“Having the right tools is not enough without a well-trained workforce to carry out the job” said Ts. Saiful Bakhtiar Osman, Head of IT, Shared Services at PNB Commercial.

Can you describe your current role, and what responsibilities do you undertake?

I am the Head of IT, shared services for PNB Commercial, the real estate subsidiary of Permodalan Nasional Berhad, a premier fund management company in Malaysia. I oversee the IT Department and all the IT Services delivery within the group, which consists of IT infrastructure, business applications, IT security, in-house system development, project management, network and cloud, end user support, IT strategy and compliance. We are currently implementing the system harmonization between subsidiaries as part of the digital transformation and innovation initiatives. I believe that we are on the right track, and we have a clear direction from the management, as well as their full support.

How will you describe your journey in the cybersecurity Industry?

I have been handling IT Security and cybersecurity for many years now. One thing that I notice is that the threats are evolving rapidly each day, and we need to keep up or we will be left out. The threat actors are coming up with new ways to penetrate every organization. User awareness should become your main attention because they are exposed to cyber threats daily. However, some organizations may not have the luxury of budget to spend on IT security. It is indeed a challenge, but you still need to deliver to safeguard the organization. Having the right tools is not enough without a well-trained workforce to carry out the job.

If you could make one recommendation to the next generation of cybersecurity leaders, what would it be?

If you are not able to see the threat, it does not mean that the threat is not there. You may not realize that your organization is already compromised. Maybe your detection tools were outdated or not patched on time, that resulted of these zero-day attacks were not able to be detected. Always prepare for the worst and diligently secure your IT ecosystem. Having good SOPs and policies in place would help in standardizing the delivery across all IT personnel. This would reduce human errors, or any potential critical tasks being overlooked by anyone that might jeopardize the whole organization.

How do you stay current with the latest security threats and technologies?

It’s crucial for any IT professional to keep up to date knowledge of the latest technology and emerging threats. As for myself, the main resource would be engaging myself with global IT organizations and getting first-hand information from IT colleagues across the globe. Attending IT summits and seminars would also be a good way to learn from others about what is happening in the IT world. However, with the time constraint and busy schedule, I would rather prefer for IT vendors and partners to come to our organization instead and share the latest information and introduce new technologies.

Can you discuss a time when you had to handle a security incident, and what steps you took to resolve it?

There was once, a ransomware incident in one of my previous workplaces. First and foremost, do not panic. You must be clear-headed because your staff depends on you for directions and the next course of action.
My priority back then were as follows:

Contain the situation from spreading – Instructed my team to isolate the environment and investigate the degree of damage.
Activate IT disaster recovery – Get the approval to route all access to the alternate site, while cleaning up is done to the primary site. The priority is to have the business to resume the soonest possible.
Root-cause analysis – Identify the source and address the gaps to prevent it from happening again.