
PPWG (Protection Profile Working Group) Workshop at the Lexis

On the 10th – 11th October 2013, we had a meeting of all the Protection Profile Working Groups (PPWG) in Lexis Hotel, Port Dickson.

The PPWG is an initiative under Thrust 3: Cyber Security Technology Framework of the National Cyber Security Policy (NCSP), which in turn is to address cyber risks pertaining to Malaysia’s Critical National Information Infrastructure (CNII). Four PPWGs were established:

1. Data Protection

2. Network Devices

3. Application

4. Smart Card and related devices

The idea behind this was to set up standards and frameworks for developers to adhere to, to ensure information security is embedded in the system, instead of tacked on. We are, in all aspirations, like the National Institute of Standards and Technology (NIST) in the US.

PKF Avant Edge was formally invited at the beginning of this year to be part of the PPWG3 group, comprising representatives from MIMOS, Cybersecurity, IRIS, Bank Negara and a few other private companies. In our first meeting, there were several representatives from the industries aside from the ones named above; but by the time this workshop rolled in, and after several iterations of all-day meetings to discuss the standards and protection profile for banking applications, we were the only ones left.

The idea behind PKFAE’s participation and our continuous support for the PPWG is not so much for profit as for our philosophy. We don’t get anything out of it. The meetings are all day, 9 – 5 in Technology Park, in MIMOS’ HQ, and PKFAE’s representative is the managing director himself, not any other member of the company. So from a time-cost perspective, it doesn’t really make too much sense for us to be part of it. But our philosophy has always been to balance profitability and responsibility. These are the reasons why we give free workshops on the Personal Data Protection Act and project management; why we give free talks and industry contribution to universities; why we spend time engaging the government and educational societies in bringing information security awareness: we don’t get paid at all, and yet we do it. The underlying idea is to contribute back to the industry in which you are part of. If not in charity or donations, then in time and value. It does sound utopian, but we started the company with these basic tenets, so why not just continue on?

As such, aside from the government agencies, we are one of the few, if not the only, consulting firms participating in our PPWG. It takes a lot of hard work and sacrifice, as well as doing something without any fees. We are not looking for any reward, but simply see it as something we need to be part of, as the basic form of our existence.

Once in a while, it’s still nice to get away from it all to Port Dickson, of course.

Good View from my room

Session ongoing from one of the PPWG

PKF Avant Edge in the ASEAN Financial Institution Conference Hanoi

I was invited to attend the 2013 ASEAN Financial Institution Conference in Hanoi as one of the speakers. My presentation (done in a video scribing mode) was on “Navigating the PCI-DSS Journey”. It was a topic close to the heart of course, with many of our clients either undergoing PCI-DSS or starting the PCI-DSS journey.

Overall, it was a great experience. I went with my Project Management Director, CB Chan, and met up with our PKF colleagues in Vietnam, who also joined us in the conference. We managed to not just meet with other technology partners and conference speakers, but also representatives from other banks in Vietnam.

As always, networking is vital for the survival of our business. The experience itself was an added bonus as Hanoi was a bustling city packed with motorbikes and people.

Possibly not the most photogenic people (we are technologists and accountants after all, not models) but we’re still proud of our little space for consultation and advisory.

Aside from those listed, where PKF is proudly the only consultation and advisory firm, Cybersecurity and MDEC were also represented from the Malaysian contingent.

Other mugshots we had:


PKF IT Opportunities

One of the main reasons we moved the IT advisory function out of internal audit was the fact that IT encompassed so much more than just doing an audit.

I believed in the exponential growth of IT based on the simple belief: IT is integral to efficient and effective businesses. Businesses that do not leverage on IT will go nowhere. So it only makes sense that IT will get more complex and more critical as each year goes by.

Back in 2010, PKF Malaysia realised this pattern. By staying stagnant and doing what the other firms were doing (Internal Auditors doing IT audits), we were going to simply die off. The first thing we realised was that, while Internal Auditors were OK doing IT audits, these were two different animals. We didn’t want to do checklist audits. We didn’t want someone doing IT audit who didn’t even know what the heck an AAA server was or how to do a simple VLAN config on a Cisco router. We didn’t want someone who would go up to the Audit Committee and put someone else’s career at stake by giving ridiculous recommendations and reports, based on ‘previous experience’ and ‘industry best practices’, when they don’t even know head or tail of what Active Directory is used for, or the basics of DNS poisoning or IP spoofing. We needed serious technical people who have been on both the customer and consulting end, and we needed to separate from the Internal Audit group... simply because we want an audit to be done differently.

We moved quickly into ISO27001 (ISMS) and PCI-DSS, we went through ISO27005 for risk assessment, we did COBIT 4.1 training and enablement and got everyone at least CISA certified. Most of us, like me, have multiple certs, for instance in IT forensics, IT ethical hacking, IT management, Project management and so forth.

We moved quickly to obtain MSC status to be a serious player in 2011, and we started strategic collaborations for different purposes. We joined workgroups with government and private agencies, opening channels to MOSTI, MIMOS, Bank Negara and so on, to conduct knowledge sharing sessions. For free. I am a great believer that contribution back to the industry should be done as part of our professional duty, and not as an engagement service.

So here we are, at the precipice of change. PKF itself has undergone some tremendous changes over 2012 and 2013. This week, we had our PKF Asia Pac Conference, where different countries got together, to explore different areas and opportunities. We’re excited, as we see the work we’ve done in the past 3 years to build our knowledge and reputation, possibly coming to fruition. I am also a big believer that PKF requires an IT function regionally. There should be a Center of Excellence, not just to do IT audit but to do Technical Services like penetration testing and forensics, or troubleshooting and service management; and also project management.

This is where we are. We still have a long way to go, but with the extension of our services into the other firms in PKF, we’re set to stay for a long while.

Here is the link to the presentation we did to the other PKF Firms last week.

PKF Avant Edge – Partner Presentation

Are we a biscuit company?

When our IT consultancy group first joined up with PKF, one of the first things we did was to check if pkf.com.my was taken up. We had pkfmalaysia.com running already. Unfortunately this is where things got tricky: pkf.com.my was already taken up by a biscuit company. Hence, I suppose this is where we get a lot of “Are you a biscuit company?” queries. There’s nothing much to be done about it, but when pkf.my first became available, we snapped it up and set up a forward to our main site.

I was speaking to a company that handled domain services last week, over a nice lunch, and one of the things they do is called “Digital Branding”. A simple form of it, in DNS speak is to ensure that your branding on the net doesn’t get devalued against anything that attaches itself to your name. It sounds like a simple service, but it’s really a critical one.

When Pope Francis was chosen to lead the 1.2 billion Catholics in our world recently, he was viewed as a breaker of tradition. He asked the crowd to pray for him instead of blessing them. He refused to stand on a podium, instead standing together with his bishops and cardinals. He tweeted. He started a blog called www.popefrancis.com. Oh wait, that’s taken. Popefrancis.org… oh nuts, it’s squatted by a blog. Popefrancisi.com? Wait, taken as well. A whole pile of popefrancis names with the top level domains .uk, .de, .be, .net, .tv all taken. The good news is that popefrancis.my is available. He should set up his site on our .my domain. It’s opportunistic. Sometimes, a $20 investment can get you around $3000 to $5000. Who wouldn’t want it?

Or what about the long drama between Nissan Motors and www.nissan.com? Nissan is actually a Jewish name. In the Bible, there’s reference to Nissan as a month in the Hebrew calendar. If you go to www.nissan.com you can read the drama on how Nissan Motors tried flexing its corporate muscles to bump this guy running a computer shop off the nissan.com domain. It’s a David and Goliath scenario, except the Goliath here is Japanese… who is half French.

So back to digital branding. As we become more and more dependent on the internet as the main source of information, it’s important to look at the simple stuff like this. For the Pope and Nissan, they dropped the ball. For PKF, I’m just glad that pkf.com.my is a biscuit company and not some sort of porn site.
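The "simple stuff" in digital branding is mostly knowing which names around your brand exist and who holds them. The script below is an added example, not code from the post or from PKF: it builds a watch list of a brand label across the TLDs the post mentions (plus a few common typo forms such as the trailing-letter popefrancisi.com case), then sorts each name into owned, taken (resolves in DNS, so someone has registered it) or available (worth registering defensively before a squatter does). The brand name, the TLD list and the offline `fake_resolver` data are constructed for illustration; `dns_resolves` is the live check you would plug in instead.

```python
"""Brand-protection watch list: enumerate lookalike domains for a brand and
classify which already resolve (held by someone) versus which are still free
to register defensively.

Added example. The brand, TLD list and FAKE_TAKEN data below are constructed
for an offline demonstration and are not data from the original post.
"""
import socket
from itertools import product

# TLDs the post lists as squatted for "popefrancis", plus .my and .com.my.
DEFAULT_TLDS = ("com", "net", "org", "uk", "de", "be", "tv", "my", "com.my")


def typo_variants(label: str) -> set[str]:
    """Common typo forms of a brand label: one letter dropped, two neighbours
    swapped, one letter doubled, and a trailing 'i' (the popefrancisi.com case)."""
    variants: set[str] = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])   # doubling
        if i + 1 < len(label):                                   # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.add(label + "i")
    variants.discard(label)
    variants.discard("")
    return variants


def watch_list(brand: str, tlds=DEFAULT_TLDS, include_typos: bool = True) -> list[str]:
    """Every domain a brand owner should keep an eye on: the exact label on each
    TLD and, optionally, each typo variant on each TLD."""
    labels = {brand.lower()}
    if include_typos:
        labels |= typo_variants(brand.lower())
    return sorted(f"{label}.{tld}" for label, tld in product(labels, tlds))


def dns_resolves(domain: str) -> bool:
    """Live check: a name that resolves to any address has almost certainly
    been registered by someone."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def classify(domains, resolver=dns_resolves, owned=()) -> dict:
    """Split a watch list into 'owned' (ours), 'taken' (resolves but not ours)
    and 'available' (does not resolve; candidate for defensive registration)."""
    owned_set = {d.lower() for d in owned}
    result = {"owned": [], "taken": [], "available": []}
    for d in domains:
        if d in owned_set:
            result["owned"].append(d)
        elif resolver(d):
            result["taken"].append(d)
        else:
            result["available"].append(d)
    return result


# Constructed offline resolver: pretend these names already resolve, matching
# the post's description of which popefrancis names were taken.
FAKE_TAKEN = {
    "popefrancis.com", "popefrancis.org", "popefrancis.uk", "popefrancis.de",
    "popefrancis.be", "popefrancis.net", "popefrancis.tv", "popefrancisi.com",
}


def fake_resolver(domain: str) -> bool:
    return domain in FAKE_TAKEN


if __name__ == "__main__":
    # Swap fake_resolver for dns_resolves to run this against real DNS.
    report = classify(watch_list("popefrancis"), resolver=fake_resolver)
    for bucket, names in report.items():
        print(f"{bucket} ({len(names)}): {', '.join(names)}")
```

Run periodically, the "available" bucket is the registration shopping list and any name that moves from "available" to "taken" is the alert: someone has just attached themselves to your brand. A resolving name is only a hint that it is registered (parked names resolve too, some registered names do not), so the next step in practice is a WHOIS or RDAP lookup on the "taken" set.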

So who’s holding your cheese?

Years ago, when I was starting out, I was given a book by my eventual father-in-law (though I didn’t know it at that time) called “Who Moved My Cheese?”. It’s a fascinating look at change management and pre-set my mind into what I am now in some respects: that change is Good. That change is Needed. That change should be Anticipated. I was a young rat then, entering into the race, and now a dozen years after reading that book, it still resonates somewhat in me. That change is great.

You can change a situation and not change a person. For instance, you might know someone who got retrenched. His situation changed. His cheese was taken away. But like some of the characters in the story, he sat down and mooned over his situation. Or you can change a situation and change a person. Someone else adapted to the situation and changed his mindset to address the new situation. Better yet, if you anticipate the change, and start moving before even your cheese is finished. The last part is certainly the hardest. This is mainly not due to our resistance to change, but to our comfort of the status quo.

Imagine we go to work every day, with a set routine, and do things from 9 to 6. When we’ve gone home, we spend time with family, watch our favourite show and crash for the night. Deep in our thoughts we have made up our mind to study a new system, or a new language, or develop a new methodology for IT risks, or even to diversify our income channels by going into investments. But we always say, well, not this day. And as the famous phrase from Scarlett O’Hara goes: “After all, tomorrow is another day.” The phrase of optimism and hope has turned the next generation into a generation of procrastinators, because ‘tomorrow’ is only a day away and we can do it tomorrow.

For an organisation such as ours, the inability to change is to die. The inability to anticipate is to be stagnant. The inability to innovate is to be left behind. The absence of evolution is the certainty of extinction. It might sound melodramatic, but it’s never so prominent in our case, in IT services.

We need to anticipate in two dimensions. The first is in the current product: the service, the input, the output of our sweat, our efforts, our WORK. How do we do the things we are doing better? How do we improve on the things we are currently selling? The second dimension is in future ideas. I personally don’t believe in a Blue Ocean. I believe that whatever we do, there is no such thing as impregnable barriers to entry. With that in mind, I do believe in not just doing things differently, but doing different things. Especially in IT, what are some of the future services we can anticipate? What happens when our IT audit and compliance cheese is finished? Which direction do we move in?

2013 will be, in a lot of aspects, a year of anticipated change. With more focus on security, we are looking at areas that previously have been ignored: the understanding of big data, the movement into mobility, the virtualisation of the workspace.

Are we ready to move from our cheese station this year?


© 2024 PKF AvantEdge
