Hire a Data Protection Officer. You need this person to be your eyes and ears on privacy regulation. Without this person, you could be breaching many data privacy regulations and be at risk for hefty fines.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jason Lau, a multiple award-winning cybersecurity and data privacy professional with over 20 years of experience, who is currently the Chief Information Security Officer (CISO) at Crypto.com, Adjunct Professor for Cybersecurity and Privacy at the HKBU Master of FinTech program, and also on the Standing Committee for the Privacy Commissioner for Personal Data, Hong Kong (PCPD). Jason is also currently the Regional Lead, Co-Chair, Faculty Member and Official Training Partner for the International Association of Privacy Professionals, a Fellow of the Hong Kong Institute of Directors (FHKIoD), and a Fellow of Information Privacy (FIP). Jason is also an official member and contributor to the Forbes Technology Council and was recently included in the Global CISO 100 list.
Jason holds CISSP, CIPP/E, CIPM, CIPT, CDPSE, CGEIT, CRISC, CISM, CISA, CEH, CNDA, HCISPP, ISO27701 Senior Lead Auditor, ISO27701 Senior Lead Implementer and ISO27001 Lead Auditor certifications.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Firstly, thank you for acknowledging me as an authority in the cybersecurity and privacy space and it’s my pleasure to share my background and experience with your readers.
I grew up the youngest in a family of 5 siblings (including myself), where all of them were mentors to me in different ways throughout my years and even now. I grew up playing chess as our family hobby, where at an early age, I was vicariously watching on the side-lines as they would be winning competitive chess at the highest levels, which drove me to follow in their footsteps and enter competitions at the age of four. Being all doctors and a lawyer put a lot of pressure on me with big shoes to fill and I decided to walk the path of engineering. From there, I had the opportunity to work in the information security field traveling around the world, working for and helping some of the largest multinationals.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
As part of my engineering degree, we had to experiment with integrated circuit chips and programming them to do a variety of different things. It just so happens it was around that time when the first-ever PlayStation was released. In my spare time, I researched and “hacked” the boot sequence of the machine with a “ModChip” I programmed, and I was able to play games from different regions around the world (back in those days games were on CDs and had country regional restrictions on where they could be played, and some of the best games were never in my region!).
I was one of the first with these ModChips at that time, and my friend and I started to help others as a freelance job; it was quite thrilling and exciting! This was my first experience with hacking and reverse engineering and taught me how to use root cause analysis to really dig deeper to understand the underlying technology and reasons for why things work (and don’t work), and this is a fundamental skill which I have found useful in my cybersecurity career.
Can you share the most interesting story that happened to you since you began this fascinating career?
I was fortunate to be a cybersecurity advisor at Microsoft during the time when it was going through a global restructure under the direction of Microsoft’s CEO Satya Nadella. It was at a time when Microsoft was not known for being in the “cybersecurity” industry but built an arsenal of security products, and took over some of the best Israeli security companies and was committed to spending over 1 billion dollars in cybersecurity each year. Microsoft got serious about security and it was something I wanted to be part of. At the global annual Microsoft gathering, where I had the opportunity to be part of Satya’s briefing, there was something Satya said which stuck with me: “Don’t be a know-it-all; be a learn-it-all.” I thought this was very inspiring and at that time as everyone was preparing for the new General Data Protection Regulation (GDPR) to come into effect the following year, I took it upon myself to skill up and “learn-it-all” about data privacy. This has helped tremendously with the evolution of my current cybersecurity career. So to aspiring security leaders out there, my advice is to listen to one of the most inspiring technology leaders — “Don’t be a know-it-all; be a learn-it-all.”
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Without a doubt, my father has always been the most inspiring person to me. As the youngest of a family of five siblings, I grew up watching, learning and following him while everyone else was at school. To me, he could do everything and always had some way to “fix things.” Dad was into everything from traditional treatment, mechanics, hydroponics, electronics, mathematics, farming, chess, cooking and more! The lesson for me here, which followed me into my career, is that you should not just focus on one field. You can learn a lot from different fields, and you should have a growth mindset and explore multiple ways to find a solution to a problem. Often, I would try and suggest ideas, but the bad ones would always get a response, “No Way…” 🙂
Are you working on any exciting new projects now? How do you think that will help people?
I wear multiple hats right now. As Chief Information Security Officer at Crypto.com, we have a corporate mission of accelerating the adoption of cryptocurrency. My role is to work with my global team of experts to secure the platform and ensure our clients’ funds and data are safe. This is an extremely challenging task, and while launching products such as our Crypto.com App, Exchange and more, we have also complemented them with services and offerings like Decentralised Finance offerings, a DeFi Wallet and more. These will help people in many ways regardless of their experience in cryptocurrency, with the goal of transitioning more people to the FinTech space. While exciting, it also poses many challenges for our team, as security and privacy are core pillars of the company, and my team and I continue to work towards strengthening our security maturity over time, which in turn helps to build trust with our customers.
Outside of Crypto.com, I am an Adjunct Professor of cybersecurity and privacy at one of the top business schools in Asia, as well as being on the board of directors for several think tanks and industry associations. These are critical, allowing me to help contribute back to the industry and community through ongoing security and privacy awareness on one hand, while on the other hand staying at the forefront of industry developments and mutual sharing with my peers allows me to feed new insights into my cybersecurity strategy at Crypto.com.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Burnout is a major problem for the cybersecurity industry. Research by ISC2 showed that there is currently a major cybersecurity workforce shortage, with over 4 million positions which need to be filled. The shortage of skilled professionals means that cybersecurity professionals are having to do more and wear multiple hats. There has been a lot of press around CISO burnout, where over 88% have indicated high levels of stress and the average tenure is just 26 months, and the same goes for other information security professionals, who also suffer from the same stress and challenges.
There is no perfect solution for this, and for my team I have tried to support them the best way I can by building a culture of collaboration where each of the team members get the opportunity to work on different projects. In addition to this, we have to extend the security responsibility and train and make the rest of the organization realize that security is a shared responsibility, and in doing so, build a company-wide secure culture; people are always the weakest link, and having other employees being an extension of our security team and being alert and informing us of potential threats can help the security team to be more proactive rather than reactive after a sudden incident, which in turn can reduce the stress level.
Finally, it is important to have a good work-life balance. The constant stress of potential threats can have a toll both mentally and physically so my advice to fellow CISO colleagues would be to take some time to “chill” and spend time with family and I have found that some of these times have resulted in fresh ideas and new perspectives for work strategies.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The number one factor which excites me the most is the chance to work with amazingly smart people. I have a great team of experts who come from different backgrounds, and the multicultural aspect of the team gives fresh new perspectives on many challenges we face. I also have a close network of CISOs around the world, and we have gone through many different types of security challenges over the past 20 years; being able to share thoughts and ideas on incidents and solutions has been an enlightening experience.
Secondly, I would say that the industry I am in, which marries FinTech, Blockchain and Cryptocurrency with cybersecurity and data privacy, covers areas that are all currently in the spotlight. Each one of these areas is rapidly changing, and when you combine all of them together into a day job, you won’t have a dull day but need to be on your toes to keep up with the industry changes all the time.
The third thing which I would say excites me is the natural evolution of the cybersecurity industry. I have been in the industry from the beginning, before it was even called cybersecurity, and have seen how it has evolved from basic systems management and monitoring to highly intelligent products.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
As mentioned above, while I am excited about the evolution of the cybersecurity field, on the flip side, I see external threats becoming more advanced and these will be society’s critical threats over the next 5–10 years. We will see challenges with quantum computing and also artificial intelligence powered threats like malware which companies are going to need to be prepared for. On top of this, ransomware is getting more “clever” and with the growth of Internet of Things (IoT) combined with the new COVID19 challenges, Healthcare is facing a big risk — cybersecurity is no longer a tech issue, and ransomware has already resulted in a patient’s death.
I feel that the global cybersecurity shortage will get even worse over time unless companies upskill existing employees with cybersecurity training. The strategy should not be to rely on a select few or a team of security folk in your organization, but to get everyone trained to a certain level so they are aware of their own respective departmental risks. An overall cybersecurity strategy should encompass more than just buying tools. Companies need to continue to invest in talent and keep abreast of new technologies that can also introduce new business risks. Specifically to the above question on AI-powered threats, companies will need to invest and adopt their own AI cybersecurity strategy and tools such as User-Entity Behaviour Analytics (UEBA) to help early detection of anomalies in the network environment.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I would say that there were many interesting cases, but the most recent experience would be with the WannaCry ransomware attack, where I was witnessing first-hand a company in the middle of an attack demanding installment in Bitcoin. This was a case where they had no other choice but to pay the ransom due to the sheer amount of data and systems which were locked, and the implications would have been devastating. Overall, WannaCry ended up infecting hundreds of thousands of computers in many different companies and spread to over 150 countries worldwide. The lesson learned here is to ensure companies are always on the most updated patches and to always scan and close out vulnerabilities at their end-point systems. This needs to be a continuous process to minimize risk.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Cybersecurity can be simplified to its core focus which is the protection of Confidentiality, Integrity and Availability, often referred to as the “CIA Triad”. In order to safeguard these core areas, organizations need to focus on People, Process and Technology.
Notice the order of the above — technology should come last in the discussion. Through my years of experience, too much focus has been put in vendors and products and I have seen many companies spend millions of dollars on the best “tools” but were not the right fit for their company and their infrastructure, or they could not fully utilize all of the product features. Thus, a better strategy is to focus on cybersecurity frameworks and standards such as those from ISO and NIST for example. Through the use of the standards and frameworks, you can find the right tools which will help to support these strategies and goals and help to complement rather than just simply add tools to the cost.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Unlike the traditional banking sector, there are currently no ‘best practice’ guidelines or nicely packaged “over the counter” software available in the fintech space. For many companies, the first step of showcasing commitment to data privacy is the appointment of the Data Protection Officer to oversee the overall privacy governance, and a Privacy Officer to run and overlook the day-to-day privacy program. These roles are immensely important as such programs will only be successful if there is someone in an organization to take ownership of it. This also poses an exciting challenge for cybersecurity professionals looking to make an impact, and from the ground up, baking in privacy by default into the whole system development life cycle — into the DNA of their operations — rather than bolting it on as an afterthought.
Fintech is an exciting field with some of the best security talent from traditional financial services and the enterprise technology world moving into startup roles, lured by an exciting and dynamic industry and the opportunity to truly innovate and architect systems that create true business impact. Those spearheading security efforts should strongly consider industry standards and regulations such as International Organization for Standardization (ISO) as a road to improving overall cybersecurity posture. We’ve seen this in our business with exciting hires and top talent bolstering our own team and capabilities — all of whom are bringing their experience to ensure all of our products and solutions have security at their core from inception to execution. Our security team brings different levels of expertise to ensure that everything we do delivers on security and helps safeguard our platform as well as customers’ funds and information — right from the get-go.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
1) Phishing emails — this is the number one method of attack from hackers who try to breach your systems via human weakness.
2) Slowing of your applications and network — if your everyday tools and resources are significantly slower than usual (or worse still, you cannot access), then it could be a sign that “something” is happening on your network which could be anything ranging from a denial of service attack to some form of malware propagating throughout the network.
3) Active Attack signs — For a lay person, seeing a ransomware sign on their screen, or seeing that their screen is being remotely controlled, is an immediate red flag to warn the IT Security team immediately.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Immediately kick off their Incident Response plan. This is a playbook which the information security team will help to drive if it is a security incident; it is a systematic, step-by-step approach to handling security issues which are relevant to their environment. The approach could differ for different companies, depending on the type of attack and the risk. It is often also very important early on to get your Data Protection Officer involved, in case they need to be on stand-by to report the incident to regulators and customers, as well as the crisis management team, insurance company, outside experts and law enforcement if needed.
For Europe especially, with General Data Protection Regulation (GDPR) being a key focus, for companies that are on the road to GDPR compliance, cybersecurity is a key component that should already be on the top of any agenda. Companies can look to the new ISO27701:2019 to help with their Privacy Information Management Systems (PIMS), and while regulations and standards such as these play a role in setting companies on the right path, at the same time, self-regulation is also a component. Companies that put in the effort to ensure they achieve the highest standards, gain internationally recognized certifications, and innovate to develop new solutions — will win people’s trust and get ahead.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Overconfidence. After travelling around the world and consulting for some of the biggest companies, the consistent issue is with how organizations still often have an overconfident mindset that they have not been hacked and thus can put less focus into resources in cybersecurity. Top management and boards need to understand that cybersecurity risks are business risks and can impact a business in many ways. It will always be a challenge to change the mind-set of C-Levels and the board, but with the growing trend towards digital transformation, cybersecurity and data privacy need to be core pillars for any organization’s business strategy.
In addition to this, other mistakes include misconfigurations, lack of patching, poor end-point security and a lack of having a secure culture.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Indeed there have been more phishing attempts on employees and this has been reported across all industries worldwide. Hackers are taking advantage of people’s interest and fear and hoping that more people will click into COVID19 related links. The only way to improve and prevent will be through internal phishing campaigns to test your own employees and ongoing security awareness training.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1) Cybersecurity is a Top Down and Bottom Up strategy. You need C-Level and Board Level buy in.
2) Hire a Chief Information Security Officer. You need someone to drive your overall security strategy. Without this role, security will just be bolted on at the end and never baked into the company’s DNA.
3) Hire a Data Protection Officer. You need this person to be your eyes and ears on privacy regulation. Without this person, you could be breaching many data privacy regulations and be at risk for hefty fines.
4) Cybersecurity and Data Privacy are closely related and linked. You need to ensure you have a global cybersecurity and privacy strategy which goes hand in hand and stays on top of the changing global regulations.
5) Be proactive with the community. There is so much that the community and industry can benefit from your lessons learned and vice versa. Ensure staff have a growth mindset and continuously learn from industry associations, build trusted networks and work towards building an ecosystem of sharing security and privacy insights in your region.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Tell everyone to stop thinking about “2FA” and focus more on MFA. MFA stands for multi-factor authentication — Something you know, Something you have, and Something you are. In today’s advanced world of attacks, each one of these factors has been independently hacked in some way, and two-factor authentication means independently using two of these factors to strengthen your security. This is not enough. People should really move to three factors (which is the true essence of multi-factor authentication), and this defence-in-depth strategy can be performed by anyone; statistics from Microsoft have shown that MFA can prevent up to 99.9% of people from getting breached.
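As an added illustration of the factor model described in the answer above (this is example code written for this page, not code from the interview, from Jason Lau or from Crypto.com), the following Python snippet checks two independent factors on the server side: a knowledge factor (a password stored as a PBKDF2 hash) and a possession factor (an RFC 6238 time-based one-time code of the kind an authenticator app produces). The user record, salt, shared secret and timestamps are constructed sample values; the `authenticate` function name and its fail-closed `and` chain are this example's own design, and a third, inherence factor would simply be one more independent gate in that chain.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second window."""
    return hotp(secret, at_time // TOTP_STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current window plus `window` steps either side
    (clock drift tolerance); compare in constant time to avoid timing leaks."""
    counter = at_time // TOTP_STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor at rest: salted PBKDF2-HMAC-SHA256, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# Constructed sample user record (hypothetical; the TOTP secret is the
# RFC 6238 test-vector key so the codes below can be checked against the RFC).
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_TOTP_SECRET = b"12345678901234567890"
SAMPLE_USER = {
    "name": "alice",
    "salt": SAMPLE_SALT,
    "password_hash": hash_password("correct horse battery staple", SAMPLE_SALT),
    "totp_secret": SAMPLE_TOTP_SECRET,
}


def authenticate(user: dict, password: str, otp_code: str, now: int) -> bool:
    """Both factors must pass; a failure in either one fails the login.
    Both checks always run so an attacker cannot tell which factor failed."""
    knows = verify_password(password, user["salt"], user["password_hash"])
    has = verify_totp(user["totp_secret"], otp_code, now)
    return knows and has


def provisioning_uri(user: dict, issuer: str) -> str:
    """Base32 secret in the otpauth:// form authenticator apps enrol from."""
    b32 = base64.b32encode(user["totp_secret"]).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{user['name']}?secret={b32}&issuer={issuer}"


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; a real server uses int(time.time())
    print(provisioning_uri(SAMPLE_USER, "ExampleCorp"))
    print("correct password + correct code:",
          authenticate(SAMPLE_USER, "correct horse battery staple", totp(SAMPLE_TOTP_SECRET, now), now))
    print("correct password + wrong code:  ",
          authenticate(SAMPLE_USER, "correct horse battery staple", "000000", now))
    print("wrong password + correct code:  ",
          authenticate(SAMPLE_USER, "hunter2", totp(SAMPLE_TOTP_SECRET, now), now))
```

The point the code makes is the one the answer makes: each factor is checked independently against its own stored material, and stealing the password alone (or the phone alone) does not satisfy `authenticate`. The drift window is the usual operational compromise; widening it trades a little replay exposure for fewer help-desk tickets, so keep it small.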
How can our readers further follow your work online?
LinkedIn and Twitter:
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
Thank you Authority Magazine again for allowing me to share my thoughts and experience with your readership.