AIBP ASEAN B2B Growth
Axiata Group: Navigating Cyber Risk in a Fast-Changing Digital Landscape
In this episode, Mr. Suresh Sankaran Srinivasan, Group Head of Cybersecurity and Data Privacy at Axiata Group, discusses the evolving cybersecurity landscape in ASEAN and the challenges faced by organizations in the region. He shares insights into Axiata's approach to structuring cybersecurity functions and selecting solutions based on a risk-based methodology.
He also highlights the growing risks posed by emerging technologies like AI, IoT and quantum computing, as well as legacy systems.
Axiata Group is a Malaysian multinational telecommunications conglomerate with extensive operations in Asia. Axiata is listed on Bursa Malaysia with a market capitalisation of USD 5.45 billion.
The AIBP ASEAN B2B growth podcast is a series of fireside chats with business leaders in Southeast Asia focused on growth in the region. Topics discussed include business strategy, sales and marketing, enterprise technology and innovation.
Vanessa Kwan: Hello and welcome to the ASEAN B2B growth podcast, where we sit down with individuals responsible for driving growth within their organizations here in Southeast Asia. My name is Vanessa, and I'll be your host for today. Axiata Group Berhad, commonly known as Axiata, is a leading digital and telecommunications conglomerate across ASEAN and Southeast Asia. In this episode, we have Mr. Suresh Sankaran Srinivasan, Group Head of Cybersecurity and Data Privacy for Axiata, joining us. Without further ado, may I invite Suresh to give a brief introduction of yourself. Give us an idea of your background, and perhaps also a little intro for our audience who may not be familiar.
Suresh Sankaran Srinivasan - Axiata Group: Sure. Thank you. Morning everyone, or good day everyone, depending on which time of the day. My name is Suresh Srinivasan. I head up cyber security and data privacy for Axiata Group Berhad, Malaysia. Ah, quick intro on the group first before I introduce myself. So Axiata Group is a telecom and technology conglomerate headquartered out of Malaysia, with operations in about 11 countries in South Asia and Southeast Asia, with various lines of businesses, such as telecom towers, digital advertising, FinTech, digital banks, so on and so forth. So that's an intro on the group. About me, I have been in cyber for 24 years now. This is what I'm passionate about. How did I land up here? I was a wannabe Armed Forces person. Couldn't make it there due to certain reasons, so chose an alternate career path. I found that alternate career path in this domain, fortunately, so that's how I landed up in this. I ended up kind of converting a passion into a profession, so to speak. So that's a quick about me.
Vanessa Kwan: It's very interesting. And you know, we've heard a lot about, I've heard a lot personally from you about how, you know, cyber security is being structured within the Axiata group. We've also heard a lot from other leaders across the ASEAN region that there are more and more business leaders getting involved in the cyber security conversation. Perhaps if you could share with us a little bit more about how cyber security is currently being structured for the group, whether it sits under the business, whether it sits with the IT, are there any direct reporting, indirect reporting, so to say?
Suresh Sankaran Srinivasan - Axiata Group: Sure. So, the way cyber is structured within Axiata is very similar to how it is structured in the financial services industry. So we have a Risk and Compliance Office, which is headed by my line manager, who is the Chief Risk and Compliance Officer, who reports into the Group CEO. So from a function perspective, the risk and compliance sits directly under the CEO's office, and cyber and privacy, along with ERM and ethics and integrity, compliance forms four pillars within the risk and compliance function. So from a functional reporting point of view, we have a direct line of reporting into the CEO. What we have done is we have adopted a three lines of defense model. So first line of defense sits within the operational ecosystem, whether it's technology or any of the operational spaces. Second line of defense sits under the risk and compliance space. Third line of defense is the internal audit, which is the independent audit function. So that's how we have structured. We also have a board reporting, or a board oversight, so to speak, through a board subcommittee for risk and compliance. So there is a board reporting which happens periodically, and an update goes to the board, through the board subcommittee, on cyber, privacy and all the risk and compliance matters.
Vanessa Kwan: Understand, understand. And when it comes to, say, for example, selecting cyber security solutions for Axiata, in your perspectives as well, for organizations in general, are there certain preferences when it comes to best of breed approach, single platform approach, hybrid approach, when it comes to selecting certain cyber security solutions?
Suresh Sankaran Srinivasan - Axiata Group: Okay, there is no silver bullet answer to this. I'll start with that. So the way we have adopted it is we have kept it fairly hybrid. It's not a single platform solving every problem within the ecosystem. The way we do it is we look at the risk first, we look at where the risk resides, whether it is in the application space, whether it is in the infrastructure space, whether it is in the network space, depending on, and it's not just about technology, it also spills over into the process ecosystem. It also spills over into the people ecosystem. Awareness is one key risk, which we all deal with in this domain. So you look at the broader risk, and then we look at which solution best caters in terms of remediation for that risk. And when you consider solutions, I'll probably touch upon this a bit. You don't look at features, or you don't look at capabilities alone. You also look at the OEM or the vendor's presence in your respective ecosystem. You look at their support structure. You look at, obviously, you look at commercial models, you look at all of that. So it's looked at in totality. It's not looked at that a specific OEM or vendor providing a platform will solve all my problems. So look at the risk. Look at which technologies or which solutions best fit that risk remediation, and then look at whether it can be done using any of the existing solutions that we have. If it cannot be done, then look at an external solution, do an evaluation based on the criteria that I've already spoken about, and then we landed the solution. And all of this is kind of driven or governed by our enterprise security architecture stack. So we have an enterprise security architecture stack which kind of governs the way we select technology solutions, primarily technology solutions, and how does it fit into the larger scheme of things.
Vanessa Kwan: Understand. I think it's very interesting that you mentioned that. You know, in the earlier survey we conducted last year, together with CyberSecurity Malaysia, we were asking enterprises around the percentage of IT spend should be allocated to cyber security, and how much is actually being allocated at present. Malaysia, specifically, we look at about 51% of enterprises who believe that over 20% of IT budget should be allocated to cyber security, but at present, you know, only less than 5% is being allocated to cyber security. PIKOM recently released their report as well, sharing similar sentiments. So I'm wondering, for yourself, is there like a so-called best practice or certain kind of framework that you adhere to when you kind of look into cyber security budget, I think because earlier you mentioned as well, this is something that sits under the risk and compliance function for
Suresh Sankaran Srinivasan - Axiata Group: See, I will not get into the specific Axiata numbers because they're sensitive and confidential in nature, but I can probably touch upon the genesis of how do we get to the budget part of it. So we don't exactly say, yeah, X percentage of the budget should go into cyber budgeting. What instead we do is we take a risk-based approach, and we evaluate all our risks, we then look at their impacts to the business, and based on that, we plan our budgets for the future. So it is not necessary that it has to be 10, 20, 30%. It could fall within any of that spectrum. But what's more important is, is it enough to remediate the risk that the businesses have? Because we are a diverse group, and we have got lines of businesses which fall across the spectrum of regulation. So some of them are heavily regulated. Some of them are probably moderately regulated. Some of them are very, very loosely regulated, for the want of a better phrase. So we can't budget based on the regulatory levels alone of the businesses. Yes, that definitely comes into consideration, but that's why we drive it more in terms of the risk that all these businesses and their technology deployments pose to the larger group, and how do we remediate the risk on a priority basis, which is driven by the risk-based approach.
Vanessa Kwan: Understand. And when it comes to cyber security as a whole, what are some of the challenges that you are experiencing currently, for yourself at Axiata and also generally across the Malaysia landscape as a whole? Are there specific challenges that you think are unique to Malaysia?
Suresh Sankaran Srinivasan - Axiata Group: I will kind of split my answer to this question, because it's a very relevant question. It's an interesting question, but it's also a question which can be deliberated probably for 24 hours or 48 hours in one go, right? So, because the magnitude of the answer is that big. So I'll try and split this into few. Now, if you look at the cyber security world today, and it's primarily driven by the way businesses are evolving and the level of digitalization that businesses are adopting, especially in the past four to five years. Now, because of the faster and expansive adoption of technology for digitalization, emerging technologies pose a huge cyber security risk and threat to enterprises. Now, whether it is, I mean, I don't want to just say that it is AI or ML or analytics. It is a combination of all sorts of digital technologies which are in the emerging technology space, AI being the latest in that list. Give it another 18 to 24 months, we will talk about quantum in the same spectrum, right? So I'll broadly bucket it as emerging technologies. The second part of this answer is more around the legacy technologies. While everybody is focused towards the emerging technologies and securing them and all of that, what needs attention is also the older technologies, which are still within an ecosystem, which are traditionally called the legacy technologies. Now how do you still continue to secure, because some of them are either out of support, or some of them don't have any more development happening and stuff like that. So how do you, because they're still needed for the business. So how do you continue securing them while you secure the future technologies is a key consideration for every cyber security leader globally.
The third risk, which is very critical, especially in the regions that we are talking about, which is South Asia, Southeast Asia, the ASEAN region, so to speak, is around cyber security skill and talent. Yes, I know it's an over-discussed and over-hyped kind of a topic, but in reality, it is still a major issue, because there is a shortage of talented and skilled people in this domain, which technically means the ability of enterprises to secure themselves with the right skill sets and talent is fairly limited. The last part, which is the fourth part of this answer, is around people awareness and culture within an enterprise. There is a misnomer that skills or risk capabilities, such as cyber, privacy, etc., are the responsibility of a specialist team. Yes, the core capabilities are the responsibility of a specialist team. However, the broader risk management of it all, or the responsibility of risk management, also lies with the broader employee ecosystem, so making the employees aware about emerging threats, emerging risks and how can they contribute towards remediating them, etc., plays a huge role in terms of managing the cyber risk within an enterprise. So if you kind of layer these four answers within a line, you kind of will get the quantum of problems that cyber security leaders face.
Vanessa Kwan: Understand. And you know, just to dip a little bit deeper, when we look specifically to, like, application security, are there certain areas that are, how do I put this nicely, causing, um, stress to you more a little bit? You know, you have a very interesting role of leading both cyber security and data privacy as well. When it comes to application security or any customer-facing applications for the mentor, I think the number one thing that a lot of CISOs mention is data breaches and leakages as one of the key areas they have to really think about. Is that the same case for you, or are there other concerns that you have when it comes to app security specifically?
Suresh Sankaran Srinivasan - Axiata Group: It still remains a key risk. It still remains a fairly significant risk, if I can put it that way. However, I will want to kind of break down that term application security, because application security in traditional parlance versus application security in today's parlance is fairly different. So I think it's important to define that problem statement before getting into what do we do about it. Today, application security is comprising of your traditional applications, like web applications, mobile applications, courts, etc. Over and above that, you've got APIs which kind of fall into the application ecosystem. So the API security, in my view, somewhere is either interconnected or forms a subset of application security. Then you have the entire third party application ecosystem, which is your SaaS and third party applications piece of it. So if I wear both my hats, cyber and the privacy hat, that causes a major threat, not just from a supply chain point of view, but also from a data residency, data governance, and eventually a data leakage sense. So if I take all of these, and if I take the underlying infrastructure which powers applications, whether it's the cloud infrastructure, whether it is on-prem infrastructure, whichever infrastructure it is, a combination of these two, cumulatively, in a digitalizing or a fast digitalizing enterprise world, is a major risk area for cyber and privacy, for that matter.
Vanessa Kwan: Understand. And for application security, earlier you mentioned about how you are defining it at present. Are there certain areas that you are currently focusing on for application security in the next 12 months? Are you, like, enhancing detection capabilities? Are you expanding coverages, implementing new security tools, technologies? Are there specific areas that you're focusing on for application security?
Suresh Sankaran Srinivasan - Axiata Group: See, it covers across, if I can take the NIST cyber security framework as a reference for this conversation, it covers across the protect, detect, respond, recover, that entire spectrum, right? So the controls will spread across the whole spectrum in itself. So whether it is making sure that applications are designed, coded, tested and rolled out in a secure manner, the whole surround ecosystem is also secured appropriately. That's from a protect angle of it. Then, like you said, making sure that there is visibility of applications from a detection standpoint. There are right logs being integrated if there is a SOC or a monitoring piece, then there are appropriate, what do you call this, response capabilities for applications as well. So yes, we definitely are looking at the entire spectrum of controls and making sure that they are integrated within an application's life cycle in the ecosystem. Now, when it comes to SaaS applications or third party applications, enforcing necessary security requirements through contractual obligations, making sure that there are due diligence happening, there are audits and assessments happening, and the enforcement is fairly tight on the third parties, or the SaaS providers, that also becomes a part of this ecosystem.
Vanessa Kwan: I understand. And when it comes to your larger cyber security priorities for Axiata, are there certain areas that you are focusing on in the coming two to three years? Or, as you mentioned earlier, it's going to be a broad-based approach, where you kind of try to cover all the bases at once.
Suresh Sankaran Srinivasan - Axiata Group: It always is a broad-based, but if you ask me specific to the next two to three years, like I said, making sure that we secure emerging technologies, whether it's AI, IoT, tomorrow, quantum, whichever are the emerging technologies, to make sure that we are securing it, and we are doing necessary risk assessments for all those emerging technologies, and securing them adequately is one of our key priorities. Promoting a security-aware culture within the organization is another key priority for us, to make sure that the broader employees act as the first line of defense for the organization itself, right? The third priority definitely is to have adequate bench strength when it comes to cyber team itself, which means training, skilling and even probably having a broader engagement within the markets that we operate in, whether it is with unis, whether it is with educational institutions and communities and so on and so forth, making sure that we have adequate engagement with the broader ecosystem, so that we can build a talent pool or a people pool within that ecosystem, which we can also depend from, right? So that kind of adds to the bench strength that I was talking about. And bench strength is not just around cyber. Bench strength is cyber on, let's say, emerging technologies, or cyber in OT, cyber in IoT. Cyber is not standalone. Cyber is linked to all forms of technologies. So it's not just about knowing cyber, but applying cyber in specific technology domains, like whether it's AI, OT, IoT, quantum, whichever technology we are talking about. So it's important to have that skill set which combines the two. So that's broadly what we are focusing on.
Vanessa Kwan: I understand. And my final question for you is, looking ahead, you can answer in the context of Axiata, or in your own opinion, what are some of the areas within cyber security that you are most excited about? Are there certain areas that keep you up awake at night?
Suresh Sankaran Srinivasan - Axiata Group: There are quite a lot of things which keep you up at night. See, one of the biggest things that I have seen, and this is me speaking probably at an individual level, as a practitioner, so to speak, the ability of threat actors to launch an attack has become fairly significant. I'll explain. I'll have to just take quick two minutes to explain this. See, earlier, availability of tools for threat actors was fairly limited, and when I say earlier, I'm probably talking about seven to 10 years back. Today, the availability of tools and exposure towards tools is fairly significant. Two is threat actors are kind of collaborating with each other. So if you look at any anatomy of any attack, you will actually see the fingerprint of two, three different threat actors or threat actor groups within a single, if it's a fairly sophisticated attack, you will probably see three, four threat actors, or threat actor groups, within the anatomy of that entire attack itself. So gone are the days when it's one group. You focus on one group or one threat actor and you focus on responding towards them. Today, you need to understand that entire threat actor ecosystem, which means staying either current or one step ahead of what's happening within the threat ecosystem. So that's one thing that keeps me awake. Obviously, emerging technologies is another thing that keeps me excited and awake, both. And while I'm excited for AI and quantum and all of that, I'm also equally concerned, because they bring with them a magnitude of risk which, again, requires all of us to relook at the way we are doing things. And it's not just about how we run cyber. It's about how we integrate cyber with all of these capabilities.
The last, but definitely not the least, and that's something I have been talking with some of my fellow leaders and all, is this whole people matters. And when I say people matters, it's not just about shortage of skill and talent, there is also an element of mental health and burnout within the cyber community. I see this more and more purely because the volume of data and the volume of analysis that gets thrown at cyber professionals today is quite huge. And obviously, because of the shortage of resources, multitasking, the same individual doing two, three different kind of roles within cyber, is fairly common. So that leads to burnout, that leads to stress, that leads to a lot of mental health issues, which is actually now a mainstream conversation within this community itself. That's something I'm conscious of, that's something I'm concerned about. I'm thinking about it in terms of, how do we make sure that we don't stretch our people. We give them adequate time, energy and space to recover from whatever they do and come back motivated, excited and refreshed, to again face another challenging day ahead. Whether automation is the answer, not entirely. I mean, people keep talking about, yeah, automation is the answer; not entirely. Automation can help up to a certain level. There are other contributing factors as well, and, like I said, that's probably topic for another entire conversation on its own. But yeah, these are some of the things that kind of keeps me awake and keeps me excited.
Vanessa Kwan: Understand. Thank you very much for sharing, Suresh. I think you sit in a very exciting role. There's a lot of developments, like you mentioned, in the AI, quantum, IoT space that certainly has a lot of cyber security repercussions that comes along with it. Also definitely looking forward to the many positive and great initiatives that Axiata has, and we definitely do look forward to future conversations with you. Thank you for sharing your insights with us. Thank you.
AIBP Intro: We hope you've enjoyed the episode. For more information about business growth in the ASEAN region, please visit our website, www.IoTbusiness-platform.com.