Azlan Mohamed Ghazali is an Engagement Director in the Emerging Tech Risk & Cyber (ETRC) Department at KPMG in Malaysia for the Government Linked Companies and Government Sector Account.
His role is to establish and build relationships with government bodies such as NACSA, MAMPU, CSM and other government agencies to promote the services offered by ETRC. He has also represented ETRC at the MCMC Security and Network Working Group for the development of Technical Guidelines.
Businesses are not the only entities exposed to cyber threats; government sectors are exposed as well. To provide a better understanding of the cyber landscape in the government sector, Azlan shares his insights in the Q&A session below.
The cyber threat landscape continues to evolve, leaving all forms of organizations vulnerable to cyber threats regardless of whether they operate in the government or private sector. Hence, the right security controls, which should comprise People-Process-Technology, have to be in place to prepare, protect, detect and respond to all types of internal or external cyber threats.
I believe the Malaysian government has put strong controls in place in terms of Technology/Solutions to combat ransomware. With the help of Cyber Security Malaysia (CSM), MAMPU and NACSA, the government continues to strengthen and strategize the nation’s Cyber Security Framework, especially the ongoing Info Security Awareness for internal and external stakeholders (citizens). Furthermore, according to the Global Cybersecurity Index (GCI), Malaysia, with a score of 0.89, was ranked as the third best among 193 countries globally in cybersecurity in 2018. We have thus far managed to maintain this ranking in two (2) reports (2015 and 2017).
The importance of the public sector being well equipped to face potential cyber threats must not be taken lightly. It is essential for organizations to continuously promote the importance of cyber security threats to internal staff as well as to the public through Info Security Awareness. The government should also consider establishing an extensive Cyber Security Awareness Programme that could be easily replicated across all government agencies. The programme should comprise all types of cyber threat awareness such as Face-to-Face talks, Emails, Surveys, Coffee Talks, Posters, Campaigns, Social Media, etc. Additionally, each agency should have internal staff who are capable of handling and managing cyber security threats without fully relying on an external third-party agency. Companies should at least make it compulsory for employees to partake in a yearly Information/Cyber Security Awareness Training. The top-down approach will always be a good example to promote continuous information security awareness within the organization.
Yes, I fully agree. In the People-Process-Technology triad, people have been identified as the weakest link. Mistakes can happen at any time and there is also a high possibility that individuals would try to take advantage of even the slightest mistake, which in turn could potentially cause losses to businesses. Hence, having an established process in place and continuous education will help guide and educate people/employees in managing these types of incidents - especially when dealing with cyber security threats and attacks.
Cyber Security encompasses a broad domain, and the appropriate skills and capabilities vary for each area. Both technical and non-technical skills are crucial. Security Technical related skills, such as Pentester and DevSecOps, will help to identify potential threats or security flaws in the servers, applications and the network. On the other hand, Security Governance, Strategy, Risk and Compliance skills will help to strengthen and implement the right policy, direction and strategy in managing and operating cyber security. Cyber Defence and Security Operation skills are also required to assist in responding to incidents, combatting potential threats as well as to extend and carry out Security Forensics. I believe these skills are vital in managing and operating Cyber Security Services in organizations.
Additional skills needed are a fundamental knowledge of IT, IT Networking and OS Security. It will help the organization have a better understanding of internal and external connectivity. It is also to ensure that secure configuration is applied to all servers and network devices.
Most likely yes, but in a limited capacity. Robots work based on instructions or programmes that have been embedded, and thus cannot cater to every single problem faced by humans. Even with the development of Artificial Intelligence (AI), there are still some ways that robots cannot compare to humans.
The easiest example would be in terms of creativity. Robots cannot understand context, and I doubt they have enough creativity to resolve all problems. While robots can duplicate human artwork, since their minds are programmed by humans, it is unlikely that they will ever be as creative. Also, human connection gives a certain added personal touch; I doubt people would be at ease talking to robots all the time.
For more information on ETRC and the services offered, visit www.kpmg.com.my/cybersecurity