“I put governance around information security,” said Surrey Mui. “We’re not security guards: we enable business to do things in a secure way, and if there’s a problem, we need to come up with solutions for the business to consider.”
Mui has spent two decades in banking, including 13 years at J.P. Morgan as well as stints at BNP Paribas, RBS and insurer AIA. She joined Credit Suisse earlier this year as chief information security officer for both Asia Pacific and the business delivery center.
Some of her biggest projects involved offshoring and outsourcing, the trend in the early 2000s, which she learned was far more than a technical job. One project, moving applications' single sign-ons to an external team, involved many business tasks. “It was about both technology and people,” she said. “A simple security project is actually a complex management issue.”
Today her priorities include security for all aspects of information and data: chatbots, identity controls, who can access information and how, risk assessment, supporting trading systems, and staying on top of ever-changing regulation. And that’s on top of her primary duty of ensuring the bank understands and protects itself from cyber threats – not just from external hackers but sometimes from within.
“We need to understand technology in order to find potential vulnerabilities, and provide advice to the business,” Mui said. “One piece of tech connects to other apps and systems, upstream or downstream, or externally. Take a client transaction: how does the data flow, what are the key security elements?”
The reality is there is always going to be a weak spot, and banks can’t know each one. “Cyber-security isn’t just the tech and the information,” Mui said. “It’s your reaction and recovery.”