-
08:30
Registration and breakfast
-
08:50
Welcoming Remarks from Corinium
Eleen Meleng - Content Director, CISO Malaysia - Corinium
-
08:55
Chair's Opening Remarks
Manmeet Mahinderjit Singh - Associate Professor - Universiti Sains Malaysia
-
09:00
Speed Networking – Making new connections at CISO Malaysia!
During this 5-minute networking session, the aim of the game is to go and meet three people you don't already know. Have fun!
-
09:05
Opening Keynote
From Policy to Practice: Making the Cyber Security Act 2024 Work for Your Organisation
Dato’ Dr Haji Amirudin Abdul Wahab - CEO - CyberSecurity Malaysia
As Malaysia enters a new era of cyber governance, this session unpacks what the Cyber Security Act 2024 really means for CISOs, especially those responsible for critical infrastructure and high-risk sectors.
- Understanding the evolving role of the CISO under the Act: compliance, accountability, and strategic alignment
- Readiness strategies for NCII sectors: threat modelling, incident reporting, and collaboration with NACSA
- Bridging the gap between regulatory intent and operational execution through governance, tooling, and workforce enablement
-
09:30
Safeguarding the Missing Layer: Human Risk
John Taylor - Field CTO – APAC - Mimecast
Despite advancements in cyber security tools, human error remains the leading cause of breaches, with phishing attacks, insider threats, and credential misuse continuing to dominate the threat landscape. Independent research highlights that 68% of cyber incidents stem from human error, reinforcing Mimecast’s human-risk research revealing that almost 10% of employees account for 80% of security incidents.
This session will explore the factors contributing to user vulnerabilities that lead to certain individuals being classed as high-risk.
You will gain insights into measuring user risk effectively and implementing tailored strategies to enhance cyber security across your organisations. My session will also highlight how a personalised and adaptive security approach can provide customised security measures for each user. By focusing on these high-risk individuals, organisations can safeguard their workforce while maintaining operational productivity.
-
09:55
Executive Panel
CISOs at a Crossroads: From Firefighter to Forward Strategist
- With the Cyber Security Act 2024 and Malaysia's national push for digital resilience, the CISO role is evolving from technical enforcer to strategic business leader
- Boards and regulators increasingly expect CISOs to articulate risk, trust, and resilience in business terms—beyond compliance
- Balancing real-time threat response with long-term transformation, regulatory alignment, and enterprise value creation
Moderator
Vikneswaran Kunasegaran - SVP – Security Assessments - Firmus
Panellists
Amir Abdul Samad - Head, Cyber Security (CISO) - PETRONAS
Suresh Sankaran Srinivasan - Group Head – Cyber Security & Privacy - Axiata
Nantha Kumar Krishnan - Head of Information Technology Operation – APMEA - Kerry
Norman Leong - Head of Cybersecurity Governance, Risk, and Assurance - AirAsia
Chee Lung Yuen - CISO - AIA Malaysia
-
10:25
Stay Ready So You Don’t Need to Get Ready
Yuri Pinheiro - Director of Partner Solution Architecture, ASEAN & ANZ - Tanium
Every organization has well-documented endpoint security standards – yet the challenge is to make these work in the real world. Endpoint controls that were “compliant” on paper fail in practice due to inconsistent enforcement and outdated measurement methods. Organizations resort to reactionary measures rather than proactive ones. To make matters worse, 90% of successful cyberattacks originate at the endpoint.
In this session you will gain insights on:
- Key challenges in the endpoint governance and compliance lifecycle
- Adopting a more Proactive Security Posture.
- Consistently enforce endpoint controls and measure security posture in real time.
-
10:50
Coffee & Connect
-
11:20
Technical Panel
Secure by Design: Building Resilient, Digital-Native Security Architectures
- Key principles for architecting secure, scalable environments across cloud, hybrid, and edge
- How to embed resilience and agility without compromising speed or user experience
- Real-world approaches to modernising legacy infrastructure while preparing for future threats
Moderator
Abdul Hakim Razip - Chief Risk Officer - Generali Insurance
Panellists
Naveen Chantiran - Head of Cyber Security - Air Liquide
Yusfarizal Yusoff - Head of Security Architecture - PETRONAS Digital
Prasad Jayabalan - Head of Cybersecurity Strategy & Architecture - Axiata
Sivanathan Subramaniam - Group Chief Cybersecurity & Risk Officer - CTOS Digital
-
11:50
Mastering Minimum Viable Recovery: Ensuring Rapid and Effective Business Continuity
Gareth Russell - Field Chief Technology Officer, Security for Asia Pacific (APAC) - Commvault
-
12:15
Bridging IT and OT: Securing Critical Infrastructure in a Connected World
Edd Barber - CISO - WEL Networks
- Identifying and managing risks in hybrid IT-OT environments
- Implementing Zero Trust principles in OT networks
- Governance, compliance, and workforce training in OT security
-
12:40
The First 72 Hours – Real-World Crisis Playbooks
- How leading teams coordinate across security, legal, comms, and business during an active breach
- What real-world playbooks reveal about decision-making, escalation, and containment
- Turning crisis into resilience through post-incident learning and tabletop exercises
-
13:05
Lunch & Networking
-
TRACK A: STRATEGY
-
14:05
AI-Powered Cybersecurity as Innovations Enabler
Ebenezer Godomon - Deputy Director II (Cyber Security) - Sabah State Computer Services Department
- Showcasing how AI-driven cybersecurity enhances business resilience, operational efficiency, and customer trust
- Translating AI-powered security insights and threat intelligence into business-relevant outcomes for executive stakeholders
- Aligning AI-led security investments with enterprise-wide digital transformation and innovation strategies
-
14:30
Resilience Planning: From Incident Response to Cyber Insurance
Senior representative - Okta
-
14:55
Changing the DNA: Leading Culture Shifts in Cybersecurity
Ts. Saiful Bakhtiar Osman - Head of IT - PNB Commercial
- Turning policy into practice through behaviour, incentives, and leadership modelling
- How to embed security ownership across departments, not just in IT
- Lessons from leaders driving organisation-wide change in mindset and accountability
-
15:20
Metrics that Matter: Measuring the Maturity of Your Security Program
- How to measure security program maturity in ways that resonate with executives
- Linking metrics to risk reduction, operational performance, and business outcomes
- Using data to justify investments, guide strategy, and benchmark progress
-
15:45
Fireside Chat
When Downtime Becomes a Cyber Weapon: Securing Industrial Resilience in a Connected Era
- How do OT and IT leaders collaborate to prepare for cyber incidents that can halt physical operations?
- Can automation and AI-driven analytics improve visibility and reduce response time in critical environments?
- How can industry, government, and technology providers work together to safeguard Malaysia’s critical infrastructure ecosystem?
Speakers:
Edd Barber - CISO - WEL Networks
Dr Peter Leong - Director - MyCIO Services
-
16:10
From Response to Readiness: Maturing Your Incident Response Strategy
- Establishing a proactive incident response culture across functions
- Integrating threat intelligence and automation into the IR lifecycle
- Lessons learned from real-world cyber incident exercises
-
TRACK B: ARCHITECTURE
-
14:05
Cloud & Identity Security: Guardrails for a Decentralised Workforce
Mohammed Hashim - Security Architect - Cloud Security Alliance Malaysia Chapter
- Showcasing how AI-driven cybersecurity enhances business resilience, operational efficiency, and customer trust
- Translating AI-powered security insights and threat intelligence into business-relevant outcomes for executive stakeholders
- Aligning AI-led security investments with enterprise-wide digital transformation and innovation strategies
-
14:30
The Art of the Socially Engineered Attack
Rahim Malek - Enterprise Sales Engineer - Abnormal AI
It's hard to believe that invoice fraud is even possible in this era of online payment, sophisticated accounts-payable systems and our heightened awareness of cybercrime. Yet, Australian businesses lost $152m to payment redirection scams last year - a 67% increase on 2023.
In this talk, I'll explore real-world examples of cleverly crafted socially engineered attacks - taken directly from the emails sent by threat actors to Australian businesses. Some were acted upon and the unbelievable conversation with threat actors will be revealed. We'll also take a look through the security analyst's lens and uncover ways you can identify these amazingly real-looking emails as fraudulent.
Generative AI and GPTs feature heavily in the threat actor's toolkit to create very real and convincing attack emails, so we'll review examples of how ChatGPT is being so easily used to not only create the socially engineered email but also perform extensive profiling on the target to ensure the attack is contextually relevant, personal and believable.
How do you transform to evolve your defences against this type of attack, especially when your supplier accounts could be compromised or look-alike domains are used? Is it worth pursuing a takedown? I'll cover the reality of these techniques along with other methods such as EFT payment verification and behavioural AI.
-
14:55
Architecting Compliance: Embedding GRC into Security Architecture
Ridzwan Mahdi - CA ANZ, CISA, CISSP - GRC Professional - Major Telco
Modern security architecture must go beyond technical defenses—it must also reflect an organisation’s governance, risk, and compliance (GRC) posture. This session explores how CISOs and architects can embed compliance and risk management into their designs, ensuring systems are secure, scalable, and aligned with regulatory and business requirements.
This session will discuss:
- Designing security architectures that account for compliance from the ground up
- Mapping risk appetite to architecture decisions for better resilience
- Avoiding “bolt-on compliance” by embedding controls directly into systems and workflows
- Balancing employee and customer experience with regulatory requirements in architecture choices
- Case studies: how organisations align security-by-design with Cyber Security Act 2024 compliance
-
15:20
Topic TBC
Senior representative - Vida Digital Identity
-
15:45
Passwordless Authentication: How Far Are We?
- Evaluating current adoption trends and technology maturity
- Understanding usability, privacy, and implementation challenges
- Balancing security needs with user experience across diverse environments
-
16:10
Zero Trust in Action: From Strategy to Real-World Implementation
- How leading organisations are implementing Zero Trust across hybrid and multi-cloud environments
- Breaking down real-world playbooks: identity, segmentation, continuous verification
- Overcoming resistance, complexity, and legacy system limitations on the path to Zero Trust
-
16:35
Teh Tarik & Networking
-
17:05
Closing Panel
Mapping Threats in 2026: From Ransomware to AI-Chaos
- Anticipating the next generation of ransomware, APTs, and AI-powered attacks
- Understanding how geopolitical shifts and AI misuse could destabilise security ecosystems
- Rethinking playbooks, tooling, and collaboration for the threat landscape of tomorrow
Moderator
Sivanathan Subramaniam - Group Chief Cybersecurity & Risk Officer - CTOS Digital
Panellists
Ebenezer Godomon - Deputy Director II (Cyber Security) - Sabah State Computer Services Department
Jeya Ganesh - CIO - Taylor’s Schools
Mohammed Hashim - Security Architect - Cloud Security Alliance Malaysia Chapter
-
17:35
Chair's Closing Remarks
Manmeet Mahinderjit Singh - Associate Professor - Universiti Sains Malaysia
-
17:40
Cheers with peers: Mocktails and mingle
-
18:30
Close of CISO Malaysia 2026