Episode 05 – Preparing for Cyber Threats: The Power of Crisis Exercises – With Lester Chng

Lester Chng

is a cybersecurity and crisis management professional and he has extensive experience in conducting exercises and establishing large-scale exercise programs in the financial services sector as well as the military. He has participated as the lead representative in multinational security exercises and has also orchestrated enterprise-wide live exercises.

Lester is a former Naval Surface Warfare Officer of the Republic of Singapore Navy where he ran the Naval Wargaming & Simulation Centre.

He has leveraged his experience in military wargaming to build cyber and crisis exercise programs. Lester holds CISSP and PMP certifications and is an active contributor to the cybersecurity communities on LinkedIn.


On today's episode:

In this podcast episode, I had the pleasure of speaking with Lester Chng, a cybersecurity and crisis management professional with extensive experience in conducting exercises and building large-scale exercise programs in both the financial services sector and the military. We discussed the real value of running crisis and tabletop exercises in corporate environments.

Lester draws thought-provoking parallels between the preparation tactics of the armed forces and how the corporate world can leverage the same approach.

Are you part of a small or medium-sized business without a dedicated IT or SecOps team? Lester highlighted how running such exercises can expose your vulnerabilities, helping you to identify and prepare for potential crises.

Moreover, he shared practical suggestions on how organizations, especially smaller ones, can approach these exercises, be it through hiring an external firm or drawing on the exercise material published by government agencies such as CISA, the UK NCSC and FEMA.

The key takeaway? Lester stressed the crucial need to be proactive rather than reactive, building resilience before a crisis hits. Exercises, according to him, are invaluable for bolstering knowledge and preparedness.

Join us for this insightful exploration of crisis exercises, and discover how they can help bolster your organization’s cyber resilience, regardless of your size. This is not a conversation you want to miss.



Below is the transcript of the podcast and links to some other content by Lester.

https://www.linkedin.com/in/lesterchng/



[00:00:00] Daemon Behr: Today I'm happy to introduce our next guest, Lester Chng.

Lester is a seasoned cybersecurity professional with a background in crisis management and exercise and project management. Lester, you have a very interesting background that is global in nature. Can you provide a bit of a background on your career and how it’s evolved and how you got to where you are now?

[00:00:23] Lester Chng: Yeah, certainly happy to do so. So thank you, Daemon, for having me as your guest to share about my experience and the topics that I'm passionate about: crisis management, cyber, project management, exercises especially. So my background, I started off my career back in Singapore, where I was a naval officer for about 12 years.

So only after I left the Navy did I realize that, oh, I had a big part to play in information security back in the Navy. So that was my first foray into information security, really being what we call the InfoSec officer of a unit. That's where you would have to push down the information security policies that the Navy has to your unit, ensure that everyone understands what some of the controls are: don't share secrets, understand information classification, who you can speak to, who your children can speak to, and be aware of the threat actors who are interested in military secrets. So that was my first foray into cybersecurity.

We didn't refer to it as cyber, I guess, 15 years ago. Cyber wasn't really well known; I think people mostly referred to it as information security. So that was my first foray into InfoSec. In the Navy, I also specialized in operations, in ship fighting. It's a warship.

So we're trained in warfighting. And a lot of it is operations and people management, because it's a tight-knit family in order to operate a ship. So that was my experience. And in particular, I specialized in wargaming and simulation. And that has led me to several roles when I transitioned out of the military.

So, wargaming, security. And one of my roles in the financial sector in Canada was running a security exercise program in a financial institution. So that entails a cyber scenario, a fraud scenario, physical security, and even crisis management. So it was a very wide mandate, from ransomware to tornadoes.

So that's my short journey of how I started off in the Navy. I took and extracted a lot of skills and experience that I learned in the Navy and transitioned to the corporate financial sector, and in particular cyber and crisis exercises. Yeah.

[00:03:05] Daemon Behr: Thank you for that. So as it relates to the realm of cybersecurity, how would you define crisis management, and why is that important?

[00:03:16] Lester Chng: Yeah, so crisis management: not many companies think of cyber and crisis management together, well synchronized. But I think it's becoming more and more common in how people handle incidents leading to a crisis. And we all know that cyber incidents have the potential to become a crisis, whether it's a small company or a large enterprise.

And I think one of the areas for crisis management, if you think about it, the cybersecurity teams, by nature, are very siloed and highly specialized in their particular field. And even in response to incidents, they tend to look at the incident or the problem from one lens. So for example, if you talk about the potential for a data leak, then the DLP teams say, okay, how then do we prevent any outgoing traffic?

The network teams will think about, okay, how do we isolate networks? The DFIR teams will be focused on trying to analyze the potential malware that's present in the networks. So the cyber teams, rightfully so, are focused on their area of work, because that's where their skill sets are most valuable, and that's the value that they bring.

But the issue with this is they may have their blinders on and not be able to see the larger picture of how it's impacting the entire enterprise. So I think that's where crisis management seeks to firstly synchronize the actions across all the specialized teams, whether it's the cyber team, legal, tech, any other stakeholders that are important as part of the response.

So I think crisis management synchronizes that, ensures a common operating picture and a common message, in order to provide the most efficient way to bring the business back to usual operations. So yeah, having a broad view of the issue, handling it, synchronizing it across all the teams, I think that's the important role that crisis management plays, especially in a cyber incident.

[00:05:43] Daemon Behr: So with the changing threat landscape that's continually becoming more diverse, and new and evolving threats are coming out, how can organizations prepare for new and novel cyber crises that are out in the wild?

[00:05:59] Lester Chng: Yeah, I think the first step is awareness.

So whether you have a comprehensive threat intelligence program and team monitoring the threats in order to make an assessment of potential impacts, filtering that to the correct stakeholders internally to proceed, assess whether your current controls can mitigate or prevent what is known, and also have a clear sense of, I guess, your cyber readiness and posture, whether your teams are ready to deal with whatever is novel. But another thing that I think is important is that we have got to realize that we may not have the privilege of knowing a lot of the incidents that will happen, or the TTPs or IOCs. Sometimes, unfortunately, you are on the other side, you're on the victim side, or you have been impacted, and it is becoming increasingly more common that threat attacks are not if, but when, and therefore teams need to be aware that, okay, there's a strong possibility that you may be a victim of a cyber attack.

And therefore the focus will be, okay, if that is a strong possibility, how then do you focus your efforts on mitigation? So yes, there's prevention. A lot of effort has to be placed there, but I think there has to be increased focus on, okay, if we are hit, how then do we quickly mitigate and recover?

So I think that's where the crisis function and structure prepares people to respond and mitigate as strongly as possible. So that touches on, when the day comes, everyone is aware of roles and responsibilities, certain pain points that you would discover in a crisis. Hopefully, you have the capacity to think of it in peacetime, so to speak.

[00:08:12] Daemon Behr: I imagine these are done through tabletop exercises, getting all the various parties into a room together for a period of time. What does it actually look like? Like, can you give an example of what a successful engagement would look like?

[00:08:27] Lester Chng: Yeah, I think definitely, you brought it up, right?

An exercise, without being hit, is probably the best way of understanding how ready you are to respond to a potential incident. So I think a successful exercise ties into two key parts. One is how mature your team is, and the exercise would sort of go in line with how ready your team is.

You don't wanna throw a very difficult scenario at a new team, because you would probably do more damage than good, right? There are ways to build up the maturity of the team. There are ways to introduce simpler scenarios so that they can get the basics sorted out, and therefore the exercise allows them to grow a bit.

The other thing on how you scope exercises is it has to tell a story. Yes, to tell the story of how well your overall cybersecurity program is progressing. So, for example, you just rolled out a DRP solution. And therefore if your exercise is able to showcase that, then from a business point of view, it's easier to understand, okay, what did we spend that 10 million on?

Okay, so it's to prevent this, this very important risk control implemented and how it prevents further damage in the crisis. So I think maturity of the team, as well as overall synchronization to the broader plan, those are the two considerations to think of when you're trying to place your exercise program in the grand scheme of your overall cybersecurity transformation.

[00:10:24] Daemon Behr: So when you're having these engagements, during the actual process, is there somebody who's documenting the responses or the actions that each person is providing, so that you can go back and iterate on that and improve that over a period of time?

[00:10:41] Lester Chng: Yeah, I think that's one of the most important things to record and keep track of.

Because, think of it this way, people have invested time to participate in your exercise. I think it's only fair that maybe you assign a scribe or someone in your team to record key points of discussion, and translate all this into action items that are eventually tracked and remediated.

And this is important because if you don't do so, people would lose confidence in your overall program. They may not see the value of the exercise and how it brings overall improvement to the posture of the teams. And it also builds confidence that, okay, people are aware of the difficult conversations.

They are taking notes, and key decision points that people are all aware of, and therefore, in a real incident, there's no surprise element and everyone can focus on, firstly, being aware if there's a problem and a gap. We may not solve our gaps, right? We know that gaps get translated into projects, get translated into timelines that may not be solved immediately, which is fine, but we don't wanna discover those gaps in a crisis.

We wanna discover that in exercises so that we have awareness of it. Firstly, we know the gaps. Secondly, we have thought about how to mitigate it if something were to happen. And if it's all recorded in trackable action items, it helps tie up the entire story of how exercises bring value to your overall program.

[00:12:30] Daemon Behr: So when the scribe documents all this stuff, do they do it just through taking notes, or is there audio? Is there video? Do they enter it into a system like Jira? Do they put it in a risk register? Like, what are the different components that comprise that whole process?

[00:12:48] Lester Chng: Yeah, yeah. So, good point.

Because we all know in a larger GRC, there are so many players tracking some of these items. I think with video recording there may be legal implications of recording some of these sensitive conversations, right? So, okay, it is dependent on your organization's discretion of whether you want to; you gotta balance the risk of learning and legal obligations.

So yeah, you gotta check with your legal teams on whether you wanna record some of those conversations. And the second part, like you mentioned, a risk register, Jira, Archer. You've got to place your program in the overall GRC structure. There's no need to reinvent the wheel. Speak to your risk teams, understand how the action items that are surfacing, where do they fit in: is the issue a risk, a gap, a regulatory finding? Yeah. And therefore understanding what you discover or what's discussed, which bucket it fits in. You don't have to reinvent the wheel. There's really process upon process for trying to track these items, so there will be a place for it.

If not, if it's a novel thing, like exercises and what's being found: firstly, if it overlaps with current issues that are already live, just tag it on as a note to that, so that you know that it's being tracked somewhere. You don't have to double-dig into another issue. But if not, then yeah, if you're just starting off, it may be a manual tracking of action items, which is not ideal, but at least there's an acknowledgement and a clear ownership of who owns some of the action items.

[00:14:46] Daemon Behr: And for the outcomes of what actually happened, or the changes from the last time it's done, who does that get given to? Does that get provided to the CISO or other stakeholders? Who actually looks at that?

[00:15:00] Lester Chng: Yeah, good question. So normally the end product is an after action report at the end of the exercise. At the end of the exercise, you would normally have what they call a hotwash or a debrief.

So that's where you have a discussion about, okay, does everyone, not agree, but at least are there any pointers that they brought up? What have they learned during the exercise, so that you can take those items and consolidate them into an after action report. The after action report, then, depending on the topic identified, normally it's distributed to the participants of the exercise, who have already been pre-identified as having a stake in the exercise. Therefore, they're there. Yeah. So normally that flows through to the people who attended. Other parties that may receive it, but may not take part in the exercise, are your risk teams, your regulatory relations teams. Yeah, most of the time those are the two. Audit sometimes wants to have a look at it. Because, think of it this way, all the money spent on your cyber program, normally what does it lead to? It leads to a dashboard of green with yellow, and certain numbers that are a bit arbitrary sometimes on how well your program is progressing.

Right? All that spend, it's a bit of a broad brush, but all that spend is to demonstrate whether you can firstly prevent, and then if you are hit, how do you respond? Right? At the end of the day, all your spend is just to do that. And there's almost no other way. Two ways. One is you get hit and then you react, which, touch wood, nobody wants to be part of. The other way is to run exercises and demonstrate how your tools, your responses are able to respond adequately to a scenario. And therefore it is all very useful to showcase your readiness, showcase your progress. And I think the corporate world is starting to warm up to exercises and understanding them a bit better.

Think of it from the flip side, where I came from, the military: all the military does is, if you're not in operations, you are on exercise. That's all we do all day long, and that's where I think the value of exercises is fully extracted. So for example, if you have a new tool, your new airplane, new capability, they'll be running exercises firstly to demonstrate the capability, and then secondly, internally, to validate that the capability works, and then they will showcase it to the world and say that, okay, we have a new plane.

The new plane can fly so far, this missile can reach so far. And it's sort of an active demonstration. I mean, obviously there are more undertones about why people do that. But I think if the corporate world can extract some learnings from how the military uses exercises and turn it around, it's a good story to tell on the progress of the overall program.

It also makes it easier for the business to understand how we will respond, how we have improved in our response. And I think exercises, if it didn't happen to you, at least demonstrated robustly during an exercise, I think it helps bring the competence levels much higher.

[00:18:40] Daemon Behr: I think in Canada there are a lot of organizations that are small and medium-sized organizations. They don't necessarily have a large IT ops team, usually not a dedicated SecOps team or even GRC. So if they don't have that, is there still value for them to do an exercise? Or do they need to have a certain level of cybersecurity readiness in place before they can get value out of it?

[00:19:06] Lester Chng: Yeah, great question. I think most people think, I don't even have a team, why am I running exercises? Right. But think of it from the threat's point of view. Do they care whether you have a team ready to respond? No, they don't care. If you're a juicy target, you're a juicy target, and therefore, yes, your team may not be mature.

You may have plenty of gaps, but an exercise highlights that. Okay, if this were to happen, touch wood, if it really were to happen, at least you know who to call, or at least you have thought through who you gotta call, how you're gonna protect your business as much as possible, even if you have no defense, right?

I mean, it sounds like a very sad situation, but there are things that you can do to prevent, to stop the bleeding, to at least ask for help, to call in additional resources. But you don't want to be thinking about that in the midst of a crisis, because you would just be panicking and reacting to whatever and whenever, and you would have done a lot more damage if you had not taken the time to run exercises.

Yes, it'll be painful, you know, all the pain points. Yeah. But at least being aware of that, because if you're not aware, you can't do anything about it. But if you're aware, at least you spend the time thinking: ask a friend, ask another company, like, okay, what can I do? In the end, there are federal organizations that are ready to assist, maybe not in your environment, but at least they have best practices to help smaller companies especially.

[00:21:02] Daemon Behr: So if a smaller company wants to do an exercise, how would they go about doing that? Would they get an external consultant to come in and run the whole exercise for them? Are there any best practices for them to do that? Like, how would they go about engaging with that?

[00:21:19] Lester Chng: Yeah, so, like you mentioned, most smaller companies don't even have a dedicated security team, so they won't have the capacity to start thinking of how to structure an exercise to help their company's readiness. So one way, like you mentioned, is to hire an external firm. I think there are large companies that do it, smaller companies as well, that have bespoke services for incidents for your particular company. Alternatively, if you somehow find some spare capacity, CISA, the UK NCSC, they have pre-canned scenarios, injects and questionnaires to help companies who are interested in running their own exercises. Yeah, they do have a lot of information. I think FEMA is another organization that has a lot of material on organizing and structuring individual exercises as well as an overall security program or exercise program. So I think those three resources, if you find the capacity for self-help, you'll be able to find a lot of information there.

[00:22:31] Daemon Behr: All right. Well, thank you very much for joining me today.

It's been a very interesting and insightful conversation that we've been having. Before we go, is there any last thing that you would want to say to our listeners?

[00:22:42] Lester Chng: Yeah, I think exercises are going to be more important. I think the regulators are gonna start asking for them more. So it's better to be proactive rather than reactive in demonstrating the readiness of your organization.

And I think that's one last parting statement: you cannot build resilience in the midst of a crisis. You've gotta do it beforehand, so that when you hit a crisis point, you're able to fully leverage the resilience structures, technology and processes that you have put in place to sort of lower the impact of a potential crisis.

But if you try and do it during a crisis, you're just reacting. You're just not in an optimal state of response. So invest the time prior to the boom, shift it as far left as possible. Invest the time and energy and run exercises. Be surprised by some of the questions coming up during an exercise rather than during a crisis.

Yeah. So that's all I have to leave with the listeners.

[00:23:56] Daemon Behr: Great. Well, thank you. Now, if somebody wanted to reach out to you on the internet or through social media or so on, what would be the best way to do that?

[00:24:02] Lester Chng: So I think the best way is to connect with me on LinkedIn. And yeah, if you have questions about exercises, crisis management, I think those are the two areas that I speak constantly about, and I'm very passionate about those topics.

So yeah, feel free to leverage LinkedIn and connect with me there.

Daemon Behr: All right. Thank you very much.

Lester Chng: Thank you.


Discover more from Designing Risk in IT Infrastructure
