AIBP ASEAN B2B Growth

PNB: Building Trust in a Zero-Trust World

Episode 57

In this episode, Puan Aishah Farha Mohd Raih, Chief Information Security Officer, Permodalan Nasional Berhad (PNB), shares her experience of transforming cybersecurity at one of Malaysia's largest fund management companies. As CISO of PNB, she discusses how her team implements zero-trust architecture while managing third-party risks and regulatory compliance. Through comprehensive security programs and platform integration, discover how modern security leaders are protecting organizations in an increasingly complex digital landscape.

AIBP:

Digital trust demands defenders who can outpace the threats.

Aishah - PNB:

The threat landscape continues to evolve right now with the more advanced, or rather, higher usage of artificial intelligence, AI, right? So, and we also see in Malaysia, particularly, right, new regulatory requirements or local laws, right? We've had the Cyber Security Act this year that was passed in Parliament.

AIBP:

When millions trust you with their future, innovation becomes your strongest defense.

Aishah - PNB:

I think it's a really timely and important view, right, around platformization. So for PNB, platformization is also important for us to optimize the resources that we have, right, and it also helps by having a single source of truth for harmonization of effort, right, when managing security solutions or incident management, especially.

AIBP:

In the world of modern finance, the greatest threats are the ones you can't see.

Aishah - PNB:

Our defenders in PNB today, we're starting to explore use cases and implement, right, AI use to make sure our average or mean time to respond and recover towards a resolution around a particular incident scenario is faster, right? And this is for its end-to-end process. So leveraging AI would actually achieve this faster detection to response and resolve, which will, in turn, help organizations, and PNB particularly, to achieve our reporting requirements to our regulators and the authorities.

AIBP:

Join us for a conversation that takes you behind the digital walls, where artificial intelligence meets human ingenuity in the race to protect our financial tomorrow. Please enjoy this episode from the AIBP ASEAN B2B Growth podcast.

AIBP Intro:

The AIBP ASEAN B2B Growth podcast is a series of fireside chats with business leaders in Southeast Asia focused on growth in the region. Topics discussed include business strategy, sales and marketing, enterprise technology and innovation.

YY - AIBP:

Hello and welcome to the ASEAN B2B Growth podcast, where we sit down with individuals responsible for driving growth within their organizations here in Southeast Asia. My name is YY, and I will be your host for today. Today we have a very special guest joining us, Aishah Farha Mohd Raih, the Chief Information Security Officer of Permodalan Nasional Berhad. Permodalan Nasional Berhad, or PNB, is one of the largest fund management companies in Malaysia. A little fun fact for our non-Malaysian listeners: PNB recently moved its corporate headquarters to the Merdeka 118 skyscraper in Kuala Lumpur. This building, also developed by PNB, is the second tallest building in the world, second only to Dubai's Burj Khalifa. This move not only showcases PNB's significant role in Malaysia's economic landscape, but also highlights its involvement in creating iconic landmarks that are recognized globally. Without further ado, may I invite Puan Aishah to give us a brief introduction of herself.

Aishah - PNB:

Thank you. Thank you, YY, and thank you for having me for this conversation, right, with the AIBP. So I'm Aishah and I'm appointed as the Chief Information Security Officer of Permodalan Nasional Berhad, or PNB in short, like you mentioned, right? So a bit of introduction of myself. So earlier in my career, I started coding, doing technical support and project management work for encryption solutions. And this was when, you know, the internet boom and, you know, online banking started, right? So that's where, you know, security solutions such as encryption are very crucial to make sure the safety and security of transactions online, right. And then next, I went into broader consulting, in risk assessments, business continuity, disaster recovery and security audits. And these were in the field of consulting, right, in various consulting firms, as well as banking. Right, then I moved on into security operations, hands-on, right, getting really my hands dirty around, you know, security devices, network devices, right, managed internal audits and performed, you know, a lot of reporting around internal audit work. Then I extended my experience in data protection, in privacy as well as risk management, and these were in the telecommunications and pharmaceutical and healthcare sectors, right? And then I took up the role of CISO of PNB, and it has been a privilege since then. So thanks a lot, YY, for letting me, you know, give a background of myself. Thank you.

YY - AIBP:

So Puan Aishah, what you've just mentioned is that you were looking after critical information of the telcos, the banks, and I saw that you also have pharma experience. So those are key industries. Tell us a little bit more about PNB, and especially for the international audience who may not understand the significance of PNB to Malaysia.

Aishah - PNB:

Right? So PNB was founded in 1978, right? And it was established as part of Malaysia's, or the nation's, New Economic Policy. So really, we go a long way back, since after our independence, right. Over the past 45 years, PNB has grown to become one of the largest fund management organizations in the country, right, and that is to really deliver our renewed purpose and mandate to uplift the financial lives of the nation across generations, right? From a business standpoint, we cover, you know, areas such as public markets, and looking at, you know, fixed income, variable price funds, right? And we also look into private and strategic investments, where we are major shareholders in a lot of Malaysian conglomerates. So that's a background of how we were institutionalized, right? Really driving economic growth for the nation.

YY - AIBP:

That's a great background of where PNB sits within Malaysia itself. I believe it was one of the instruments of the government's New Economic Policy when it was first set up, and now it has grown quite a bit since then. Well, with that in mind, I think in the ASEAN region, what we've been seeing is that organizations are identifying several strategic goals to really enhance their security programs over the next couple of years. This includes things like cybersecurity awareness, cloud security, using AI in security, amongst many others. So in your role at PNB, what are some of these goals when it comes to addressing this evolving threat landscape and still ensuring robust cybersecurity measures for PNB?

Aishah - PNB:

Okay, so, you know, you're right, right? The threat landscape continues to evolve right now with the more advanced, or rather, higher usage of artificial intelligence, AI, right? So, and we also see in Malaysia, particularly, right, new regulatory requirements or local laws, right? We've had the Cyber Security Act this year that was passed in Parliament. And we also have the enhanced Personal Data Protection Act. Apart from that, within the capital markets industry, we also have the Guidelines on Technology Risk Management that were published. So both the evolution of technology, as well as now newly published, right, local laws and regulatory requirements. So how do we actually make sure we stay ahead of the curve, right? So from a strategy standpoint, really the first is we make sure the control designs and controls are included from the onset of any projects. So how do we do this? Right? We have the control assessments or control implementations that are required as part and parcel of respective business or divisional processes, right, and in our new upliftment effort, right, where it's in our broader cyber security and data protection program, right, within PNB or organization-wide, this is where there are further efforts to make sure there are inclusions of these controls within the respective business processes, right? So that's the first, and then the second is, just now I mentioned briefly, we are having an overarching cybersecurity and data protection program, right? And this is crucial, right, to cover people, process and technology areas across various work streams, right? And why we need to do this is so that we can reach an elevated target cyber maturity state to reduce our risk and exposures, right? And so the areas of our work streams or focus areas within the teams, right, cover five. Right? The first one is our cyber and data protection strategy, right?
We're looking at areas where we can mitigate the risk faster and also reduce the attack surface or exposures, right? So, just now, I mentioned about the newly published local laws, enhanced, as well as regulatory requirements; we're looking at risk and compliance as a dedicated work stream as well, to elevate and drive efforts around, you know, not playing catch-up, but really staying ahead of the compliance needs, right? The third is around third parties. If we see in the news today, third-party-related breaches are quite rampant, right? So third parties is a focus or dedicated work stream that we have, to make sure that the supply chain, either, you know, the services they provide or the data they manage, right, are actually secure in accordance with our PNB standard requirements, especially for those third parties that have access to our network and systems. Right. The fourth is around culture, where we work closely with our colleagues in HR, right, in terms of upskilling capabilities, right, as well as looking at guidelines for broader employees across PNB, right. And the fifth and the last one, right, is around technology, making sure that there is a cyber security blueprint, right, that matches the broader business strategy in terms of reduction of risk in the identified areas. So in a nutshell, we have two ways as part of the overall strategy, right, which is making sure that controls are there from the onset in the respective business processes, so that cyber security is not seen in a silo. And second is having this overarching cyber security and data protection program to support those daily conversations, right, that are happening. So that's in summary how we strategize against the evolution of cyber threats, and now, you know, the many regulatory requirements that we're seeing.

YY - AIBP:

Well, I mean, what you've mentioned is very true, and you talk about technology as the last pillar, right? But I'm curious, because I think now, with so many different types of cyber security technologies, there seems to be a trend towards platformization in cyber security. And then I think there are some that look at an integrated approach, and there are some that may be looking at a best-of-breed approach. Do you also look at these different areas, like a single platform or a hybrid model? How do you look at that?

Aishah - PNB:

Yeah, thanks for the question. I think it's a really timely and important view, right, around platformization. So for PNB, platformization is also important for us to optimize the resources that we have, right. And it also helps by having a single source of truth for harmonization of efforts, right, when managing security solutions or incident management, especially. So what I mean by that: today, for example, we have a governance, risk and compliance solution that we're looking at, right, but not just for the need of, for example, closing certain vulns or exposures, right, and tracking the risk acceptances, if there are any, around the vulns that are open, right? But really it's more of also seeing how we can integrate this one governance, risk and compliance solution across our broader risk management as well as compliance. Sorry, if we have certain metrics around risk management, looking at system security, right, reputational risk, financial risk, then it is also to use this single platform as part of the integrated platformization, so that then, in terms of user convenience, there is one single platform, one that the users can adapt to, be agile and get familiar with using. And two is, in terms of cost efficiency, we can really leverage, for example, a certain risk process of flagging certain alerts, right, that could be similar across the platform to various stakeholders, right? So one risk that maybe is relevant across different stakeholders, that needs to be tracked for a compliance purpose, and then the technology implementation or fixes to close it, all these have a single view, right, that rolls up to the same initiative, so that then there are more integrated efforts, from a cost perspective to close, as well as risk management in general. So I think that's where we are progressing towards. Now we're going into this cyber security and data protection program phase two.
So hopefully there will be more of those integrated efforts that we are already starting. If we have started, it's more of now execution and following through on those plans.

YY - AIBP:

What I think you mentioned is very, very true. Right, at the end of the day, you have to optimize for cost, because budget is never unlimited, so you have to decide what to prioritize. And I think now, with the proliferation of, say, cyber security threats and, like you mentioned, various depths of platform, platformization does help in providing a more cost-effective approach, plus also a way to have a complete view of the cyber security within the company itself. I'm also wondering, right, how do you prioritize or allocate resources? Because at the end of the day, if I look at it, everything is also quite important, right, when it comes to cyber security, because the breach can come from anywhere. How do you then decide what to really look into more versus others?

Aishah - PNB:

Yeah, you know, and that's a regular juggle, right, across a lot of organizations, not just PNB. For us, we really prioritize areas for budget, right, and funding from identified risk and focus areas that we've identified through, number one, our cyber maturity review that we do periodically, right; and number two, through focus areas or themes that we need to implement in our broader cybersecurity and data protection program that I mentioned, right; and number three is through internal assessments. Right? Because when there is a new act, for example, that just came out, the Cybersecurity Act, and we've already done a gap analysis and a cyber maturity review against the GTRM that was published just before that, right? So it's always making sure that those periodic assessments are timely. So then we can revisit any budgets that we need to reallocate towards a particular initiative, because that will, in turn, impact or reduce penalties around potential non-compliance, right, and also will support in terms of harmonizing initiatives, right, across different areas. So those cyber maturity reviews and also internal assessments are a collaborative effort that we do with various stakeholders, you know, risk, compliance, technology, as well as our business division representatives and owners, so that they are aware of, for example, if we have to remediate a particular security issue, right, or a vulnerability around a zero day or around a particular patching need, and then it will impact the organization from a certain angle.
Or from a certain exposure, you know, external or internal, then we see where the funding is, whether it should be prioritized for that. Or another scenario is we've now got to go live for a core investment system, right, which maybe also has certain exposures which we want to mitigate, right? And this is another application going live, for example, for our unit trust management purpose, right, serving the approximately 15 million unit holders. So we will prioritize the funding. You know, we look at these three: which could shape us the most, right, which will reduce the risk the most, and of course, then the funding goes into, okay, let's do it for the core investment, or the core unit trust. That way we will potentially save ourselves from the impact of penalties or non-compliance and reputational risk, right? So that's how we prioritize the funding, right. In summary, we look at the cyber maturity review. Second is the overall focus areas in our cyber security and data protection program, and the third is through the periodic assessments that I mentioned.

YY - AIBP:

That's a very comprehensive strategy. I think when we talk to many enterprises within the region, there are certain camps that say that they will do everything themselves, and there are certain camps that say that they have, like, a managed service provider actually help them with it, in partnership with them. Right, for PNB, is it mostly done in-house for all of your cyber security, like you say, the risk management, the overall cyber security audit? Is that done in-house?

Aishah - PNB:

Okay, so for us, it's, I think, a combination of areas and companies, a combination of efforts to fix or a combination of efforts to mitigate risk, right? So some are done internally, right, where, for example, for the on-premise applications and servers, predominantly we do that internally, right, at server level, for example. And where it involves off-the-shelf applications, right, where it's proprietary, we have that through contractual terms, where it's addressed. And where it is, you know, more cloud native needs, and cloud native needs via certain tenancy arrangements, that is through our managed services, right? So it's a combination, depending on the scope of the risk and issue that we need to fix, as well as the current engagements that we have for those different areas.

YY - AIBP:

I like how you've scoped it, right, like there are different costs and there are different risks, so then you have to really look at what is the most, how much value are you getting per unit, in that sense. When you get to cybersecurity, there is this term that's been thrown around quite a bit: zero trust. How do you view zero trust?

Aishah - PNB:

Yeah, I think zero trust is crucial for any organization scale today and size, right, for any organization size as well. The reason being is, if you're a large organization, right, sometimes there is the challenge of having visibility or line of sight of every security alert, right? So if you're, for example, a 100,000-plus organization, or like PNB in the thousands as well, having line of sight and visibility of everything is also a challenge, right. And for smaller organizations, right, even as well, because then you might not have the, you know, needed funding, right, to spend on the monitoring that you require to make sure that your defenses are, you know, intact. So then this is where zero trust comes in, right, regardless of the size of the organization or the setup where you have, you know, various, I mean, you have various controls, right? And you, of course, trust through the kind of partnerships that you have and people internally that you've trained. However, all those connections and systems need to be verified, right? And this will mitigate a lot of attacks that we see today, for example, if someone managed to get into certain segments of the network now, and this is via certain means, like, you know, they moved to a certain segment, and they keep quiet there for a while, and let's see if anybody notices me before I move on to the next area. You know, I find out if people discover I'm there. So this zero trust model helps make sure that, for example, in this scenario where those segments are, right, different segments, there are controls, right, that are set in for these different segments. There are accesses that are defined for these different segments, right? So it's really also controls in depth, right, each serving a different purpose, right?
So if you are a system administrator, administering a core investment system, right, and you are having back-end operations access, so then, therefore, your system administration access should also have certain logging capabilities that are tracking what you're doing, you know, if you're doing certain actions around managing data, that is the database access monitoring, looking at, you know, whatever edits are made or data dumps that are done. So I think those are very crucial in terms of making sure that we trust the partners that we have and the stakeholders that we are working with, but we verify, right, through the right controls serving the different purposes, and then making sure that that continued trust is there for the servicing of the millions of unit holders that we have.

YY - AIBP:

Understand. You've mentioned that third-party risk is one of the highest growing risks, right? So that's why it's one of the pillars that you look into. I think I have a couple more questions, in regards to, you know, how do you then measure your success? So is it based on, you know, like, zero days? Are there other areas where you measure the team's performance and whether, you know, a well-deserved bonus is going to be given this year? How do you measure the success of cyber security measures in PNB?

Aishah - PNB:

Thank you. And I think there are a lot of lenses and angles to that question, right, you know. And why I say so is because, how do you know, for example, the cyber security and data protection program that we've implemented today, we're going to phase two, is effective, right? It's not visible to the human side, right? So for us, we define certain metrics, like this year, for the first time, right, we have defined as part of our broader group KPI around data loss, right? So what that means is, across divisions in PNB today, we have, you know, metrics around defining what data loss is, and it could vary in terms of the business process for that particular business function, right? So if you're a business function that processes personal data, right, and on average, you send out personal data for processing employee information, for example, or you process new candidates to be hired, right? So there are thresholds defined around respective functions, and there are also definitions of what these metrics are, what constitutes data loss that is not tolerable to us, right? So that's number one, defining those metrics, right. And then second is having those thresholds, right, and if it surpasses the thresholds, then it's a sort of, maybe, a red line or an area for us to monitor whether we should revisit the use cases that we define in the system, whether it's effective or not in terms of the control design, right? And then the third is actually looking at the intended outcome from the use cases of solutions that we've implemented, right? So for example, right, if we put inside our data loss prevention system three use cases, right, to make sure that data is not sent to a personal email address or to a public cloud drive, there is an assessment on how we assess the effectiveness of those data being sent out to the channels.
So that's another method that we use, right. And last but not least, the most important is we also assess effectiveness around people, right? People awareness, right? We do phishing simulations, we conduct e-learning, making sure there is mandatory e-learning that's completed, 100% completion. So if there is no completion at 100%, then there's also a flag for us to consider: you know, what are the challenges behind not meeting those mandatory needs, right? And for phishing simulation, we do a benchmark against those that fall prey to clicking those links, right? And we have click-through rates that are acceptable and not acceptable against the benchmark. So that's another form around how we assess success or effectiveness of those defined metrics.

YY - AIBP:

That's a very comprehensive view. So you have a benchmark about, like, if somebody clicks on the link that offers them a discount at the supermarket, or like it's a boss email, do people actually click through those links? Okay, understand that. That's a very good overview. I guess we're coming to the end of today's discussion, and looking at this evolving landscape that we started off speaking about, what are some of the areas looking forward that you're personally very excited about, where you see the largest growth and opportunities for Malaysia, for Southeast Asia, and perhaps even globally?

Aishah - PNB:

Yeah, so I think really where we can have opportunity and leverage, right, as defenders in cyberspace, is also leveraging the AI and machine learning part, right? So, for example, if today our attackers are using AI to try and break systems faster, right, then our defenders in PNB today, we're starting to explore use cases and implement, right, AI use to make sure our average or mean time to respond and recover towards a resolution around a particular incident scenario is faster, right? And this is for its end-to-end process. So leveraging AI would actually achieve this faster detection to response and resolve, which will in turn help organizations, and PNB particularly, to achieve our reporting requirements to our regulators and the authorities, right? So that's one. And I think at a personal level, you know, now, I think in my own house, right, we were using, you know, Google Nest, and I don't really, you know, open my curtains anymore. I just ask Google to do it for the curtains for me, you know? So we're living in an era of IoT technology and edge computing, right? So it's to make sure the approach that you take, especially for the developers, house developers out there, towards smart homes and smart cities, considers security around IoT technologies. And for those who fancy this space at home, right, trying things out, like my family and I, right, it is really seeing, okay, if you're using Google Nest, understanding the vulnerabilities around that and the software with that, right; if you're using certain remote solutions, right, on your mobile to be able to control your lighting or your doors being opened remotely, you know, before you reach your house and such, making sure those kinds of applications and software are also secure, right, or not easily exposed, and you don't use default passwords around those applications, right? So I think number one is really around leveraging AI.
Yeah, IoT is really interesting at a personal level to me, right, on how, for me, because I'm always on the go, sometimes I forget to lock the door. You know, sometimes my car lights are on, and I usually, I really leverage my software to make sure I do this remotely, right? So that's one. And I think another opportunity, which has both flip sides of the coin, is really for the young ones out there to explore cybersecurity as a career, right? There are, you know, a lot of conversations in the industry, and now the World Economic Forum also has developed a framework around cyber security talent, a framework to basically drive down gaps and shortages in this space, right? So it's, you know, for those who are in data science, or, you know, doing data analytics, right, I think because of the billions of alerts, for example, that we see in cyber monitoring or defense activities, data analytics skills are also applicable in cyber security, right? And it is a very lucrative space to be in, if you're interested, right? I think it's just a matter of making sure that you are aware of personal limits and also the demands of the space, so that self-awareness is crucial for your day-to-day management of yourself and also your organization, right? So I think, see, that's the third one. About three things, right: leveraging AI, and really looking at how IoT can actually fit for your own use and making sure it's secure, and also, yeah, the opportunities around talent, the work opportunities that we have. And I think I just need to mention this one more thing. It's also for cyber security practitioners to see how compliance requirements actually would benefit them, right, and how they can leverage these compliance requirements without so much of it being a tick-in-the-box exercise, but how you drive certain automation checks around these compliance needs, right, and then get the necessary funding and investments needed.
So I think if I can share some highlights, those would be, I guess, my topics around both challenges and, on the flip side, opportunities that can be explored.

YY - AIBP:

Thank you very much, Puan Aishah. Your time has really enlightened us about how PNB is driving cyber security within your organization, and what some of the key areas of opportunity are that you see for Malaysians in the cyber security sector. Thank you very much for your time today.

Aishah - PNB:

Thank you, YY. I appreciate the conversation. Thank you.

AIBP Intro:

We hope you've enjoyed the episode. For more information about business growth in the ASEAN region, please visit our website at www.aibp.sg.