The New Enterprise Risk Management Strategy


COVID-19 , Governance and risk management , Remote work

Alan Ng of China Taiping Insurance explains how COVID-19 changed the game

CyberEdBoard •
November 11, 2021

Alan Ng, Chief Information Security Officer at China Taiping Insurance, Singapore, and CyberEdBoard Executive Member

Security practitioners have long focused on the Confidentiality, Integrity, and Availability triad – or CIA – as the foundation of cybersecurity. But as COVID-19 drove more digitalization, more business risks morphed into technology and cybersecurity risks, because we leveraged more technologies to drive businesses and reach more customers.


The old risk mitigation strategy and controls were inadequate to effectively reduce risk. As our adversaries constantly evolved and invented new techniques every day, we as security professionals also had to adapt to meet the challenges of cybersecurity.

We used to secure perimeters, assume internal networks were secure, and maintain virtual lines of defense. But the massive adoption of cloud-based solutions and working from anywhere, anytime has made us perimeterless – or borderless – allowing access from any device without friction. This, in turn, generates a huge amount of data in the cloud.

The demand to protect anywhere, anytime access to digital capabilities requires security to become software-defined, so that it can scale quickly, and cloud-delivered, to take advantage of the cloud's technology and scalability. This forces changes in security architecture and strategy, and it even affects vendor and technology selection criteria and requirements.

We must also adopt a new strategy to defend our organisations. I think the following three new paradigm shifts in cybersecurity are worth considering and examining more closely to achieve greater cyber resilience and approach cybersecurity differently.

The Distributed, Immutable and Ephemeral Triad

The Distributed, Immutable, and Ephemeral Triad – or DIE – presented by Sounil Yu, CISO and Head of Research at JupiterOne, offers a new paradigm for making attacks irrelevant.

In each era, we have faced new challenges that have directly undermined our ability to identify, protect, detect or respond. So we had to develop new solutions to help us overcome each of these challenges. The solutions of the previous era did not solve the problems of the current era.

—Sounil Yu


(Source: Sounil Yu at RSA Conference 2021)

As more and more applications, systems and infrastructure are now designed and built in a highly distributed and always-available way, they are highly resilient, fault-tolerant, elastic and scalable – in the cloud and/or on-premises. This addresses the availability aspect of the CIA triad.

Because applications, systems, and infrastructure are built to be immutable, even small changes are detected very easily. This removes the burden of maintaining integrity: integrity issues arise when we have the ability to make changes, intentionally or unintentionally, that are very difficult to detect. This addresses the integrity aspect of the CIA triad.

Ephemerality makes applications, systems, and infrastructure transient or short-lived. This disrupts the persistence a malicious attack requires to affect the confidentiality aspect of the CIA triad and greatly reduces the attacker's window of opportunity.


(Source: Sounil Yu at RSA Conference 2021)

Chaos is good

Chaos engineering originated at Netflix as the company migrated to the cloud, and it spawned the principles of chaos engineering as a way to improve resilience.


(Source: Verica)

Chaos engineering is the discipline of experimenting on a system in order to build confidence in the system’s ability to withstand turbulent production conditions.

Principles of Chaos Engineering

Building on these foundations, the principles of chaos engineering can also be applied to security engineering.

Security chaos engineering is the discipline of instrumenting, identifying, and correcting failures within security controls through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production.

—Aaron Rinehart

According to Rinehart, co-founder and CTO of Verica, Security Chaos Engineering is a means of approaching security differently. The idea is to test the resilience of security controls continuously and automatically in the face of chaos – real events simulated on real production systems in a controlled way – without affecting other systems. This helps security practitioners build confidence in these controls and learn from and improve their resilience and effectiveness over time.
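The experiment loop Rinehart describes, applied to the DIE triad's immutability point above (an immutable image makes drift easy to detect), as an added example that is not code from the article, Verica or JupiterOne: a hypothesis is stated, a controlled fault is injected, the control's response is verified, and the fault is always rolled back. The baseline files, paths and the in-memory "live" instance are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed baseline: the file contents an immutable image was built with.
BASELINE_FILES = {
    "/app/server.py": b"def handle(req):\n    return 'ok'\n",
    "/etc/app.conf": b"debug=false\nlisten=0.0.0.0:8443\n",
}

def manifest(files):
    """Map each path to the SHA-256 of its content; the build-time manifest is the immutable reference."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def detect_drift(baseline, observed):
    """Compare an observed manifest against the baseline; any difference is drift from the immutable image."""
    return {
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
        "modified": sorted(p for p in baseline.keys() & observed.keys() if baseline[p] != observed[p]),
    }

@dataclass
class ExperimentResult:
    name: str
    hypothesis_held: bool          # False means the control did not behave as hypothesised: that is the finding
    observed_drift: dict = field(default_factory=dict)

def run_experiment(name, inject, verify, rollback):
    """One security chaos experiment: inject a controlled fault, verify the control responds, always roll back."""
    try:
        target = inject()
        drift = detect_drift(manifest(BASELINE_FILES), manifest(target))
        return ExperimentResult(name, verify(drift), drift)
    finally:
        rollback()  # the "controlled way": the fault never outlives the experiment

def config_tamper_experiment():
    """Hypothesis: a changed config file on an immutable host is reported as modified, and nothing else."""
    live = dict(BASELINE_FILES)  # stand-in for the running instance (constructed)

    def inject():
        live["/etc/app.conf"] = b"debug=true\nlisten=0.0.0.0:8443\n"
        return live

    def verify(drift):
        return drift["modified"] == ["/etc/app.conf"] and not drift["added"] and not drift["removed"]

    def rollback():
        live["/etc/app.conf"] = BASELINE_FILES["/etc/app.conf"]

    return run_experiment("config-tamper", inject, verify, rollback)
```

In production the manifest would be produced at image build time and the observed side read from the running host; the experiment result, held or not, is what feeds the "identify and correct" part of Rinehart's definition.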

Trust no one, check everything


Zero Trust Architecture (Source: O’Reilly)

Zero Trust was created by John Kindervag when he was at Forrester Research to solve the broken and outdated trust model of assuming that everything within the perimeter is trusted.

It is a concept of security centered on the principle that organizations should not, by default, trust anything or anyone internally or externally, but should adopt a posture of "suspected breach". If we are already breached, we assume that nothing is clean or can be entirely trusted. Therefore, we must constantly verify, authenticate, and authorize all users, devices, and network connections through adaptive policies and controls.

Tips for Security Practitioners

Organizations should adopt security-by-design principles and have "secure by default" as the basis for involving cybersecurity from the start of any digitization project, to avoid surprises. This helps ensure that they don't introduce vulnerabilities that malicious actors could exploit.

Applying the DIE Triad, Security Chaos Engineering principles, and Zero Trust concepts during the Design and Resolve Phase, and continuing to execute them during the Implement and Operate Phase, can significantly improve security by design and enable security practitioners to truly deliver security differently.



CyberEdBoard is ISMG’s first members-only community comprised of senior executives and thought leaders in security, risk, privacy and IT. CyberEdBoard provides executives with a powerful peer-driven collaborative ecosystem, private meetings, and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries around the world.



Alan Ng is Information Security Manager at China Taiping Insurance in Singapore. One of his main responsibilities is to understand the current information and cybersecurity situation, MAS TRM compliance status and audit results, past data breaches and major IT risks, and to write a strategic plan to bring the business back within tolerance and into compliance with all regulatory or compliance requirements. In securing and defending against cyberattacks, Ng focuses on people, policies, processes and culture combined with the latest technologies and best practices.
