When we think of McAfee, the first thing that springs to mind is its controversial, if not peculiar, founder John McAfee. Asked in 2012 if he used the famous anti-virus that bears his name, he answered that he takes it off as “it’s too annoying”.

But despite the unfortunate words of the company’s father, McAfee is one of the leading cybersecurity and computer security software companies in the world.

Owned by Intel from 2011 to 2017, today McAfee is an independent company with more than six thousand employees and operations all around the world.

In an exclusive interview, Ian Yip, Chief Technology Officer, APAC, of McAfee spoke to CIO Asia about cloud implementation and the cybersecurity risks involved with it.

What can organisations do to manage security risks when using the cloud?

According to a study conducted by the anti-virus company, 97% of organisations are using some form of cloud service.

However, the same study also found security incidents to be pervasive, with more than 25% of organisations surveyed having experienced data theft, and 1 in 5 having experienced an advanced attack against their public cloud infrastructure.

Although migration to the cloud is helping CIOs and IT executives around the world in their digital transformation journeys, Ian Yip warns against jumping into it hastily without the necessary maturity, which he thinks can be the case for some Southeast Asian countries.

“One of the key risks is going too soon without having the due diligence in place to evaluate the risks that you are exposing yourself to”, he said. “There are lots of benefits of using the cloud but there’s a huge danger from a cybersecurity standpoint and the cyber risks standpoint of going too early.”

With data breaches and cyberattacks becoming more frequent and sophisticated, organisations need to be particularly careful when using the cloud.

To manage the security risks involved, Yip says, you first need to understand what kind of data you are storing in the cloud.

“Without understanding what data you are going to hold in the cloud, you make it very difficult to prioritise your cyber defences because ultimately, cyber risk should be driven by what you are trying to protect from a data standpoint and from an asset standpoint”, he continued. “In the cloud the most important asset you are protecting is sensitive information”.

Once the risk profile is understood, he explained, you should focus on your cyber defences, as the impact of an attack will differ depending on the information you have in the cloud.

However, Yip takes a realistic view of the threat of cyberattacks and thinks that rather than aiming to avoid data breaches at all costs, organisations should focus on reducing the risk and the impact.

“In an ideal world we would avoid all data breaches and all cybersecurity incidents”, Yip told us. “I think the pragmatic view of it is organisations should primarily aim to reduce the impact of a cybersecurity incident. It’s a very dangerous thing to say we can avoid all cybersecurity incidents - in reality, you are deluded.”

He also added: “If the cybercriminals and attackers want to get in, by and large they have very good chances of getting in. But the better your cyber defences are, the better you are reducing the risk and the impact if and when something happens.”

What to do in the event of a cyberattack?

Asked what advice he would give to fellow colleagues and IT directors when things go really wrong and hackers succeed in their criminal activities, Yip advocates transparency and communication.

“The top thing to be aware of, or to stick to, is to be transparent”, he said.
“If you look at it historically, the best ways to handle incidents is the more transparent you are the more you are able to maintain a level of trust. Obviously, every time there’s an incident, trust in your organisation goes down. But the most transparent and communicative organisations tend to reduce the financial impact of that incident.”

Yip thinks that initiatives like the European Union's General Data Protection Regulation (GDPR) or privacy laws in Singapore and Australia are positive government moves that force organisations to behave responsibly and do the right thing for citizens and consumers.

“I think legislation is important because as much as we like to say security is vital, in reality, businesses are dealing with a lot of priorities and they only have a certain amount of budget to spend on some set of things that they would ideally not have to spend on”, Yip said.

“Obviously legislation alone is not enough but it’s definitely a good starting point to bring the level of visibility and importance for cybersecurity, for cyber risk, for privacy up to the right levels of the organisation so that they spend accordingly to address those risks”, he added.

Is emerging tech impacting cybersecurity?

Emerging technologies are influencing the way businesses work, affecting their workforce and disrupting operational models.

There’s a lot of buzz coming out of that field, but rather than simply following the trend, CIOs and other technology leaders should ask themselves how the implementation of emerging tech can benefit their work.

For Yip, unless there’s a good reason to use disruptive tech, organisations should play that card with caution. As an example, he uses blockchain, where he sees a downside in performance and efficiency.
In conversations with clients, Yip and his team challenge them to consider whether blockchain is the best technology to solve their problems or whether there are more efficient ways to do so.

“I think blockchain holds a lot of promise for technology as a whole but it’s still very early in the blockchain journey, particularly when we are talking about cybersecurity,” he said. “The very first question people should ask when trying to apply blockchain in cybersecurity is ‘do you really need blockchain?’. There are other ways of solving cybersecurity problems that don’t require blockchain, like encryption, databases and public key infrastructure (PKI) type solutions, identity and access.”

When it comes to cybersecurity, emerging tech is a double-edged sword as it can help both defenders and attackers. That’s the case with artificial intelligence (AI) and machine learning, both of which McAfee uses and in which it is investing heavily in research and development.

“AI, machine learning and deep learning can help both the attackers and defenders through the ways it can be applied to detect, alert and respond to cyber incidents,” Yip explained. “It’s a bit of cyclical arms race if you like, to be able to use AI for both good and bad purposes.”

According to the CTO, there are two key factors to remember about AI and machine learning in this “arms race”. The first is that all the algorithms are important. The second is to have huge amounts of data on which to train the algorithms.

Yip explained that McAfee has vast amounts of data that are used on an ongoing basis in its technology to make sure that the security software company is in the best place to detect and respond to the ongoing threat.

Should companies hire hackers to test their cybersecurity defences?

Yip is clear in his answer: yes.
But he is referring not to the hackers-for-hire lurking on the dark web but to the so-called ‘white hat’ or ‘ethical’ hackers.

“I think it’s a good idea to hire white hat hackers, not the bad guys!”, he told us. “I would stay clear of using the bad guys to help to defend your company. But there are a lot of white hat hackers who are in it - the main difference is ethics and the goals they are trying to achieve. White hat hackers are just as clever as the bad guys but they are in it for the good of society and the good of businesses.”

Not only that, but he also thinks that hiring white hat hackers should be done regularly to find any vulnerabilities that systems have.

In fact, that’s standard practice at McAfee, where they employ white hat hackers to make sure that their environment is secure and also to help some of their customers to find and fix vulnerabilities in their environment.