Ex-Huawei tech security chief on steeling UOB’s cyber defences

Singaporean bank overhauls penetration testing and scenario analysis, with Tobias Gondrom leading the effort

Tobias Gondrom, chief information security officer

Tobias Gondrom is an idealist. His decision to take a job at Singapore’s UOB after a career in tech and telecoms firms was prompted, in part, by an advertisement he had seen on a Cathay Pacific flight from London to Hong Kong a few years previously.

The commercial featured a young girl receiving books from a donor. Before long, her father decided that one book was too valuable to accept and insisted on returning it to the donor. The sentiment struck a chord with Gondrom – particularly in the aftermath of the financial crisis, when banks were accused of acting with excessive self-interest.

“It touched me so much I had tears in my eyes,” he says. “I went off the plane and I posted on my Facebook, which I normally never do, and said something like: ‘The virtue of self-motivated honesty: wouldn’t it be nice for all banks to be like this with this kind of value?’”

Since joining UOB as chief information security officer almost a year ago, Gondrom has focused on protecting the lender from cyber threats. He has strengthened penetration testing and scenario analysis at a time when data loss through cyber attacks, and the reputational damage that follows, are growing concerns for banks.

Risk.net’s annual ranking of the biggest op risks for 2019, based on a survey of operational risk practitioners across the globe, put data compromise as the top threat for the first time. The role of the chief information security officer is at the sharp end of banks’ efforts to protect client data and guard against IT disruption and financial loss.

“I spent all my life in IT,” Gondrom says. “Being able to understand the technology allows me to combine the strategic view with the detailed technical questions, to support my team members and set them up for success.”

Gondrom was the chief technology officer for security at Huawei till June last year. He declines to comment on his role at Huawei or the espionage allegations engulfing the Chinese firm now, citing clauses in his employment contract with UOB that prevent him from talking about his previous employer. Instead, he chooses to put the spotlight on how he is leaning on lessons learnt in his almost two-decade-long career in technology to augment UOB’s defences against cyber threats.

One of the first changes he made was strengthening the ethical hacking team, which recreates the tactics of cyber criminals, to boost defensive measures and improve response time.

A typical way of testing a bank’s systems is to deploy red and blue teams. The red team plays the part of hackers attempting to breach the bank’s security systems; the blue team detects and defends. At UOB, the two teams test for vulnerabilities, come up with strategies and report to senior management.

Under Gondrom’s watch, the red team has also taken on penetration testing, in which ethical hackers bring their “big bag of keys” – tools and techniques – and try them against every lock and layer of security the bank has built.

Typically, pen testing is short-term in nature, whereas red/blue campaigns take place over a longer period of time. At UOB, this work was previously done by separate teams, but Gondrom has made changes.

“We combined the penetration testing work with the red team because we found there to be enhanced synergy in that they share common tools and attack techniques,” he says. “Penetration testing is useful as you get a good idea of what are our potential weaknesses. This in turn makes the work of the red team more effective.”

Pen testing represents a steady and continuous flow of work, while red team engagements are more flexible and open, so combining the activities allows both units to balance workloads across different peak times, maximising productivity, Gondrom adds. The structure also makes it easier for staff to move between functions, providing a career development path for individuals.

UOB is in the process of forming a purple team, in which red and blue team members work side by side, to increase the quality and effectiveness of the activities and shorten the learning cycle between attack and defence.

Brought to life

Another widely used approach to manage cyber risk is scenario-based analysis, which Gondrom recognises for having two strengths: making threats specific and tangible.

“When I go to the board or speak at a conference, it is often helpful to show a number of scenarios because it brings these cases to life,” he says. “If you speak in a scenario, it’s a story. Stories are powerful. With a story, you can make it very tangible for the board members or for your senior stakeholders – why is this important, why should you do this, why should you care.”

UOB is not the only bank in Singapore to develop scenario analysis as a cyber risk tool: Standard Chartered is using the technique to model losses from cyber breaches. One caveat to scenario analysis is that an institution may need thousands of scenarios to perform scientific risk management of cyber security, which is a laborious task. Thus, identifying a number of major scenarios is important to achieve effective results, Gondrom says. He identifies examples such as the SingHealth data breach of last year, the NotPetya ransomware case of 2017, and the Bangladesh Bank heist in 2016.

Gondrom also supports efforts by Asia-Pacific regulators to push banks to share more intelligence on the nature of the cyber threats they face. Some lenders, however, fear penalties if they highlight perceived weaknesses in their defences, and are unwilling to risk breaching local data protection laws.

“On a personal level, I’m a strong fan of sharing intelligence,” Gondrom says. “But it is important to find the balance between sharing and oversharing on an open network. You don’t want to show all your cards to your adversaries. If a circle of people is getting too big, you have a higher risk of having someone infiltrate it. That’s why closed trusted networks are probably the most common ones at the moment for sharing intelligence.”

An example of a closed network is ORX, the Operational Riskdata Exchange, a consortium of financial institutions which aggregates loss data from its members, anonymises it, and publishes the data back to member firms.

Gondrom, a German native, holds a diploma in physics from the Technical University of Munich and a master’s in general management from London Business School. He moved into the technology sector in 1999, working for a Canadian software company, OpenText, where he later became head of the security team.

He then spent seven years at the now-defunct boutique risk consultancy Thames Stanley in Hong Kong as head of information security and risk, before joining the Shenzhen-based telecoms firm Huawei in 2015. Until June last year, he led the development and improvement of security technologies and security competitiveness across Huawei’s product lines and business units, including software-defined networking, internet of things and wireless, his LinkedIn profile shows.

With the previous financial crisis fading into history, bank executives and regulators – including US Federal Reserve chair Jerome Powell – believe cyber attacks could be among the triggers for the next crisis.

As such, the role played by Gondrom and his team is set to be as important as the focus on lending standards, capital levels, conduct and culture.

Gondrom plans to grow his team to enhance expertise in security risk management, governance, automation and advanced analytics, he says.

“We spend a lot of effort and focus on choosing the right people and the right team,” he says. “Once we have them, it’s about unleashing their potential.”

Biography – Tobias Gondrom

July 2018–present: Chief information security officer, UOB

2015–2018: Global chief technology officer security, Huawei

2008–2015: Head of information security and risk, Thames Stanley

2005–2007: Head of security team, OpenText Corporation

1999–2004: Senior software architect and security architect, IXOS Software

Editing by Alex Krohn
