for people to validate.
These are some of the techniques that we have been applying in many organizations.
But the truth is also that it's a challenging problem because, as I mentioned earlier,
to be an insider already means that you have all the right access.
So to really identify the right, how should I say, to really identify anomalies across all
these different kind of transactions, which can be very complicated transactions and so on.
I think you were about to say whether or not there's a universal model.
I smelled that.
That was what you're thinking about saying.
So GDPR is certainly something that many countries refer to as a good reference model,
but I don't think there's a one-size-fit-all.
Every country will have its own unique circumstances,
and not every aspect of GDPR is applicable to the particular jurisdiction.
But at the core of it, I think data privacy is really about protecting, you know, personal data that are very close to you and me, whether is it how much money we have in the bank, our healthcare data, you know, what kind of drugs are we taking and so on.
So it's really something that each and every individual ought to be mindful of and ought to be concerned with.
Unfortunately, the truth of the matter is also that, well, again, it depends on the individual,
it depends on the individual and also generally speaking, it depends on the climate and the awareness level in the different countries.
There will be countries that are very mindful and very fearful about, you know, leaking some of this data.
But there will be also those that really, well, so what if it is all there?
I don't have money in the bank anyway.
So people know I have $500 in the bank.
So I think different strokes for different folks.
I don't think there's one universal model that when it comes to data privacy that applies to everyone.
So back to our earlier discussion about having that awareness,
I think the ramifications of.
having your privacy sort of abuse is something that needs a lot more attention to make people aware that from the heart, from themselves, that they should be really mindful of.
I guess, you know, to some extent it depends on the type of government that exists in the respective countries, right?
And the degree to which the infrastructure is ready, right?
And a few other things.
And that, I think, is reason for why there shouldn't be any universality with respect to what sort of a framework you have.
You've been quoted in the past for saying, pretty much, I'm paraphrasing here.
You can get beaten down, but you can't be taken out.
You just got to make sure you're not taken out, right?
Explain that.
Yeah.
Okay, that's really at the core, and that's very close to my heart,
because I think in the, well, I think we discussed earlier,
I started on my career day one in cybersecurity,
and that's where we are mostly talking about protection
and also detecting tracks and so on.
But in recent years, especially, it is,
really important that we are mindful that it is really
and I like this you know this this is called endgame right what exactly is the end
game for cybersecurity what where exactly are we heading cybersecurity are we
heading for zero bridge is that the end game that means we make sure we are we will never
be breached I think the increasingly as as cybersecurity professionals we realize and
we recognize that it is a matter of time that any organization
or any individual may be breached eventually, one fine day.
Of course, we want that fine day to be really, really, really far down the road, right?
But that's an eventuality that we sort of recognize.
But being breached doesn't mean we have to be bitten or that we have to be down.
So it's really about cyber resilience that we are talking about in today's climate.
So what if we are breached?
We can still survive.
We can still, if we are a bank, we can still dish out money,
we can steal your cash, we can recover in time.
We can claw back the money in time, for example.
Or if we are a manufacturing firm, the production floor can still operate.
The damage can be contained quickly, fast.
So it's really about being resilient.
It's almost like the pandemic.
So, of course, in the past two years, different countries are resilient to the pandemic in different ways.
And there's different degrees of how people have bounced back.
Some countries have bounced back better or faster.
Some countries are still in their, you know, they're still,
I think all countries are still struggling,
but I think different countries are sort of bouncing back in different degrees.
So it's a little bit like that for cyber resilience as well.
The endgame is really not to, for us to be fully protected and never get breached,
but to be able to bounce back,
even when we are breached to
continue to operate, to be a
going concern, to be a continuously
functioning corporation
or as a consumer at home,
for us to be able to
continue our daily
lives without being
really being brought down. I think that's the
crux of
cyber resilience today.
And really at the core of cyber security,
which honestly, not
everybody recognizes or not every corporation
recognizes a lot of well at least quite a few people that we've been speaking to are still
focusing too much on I mean given limited budget for example they're still focusing too much on
protection and making sure they are not reached but I think increasingly especially when we
mature ourselves in the the different cyber security domains we really need to pivot towards
being resilient focusing a lot of our attention on being able to detect
reaches and recover from it.
And it's in the recovery part that I think many organizations still need to put a lot more
effort and attention on.
For example, in conducting exercises, making sure that, you know, let's see in the
red teaming exercise, when certain systems are down that we can recover, how do we know
that the backup systems is still working?
Let's say in a ransomware attack, how do we know we can really recover from our backup?
And even though almost all organizations and backup systems, I think, again, hand to heart, many organizations have not tested the recovery part yet.
I think so that's where a lot of attention needs to be spent on.
It's not just about being resilient.
I think it sounds more like about being anti-fragile.
Yeah.
Right?
You can actually bounce back stronger.
Yes.
Compared to how you would have been before yesterday or whatever.
Right.
Yeah.
Talk about what IBM has a mind for ASEAN, you know, broadly or specifically?
I think one big challenge in cybersecurity is really the dearth of talent, or in tech
at large at least, but certainly in cybersecurity as well.
So globally, we are at least in security, depending on the different research reports you have read,
there's a shortage to the tune of a few million cyber security professional globally.
So in some countries, you'll be a few thousand, some tens of thousands.
So globally there's a widespread shortage of cybersecurity talent,
and that's in different roles.
That's single digit.
millions, all across the world.
All across the world.
Less than 10 million.
Yeah, thereabouts.
Okay.
Yeah, thereabouts.
Yeah, so each country will be to the tune of tens of thousands.
Yeah.
Thereabouts.
So how do we really have that pipeline so of talent so that we can really close this gap as fast as possible?
IBM is doing our part.
So we are really committed to train up to 30 million.
not subject, 30 million tech professionals across the board by 2030.
That's something that we were really committed to do.
And that's through different means, through collaboration with IHL's,
institute higher learnings, with corporations through corporate programs,
training academies and so on.
That's something that we are trying to do across the boat globally and certainly in ASEAN as well.
To really have the pipeline through, and that can be mid-career professionals,
converting them to tech professionals and so on.
To really then build up this band strength and the tech space to really address these gaps.
Especially in the digital economy with a rapid pace of digitalization,
there's a lot of need for different professions within the tech industry.
I think this is where we are doing our part to really help to uplift.
the skill gap and to really make sure that in time to come we have
across the globe in different industries we have the pipeline of talent that we need
these are vocational levels or tertiary
it cuts across it cuts across different vocational levels as well and tertiary
as well so it really cuts across different domains
where do you see those 30 million professionals or skilled
you know, experts
geographically
spread.
Most of that is going to be in Asia
or Europe? It really
cuts across.
Okay, I don't think I've
answered to that question. I think I have it somewhere
but I cannot remember off and, but it really cuts
across. Yeah. Okay. Okay.
But I would
think it would
mirror where growth is like.
Yes, yeah. Yeah. That is correct.
I mean, if it happens in place A,
or place B or place C.
That's correct.
That's where...
Look, I mean, a bit on where the world is heading right now.
I mean, we're seeing a number of geopolitical winds in a number of places,
one of which is in Europe and a few other places and somewhere else.
And we're seeing some macroeconomic headwinds also, right?
Recessionary tendencies and...
a number of countries.
Right.
Then we're seeing these rising tension between the US and China, right?
It's just like a perfect recipe for cyber to rise up, you know, in terms of the order of importance.
Right?
Yeah.
Right? Because there is a requirement to reprice everything by way of how everything is changing, not necessarily for the better.
It just sounds like it's going to entail more vulnerabilities from a cyber standpoint.
My question is not about the geopolitics, but my question is more about, is 30 million going to be enough by 2030?
Well, that is something that IBM aspires to do from our standpoint,
and we feel that that is something that we can achieve.
Is that enough, everybody's guess?
What is for sure going to happen is that all this complexity,
all the geopolitical tension that you mentioned about,
is going to drastically heighten the need for,
we talked about several resilience just now.
for every organization and for every industry out there to be resilient to all this increased
complexity of cyber threats.
And the reality is also that many of these threats are carried out by very sophisticated
threat actors.
They can be cyber criminals, they can be nation states and so on.
So to be able to withstand the cyber threats that are carried out and the kind of sophistication
and the kind of resources that have been pumped into that by the threat actors.
It really takes the whole ecosystem of service security professionals,
government, the corporate sector,
and everybody to work together in collaboration.
And that's something that IBM advocates as well,
for the whole entire ecosystem to work, even among competitors.
So IBM can be a competitor to another cyber security firm.
but what we are trying to really encourage
is an open ecosystem
where there's a lot of collaboration
for example through common standards and open standards
for there to be interoperability
between different suburb security solutions
and IT solutions
so that because
in the cyber security industry is actually quite fragmented
there are really different players
but when there's an open ecosystem
with a lot of open standards and all that
that can interoperate with one another
it actually helps the organisation
to pre-am cyber attacks a lot better because technology A can talk to technology B
and then make sure that threats that are identified in this particular technology flows over
to a response system by another technology or by another firm.
So this is really something and IBM strongly believes that this is the way to go.
We have an open ecosystem with open standards and for the
blue team to work, or I would say the blue team to work very closely amongst ourselves
because the red team, or rather the bad guys, are collaborating amongst themselves.
They're sharing, you know, all their spoys, they're sharing how to crack into the systems
and all that, very well amongst themselves. Yeah, and they have no inhibitions. They have
no sort of laws in their mind. They are lawless and in the first place we can share freely. So
why can't we share freely? Yeah. So, they have no. So, they have no sort of laws in their mind. They are lawless. They are lawless. They are lawless. And in the first place, we can share freely. We can't. We can
there's something that we are strongly encouraging.
You know, if I take a look at how technology is changing exponentially,
it's more in a private sector, right?
It's happening in the private sector.
The more you need to basically regulate this
or to make sure that it's not being used for the wrong reasons
or for the wrong purposes.
whereas the way policy making all around the world has been moving at a much more linear manner.
How do you reconcile the two so that the coexistence of the two will result in a stable environment
where the risk of cyber threats can be further mitigated?
it takes really a very consultative approach on both sides
yeah so so from the regular I think gone are the days where the regulators think that they know everything
yeah and therefore just prescribe you know standards or or policies and all that just because
they are the regulators and they do so increasingly we see in many countries that the regulators
are really also very open-minded yeah they really yeah they really yeah they really yeah they
really, for example, before they really push out any regulation, there's a lot of consultations
that are going on. They consult the industry, the impacted parties, as well as the service
providers, for example, IBM as a service provider for critical infrastructure and then
our sort of cybersecurity monitoring services, for example. So there's really a lot of
consultation going on by the regulations.
And from the private sector standpoint, I think it's also useful.
And because, as I mentioned earlier, to have this very good open collaborative ecosystem.
So even from a private sector standpoint, I think there's a lot of opportunities for us to
collaborate very well with one another through industry consortiums, industry bodies,
as well as with the regulators.
There are a lot of, I'll say,
I'll say, opportunities in different forums
or both sides to work together and collaborate on issues.
I've also seen, for example, labs laboratories that are set up,
that it can be set up by the private sector
by inviting the regulators to join,
or it can be set up the other way around.
And they actually work hand in hand in the labs to experiment,
to try out different things to explore,
whether is it new solutions and technologies
or the implications of new regulations
and how it impacts.
And there's a lot of, I'll say, close collaboration.
And that's a good thing to see,
and that's really hardening to see
that we are sort of converging.
And I think in times to come,
will be a more close-needed group of community,
a more close-needed community to really work together
to address all this increasingly sophisticated cyber trends.
Interesting.
You've talked about 2030.
Tell us what you have in mind about 2045.
A lot of the kids in Indonesia,
Yeah. Well, at least we're trying to encourage them to think long term, right?
But how Indonesia is going to be, how ASEAN is going to be by 2045.
That's only like, what, 23 years from today.
You see a much more benign picture from a cyber standpoint for ASEAN?
If any, you'll be as complex, if not more complex.
and as treacherous, it's not more treacherous.
I wouldn't say, I certainly don't think it would be more benign.
But what, especially from the threat landscape standpoint,
by then you will be, there will be a lot more,
the whole tech landscape,
there will be a lot more sophisticated.
So, you know, today, in any typical organization,
there will be tens of thousands of different types of solutions and technologies
that each and every one of them will come with different vulnerabilities that can be exploited.
By then, with the rapid migration digitalization effort, there will be, and now, of course,
a big push to migrate to the cloud and so on.
There will be, I think there will be more convergence in terms of the different types of
technology use, and it will be less fragmented, I think.
however having said that because of the different use cases that are brought about by different
technologies like 5G and in some countries we are talking about 6G already
there's the application of all these different technology will mean an explosion in the types of
use cases that can be exploited well there can be I shouldn't use the word exploited in the context
of cybersecurity but they can be utilized by different you know consumers on the street or by
corporations they all
be, so from a cyber security standpoint, again, in tandem, there will be a huge explosion
in terms of the attack surface, where there will be a lot more threats that can be coming and
there are a lot more vulnerabilities. So, certainly not more benign. But having said that,
because of the collaboration and the convergence that we are seeing in the community and so on,
I think things are, from a defender stand more, it will be a lot more harmonized.
there will be more so close.
So for example, from a threat intelligence sharing standpoint,
I think there will be much less inhibition in terms of sharing threats with one another,
even amongst competitors.
I think this is what we are seeing.
Yeah, correct.
In some countries, for example, when it comes to threat intelligence sharing,
so in some cases, we still see that people are looking at it,
as something that is quite private.
I don't want to share with my competitor
in terms of what I've been seeing.
But in some jurisdictions,
we have in emphasizing that
track intelligence is not a competitive advantage.
Of course, you can always anonymize
certain things that are sensitive,
but to share, for example,
the tactics that the attackers are using,
how they manage to breach the system
so that there's wider benefit
for the other organizations
to have early warning,
to be able to detect some of these
threats that are coming towards them.
I think that's something that is very useful amongst the community
and increasingly we see a lot more of that.
I think that is also encouraged by the formation
of a lot of industry bodies.
There are of light-minded professionals that come together
to really share experiences and insights with one another.
I think this is a good development
and we should continue to encourage that.
Any final?
messages pay you on?
I think from
I think the world
we are living in is
especially
we are still sort of
we are finally seeing
a little bit of light at the end of a tunnel
from a pandemic standpoint
the borders are opening up
a lot of travel is happening and so on
so that's good to see
but what is
what happened
during the pandemic because of
compressed timeline over the past two years that we see and people starting to work from home and so on.
We are at the juncture of and this is something that I am just paraphrasing something that I've heard,
which I think is very useful to share as well. There are decisions that we have made in the past
two years during the pandemic that are the right decisions back then because of the circumcances.
suddenly if you lock down
while you still need to carry on
of course you have to work from home
and so on and you open up remote access
to some of your critical system for example
because things still need to run
but now that we are
sort of almost seeing the light at the end of tunnel
I think it's
the right time now to revisit
some of these decisions that's been made
during the last two years
and make sure that they are still the right call
and if not to make tweaks
to some of some of these
and to really calibrate accordingly
and perhaps to even
sort of roll back some of these measures.
Of course, I don't think,
okay, it depends on the organisation
and so I don't think
everything can be rolled back all the way
to pre-pandemic levels, but I think
it's time now and it's the right junction now to really
review some of these decisions and then make sure
that we are still on the right track.
and maybe sort of as a broad summary
and again this is something that
I think it's quite useful to share
is that service security is almost like the
seat belt that we have in our cars or on the airplane
and it's something that sort of
inhibits our movement a little bit
you can't really move incident
you better wear it
yeah but you better wear it
and you have to wear it
it sure it works exactly
so if you are on a moving car
and you are speeding
would you not want to wear a seatbelt?
I think, so I think, yeah,
a civil security is almost like a seatbelt.
You have to wear it for you to speed,
for you to move fast, especially in the
post-pandemic world where everything is moving so fast.
Great.
Thank you so much.
Thank you.
Come on.
Thank you.
T-on Wong,
CETO from IBM
for Asian, Korea,
Southan,
Slandia,
Badu, and Australia.
Thank you.
Thank you.
Thank you.
This is Endgame.