As the gateway to China and a global business nexus, Hong Kong's digital transformation isn't just an upgrade—it is its lifeline. But with great power comes great vulnerability.
The Office of the CIO is about protecting data while safeguarding Hong Kong's reputation as the unshakeable bridge between East and West. As Hong Kong cements its status as Asia's innovation powerhouse, our approach to resilience must be equally cutting-edge.
In the executive roundtable discussion, Operationalising Resilience: From Core to Cloud to Edge, industry practitioners, technology leaders, and experts addressed how they rise to the challenge and accelerate Hong Kong's digital transformation, not just adapting but leading the charge in this new digital frontier.
Business continuity and disaster recovery
A global IT outage earlier this year required robust business continuity strategies. Organisations must prepare for worst-case scenarios through regular drills and scenario-based planning.
Silvia Lam Ihensekhien, director of Information Security and Risk Management at Swire Coca-Cola, underscores the importance of regular testing. "No one is 100% prepared for it, but we need to understand the roles and responsibilities in case a security incident happens and what to do. The communication channel is essential as well," she said.
Another delegate to the roundtable noted that based on where you operate, which country, and so on, you put together your risk profile, and then, based on that risk profile, you create your business continuity plan (BCP).
Another delegate, a veteran chief information security officer based in Hong Kong, said, "Part of our resilience plan is to stop the spread of whatever's going on. Only then can we start switching to resilience, continuity, and the other options as the next phase."
Another CISO delegate acknowledged that they evaluate their BCP and Disaster Research Response (DR2) Program annually. He further elaborated that if the scenario is a cyber-attack, you trigger the incident response plans first before you do the containment and the remediation with the DR2.
Aside from DR, Zerto (an HPE company) underscores that organisations should also invest in cyber recovery. In a blog, Zerto differentiates the two concepts, explaining that DR focuses on system functionality while cyber recovery focuses on threat mitigation during recovery.
“For example, a DR plan for cyber security may restore servers after a system failure, but a cyber recovery plan ensures that those servers are secure, free from malware, and protected against future attacks,” it explained.
Further, the group believes responsible technology use involves evaluating new technology before deploying it in organisations.
One of the delegates to the roundtable, from financial services, conceded taking a cautious approach when implementing innovations, explaining, "whether this is the best practice we can gain from the market, or maybe the investment cost we made, whether we can get it done."
"IT has to be aligned with the customer's requirements. We make a lot of effort to understand where they are, their system landscape, and where they want to take the business," explained Juancho Jerusalem, head of Sales for APAC at Zerto.
Cyberattacks and resilience
Building cyberattack readiness and resilience is crucial for any organisation, especially in a dynamic environment like Hong Kong.
One of the delegates to the roundtable acknowledged that people as a cybersecurity vector is a worry. People may be professionals in their chosen field and industry, but not everyone is cyber-aware.
"We need to find a way to change that and give them the right tools, the right skill to spot out the phishing, make sure they have the muscle memory, more phishing exercise, and a lot of interesting campaign," he added.
Due to the number of their manufacturing plants, Swire Coca-Cola's Ihensekhien also prioritises operational technology (OT) security.
"As OT environments become increasingly connected to the internet, the risk to the OT continues to grow," she explained.
The information technology head of a Hong Kong-based investment holding company principally engaged in the chemical business revealed that because their company manufactures chemicals in China, operational technology is a primary concern. "If we can't maintain production, our contract agreements are at risk. Failing to produce could lead to significant penalties for us."
Data protection and privacy
Data breaches can be catastrophic. CIOs must safeguard sensitive information, implement encryption, and educate employees on data handling best practices.
When asked if technology leaders feel confident in their current data protection strategy against potential attacks, the head of Information Technology for a leading local contractor and property developer conceded such a situation is not ideal: "However, in our industry, the importance of data isn't on par with sectors like finance or banking."
While Ken Lee, deputy GM of Innovation at Bank of China (Hong Kong), believes the bank's data protection strategy is robust enough, he was quick to underscore the importance of continually educating users.
How do technology leaders balance data utilisation and privacy concerns? The group acknowledged the difficulty, if not the impossibility, of achieving balance.
Michael Mok, head of Infrastructure at Anglo-Eastern, concurs, adding: "There is no balancing. Personally Identifiable Information (PII) always rules. All new systems must be designed with data masking and proper encryption. When properly configured, you should still be able to access the data and analyse it without any privacy concerns."
The section head of Data and Analytics at a statutory body agreed, commenting: "We gather data from companies around the world and store it in our data centre. We then apply business intelligence tools as part of our analysis process."
Technology leaders must choose appropriate vendors and products to protect privacy and data. As many vendors approach them offering solutions, there are things they wish their vendors knew.
To this, the delegate from one of the largest insurance companies in Hong Kong emphasised the importance of vendors grasping their customers' issues and pain points.
"There are countless vendors and products in a crowded market. Time is invaluable, so it's crucial to understand the pain points and the underlying problems. Only then can you offer a targeted solution or an integrated approach to address those challenges effectively," he explained.
Zerto’s Jerusalem agreed, adding, "It all boils down to building relationships, understanding the key metrics and pain points, and being humble enough to walk away when you recognise that you are not the solution of choice."