Asia's banking sector stands at a digital crossroads, characterised by rapid adoption of mobile finance, digital wallets, and open banking APIs. This hyper-connectivity, while driving financial inclusion and growth, dramatically expands the attack surface for cyber threats.
For security leaders in the region, the challenge is twofold: defending against globally coordinated threats such as sophisticated ransomware and data exfiltration, while navigating a complex patchwork of domestic data sovereignty laws and stringent regulations from bodies such as the Monetary Authority of Singapore (MAS).
The operational reality for 2025-2026 is that resilience is the new benchmark. Success will be measured not by preventing every breach, but by ensuring critical banking services, such as cross-border payments, remain operational during an attack, requiring a strategic shift from pure defence to proven business continuity under fire.
SecOps: The conduit between strategy and action
The role of a Global Head of Cybersecurity Operations is fundamentally the command-and-control function for an organisation's digital defence. It entails the 24/7 management of the Security Operations Centre (SOC), overseeing threat detection, incident response, digital forensics, and threat intelligence. This role is tactical and operational, focused on the "here and now" of cyber threats.
"I support the bank's information and cybersecurity strategic plan that underpins our ability to operate securely across 54 markets," begins Lavy Stokhamer, global head of cybersecurity operations at Standard Chartered. "This includes global detection, analytics, response, data and AI security, FUSION (our cyber defence centre) and cybersecurity resilience."
In an exclusive interview with FutureCISO, Stokhamer says cybersecurity ops are central to the bank's strategy: enabling trusted cross-border payments and protecting the growing base of affluent and private clients. "As clients move wealth and data globally, our mission is to safeguard every transaction and interaction with the precision and trust the bank is known for," he continues.
The link to the CISO is direct and critical. The CISO sets the overarching cybersecurity strategy, policies, and risk appetite, which are approved by the board. The Global Head of Operations is responsible for executing that strategy.
They translate the CISO's risk-based directives into actionable security controls, monitoring, and response playbooks. They provide the CISO with the ground truth through metrics on incidents, response times, and control effectiveness, enabling informed strategic decisions and board-level reporting.
In essence, the CISO defines "what" needs to be protected and "why," while the Head of Operations builds and leads the team that determines "how" to protect it and "who" responds when a defence is breached.
"Cybersecurity ops today function a lot like air traffic control, operating across multiple skies at once, balancing automation with human judgment, and continuously managing trust in motion. The difference is that our 'runways' now stretch across a fast-expanding digital footprint - from clouds, APIs to global data streams." Lavy Stokhamer
Assume breach: Measuring real-world readiness
The assume breach principle holds that a system will eventually be compromised, shifting the focus from solely preventing attacks to detecting, responding to, and recovering from them.
IBM estimates that the global average cost of a data breach is around US$4.4 million – a 9% decline from the previous year, with IBM attributing this to faster identification and containment.
Stokhamer reveals that Standard Chartered's "Assume Breach" philosophy ensures that the bank remains prepared for any scenario.
"It's not a slogan, it's a discipline. We treat cyber readiness like elite sports training, built on repetition, precision, and instinct under pressure," he continues. He reiterates that every drill sharpens response speed and teamwork, so when the real game begins, execution feels natural rather than reactive.
"We reinforce this through continuous purple-team simulations, real-world threat emulation, and automated red-vs-blue exercises," he elaborates.
Key metrics such as Mean Time to Detect (MTTD) and Mean Time to Remediate/Respond (MTTR) are measured in minutes, not hours. "AI-augmented analytics and attack-path modelling enhance situational awareness and speed, while human judgment ensures precision and adaptability," elaborates the bank executive.
"Balancing automation with human insight remains key as we build integrated, data-driven defence capabilities within the enterprise's digital ecosystem." Lavy Stokhamer
Use regulations to build genuine resilience with recovery
Stokhamer insists that regulatory cybersecurity resilience is not about compliance; it's about assurance. "We continuously validate recovery readiness through full-stack war games, simulating concurrent cyber and operational crises to test coordination under pressure. Our guiding principle is to 'recover to trust,' not merely 'recover to service.'"
"Moving from siloed tools to unified, data-centric platforms enables faster orchestration, stronger assurance, and closer alignment with both regulators and enterprise priorities," concludes Stokhamer.
Extending visibility
The globally connected economy brings both risks and opportunities. This was evident in the SolarWinds attack of 2020, which leveraged compromised software to infiltrate government and corporate networks, affecting approximately 18,000 organisations, including financial firms.
"We apply continuous external attack surface monitoring and AI-driven threat correlation to detect abnormal vendor activity," says Stokhamer.
He acknowledges that as ecosystems become more interconnected, shared visibility and accountability are essential.
"Through a platform-driven, AI-enabled approach, we embed third-party monitoring into our architecture, building a scalable, intelligent ecosystem supported by joint playbooks and real-time collaboration with partners. This connected model strengthens collective resilience across the value chain," says Stokhamer.
The exfiltration blind spot
Data exfiltration is the transfer of confidential information out of a computer or network. The cost of recovery, regulatory fines, and potential legal action from the affected parties can lead to massive losses for an organisation.
According to SentinelOne, data exfiltration is becoming a preferred tactic among cybercriminals, with a 64% increase among surveyed respondents compared to 46% previously.
Stokhamer says: "As data becomes the new currency of trust, protecting its movement and integrity is core to our mission."
To counter the threat, he revealed the use of "behavioural analytics and anomaly detection to identify large or unusual data movements before encryption or staging begins. As data volumes and encrypted traffic grow, alerting precision becomes critical.
"The rise of AI models introduces new challenges, ensuring AI systems and models are secure, transparent, and resilient against manipulation. Together with the bank's Chief Data Office teams, governance frameworks and controls are designed to uphold client-centricity, accountability and assurance as data-driven ecosystems scale," elaborates Standard Chartered's global head of cybersecurity operations.
Investigating within the lines
In recent years, Asian businesses have faced escalating cybersecurity risks, particularly around cross-border data transfers, amid rising geopolitical tensions and increasingly sophisticated cyberattacks such as ransomware and supply chain breaches.
Countries such as China and India enforce stringent data localisation laws that mandate the storage of sensitive information within their borders, boosting compliance costs but enhancing privacy. To navigate this, firms adopt privacy-enhancing technologies such as advanced encryption and AI-driven monitoring, fostering secure regional collaborations while adapting to fragmented regulations to sustain digital growth.
Stokhamer points out that investigating incidents across jurisdictions requires both precision and respect for local data sovereignty.
"We use a federated investigation model that allows local teams to handle evidence within their jurisdictions while central oversight coordinates analytics," he revealed. "Embedding these capabilities into our enterprise data architecture enables scalability and compliance by design, ensuring analytics move to the data, not the data to analytics."
The business continuity trade-off
In 2025, Asian banks bolster cyber containment via layered defences, AI-driven monitoring, and supply chain resilience. Singapore's MAS enforces data protection through prohibition orders for unauthorised access, while China's PBOC mandates tiered data classification and MLPS 2.0 standards for secure storage and rapid assessments.
What about in 2026? Asked how banks and other financial institutions should approach cyberattacks without bringing down, albeit temporarily, existing critical services, Stokhamer believes that by 2026, cybersecurity resilience will be defined by adaptability, anticipation, and architectural integration.
"The industry is shifting from a 'buy' to a 'build and integrate' model, enabled by the accessibility of advanced data platforms that allow organisations to design, scale, and unify security capabilities. Success depends on aligning cybersecurity architecture with the enterprise's data and AI strategy." Lavy Stokhamer
The Strategic Pivot
A report by the Internal Audit Foundation suggests that Asian banking cybersecurity faces escalating threats like AI-enhanced ransomware, API exploits, and supply chain vulnerabilities, with 62% of APAC leaders ranking it as the top risk, rising to 78% in finance.
Geopolitical tensions, regulatory fragmentation (e.g., Singapore's Cybersecurity Act), and skills gaps exacerbate challenges, particularly in Southeast Asia's scam hubs, straining SME resilience.
Stokhamer offers three pieces of advice for security leaders and teams facing the prospect of continuing uncertainty and an evolving threat landscape:
Advice 1 – Integrate cybersecurity into the digital core
"Treat cybersecurity not as an overlay but as an intrinsic layer of the enterprise's digital foundation. Integrate controls and intelligence into the data and AI fabric to achieve real-time visibility, assurance, and trust at scale."
Advice 2 – Accelerate the response window
"The time between vulnerability disclosure and exploitation has compressed from months to days, sometimes hours. Organisations must automate detection, response, and patching to operate at machine speed. Leveraging AI for predictive analytics and decision-making is no longer optional; defenders must match the sophistication and velocity of AI-driven threats."
Advice 3 – Unite technology, people, and strategy
"Bring cyber, risk, fraud, and financial crime teams closer together. As boundaries blur, shared intelligence and collaboration become essential. A unified Fusion approach ensures faster decision-making, deeper visibility, and enterprise-wide cybersecurity resilience."
The heartbeat of modern banking
In the intricate landscape of modern banking, cybersecurity operations emerge as the heartbeat that sustains financial systems and safeguards trust. As digital transactions become increasingly complex and cyber threats evolve, the proactive measures and strategic frameworks established by cybersecurity leaders are crucial for ensuring resilience and continuity.
From leveraging advanced analytics to fostering collaboration across teams, these operations not only protect sensitive data but also underpin the broader mission of enabling secure financial interactions.
Ultimately, as the backbone of a thriving digital economy, cybersecurity operations are indispensable in maintaining the integrity and confidence that customers expect from their banking institutions.
To conclude, cybersecurity is no longer a control function—it's the confidence layer of modern banking.
Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.