KPMG's Lee Ser Yen: Minimised data collection, embedded privacy, privacy-friendly options are essential cybersecurity practices

Cybersecurity leader Lee Ser Yen discusses the evolving threat landscape and the importance of building resilience.

The tech landscape is constantly evolving, and cybersecurity is no exception. As businesses become increasingly reliant on digital technologies, the need for robust security measures becomes paramount.

A seasoned professional with over 25 years of experience in information security, Lee Ser Yen offers valuable insights into the current state of cybersecurity and the challenges and opportunities that lie ahead. He boasts a distinguished career in cybersecurity, having designed and implemented security solutions for a diverse range of clients across various sectors.

Lee Ser Yen currently leads the cyber transformation service at KPMG in Singapore, where he advises clients on securing their businesses through a holistic approach that considers people, processes, and technology.

The evolving threat landscape

Lee Ser Yen observes that cybersecurity has transitioned from a technical concern, “nuisance,” and “inconvenience” to a critical boardroom issue. The rise of cyber incidents and their far-reaching impact have necessitated a shift in mindset, with organisations now adopting a "not if, but when" approach to cyber threats. “The ability to be cyber resilient is key in minimising damages from cyber threats,” he said.

Citing KPMG’s “Cybersecurity considerations” report, Lee Ser Yen highlighted several key trends shaping the cybersecurity landscape over the past few years.

He emphasised the importance of building trust with all stakeholders, including customers, employees, and regulators, in the digital age. Moving from a centralised security function to a federated model that integrates security into the core of the organisation is also essential. Furthermore, partnering with trusted service providers and modernising supply chain security are critical aspects of mitigating cyber risks.

Whilst AI and automation offer immense potential, organisations must also manage the associated cyber risks of these new technologies and leverage them to enhance security.

Data protection and privacy in a digitised world

With the increasing digitisation of businesses, data protection and privacy regulations are becoming more prevalent and complex. GDPR has formalised many prior data privacy guidelines and added enforcement ‘teeth’ since it was introduced in the EU in 2018. Regulations have then been adopted or updated to align with GDPR.

With this, Lee Ser Yen emphasised the importance of several key strategies for organisations operating in this environment. Organisations operating across borders need to adopt a unified approach to comply with the evolving global data privacy landscape.

Navigating data localisation requirements alongside national security and privacy concerns is crucial for organisations with a global footprint. This is especially since regulatory bodies are now becoming more assertive in enforcing privacy laws with heavier penalties.

“Organisation should embrace privacy by design and by default. Minimising data collection is a good hygiene practice as it reduces the risk and impact of any data loss right from the beginning, with the benefit of reducing the cost of data storage and protection,” Lee Ser Yen explained. “Embedded privacy early into solution and workflow design creates better consistency across the organisation and minimises security gaps between systems and teams. Embracing the most privacy-friendly options by default will also ensure human errors are reduced and there is alignment with regulatory requirements.”

Maintaining a clear view of the data landscape and holding third parties accountable for data breaches and other related incidents are critical aspects of data protection.

Lee Ser Yen stressed the significance of a strong GRC (Governance, Risk, and Compliance) culture in managing cybersecurity risks in a dynamic environment. He outlined strategies for seamless integration of GRC into cybersecurity operations.

Firstly, fostering a culture of risk awareness and accountability across the organisation is essential. According to Lee Ser Yen, this will result in improved decision-making processes and better collaboration across teams.

Next, aligning GRC processes with security operations ensures effective risk management and governance, allowing for faster updates to policies and procedures in response to threats and attacks. Utilising GRC tools and AI-powered insights can also streamline processes, track compliance, and better communicate with management. 

“It is important to see the role of GRC in managing cybersecurity risks as a leading light in any organisation where current state can be tracked against targets to align policies and efforts to strategic goals. It will facilitate faster improvements and changes to cybersecurity defences in response to the changing environment and threats, and eventually sustain the effectiveness of the cybersecurity defences,” Lee Ser Yen said.

Cybersecurity and emerging technologies

Lee Ser Yen acknowledged the continuous interplay between cybersecurity and emerging technologies like IoT and blockchain. He highlighted both the challenges and opportunities presented by these technologies. In that, new technologies introduce new vulnerabilities, necessitating continuous adaptation and improvement of cybersecurity measures.

“Whilst the global lack of skilled cybersecurity resources remains a critical problem, innovative solutions that leverage new and emerging technologies promise to reduce our dependence on humans and allow us to operate more efficiently,” Lee Ser Yen pointed out.

AI and machine learning offer promising solutions for threat detection and automated security operations. Striking a balance between harnessing the potential of new technologies and ensuring robust security measures is crucial. Governments and regulators are increasingly focusing on cybersecurity requirements for emerging technologies, and so cybersecurity will surely become a critical component of any new technology or solution.

As a judge at the SBR Technology Excellence Awards, Lee Ser Yen believes that solutions should be innovative and pushing boundaries. They should solve real-world problems and deliver tangible value to users and stakeholders. For him, solutions should also demonstrably create economic value and impact, whether through increased efficiency, cost optimisation, or market disruption.

“Technology should bring value and benefits to people and society…The awards will be a recognition and endorsement for the great work and achievements each winner has put in,” he said.