HASH Speaker Series – Anthony Lim, Fellow, Cybersecurity, Governance & Fintech


 

One must have or must undergo the physical experience of working in the IT network infrastructure environment, a keen interest in discovery & taking alternate views of something & a sense of mission “to help make our cyber world a safer place for all.”

 

Who is he? 

Anthony Lim is currently a cybersecurity and governance instructor, academic researcher, industry advocate, training module content developer, mentor, consultant and auditor (not necessarily in this order).

 

Can you tell us why or what made you decide to enter the cybersecurity sector? 

“I actually studied Economics but after which came a bad recession and I needed a job so I ended up in IT.  Then I worked for an American company selling IT network equipment to the military and this of course involved authentication, encryption, access control etc., so voilà! I am in the cybersecurity sector.”

 

What is a typical morning at work?

“Checking emails, the occasional phone call, missed call or phone message, and WhatsApp messages, that had come in through the night or early morning.  Yes nowadays many people use WhatsApp like email, including attaching whole documents, probably hoping for more immediate response than if sent by email.

Simultaneously I am looking at my calendar scheduling for the day and week (because within those emails, calls & WhatsApp messages there will be new appointment / meet / call requests and cancelling or postponement of some other existing ones), so I would be entering new appointments & tasks in my calendar, and moving some others or removing yet some others.  Also making a list (checking it twice :P) of tasks to be done for the day and marking those completed or obsolete.

(Wow I am exhausted already just articulating this, and my day has hardly begun yet. And this is if I don’t have a morning meeting or other activity eg. seminar, class/ training, consulting or mentoring session, conference call, breakfast meeting outside).”

 

What are some of the challenges of the job? 

“The key challenge of the job as a cybersecurity & governance consultant, advocate & auditor is empathising with the (end-user) client (usually the CISO or IT security leader) who has to juggle, juxtapose, balance or align (however you put it) between cybersecurity needs, processes and best practices on one side, and on the other side, demands of business activities and also cost pressures.

If he (usually he) is strict on cybersecurity implementations, the business people will say “hey, you’re slowing down my process, you’re giving me hoops to jump through, or you’re a show-stopper – I need to close the deal and fast, man, I need to meet my business client’s requirements, etc.”

Then if the CISO bows to business or cost pressure, and a breach occurs (even if it’s not his fault), the boss or business people will ask him “hey, what happened, man? Why like this?” And “CISO” becomes “Career Is Soon Over”.

So we work hard to try to help him find the most optimal balance between security and productivity, to help him prioritise security according to his organisation’s business function and strategy (we have to pick our fights, we can’t have it all and surely not the best of both worlds), and find solutions that can do as best as it gets.”

 

How do you stay at the forefront of technological advancements and emerging trends in the industry? 

“First, I got to keep up – ‘cos things in this field are ever moving, and have been so since the beginning – so I read and research online articles, news feeds, industry media news & articles, LinkedIn posts, attend seminars, workshops, trainings, industry association meetings and huddles, chat with friends in particular domains or vendors.

Secondly, I have to pick my fights – I cannot know everything and even if I try it will be too much work and not useful, so I do all of the above, in certain domains that I like, or am working on, or think is something that will be important.  Others I will just have to let go.”

 

Can you share examples of significant technological innovations or breakthroughs that you find particularly exciting or impactful?

“This is a hard question – ask any 5 experts or professionals in the field and you may well get several differing answers. 

The way I see it, in cyber-security, there isn’t so much a particular significant technological innovation or breakthrough, rather than a security / protection / defense solution to a ‘mainstream’ IT technological innovation, which then I too am struggling to name, without falling into the blockchain story.

What we see are improvements over how a security solution detects and protects, or does so more effectively, faster and cheaper, eg. deploying AI, data analytics and 5G.

I guess one cyber security technological innovation or breakthrough I can try to suggest, is this current concept of “Zero Trust”, which was first conceived by US Govt NIST (National Institute of Science & Technology) in 2020 (although it was first conceptualized by Forrester as far back as a decade earlier). 

Anyway, the significance of Zero Trust Network Architecture (ZTNA) is that it is a key departure from the original thinking of the firewall-perimeter-defense architecture.

Now we suspect that a legitimate user or connection into the network may have been spoofed, or contain a malware payload, and is clever enough to thwart the firewall filtering, so we need to verify its integrity again, hence requiring further authentication before allowing it to access other resources within the network and assets therein.

By definition – Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.

There are other “revolutionary” IT infrastructure security architecture concepts in the past few years, as originally proposed by Gartner, like “SD-WAN” (Software-defined Wide Area Network), as early as 2015, barely 3 years after they introduced the concept of SDN (Software Defined Networks), a much more efficient and cheaper way a company connects to its branch offices, other offices and business partners, through the internet.  Then Fortinet came up with “Secure SD-WAN”, where they combined the security of a firewall with the SD-WAN functionality.

And then in 2019, Gartner came up with SASE (Secure Access Service Edge), a cloud-based cybersecurity framework that provides secure access to network resources from anywhere.  Next thing we know, every vendor worth its salt was touting SASE like they invented it.”
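The departure the definition above describes, from trusting a network location to authenticating subject and device and authorizing each session against a specific resource, written up as an added example in Python (not code from the interview, Gartner or NIST). The corporate network range, the user list, the device inventory and the per-resource access table are all constructed for illustration.

```python
"""Added example: a toy perimeter policy beside a toy Zero Trust policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_LAN = ip_network("10.0.0.0/8")  # constructed: the perimeter model's "inside"

# constructed authorization table: which subjects may reach which resource
ACL = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}
# constructed inventory of enterprise-managed devices
MANAGED_DEVICES = {"laptop-001", "laptop-002"}


@dataclass(frozen=True)
class Session:
    user: str              # subject identity, "" when none was presented
    user_authn: bool       # subject authenticated for this session (e.g. MFA)
    device_id: str         # device identity presented with the request
    device_attested: bool  # device posture verified (managed, patched, ...)
    src_ip: str            # where the connection appears to come from
    resource: str          # the enterprise resource being requested


def perimeter_allows(s: Session) -> bool:
    """Firewall-perimeter model: anything inside the LAN is implicitly trusted,
    so a spoofed or compromised insider connection is waved through."""
    return ip_address(s.src_ip) in CORP_LAN


def zero_trust_allows(s: Session) -> bool:
    """Zero Trust model: location is never consulted; subject and device are
    verified as separate checks, then authorization is per resource."""
    if not (s.user and s.user_authn):
        return False  # subject authentication
    if s.device_id not in MANAGED_DEVICES or not s.device_attested:
        return False  # device authentication and posture
    return s.user in ACL.get(s.resource, set())  # per-resource authorization


def compare(s: Session) -> tuple[bool, bool]:
    """Return (perimeter decision, zero trust decision) for one session."""
    return perimeter_allows(s), zero_trust_allows(s)


if __name__ == "__main__":
    # an unauthenticated connection from inside the LAN: the perimeter
    # model trusts it, the Zero Trust model does not
    print(compare(Session("", False, "byod-9", False, "10.1.2.3", "payroll")))
    # an authenticated user on a managed device working remotely: the
    # perimeter model refuses it, the Zero Trust model admits it
    print(compare(Session("alice", True, "laptop-001", True, "203.0.113.7", "payroll")))
```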

 

What are some of the main challenges or obstacles that you perceive in the adoption and implementation of new technologies? 

“Typically, cybersecurity solutions are not quite a favorite spend by organisations (even rich big ones like financial institutions, governments, energy companies, technology & e-commerce companies, telecoms …)

Cybersecurity is seen as a cost and without tangible, visible or comprehensible returns.  It is seen as technical and disdained as a show-stopper.  If cyber-related legislations were lifted tomorrow, half the cyber solutions companies will go out of business because the clients will rather take their chances or prefer to pass the risk burden to cyber insurance, for example.

Much of the resistance comes from the thinking that they already have cyber solutions in place so why is it still not good enough. “Huh, you mean I need to buy some more of this and that?!”  CISOs have trouble getting the attention and respect of the business leaders, executives & boards.  The practice of enterprise risk management including cyber risks is still in infancy stage.  A lot of new cyber solutions and technologies are thus considered as “nice to have”.  There is a lack of urgency and a lack of proper budget allocation for this.

Even if a company suffers a hacking or breach, they will try to play it down or cover it up and within weeks or months, the euphoria dies off and life goes on.”

 

Are there specific domains or areas within the technology industry that you consider to have a substantial growth potential, and why?

“Difficult to say.”

How do you foster a culture of innovation within your organisation and what practices do you employ to drive technological advancements?

“My answer will be in the following question.”

 

From your perspective, what role does technology play in advancing sustainability and driving positive change? 

“Technology basically is an enabler and an automator – it allows us to get mundane and repetitive tasks done much faster and hence in greater volume over unit time, and also in greater depth and detail than would be humanly efficient.  Technology, eg. in IoT (“Internet of Things”), drones and robots, allows things to be done which might be difficult or dangerous for humans, eg, rescue efforts in a disaster or fire, research and discovery, eg. in a volcano or space or other difficult terrain, and industrial maintenance for ships or other big equipment, or in difficult environmental conditions, just to name a few. IoT deployment in smart cities also not only helps to provide many conveniences for a higher quality of life but also provides a higher level of safety and security enforcement.

New technology, like blockchain, also serves to provide a new reliable authentication and integrity platform facilitating electronic business services like non-repudiation of documents and contracts, given that the electronic world is susceptible to hacking, fraud and other rogue activities by tech-savvy perpetrators. 

Within all these we are starting to see sustainability ethos and efforts getting embedded.

Sustainable IT, also known as Green IT, covers the manufacturing, use, management and disposal of information technology in a way that minimises its impact on the environment. 

Also, Information Technology (IT) empowers both people and machines with information, which is transformed into knowledge and intelligence. Appropriate use of the knowledge by both people and machines contributes to sustainable development.

Technology thus plays a critical role in transforming societies and economies through enhancing efficiency, connectivity and access to resources and services. Sustainable development goals require harnessing technological innovation through utilization of information and communication technology.”

What were some of the life lessons which you have learned along the way in your career? 

“I get invited from time to time by some universities to do some sharing with final-year and graduating students about some ideas to keep in mind when going into the professional world.  The first thing I tell them is that while it is good to have some career plans and goals in mind, for the first five years, don’t stick too hard to the plans, rather go with the flow as opportunities and circumstances unfold, be daring to take these on and who knows where they will lead or what doors it will open.  Be ready to learn new things – take on challenges, break paradigms … my life mantra is “we never know”.

Secondly, be humble – don’t be envious … we can never have or achieve or know everything and there will always be someone better or smarter or luckier than us.  Do the best we can or have with our lot and see what else we can get or do along the way.

Thirdly, seriously, look after your health – both physical and mental … get rest, exercise, sport, take time out, spend time with family, take a hobby that is not part of the work domain.  Rest the mind, very important.  Stress is bad for the heart and health and mind.  I don’t want to get off on a philosophical tangent here … that is another article by itself.

Also, be a team player – be polite & friendly & kind, especially to the less able or less fortunate.  Irrespective of skill, achievement and attained wealth, never become proud or conceited, the world does not like lone wolves.  What goes around comes around, it’s a hard world out there.  Having friends helps.”

If I was not in my current company / position, I would be a _________?

“Hard to say too – my mom wanted me to be a doctor (I never made it through med school). I studied Economics instead but ended up in IT.  I guess with an economics background I might be working for a government organisation, financial institution, listed company or consulting firm.”

What advice would you give to individuals seeking to forge a successful career path in the cybersecurity industry? 

“First and foremost, most importantly, one must have or must undergo the physical experience of working in the IT network infrastructure environment (as a network engineer, systems engineer, software developer, systems administrator, or a pre-sales engineer at an IT vendor, or similar such roles). You cannot just go to attend a course and get a certificate to turn you into a cybersecurity professional or practitioner without the physical IT network experience. It’s hard to be a cybersecurity professional or practitioner if one can’t tell CSA from PPT or TCP/IP from UDP or port 443 from port 67 or PKI vs DHCP.

One must also have a keen interest in discovery and taking alternate views of something (hence “hacking”) and must also have the sense of mission “to help make our cyber world a safer place for all”.  So it’s not about just being technically competent or having a job, irrespective of salary.

And no less one must be continuously diligent in learning and discovering new solutions, new issues, technologies, processes, etc. In the cybersecurity foray, soldiering on, as new things unfold over time – every year, in IT and digital transformation, we have new systems, new services, new applications, new devices and technologies.  Hackers are always trying to hack something new, or trying new ways to attack incumbent assets or technologies.  We the good guys cannot be tardy or be behind, we need to keep moving and at least keep up, if not be one step ahead.”

 
