Panel Discussion: Cybersecurity in a Hyperconnected World: Why Everything Is Now a Target

The modern enterprise is a web of connections: cloud services, legacy OT systems, employee-owned devices, and AI-powered tools all communicating in real time. The result is unprecedented efficiency, but also a sprawling attack surface. As the panel discussion “Cybersecurity in a Hyperconnected World: Why Everything Is Now a Target” at a recent Singapore conference made clear, the old rules of perimeter defence no longer apply. Instead, security leaders must embrace a philosophy of radical visibility, risk-based layering, and proactive adaptation to threats ranging from shadow AI to quantum decryption.

The session was moderated by Neha Malhotra, Chair of the Global Achievement Award review committee at (ISC)². She was joined by three distinguished panellists: CW Wang, Head of Cybersecurity at PLTPRO Data Centre; Dennis Chan, Chief Security Officer at Huawei International; and Yaron Slutzky, CISO at Agoda. Together, they offered a masterclass in modern cyber resilience.

Start with Visibility and Business Alignment

For a new CISO, the first 90 days are critical. Dennis Chan of Huawei International stressed the non-negotiable need for complete asset visibility. You cannot protect what you cannot see, and hidden risks, such as forgotten legacy servers, are the entry points attackers love. Yaron Slutzky, CISO at Agoda, reinforced this by urging a formal risk assessment to identify organisational weak points before any strategy is written.

However, visibility alone is not enough. CW Wang, Head of Cybersecurity at PLTPRO Data Centre, advised new leaders to learn how their industry operates. Identify the profitable divisions; those are your critical assets. Your governance programme must prioritise their protection, even while accounting for the wildly different lifecycles of hyperconnected systems, from brand-new cloud instances to ten-year-old OT equipment.

This groundwork directly supports budget conversations with the board. Dennis Chan noted the importance of knowing your board members’ level of cybersecurity understanding. In Singapore, the Cyber Security Agency (CSA) recommends cyber-aware directors for critical infrastructure firms. Presenting clear vulnerability assessments helps justify the investments needed in people, processes, and technology.

Integrate Compliance with Business Enablement

Yaron Slutzky emphasised balancing compliance requirements with enabling fast business delivery and revenue growth. Security strategies need to be documented and communicated clearly to gain buy-in from both business and board stakeholders. An early focus on understanding the compliance landscape relevant to the organisation is critical for effective risk management.

Security Architecture in a Fragmented World

When systems are fragmented across cloud, edge, IoT, and on-premises environments, a uniform control framework is impractical. The panel offered a layered way forward.

First, adopt zero trust and disciplined device management. Human factors remain the weakest link, so apply zero trust architecture and use Mobile Device Management (MDM) tools for Bring Your Own Device (BYOD) policies. Enforce security rules consistently across all branches.

Second, apply risk-based protection tailored to specific threat actors. Yaron Slutzky argued that you must understand your own attack surface before building controls. A financial firm’s risks differ from a utility’s. While traditional tools like EDR and firewalls remain essential, they must be complemented with AI-aware defences.

Third, for converging IT and OT environments, isolation is your best friend. CW Wang described merging these worlds under a common governance framework using standards like ISA/IEC 62443. But because legacy OT systems often cannot be patched without risking operations, compensating controls are vital. Network segmentation, dedicated OT firewalls, and zero trust platforms can isolate critical infrastructure, preventing up to 90% of potential attacks. Dennis Chan expanded the OT definition to include home routers; a compromised home router can fuel a botnet that attacks corporate IT systems. This is why Singapore’s CSA now recommends minimum cybersecurity standards for home routers.

Yaron Slutzky stressed monitoring permissions, logging access, and detecting anomalies in OT device connections. Isolation plus compensating controls provide practical protection when patching is not feasible, reducing operational risk in critical infrastructure like water and electricity.

Third-Party Risk and Supply Chain Security

Your security is only as strong as your weakest vendor. The panel was unanimous on this point. Dennis Chan explained that his company requires third parties to hold certifications like ISO 27001 or CSA CyberTrustmark. Cybersecurity clauses are embedded in supply contracts, and a scoring system tracks vendor responsiveness to vulnerabilities, directly influencing procurement decisions.

Yaron Slutzky advised limiting vendor API permissions and monitoring their queries to reduce sensitive data exposure. For installed software, disable auto-updates to prevent untested or malicious versions reaching production; offline versions are preferred to allow thorough testing first. CW Wang highlighted the need for a shared responsibility model across customers, suppliers, and cloud providers. Contracts must include audit rights, and managing third-party risk requires collaboration between legal, technical, and government teams.

Managing Shadow IT and AI-Driven Risks

Unapproved IT use, or shadow IT, is a perennial challenge, but AI has intensified it. Yaron Slutzky described a practical solution: centralise AI token management. By consolidating all AI service tokens through a gateway, you control authentication and track usage. Furthermore, deploy endpoint agents on user devices to observe AI prompts and responses. Platforms like Claude offer hooks to enforce policies, such as blocking personal accounts or restricting access to certain services. Yaron noted that responses must vary depending on whether shadow IT involves production systems or individual devices; controls must be adapted to balance security with user productivity and innovation.
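As an added illustration of the centralised token gateway described above (not code from the panel or from any vendor), the sketch below rejects requests that carry a personal provider credential, attaches the centrally held token for approved services, and records usage per user. The team and service names, the headers treated as credentials, the placeholder tokens and the two response levels are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed policy and vault; service names and token values are placeholders.
APPROVED = {"engineering": {"code-assistant", "chat-llm"}, "finance": {"chat-llm"}}
VAULT = {"code-assistant": "PLACEHOLDER-TOKEN-A", "chat-llm": "PLACEHOLDER-TOKEN-B"}
CREDENTIAL_HEADERS = {"authorization", "x-api-key"}  # assumed credential carriers

@dataclass
class Request:
    user: str
    team: str
    service: str
    headers: dict = field(default_factory=dict)
    production: bool = False  # True when the caller is a production system

@dataclass
class Decision:
    allowed: bool
    reason: str
    response: str  # "forward", "notify-user" or "escalate"
    upstream_headers: dict = field(default_factory=dict)

class Gateway:
    def __init__(self):
        self.usage = Counter()  # (user, service) -> number of forwarded calls
        self.audit = []         # (user, service, allowed, reason) for every request

    def decide(self, req: Request) -> Decision:
        own_creds = CREDENTIAL_HEADERS & {h.lower() for h in req.headers}
        if own_creds:
            reason = "client supplied its own provider credential"
        elif req.service not in APPROVED.get(req.team, set()):
            reason = "service not approved for this team"
        else:
            reason = ""
        if reason:
            # Denials on production systems are escalated; on individual
            # devices the user is pointed to the sanctioned route.
            response = "escalate" if req.production else "notify-user"
            decision = Decision(False, reason, response)
        else:
            # Only the gateway ever holds the provider token.
            upstream = dict(req.headers)
            upstream["Authorization"] = "Bearer " + VAULT[req.service]
            self.usage[(req.user, req.service)] += 1
            decision = Decision(True, "approved", "forward", upstream)
        self.audit.append((req.user, req.service, decision.allowed, decision.reason))
        return decision
```
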

Preparing for Quantum Risk

The quantum computing threat is real, but not immediate for most organisations. Dennis Chan identified the financial sector as the highest risk right now, due to attackers harvesting encrypted data today for later quantum decryption. While “Quantum Day” (when quantum computers break current cryptography) is uncertain, it is expected in the years ahead.

Preparations should begin now. Adopt post-quantum cryptography (PQC) and explore quantum key distribution (QKD). Fortunately, vendors are starting to support PQC algorithms through software updates, reducing the need for hardware changes. Legacy equipment may require dedicated encrypted devices. Organisations should assess vendor roadmaps and plan technology refreshes within the next two to three years. Meanwhile, Yaron Slutzky noted that internet companies are reducing certificate lifespans to prepare for quantum threats. New client-server encryption models and sidecar proxies are under development to secure communications. The panel concluded that quantum risk is compounded by AI capabilities, but broad impact is expected beyond 2026; waiting is not an option.

Final Takeaways for the Modern CISO

The panel left the audience with a clear action plan. First, achieve full asset visibility within three months. Second, align security strategy with business profit centres, not just compliance checklists. Third, engage the board by speaking their language: risk and budget justification. Fourth, layer your defences for IT, OT, and AI specifically, not as an afterthought. Fifth, write third-party cyber risk into every contract and monitor it continuously. Finally, start your quantum readiness journey today, not on the eve of “Quantum Day.” In a hyperconnected world, everything is a target. Your job is to prove that nothing is a secret entry point.
