CSA Event Supported by Tenable Demystifies RMiT for Malaysia’s FSI Companies

Here at Cybersecurity ASEAN (CSA), we try to do more than just deliver cybersecurity news on a daily basis. We believe our role is to help cybersecurity professionals understand the latest developments in their space.

When it comes to Malaysia and the financial sector, arguably, the most pressing topic is RMiT. Bank Negara’s Risk Management in Technology framework came into effect in June this year with a requirement for regulated FSI companies to be RMiT compliant by October this year.

CSA decided to run an event to help security professionals in FSIs understand ways they can meet compliance. Knowing this to be a specialist area, we planned for a small, focused event for around 25 attendees, but it seems the topic is “hotter” than we anticipated with over 60 people registering for the event.

CSA is one of the news titles produced by Asia Online Publishing Group, and their Group Publisher Andrew Martin was on site to set the scene for the day. He reminded the audience that, as financial institutions, it is not a case of ‘we could be targeted for attack’; they should expect that they are under cyber-attack at all times.

Andrew pointed out that the Bank Negara RMiT framework was a reminder of how high the stakes are for financial companies. The impact of a successful cyber breach against these companies, according to Andrew, does not just affect the individual companies; it has a wider impact on international confidence in Malaysia as a place to do business.

RMiT and keeping FSI companies secured from cyber risks is serious and important.

CSA had enlisted the support of Cyber Exposure company Tenable to take part in the event, with Tenable’s APAC Chief Technical Lead, Dick Bussiere, speaking in depth about how to be RMiT compliant.

Choosing Tenable to partner in this event was absolutely by design, as their technology accurately manages, measures and reduces risk holistically in the digital era. They refer to this as Cyber Exposure.

Rather than jumping straight into RMiT itself, Dick described the underlying issues that companies face in trying to deal with today’s cyber threats. Putting forth a personal example, he referred to his own home. Using Nessus, he scanned to find out how many IP addresses “belonged” to his house when he moved in just a few years ago. The answer was 6. He revealed that today, when he runs the same Nessus scan, he can see that his home is using 25 IP addresses. Dick assured us he has not acquired another 19 laptops; instead, he has multiple devices connected to the internet.

Dick’s point was to extrapolate that trend to an enterprise corporation: the number of access points, or to put it another way, the threat landscape, is expanding at a rate that is impossible to keep secure at all times.

Giving a more business-oriented example, he referred to a company that Tenable works with that identifies over 100,000 security vulnerabilities per day, but even with automation, the maximum number of these vulnerabilities they can remediate in a day is 4,000.

Squaring this circle can be achieved more easily than you might expect if you have the tools to automate the process. Dick explained a process which he called the “Triad” of vulnerability management. This process underpins how Tenable helps companies manage the exposure gap and in doing so, meet regulatory compliance.

The triad is made up of the following components: vulnerabilities, threats and business priorities (such as regulations). Where these three intersect is where you focus your remediation. To paraphrase the explanation, if you identify 1000 vulnerabilities, but only 200 of them have known active exploits that target them, then you focus on these 200. If 100 of these relate to systems that are unregulated or do not affect business reputation, then you focus on the remaining 100.

Using this methodology, the exposure gap can be closed while rendering the tasks manageable, the business and compliance imperatives can be converted into rules, and RMiT-specific dashboards can be created.
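The triad described above, reduced to a short prioritisation routine, as an added illustration that is not part of the original article and is not Tenable’s own code or product logic. It assumes a hypothetical scanner export in which each finding carries a severity score, a flag for whether a known active exploit exists (the threat axis) and a flag for whether the affected system is regulated or reputation-relevant (the business-priority axis); the sample findings are constructed. Findings at the intersection of all three axes land in the first tier, and a daily remediation capacity, like the 4,000-per-day figure quoted above, caps how much of the ordered list is scheduled.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One scanner finding (hypothetical schema, not a real export format)."""
    finding_id: str
    asset: str
    cvss: float                 # vulnerability axis: severity of the weakness
    exploit_available: bool     # threat axis: a known, active exploit targets it
    in_scope: bool              # business-priority axis: regulated / reputation-relevant


# Constructed sample data standing in for a scan export.
SAMPLE_FINDINGS = [
    Finding("V-001", "core-banking-db", 9.8, True, True),
    Finding("V-002", "core-banking-db", 7.5, False, True),
    Finding("V-003", "dev-sandbox", 9.1, True, False),
    Finding("V-004", "marketing-web", 5.3, False, False),
    Finding("V-005", "payment-gateway", 8.1, True, True),
    Finding("V-006", "hr-portal", 6.5, False, True),
]


def tier(f: Finding) -> int:
    """Map a finding onto the triad: 1 = all three axes intersect, 4 = none."""
    if f.exploit_available and f.in_scope:
        return 1          # exploited in the wild AND on a regulated/critical system
    if f.exploit_available:
        return 2          # exploited, but the asset is out of regulatory scope
    if f.in_scope:
        return 3          # in scope, but no known active exploit yet
    return 4              # neither: lowest priority


def triage(findings: List[Finding]) -> Dict[int, List[Finding]]:
    """Bucket findings by tier; within a tier, highest severity first."""
    buckets: Dict[int, List[Finding]] = {1: [], 2: [], 3: [], 4: []}
    for f in findings:
        buckets[tier(f)].append(f)
    for bucket in buckets.values():
        bucket.sort(key=lambda x: x.cvss, reverse=True)
    return buckets


def plan_remediation(findings: List[Finding], capacity: int) -> List[Finding]:
    """Return the findings to fix today: tier order, then severity, cut at capacity."""
    buckets = triage(findings)
    ordered: List[Finding] = []
    for t in (1, 2, 3, 4):
        ordered.extend(buckets[t])
    return ordered[:capacity]


if __name__ == "__main__":
    for t, items in triage(SAMPLE_FINDINGS).items():
        print(f"tier {t}: {[f.finding_id for f in items]}")
    print("today:", [f.finding_id for f in plan_remediation(SAMPLE_FINDINGS, 3)])
```

With a capacity of three, the plan takes the two tier-1 findings on the core banking database and payment gateway first, then the exploited sandbox issue; the in-scope findings with no active exploit wait for a later day, which is the same narrowing the talk described with its 1000, 200 and 100 figures.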


Speaking to some of the attendees during and after the event, we found they were clearly impressed. The cost and time of achieving compliance can sometimes be taxing. However, they could see that companies like Tenable offer solutions to assess the exact vulnerabilities that frameworks like RMiT are designed to protect against.
