OCBC explains its multi-year roadmap to cyber resilience
Complete with unified command centre.
How much is cyber security and resilience worth? I don't know about other banks, but OCBC's investing very heavily into it.
When David Ng invited me to drop by OCBC's booth at GovWare, I wasn't expecting much, However, I came away really impressed by its focus on resilience and security.
Multi-year road map
OCBC has a multi-year programme to address evolving threats, and currently uses a 3-tier strategy adapted from the NIST Cybersecurity Framework 2.0:
- Cyber Defense Review (CDR).
- Risk Committees.
- Framework.
OCBC is in its 4th iteration, or CDR 4.0, where the plan is to maintain its level of security while improving user experience.
Some approaches used:
- Content Disarm and Reconstruction.
- Zero trust architecture.
- Immutable storage.
A unified command centre
To coordinate its entire IT assets, OCBC created a "Unified Technology Command Centre" with team members all sitting in the same room.
The three core teams:
- App and infra monitoring, control.
- Data center operations.
- Security operations.
I was told there are around 100 dedicated personnel, who work in three shifts for around-the-clock monitoring.
And there's even a commander empowered to call all the shots - exactly like in the movies.
I think the unified command centre is brilliant. Is a problem due to a cyberattack, an internal bug, or a failure in the data centre? Having everyone in the room eliminates finger-pointing and addresses problems quickly.
Infrastructure kill-switch
From what I can see, OCBC uses a mixture of virtualised and physical assets for its infrastructure. This is deployed in a private data centre in Singapore.
- HA architecture.
- Microservices.
- CDNs.
Everything is fully redundant (active/active) and wired to a kill-switch managed from the command centre.
This means the Commander can "kill" and lock out a compromised segment without impacting operations.
For greater resilience, there's also a backup data centre in Malaysia. I hear a 2nd command centre is coming soon.
A rising tide lifts all boats
Banks hardly share about their IT deployments. So, credit must be given where it's due. OCBC clearly believes in improving the cyber ecosystem by sharing its experiences.
I still remember when I first met David some years ago - as the moderator of a panel where he was a panelist.
Let's just say that when he shared how OCBC conducts its phishing tests, the room of hardened cyber professionals audibly went "wah".
Buy me a coffee and I'll tell you.