An interview with Winston Chew


Sainsbury: What are your priorities for the next 12-18 months?

Chew: With readily available system and network layer protection to secure the infrastructure, hackers have shifted the attack to the application layer, exploiting coding and logic weaknesses to perform illicit transactions. Embedding security into the software development lifecycle by educating developers on secure coding practice and common application weaknesses, code review, application security testing, identification of security weaknesses for existing “live” systems and closing the window of exposure remains a focus.

Sainsbury: What do you see as the biggest security concerns currently facing financial services?

Chew: As mobile devices gain popularity, there will be an increase in the attacks against mobile banking applications. It doesn’t help that most mobile devices don’t have any form of security protection and users willingly jail-break their mobile devices or download “free” apps that are Trojan horses. Already we have seen malware such as the ZitMo Trojan that attempts to bypass online banking security and this trend of mobile attacks is going to continue. With the push for Bring-Your-Own-Device (BYOD), there is also concern that these end-point devices may become a launch pad for attacking the corporate network and stealing data from the end-points.

Advanced Persistent Threats that establish a covert channel to pilfer sensitive data are a concern given the high profile RSA breach that affected so many of its customers. With traditional security mechanisms such as anti-virus, firewall and IDS failing, awareness training and additional countermeasures need to be in place to keep up with the evolving new threats.

Other concerns include the use of social media, insider threat, social engineering concerns, third party development/support, remote-site security, etc.

Sainsbury: What have you found to be the most effective policies for managing social engineering security issues?

Chew: Social engineering is an attack on people to achieve the goal of gathering sensitive information, bypassing controls, etc. With personal and corporate information readily available on corporate websites, Facebook, LinkedIn, discussion forums, etc., social engineers use the information to gain trust and convince people of who they are. Throughout my career, I’ve seen cases where a “Managing Director” who is “offsite” called and asked for sensitive information to be sent to his personal email urgently. Other cases involve fake emails from the “IT Department” asking users to install malware that supposedly “fixes” their PC problem, employees posting sensitive corporate information on blogs where social engineers can simply gather it, and many other variants.

A layered approach is needed to counter social engineering. Education is a key defence because social engineering can be from many means such as a phone call, an email or a message to a personal Facebook account. Security policies and guidance to educate staff on protection of classified information need to be part of the induction and refreshed on a regular basis, similar to anti-money laundering, fire safety, etc. Users must also be aware of avenues for them to report suspicious activities for investigation when in doubt. This needs to be enhanced with control processes. For example, social engineering attacks that ask for the release of a privileged password or production changes would trigger an alarm if there is an approval process in place for check and balance. Technology also plays a crucial role with monitoring for malicious content, sensitive information and social media usage. Different countermeasures such as Data Loss Prevention, advanced persistent threat solutions, web content filtering, etc. can serve this purpose.

Sainsbury: What are the best practices for engaging with customers to promote safe banking behaviour?

Chew: No customer will have the patience to read through that 10-page “thou shall not” commandments on safe banking. Personally I believe in bite-size, one-liner messages that pop up every time the customer accesses the online banking platform to educate customers on safe banking behaviour. Over time, there is a higher chance that customers will become more aware of safe banking practices. Of course a verbose version can be available as a link from the pop-up for zealous customers who want to find out more.

Sainsbury: With increased pressure from non-traditional competition, how can the regulatory framework in financial services evolve to better enable traditional banks to maintain a competitive edge?

Chew: The purpose of the regulatory framework is to protect the depositors, prevent misuse for criminal activities (money laundering, etc.), reduce risk to the financial eco-system, protect banking confidentiality, etc. The safeguards include regulatory supervision, licensing, capital ratio requirements, corporate governance requirements, reporting and disclosure, stiff penalties for non-compliance, etc. As non-traditional and unregulated competition ventures into the arena, the necessary safety nets need to be in place. Many of these non-traditional competitors are aware of the possible minefield and choose to partner with existing financial services and leverage each other’s strengths. With the evolving landscape, regulatory bodies should continue to scrutinise the non-traditional offerings for any violation in a timely manner, and provide clarity and guidance to the financial services on the use of non-traditional means to ensure a secure and stable financial eco-system.

Sainsbury: Given the diversity of markets throughout Asia, how can regional players ensure a consistent approach to security and risk?

Chew: From China, Japan, Korea, Hong Kong, India, Indonesia, Malaysia, Thailand, Australia, Singapore, just to name a few, the diversity of Asia ranges from culture and language to the different jurisdictions and regulatory frameworks. There needs to be a consistent approach that handles regional needs.

Having worked with different regional and global banks, my advice is to start with understanding the different requirements from the region, incorporating them in the global policies and procedures, documenting the region-specific requirements where there are deviations and having a consistent risk assessment and dispensation process.

Sainsbury: What emerging trends are you keeping an eye on right now?

Chew: I’m keeping an eye on Cloud computing, with its promise of availability, on-demand scalability, lower cost of ownership, etc. It also introduces legal, regulatory and security challenges with multi-tenancy, commingling of data, data sovereignty among many issues that need to be addressed before it will make headway into the regulated industry.

BYOD is another interesting trend to drive productivity and lower cost that raises questions such as “How do you protect proprietary information on personal devices and what if it’s lost?”, “How can we ensure that personal devices running Angry Birds are safe enough to access the corporate environment?” Mobile Device Management and Virtualization are among solutions that help address these challenges and it will be interesting to see the maturity of these solutions and how readily the regulatory industry will adopt them.

Social media with its wealth of personal information with “likes”, “check-in” location, where you work, birthday, etc. presents purchase opportunities, person to person banking among other possibilities. Already Facebook is partnering with banks to pilot Facebook online banking. Given that sensitive banking customer information may now be residing with Facebook, the ability to perform transactions such as fund transfers, regulatory, privacy and security will be key concerns.

Other trends I’m looking at include mobile payment systems such as Google Wallet, Apple Passbook, the development of Advanced Persistent Threat and security on mobile devices.

Sainsbury: How do you foster a culture of innovation within your team?

Chew: There is a tendency for people to get stuck in the mindset of “if it works, don’t touch it”. Unfortunately in an ever-evolving world where the only constant is change, innovation and adapting to the environment are crucial for business survival.

I believe empowerment is the key. As leaders, if you set clear objectives and goals, empower, listen and trust your people to come up with the best way to achieve the targets, you will be pleasantly surprised. Sending team members to seminars, training and keeping them contemporary by subscribing them to leading newsletters also helps to bring ideas from across the industries. Cross-pollination with cross-department sharing, job rotation within the team or inter-department transfers also helps to spark innovative ideas with fresh perspectives.

Sainsbury: Which business leaders outside of financial services inspire you, and why?

Chew: Business leaders that take an idea and materialize it to revolutionise the world inspire me. This includes Bill Gates who transformed the personal computer, Steve Jobs who changed the landscape of mobile devices, Larry Page and Sergey Brin with Google search, maps and earth that bring information to the fingertips.

Business leaders that persevere despite all odds inspire me, stealing a line from the movie Rocky Balboa, “It ain’t how hard you hit…it’s how hard you can get hit and keep moving forward”. This includes Colonel Sanders who was turned down a thousand and nine times before finally he sold his chicken recipe.

Sainsbury: Every leader, particularly at your level, has a legacy they wish to be remembered for. What is yours?

Chew: I wish to be remembered as a forward-looking leader who made a difference professionally and someone who cared for and grew the people I’ve worked with.

Throughout my career, I have been introducing technologies and processes to help make the workplace become more effective and keep up with the times and business needs. Examples include being the pioneer in the Asia region to champion SIEM technology for enterprise-wide IT surveillance while heading up Security Surveillance for a leading regional bank in 2006. In my current role, I’ve also introduced SAST and DAST technologies on a global scale for effective security testing and training programs to educate the development community on latest security attacks and common security flaws.

I have always encouraged my colleagues to pick up new knowledge, go for related industry certification to hone their skills, challenge themselves, push the envelope and offer them opportunities to expand. I feel that if people who had worked with me haven’t grown in terms of their capabilities or skillset, it would have been my failure. I have the same expectation of myself as I continue to learn new things every day as I believe that if you don’t grow, you die. During the early days of my career, I was part of a team to migrate a key mainframe system to open systems. After the migration, the bulk of the mainframe developers were made redundant as they were no longer relevant. It’s a cold hard fact of life but as we all know, the dinosaurs perished because they couldn’t adapt. This is especially so in today’s fast moving information age.