Interview: Zscaler’s Heng Mok – ‘Cyber is now very much a board-level management discussion’

We talked about what he learnt in his 10 years working in Australia prior to his current position and how things have changed, the sorts of threats he’s seeing deployed in the region, and what kind of career steps lead someone into a big CISO role.

Heng Mok: The reality is that if you look at every CISO, they’re going to follow different paths to get to where they are.

Like for myself right now – and I started in very sort of technical roles [and] had different experiences along the way … So I started off as a developer, I then went into things like implementation of security-type technology and then security testing, and then managing teams, and doing strategy and architecture.

And then eventually, I guess, finding my feet and trying that on for size.

So that’s, you know, that’s the sort of path that I took, which was doing different things, getting different experiences along the way. And then, I guess, in each of those roles, I wanted to be challenged.

So I’ve always sort of stepped into, you know, management-type roles.

And then I’ve stepped back into individual contributor roles, and I’ve found sort of made my skills a little bit more relevant. So you’re able to become a little bit more holistic and full stack, so being able to talk to the board, being able to talk to senior management, being able to be commercial as well.

But at the same time, understanding the technology, understanding the risks, and being able to guide your teams in terms of knowing where they need that sort of guidance – because, you know, the higher up that you go, a lot of the work is more, I guess … general management-type work.

VIEW ALL

But at the same time, in that security space, you need to be able to guide and keep your team happy and provide that balance.

So you know that’s that’s my part – but I know other CISOs who have come from other paths. I’ve seen CISOs that have done general technology management and then moved across sideways into cyber. You’ve also got a lot of non-technical CISOs out there who had started in risk-type roles and then ended up in that particular space as well.

So I would say that, you know, it’s pretty generic, and you know, everyone can sort of follow a different path, but at the same time, you know, every sort of job that you do helps you with that experience of managing cyber and the risk for an organisation because you know you’re leaning on all those types of skills to be able to balance the commercial side as well as the risk side.

Cyber Daily: It sounds like being able to wear a lot of hats is a really useful skill.

Heng Mok: Oh, it definitely is.

You know, I’d say about most CISOs if they’ve worn different hats, then they’ll bring all that experience onto the table to help manage their particular team. And that’s what you sort of need because it’s a very, what I would say … it’s a contextual role where you know every day is different. You know you’re moving from talking about finances to potentially people, the legal, the third-party risk, and then maybe a project escalation, a security incident, right?

And if you think about all those different contexts that you’re wearing every day, you have to be able to shift into each of those contexts. And, I guess, get into the right headspace in order to be able to manage that type of role.

Cyber Daily: That makes a lot of sense. So I know you spent a lot of time in local roles – you were with AGL, at NAB, you’ve done 10 years in the security space here in Australia, so … What do you think of the last decade? I mean, surely, last year must have been a wake-up call for everyone – or were you aware that it was only a matter of time until Australia started seeing these really big-name incidents?

Heng Mok: So I mean, I think you know, the reality is that, you know, those particular instances last year, they could have been any organisation we can think about. The Medibank breach or Optus breach itself – each of those could have been any Australian organisation.

Every organisation is having to manage a vast real estate, and the reality is that unauthenticated API that Optus had? That could have been anybody, right? Could have been a misconfiguration in a DevOps pipeline, could have been a human error … All those particular pieces could have been any organisation.

So it’s not really surprising to, I guess, see some of those breaches come out.

But what we have seen over the last 10 years is that cyber is now very much a board-level management discussion.

If I go back to when I first started my career over 20 years ago, it was really a back-office-type function, very much hidden in the technology space, whereas now it’s front of mind for every business as they’ve digitised because the reality is that building customer trust, ensuring that you know the reputation of the organisation is at the forefront of aligning your cyber strategy, your business objectives.

You know, all these particular building blocks have sort of made it a much more business-oriented risk discussion, and it’s got the same level of exposure now to, say, credit risk in the banking space or OH&S and safety in the utilities and energy space.

So, at that particular table, it’s very much organisation-wide risk that is being managed and consistently being invested in order to maintain organisations within their sort of risk tolerance and risk appetite.

So there’s been that fundamental shift, and I guess with digitisation, what that sort of means is that there’s that connectivity that is in place between organisations, reliance on third-party supply chains, which means that naturally, cyber security has to be embedded into all the business processes that we have because of that; and the fact that data information can be anywhere across all these particular disparate places just means that, yeah, it’s a much wider sort of ecosystem now.

But you know that we sort of have to manage and protect and ensure that the information is safe across all those various distributed locations.

Cyber Daily: I get the impression it used to be a case of … you needed expertise in-house, and if you needed it, you had tools in-house.

But now we need to worry about the expertise and the tools of everybody in your supply chain.

Heng Mok: Yeah, definitely. I mean, I go back to 20 years ago, everyone had their own data centre. Basically, you had a few applications that were digital in nature, and then everything else was still highly manual, right?

So now you’ve got that sort of shift where commoditisation of shared services – you know whether it’s HR, finance, whether it’s document printing, you’ve got specialisation and commoditisation of all those services.

And it just means that organisations are focusing on where they have the intellectual property and business value. And then essentially outsourcing or strategically sourcing all those other commoditised services with various partners in order to, I guess, be competitive and maintain scale.

That’s essentially where the cyber problem sort of fits nicely into – the fact that, you know, with that connectedness and digitisation and the way that businesses are looking at costs and being commercial, it means that, yeah, cyber teams are very much at that forefront of embedding those security processes into everything that they do, where the business process is material.

Cyber Daily: So one discussion I keep hearing from people we chat to ... in fact, there are two discussions.

There seem to be two axes where some security specialists believe security is absolutely the role of people in the C-suite and in the security team, but others are saying that it should be a whole-of-organisation thing, and every employee is responsible.

Do you think there’s a middle ground, or do you think they’re both true or … ?

Heng Mok: If you think about the maturity curve and the way that every organisation starts, it’s about: do they do the basics right?

And that’s where you may have that starting point of the C-suite setting the tone and then the cyber security team doing some of the initial heavy lifting of ensuring that there are the right controls in place and that risk is managed right across the organisation.

But then, when you think about organisations that are more mature and if you think about the scaling problem of security, you know there are only so many SMEs that are available in the market, right? So every CISO has that issue of how do they scale their cyber teams?

One of the things that I like to see in organisations building that cyber culture, ensuring that it’s almost embedded like OH&S – it becomes everybody’s responsibility. Everyone is protecting the information within an organisation, and I think the reality is that cyber teams are a limited resource and you do need both top-level management support to set the tone, but then at the same time, you know certainly everyone to be culturally aware to do their part in protecting the information that they’re dealing with on a day-to-day basis as part of their business processes.

So I think the whole issue around making it everybody’s problem is where organisations do need to get to, because, you know, when everyone is singing from the same hymnbook, then, naturally, you’ve got that scale and you’ve got further protection across your entire organisation – it’s sort of behavioural in that way, where everyone is doing the right thing. Then you know that it’s building cyber security into everything that the organisation does.

Cyber Daily: That actually makes a lot of sense.

You’ve now moved into a more regional role as CISO for the Asia-Pacific and Japan region, so what kind of trends are you seeing in that area – are there curious things happening in this region that aren’t happening elsewhere?

Heng Mok: Yes, it’s sort of interesting – if you look at the Asia-Pacific and Japan region, it’s made up of a lot of different countries and a lot of different cultures, and you’ve got different organisations in different parts of their cloud journey, right?

So I’d say that the region is quite wide in terms of cloud adoption as well as adoption of new technology. It’s a fast-moving mix of different different cultures.

One thing that I would say is that every organisation in every country at the moment is looking at other sorts of regulation coming through.

In Australia, with the new Cyber Security Strategy and the big data breaches, regulations all come through SOCI and critical infrastructure. Every country is looking at that and looking at where they go with regard to protecting their countries in that critical infrastructure space.

Some countries are a little bit more extreme than others in the way that they approach that, being more prescriptive, whereas Australia, in general, has been very much principle-based or risk-based adoption of guiding principles. But if you look at Singapore, they’re more compliance-driven and then more prescriptive in that way.

But if I were to think about the threat landscape, it’s pretty consistent across this particular region. We’re seeing ransomware, you’re seeing the same sort of adversaries, you know, looking to, I guess, break into organisations and land that foothold, and whether that’s through the exploitation of vulnerabilities of internet-facing assets, whether that’s VPN, whether it’s other capabilities in that space …

There’s so much automation that is being leveraged by the adversaries. They’re consistently scanning and looking for that external attack surface in order to land that first foothold in order to either deploy ransomware and perform that data breach because you know the monetisation of the data is there and there’s a vast economy in the dark web where there’s trading and selling of that information and you know the economics drives a lot of those particular attacks.

Seeing that consistent scanning of the external attack surface, and the other area that you do see a lot of now is that with generative AI components being able to perform more accurate phishing and business email compromises, which is another trend that is coming across this nation because, traditionally, you would train your employees to look at phishing emails, train them to look at grammar issues, spelling issues …

But with things like ChatGPT now that are available to the adversaries, you know they’re able to use that in a more accurate way and be able to get better initial compromise through that use of human psychology.

And I think the other barrier that has sort of been broken as a result of that is multi-language now, right?

Historically, it’s been English only, but in this particular region, now you can actually use ChatGPT to do translation, and essentially, you’re seeing a lot more targeted email phishing-type attempts in other languages as well.

All those particular pieces are naturally in play, and then you know the supply chain, right? Because every organisation has so many third-party suppliers that they’re reliant on for their day-to-day business. You are seeing supply chain attacks constantly growing because an adversary will look at … “Where’s the place that I can land and then get the biggest bang for buck?”

So if there’s a service organisation that is servicing, I don’t know, 30 big end sort of corporates, then that’s a natural sort of ingress point for them to compromise and then be able to pivot to all those other areas, and naturally, you’ve got connectivity, whether it’s through a service arrangement or through a connected application that those particular service providers need to access.

So, naturally, you’ve got that connectivity out there.

Cyber Daily: One last question, and I ask this of everyone I chat to about cyber security – what keeps you up at night?

Heng Mok: You know, when I was in that operational CISO role, I always used to worry about … OK, is there gonna be an incident call that’s gonna come through at 4am?

Is there gonna be a, you know, a media article that’s gonna come out that I’ll have to write a position paper and board paper for the next day?

Is there gonna be a project escalation, right?

It’s one of those things where you’re constantly worrying about everything in your environment, and, you know, that keeps you up at night, right?

Where’s the next attack? And it comes through. Where’s the next vulnerability, is there an adjacent industry that’s been data breached in the morning, and I’m gonna have to react to that?

It’s a vast number of those particular things which keep me up at night.

Cyber Daily: Oh, great – that’s a lot of things!

Heng Mok: That’s it – it’s never one thing.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.