In APAC, cyber defenders are likelier to share tactical threat intel rather than strategic information, often out of fear of suggesting they were breached, says Devinder Singh, Maybank’s CISO. But getting intel out fast – and across borders – is key to the sector's defense. To encourage a culture of trust and collaboration, Singh says APAC cyber teams need to share information on successful defenses, have the option of anonymity, and be sure of their leaders’ and regulators’ support. After all, sharing is a shield, and doing the right thing is often doing the smart thing.
Transcription (edited for clarity)
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Communications and Corporate Affairs Officer at FS-ISAC.
Intelligence sharing – sharing the cyber threats one firm sees with many others – is at the core of what we do. But just because it's in the entire financial sector's interest to collaborate and share this information the same way the threat actors do, doesn't mean it's an easy thing to do. I spoke with Maybank CISO, Devinder Singh, about the state of sharing in the APAC region and how we can work together to share more.
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Thank you so much for joining us. Really appreciate your time. When we discussed what we were going to talk about, the topic we landed on was the state of sharing in the Asia-Pacific region. And I thought it's a really good topic because FS-ISAC recently had its 25th anniversary, and intelligence sharing as a concept has been around for the last 25 years or so, but it's more mature in some regions than in others.
Let's start with where you think cyber intelligence and knowledge sharing stands in the financial sector across the APAC region.
Devinder Singh, Chief Information Security Officer, Maybank: In the APAC, we see, of course, that the evolution of cyber intelligence, of knowledge sharing, between the FIs [financial institutions] in this region is definitely getting to a maturing state. I think there has been fairly good progress. But of course, at the same time, there is still some room for improvement, right? While we made strides, we were not quite at the level of maturity seen in some other regions, like in Europe, for example. I guess the maturity level there is very, very much different. And of course, there's much awareness of the importance of cybercrime intelligence sharing.
That's where we've been promoting internally. And also, regulations in this region are also pushing for it. And FIs recognize the collective benefits of having this information sharing. Now, we see the growth of regional and national-level information-sharing platforms and communities. And these platforms and communities for threat intelligence are becoming more sophisticated, right? And allowing for automated sharing analysis and integration into security operations, that probably will make it more efficient and actionable. Now in conclusion, actually, to be honest, the future in terms of the cyber intelligence sharing and APAC and financial sector depends actually on addressing these kinds of challenges. We need to foster a culture of trust and collaboration. I think that's the foremost thing.
And then thereafter investing in technology, which comes with platforms, and then skills development that needs to be done in terms of what is required to be shared and work to come up with a standard framework, or rather a certain set of guidelines, engagement with FS-ISAC and similar organizations, tailored towards the APAC context is definitely vital. Of course, only through collective effort we can effectively combat this evolving cybercrime landscape. I think communication is also one of the keys, besides having all the defense tools, the tools in terms of monitoring and triggering. That's from a tool perspective, that's also equally important.
Heathfield: So what kinds of sharing do you see and what kinds do you not see happening already?
Singh: So I guess the types of sharing that we see is that tactical threat intelligence, right? I think that sharing is the most common type of sharing that happens. It involves a little bit of immediate threats from a malware, IOC sharing, phishing campaigns, what are the sending emails and URLs, and then the TTPs as well. So those we see very openly in chat. And of course, the other one is the sum of the operational information, such as what are these best practices in the security operations? How can we get better in terms of the response procedures? Of course, sharing across in terms of the tools, as well as the best practices, right? From an operational perspective. Now, some of the things that maybe we need to get better, which we don't see much happening, is that breach and incident data. So I guess you will get it eventually, right? But I think it's getting the information up early and fast. That's the key thing that we're trying to address. Of course, the other one, cross-border – I think that's also equally important. We are not just talking in-country. I think cross-border, not even within one region, but I think cross-region, that is something that basically we need to foster more. I know FS-ISAC is doing a fantastic job in this. If one region is sharing, it will impact the other regions as well. So that's one of the things I think that we need to do much better.
Heathfield: Yeah, for sure. I mean, one of the things that comes to my mind – I'm sure you've heard of the term pig butchering. There's a lot of that coming out of the APAC region and going around the world, right? The victims are around the world. And I know that we have done some reports and stuff like that based on some of the members' sharing and our intel office, et cetera. But, you know, it's a perfect example of a kind of cyber crime that is happening in APAC and is impacting around the world. It requires cross-border sharing. What do you see as the barriers? So we've talked about the kinds of sharing that we see and we don't see. What are the barriers? And specifically in APAC, what do you think the barriers are to sharing more relevant and maybe even strategic-level information?
Singh: I think my thoughts around that would be, I guess it's back to openness, maturity also as well. And I think it varies significantly between regions, countries, right? And even within the financial sector itself, right? Some institutions are very advanced, while others are very basic- or intermediate-level as well. And the other one, of course, is the concern of competitive disadvantages, of reputational damage. Right? I guess if I start sharing with you what I see in my environment, it has a bit of a competitive disadvantage. And of course, the other one is the reputation … if I start sharing a lot, it only gives one the perception that this guy is experiencing a lot.
I think one of the key areas where organizations have resisted to share such information is that, one, they start sharing a lot of this information, they will probably have some reputational kind of impact towards them. One will be thinking that one organization is just sharing a lot. That could also be an impression that the organization does not have really strong security controls.
Heathfield: There's the idea that people don't necessarily know or they may not think it's important enough and then they may worry that [sharing cyber intel] makes them look like, if they're getting lots of attacks, that their security posture isn't strong enough, right? One of the things that we spoke about when we first were kind of batting around the topic is the idea of trust, right? If you don't know people, you're far less likely to share. In the US, FS-ISAC has been around for 25 years, and it started in the US, and there's a long history there of people meeting in person, at, for example, FS-ISAC summits and other venues as well. So they build trust over time in person. And then when they see [each other] on a call, it's like, ‘okay, well, we've already actually met, had a coffee’ or whatever. Do you think that the same applies in APAC, that [it] could take years? And people really need to meet in person? Or do you think there are ways of building that kind of trust even in digital format, digital platforms as well?
Singh: Yeah, I think, of course, the most traditional ways of building trust – meeting people, getting to know them – have always been the most effective way in terms of getting and building the trust and getting the trust from one to the other.
Now, one of the other things from a technology standpoint of view is, probably we can build a technology to anonymize the people who are sharing, right? And to build also some platforms. As the person who's going to share the information, you will feel that the platform is shared enough that it'll keep me anonymous and at the same time I won't be known to the outsiders in terms of who's going to share. So those are one of the things that maybe can be looked at. And the other one, I guess, in terms of the principles, in terms of guiding what to share, also can be very important. And you know, it gives one the option that if I want to share, I can either do it openly to the people that I know and I still trust. Or I can just be anonymous in terms of sharing that information. Either/or, the way that you share this information is protected. You know, your identity is protected anonymously … you probably have to also believe on the platform that your identity will be anonymous. That's one of the things maybe we can do in addition to the traditional way.
Heathfield: What do you think the role is of leadership – the CISOs and even CEOs and boards and regulators – in terms of promoting sharing? I would imagine that it's in regulators' interests to help promote sharing, because obviously everybody wants to protect the financial system as much as possible, right? So what would you say the role is of leadership and regulators in helping to promote a culture of sharing?
Singh: Yeah, I think they play a very distinctive role in terms of trying to have the interconnected part in fostering this culture of sharing. Both internal and also regulators, as well as the police, it’s a very, very important role. I think internally in terms of the executive or the board members, I think they should recognize that the importance of sharing is across industry, across region, is something where all industries are moving [toward]. And that is one of the probably [most] effective methods in terms of addressing these ever-growing and evolving cyber threats. Now, I think for them, promoting that culture of sharing and commitment in terms of transparency, we want to build that communication. We want to also get their commitment in terms of transparency … In terms of what we're going to share, it's also very important that we get the buy-in from them, right? And if we get the buy-in, we get the support from them – for the people who're gonna share, it will be much easier. And at least we know that this is something that we have got the agreement on, or we got the onboard of the senior management and also the board level in terms of their willingness and their acceptance in sharing this information. I guess that's very, very important as well.
While regulators, I think the function is wider. You have those financial institutions, usually, building the culture and promoting the whole transparency. So I guess the other one is the regulators must also promote the interconnectivity between all the financial institutions, right? They need to promote the value of information sharing. And I guess they can start by leading the practice in terms of sharing the information. And then when FIs get information from them, we feel it's also safe enough to share information with them.
And it has to be that certain criteria is also met because sometimes we're thinking that if I share too much with the regulators, they'll be coming in front of our doorstep, right? I think we should get off from that thought. And I think in order to do that, [we have] to get some understanding, a working level kind of arrangement, with certain areas of regulation that will make you feel more comfortable in sharing information. And I think that will happen vice versa. That could be one of the ways in terms of how regulators can also help all the FIs in sharing information. And I think that's very important as well.
Heathfield: One thing you said that, and I've heard it before, it's not just in APAC, right? But for institutions that haven't been doing intelligence sharing for a long time, there's a perception that if they saw a threat, and they share that threat, that people will assume that they were impacted by the threat, right? But actually, you could see a threat, effectively mitigate it, and it shows how strong your controls actually were. But even just seeing it still could help others who may not have those same controls in place or have something slightly different and it somehow slid past [them]. So it's almost like there may be some divorcing of the fact that you saw it, it doesn't mean that you were impacted by it, right? You may have been able to effectively block it, but it still would be valuable for other people to know. And that I feel like might be something that we might want to try to correct, right? Because as you said, they saw 10, they report one, the one that was the least impactful. When actually the most valuable thing to the sector would have been to report at least the most impactful, if not all of them. But even sharing the least impactful is still helpful. So I wonder if there's something there in terms of, you know, just because you saw a threat doesn't mean that you were impacted by it. That could help. The other thing that I wanted to kind of talk a little bit more about was the knowledge-sharing piece, which you mentioned a little bit, the ‘what did you do’ piece? Sharing the security controls that were applied and what you actually went through to mitigate something could also be really helpful for people. And that shows how effective your security posture is as opposed to how ineffective it is. Do you think … even the successful mitigation-sharing could be a route into developing that kind of trust that we need to be a bit more transparent in general?
Singh: I totally agree with you. I guess, I mean, it's not about sharing bad news always, right? I mean, of course, it's also about sharing the same thing, good news, right? I mean, you can get used to sharing information in terms of what you have successfully done, or rather what you have successfully actually detected and you mitigated, right? It's something that you want to tell people, and you start building their confidence in terms of what you should be sharing. Sharing that basic information will be helpful, and it will just become more natural. And the hesitation will also be reduced in terms of sharing because we are used to you sharing all the good news. I think sharing the not-so-good one … in our culture, you know, that's the best thing to do. That's the right thing to do. And you'll do it with your own principles that you have set. Of course, whatever principles the organization has set, you'll be guided to that, and you'll be openly sharing. I think that's, that's very important as well.
Heathfield: Do you see a lot of exercises happening across the sector? Cross-sector exercises? One of the things that I participated in a little bit, in my role as Head of Communications, is exercises that test what happens in the middle of a big incident that impacts not just one institution, but many institutions. And we do actually quite a lot of that kind of exercising of, ‘well, what do we do? What's the playbook? How do we communicate? How do we share what's going on without compromising any legal issues or anything like that?’ Does that happen at all, or does that happen enough in APAC? And do you think that there's a role for that to help promote sharing as well?
Singh: No, that definitely will help as well. I think getting familiar with whatever the response plan is that we have, and ensuring that we follow the response plan accordingly, is something that we really need to practice always in order for us to be very familiar. In the APAC region, we do those kinds of tests as well. Can it be done more? Of course, the answer is yes. It's probably done once or twice in a year, but I think that might not be enough. Because you probably need to practice a lot in terms of the process, of recovery and response, working with your media partners and with your external comms people as well.
Heathfield: If you were chatting with a fellow CISO of an APAC financial firm and they asked you for some advice on making sure that their teams understood both the value and also the know-how – what to actually do in terms of intel and knowledge sharing – what would you suggest they do?
Singh: We have a CISO forum, at least in the Malaysia region, and I know in some of the Asia-Pac regions they have a CISO forum. In the CISO forum, we have rules in terms of sharing. And that was among the first things that we did when we built this forum. So there were some house rules that we collectively agreed upon. The sharing among the CISOs started off with non-official sharing, pretty much very light work-related sharing. And that sharing was basically, in a way, trying to build the communication, trust, and confidence in terms of sharing. Then, thereafter, as you can see, as we moved along, we started to share more. We started to be more open. And of course, you may have some different opinions, which we all respect. Every opinion matters. Everyone's feedback matters as well. And we made sure that everyone's very open in terms of giving or receiving – both sides. And that actually has developed a very, very good openness, I must say.
Heathfield: If we can overcome some of these barriers, right? With more trust, with encouraging sharing, with giving some effective guardrails, what would a positive future state look like to you in APAC? What would the outcome be?
Singh: Everyone wants to achieve this particular state where sharing information is no longer something to consider. It's a given thing. It's not even an option. It's not something that you will consider. It is something naturally that you do, and you know, that's the right thing. In terms of sharing between the sectors and between regions, it is something that we want to do globally as well. I think communication is sharing. Openness and trust, I think, from a human defense perspective, that's very important. While we might have all the tools, the monitoring, and all the wonderful kinds of detection and everything, all that's given, the tools are always going to be there. But I guess from a human perspective [sharing is] also a very important shield that we need to build. And the interconnectivity. Not just systems. Like they say, the human is the weakest link, but I think we can turn it around later on, and say the human is the most powerful weapon against cybercrime.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
© 2025 FS-ISAC, Inc. All rights reserved.
Devinder Singh is a highly accomplished cybersecurity leader with over two decades of experience spanning cyber governance, enterprise risk management, and IT strategy. He previously served as the Group Chief Information Security Officer (CISO) for Maybank Group, where he was responsible for driving the Group’s technology risk and cybersecurity strategy. During his tenure, he significantly enhanced the risk management framework, bolstered various risk assessment & measurement, and instilled a strong cybersecurity culture across the organization. He now continues this journey at Etiqa, the insurance arm of Maybank, focusing on enhancing the risk controls maturity of the Insurance Group. A recognized industry figure, Devinder was honoured as Cybersecurity Leader of the Year (CSTI Summit & Awards 2024), and Cybersecurity Professional of the Year (Cyber Security Malaysia). Beyond his corporate roles (including leadership positions at Ernst & Young and Hewlett Packard Enterprise), he previously served as Chairman of the Chief Information Security Officers’ Forum under the Asian Institute of Chartered Bankers (AICB), actively collaborating to advance cyber resilience across Malaysia’s banking sector.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.