Secret CSO: Jason Lau, Crypto.com

What do you feel is the most important aspect of your job? “The most important aspect of my job is the security of our employees, and the protection of our customers’ data.”


Name: Jason Lau

Organisation: Crypto.com

Job title: Chief Information Security Officer

Date started current role: March 2018

Location: Hong Kong, Singapore and Malta

Jason Lau is currently the Chief Information Security Officer (CISO) at Crypto.com where he drives the global cybersecurity and data protection strategy with his team of security and privacy experts. Lau led his team to become the first cryptocurrency company in the world to have company-wide certifications in ISO 27001:2013, PCI:DSS 3.2.1 and to conform with the Cryptocurrency Security Standard (CCSS). Prior to this, he was a regional Cybersecurity Advisor at Microsoft, leading Microsoft’s cybersecurity and GDPR initiatives in the region.

What was your first job? Rather than start with my first job out of university, I would like to take the DeLorean back in time a little to my earlier university days where I had my first experience with “hacking.” As part of my electrical engineering degree, we had to experiment with integrated circuit chips and programming them to do a variety of different things. It just so happens it was around that time when the first ever PlayStation was released. In my spare time, I researched and “hacked” the boot sequence of the machine with a “ModChip” I programmed, and I was able to play games from different regions around the world. I was one of the first with these ModChips at that time, and my friend and I started to help others as a freelance job; it was quite thrilling and exciting! This was my first experience with hacking and reverse engineering.

How did you get involved in cybersecurity? I always had a passion for IT, but it was in my final year of university where I was lucky to be taught and mentored by a professor who was an international expert in disruptive technologies. Our textbooks would be teaching us about electronic commerce over the Internet, and he was talking about peer-to-peer business through mobile phones even before mobile phones became popular, and many years before smart phones hit the market. He was five years ahead with his predictions (which all ended up coming true), and our private discussions around being prepared for cybersecurity and cyber-enabled economic warfare to me was fascinating.

Unfortunately, there were no courses at that time to further my interest in cybersecurity, so I joined a company focusing on enterprise systems management and monitoring, which allowed me to travel around the world and work closely as a management consultant to many CTOs (CISO titles didn’t exist back in those days…) on critical infrastructure security.

What was your education? Do you hold any certifications? What are they? I hold a Bachelor of Engineering (Honors) and Bachelor of Commerce from the University of Western Australia, and completed executive programs at both Stanford and Harvard with a focus on corporate governance. Certification wise, I hold Certified Information Systems Security Professional (CISSP) from (ISC)2, Fellow of Information Privacy (FIP), Certified Information Privacy Professional / Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) from the International Association of Privacy Professionals (IAPP), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) from ISACA, Certified Ethical Hacker (CEH) and Certified Network Defence Architect (CNDA) from EC-Council, ITILv3, Certified Scrum Master (CSM) from the Scrum Alliance through to being an ISO 27001:2013 Lead Auditor.

I believe cybersecurity is much more than just having certifications, and the benefits of the certifications come with a wealth of resources and a network of like-minded peers who love to share industry experiences.

Explain your career path. Did you take any detours? If so, discuss. My career so far has spanned management consulting, IT, cybersecurity and data privacy, where I started early on in the systems management and monitoring days. Those were the days way before cloud computing, when proactive monitoring and alerting was the first line of defense against potential issues in your network – issues which could have resulted from malicious activities from an internal or external attacker.

My work covered almost all sectors you can imagine, across five continents, and it allowed me the opportunity to see how different industries and different cultures approach security. I would not really call it a detour, but more of an evolution of my interest in IT, and I had to adapt to the changing environment and skill up to go deeper into cybersecurity. Most recently, I have had to pivot slightly again into data privacy to complement my cybersecurity experience.

Was there anyone who has inspired or mentored you in your career? My father has always been the most inspiring person to me. As the youngest of a family of five siblings, I grew up watching, learning and following him while everyone else was at school. To me, he could do everything and always had some way to “fix things.” Dad was into everything from traditional medicine, mechanics, hydroponics, electronics, mathematics, farming, cooking and more! The lesson for me here, which followed me into my career, is that you should not just focus on one field. You can learn a lot from different fields, and you should have a growth mindset and explore multiple ways to find a solution to a problem. Often, I would try and suggest ideas, but the bad ones would always get a response, “No Way…” :)

What do you feel is the most important aspect of your job? The most important aspect of my job is the security of our employees, and the protection of our customers’ data. This involves putting together a cybersecurity strategy to embed security and privacy into all projects by design and by default, and to promote a secure culture at the heart of the organisation. Keeping safe from hackers is not an easy job. It requires commitment from the CEO through to having every single employee do their part to make the organisation more secure. Part of the strategy is also to keep abreast of external industry developments, so as to prepare well in advance for new threats.

What metrics or KPIs do you use to measure security effectiveness? There are indeed many metrics and KPIs which are useful to keep a pulse on the effectiveness of security controls within the organisation. However, one area I like to focus on is the human element of cybersecurity. Where over 90% of cyberattacks originate from phishing, humans are and will always be a big risk to any organisation. Cybersecurity and data privacy awareness programs, ongoing training and measuring the effectiveness of phishing campaigns are a good way to educate employees on the risks and what to look out for. These KPIs will allow you to see a trend over time in the improvement the company has made in regards to the maturity of cybersecurity awareness. You can have the best cybersecurity vendors, tools and toys, but it only takes a few clicks from an untrained employee to put an organisation at serious risk.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There is definitely a global cybersecurity shortage, and because technology adoption and digital transformation are accelerating faster than the rate at which we can supply cybersecurity professionals, organisations will often be playing a catch-up game in trying to fill roles. I am fortunate to have built a pretty robust team covering different areas of cybersecurity, but with the growing number of projects, we are always on the lookout for cybersecurity experts at all levels. The most difficult to fill are cybersecurity experts with many years of experience on the secure source code application development side.

Cybersecurity is constantly changing – how do you keep learning? Things are changing very fast for the FinTech industry, and the only way to keep up to date is to be closely involved with industry associations and be part of groups who collectively share expert knowledge and experience. As the regional lead for the International Association of Privacy Professionals, networking events help me (and many others) to be up close and personal with industry experts and regulators to see and learn about the direction of where things are going. On the side, I am also an Adjunct Professor for Cybersecurity and Data Privacy and on the Industry Advisory Committee for the School of Business at one of the top business schools in Asia. One of the unique elements of this masters programme is that we have brought in experts from some of the most prestigious companies from around the world, to share first-hand industry experience from cybersecurity, data privacy, Blockchain, cryptocurrency, virtual banking, big data, artificial intelligence, and a lot more. This is where I happily take a back seat and listen alongside my masters students to learn about new industry developments and to think about the risks ahead. Being part of local and global think tanks is another way I learn from industry peers. Global security and privacy think tanks like the Centre for Information Policy Leadership (CIPL) are great for industry, government and regulatory briefings and the ability to participate in working groups like A.I. and data ethics. Being on the government’s Entrepreneurship Committee Advisory Group is also a great way for me to see young talent pitch their new ideas and to learn about the new upcoming business trends and thus the cybersecurity challenges for the future.

What conferences are on your must-attend list? The must-attend conferences for 2020 for me will be the RSA Conference, as well as the Asia Privacy Forum hosted by the International Association of Privacy Professionals. There are some other regional CISO Roundtable events, which are a great way to network with other regional CISOs. Centre of Information Policy Leadership (CIPL) conferences will also be on my agenda for 2020. BlackHat and Defcon if time permits, but it would depend on the theme and the speakers.

What is the best current trend in cybersecurity? The worst? The best current trend in cybersecurity is the emergence and integration with privacy. The recent large-scale data breaches have put a spotlight on data privacy, and organisations can no longer ignore it. Privacy needs to be embedded deep into an organisation's culture; protection of personal data needs to be a core priority. The newly released ISO 27701 will help with establishing a Privacy Information Management System (PIMS), and the soon to be released NIST Privacy Framework (which was based on the very respected NIST Cybersecurity Framework) will allow organisations to have much more structure in designing and implementing data privacy programs for their organisations to align with cybersecurity programs. I would also say machine learning and A.I. are growing trends to help cybersecurity, but it will take a few more years to mature to weed out the false positives. On the flip side, A.I. will evolve over the next years to give rise to A.I.-powered malware, and this trend will be very scary indeed.

The worst (ongoing) trend is overconfidence. Top management and boards need to understand that cybersecurity risks are business risks and can impact a business in many ways. There is a cliché saying, “not a matter of if you will get hacked, but a matter of when.” The new rhetoric is to have an “assume breach” mindset. That is, you should be operating on the assumption that insiders/outsiders are already in your network. It will always be a challenge to change the mindset of C-Levels and the board, but with the growing trend towards digital transformation, cybersecurity and data privacy need to be core pillars of any organisation’s business strategy.

What's the best career advice you ever received? Wow. I have received a lot of good advice over the years, but I will need to credit my past CEO who pushed me to be the best I could be and to work fast, efficiently and with attention to detail. A lot of the time those three things don’t go well together, as you have to trade off speed against more errors, for example. That was not acceptable to him, and over the 15 years working directly under him, I was able to understand that it is indeed possible. His mantra and advice was A.B.C. – “Always. Be. Closing”. From Glengarry Glen Ross, a classic movie with quotes that will flow on for generations. It’s about motivation, and always finding a way to complete a task and “close the deal”, get things done and move on to the next objective. He was never a man of many words, but had some classic quotes, like “DON’T ASSUME. ASS out of U and ME” (i.e. if you assume, you will often be wrong and you will make an ass out of you and me).
