Like all natural-born security professionals, Maurice Mo, Senior Director, Regional IT Security at insurance provider Prudential Corporation Asia, always has a backup. Mo began his career by launching a mobile infotainment company. But in the early 2000s, before smartphones were in every pocket, it proved to be an idea before its time. Mo’s backup plan? It was an idea right on time: a career in information security. Mo studied at night, earned a security certification, and traded his startup for a security position in the insurance industry.
Today, Mo is glad things worked out as they did, and so are many in the security industry. He has since served in various senior security positions within the insurance and financial services industries. We recently caught up with him to get his thoughts on how identity and security have changed over the last 15 years and to learn his most pressing priorities.
Below is an edited version of our conversation.
Thanks for sharing your time with us, Maurice. Could you tell us how you became involved with security?
Back at university, I was trained in computer science, primarily in programming, but soon I realized I was more interested in socializing with people than debugging code. Broader technology such as mobility was also very interesting to me. Security was a perfect match for my passion and interests.
In the old days, most organizations only had one or two people to lead security efforts. That meant the security manager had to do everything, from security assessment to vulnerability management to identity and access management. Those days were a great learning ground for me to touch on almost every aspect of security.
How do you see identity management having changed over that time?
I recall in the early 2000s, an access request took place on paper. So did the access review. I remember a 10-inch-thick report was printed for one application access review, which was then delivered to the system owner to manually review it all and identify the wrong permissions.
Then, the form on the back of the report required physical signatures. Since then, through improved identity solutions, organizations have been able to automate and digitalize the process and enhance provisioning and access management.
I think digitization and automation are the biggest ways in which identity access management has evolved and matured over time.
Has identity management grown to be more important to organizations?
It most certainly has, especially when it comes to security and regulatory compliance. The identity platform is typically the only platform that is owned by security but is also used regularly by every end user. Simplicity and user experience are crucial. Most other security controls are transparent to the user, such as antivirus, email protection, and other defenses.
In your role, what are some of your current top priorities?
That’s a great question. There are always many priorities being juggled, but among the most pressing ones would be getting the basics right.
Most of the cyber attacks could have been prevented simply by implementing basic measures, such as patching and privileged identity management. Cyber hygiene should always be top of mind because it will dramatically minimize the risks of becoming a victim of a cyber attack.
The second priority is security awareness. Effective security is about improving the risk culture in a company that should be measurable and enabling every employee to become part of the security defense by an engaging awareness program that people won’t hate.
The final top priority would be embracing digital transformation and enabling the business. Digital transformation is changing the perimeter of the organization, and more applications and data are stored in the cloud and various places.
This is challenging to our traditional security defenses that are no longer sufficient. You need to be adaptive and stay ahead of the game by integrating security and automation in this fast-paced changing environment.
Considering the priorities you just detailed, what do you see as the largest hurdles you face in achieving security goals?
I think the first is having visibility into one’s security posture. The scariest things are the things you don’t know. Without visibility, there is no direction and strategy. It’s like a pilot flying in a storm without radar.
It’s easy to become lulled into a sense of complacency. You can have every control you need in place, but you always have to dig deeper and challenge yourself: “Are you sure?” You have to make sure the coverage is right and try to find the areas where a control may fail. I think this is always the greatest challenge—to gain more visibility, and sufficient assurance, into your security posture.
One more challenge I would like to share is that as security matures, you may end up with a long list of disjointed security technologies that complicate your architecture and defenses. Having more tools doesn’t lead to more security unless the people and processes are in place too. I think the solution here is to build more integrations and automation. We need to streamline more processes because the security challenge is not about technology. We have too many technologies complicating our architecture. Not enough people ask if they even have the people to support all of the technology they have in place.
Where are you now with your identity efforts in Prudential, and what are your goals in that area?
In 2013, I started the IAM program using SailPoint for access governance, gaining visibility into “who has access to what” while also reviewing in order to identify inappropriate access. Over the years, we have made a tremendous improvement in maturing our program, such as self-password reset, automated provisioning and deprovisioning of accounts, integration with the HR system, and enhancing the user interface.
We still face, like everyone, the challenge of the spread of data, more applications moving to the cloud, and role-based access which we are addressing. Another challenge is the scale, as the IAM capabilities are built in more than 10 countries across Asia.
The ultimate goal is to enable end users to manage identity and access with a pleasant experience and outcome, which can only be done by more simplification, continuous refinement, and automation.