CISO Diaries: Frankie Shuai on Leadership, Risk, and Cybersecurity at Global Scale


In this edition of CISO Diaries, we speak with Frankie Shuai about leading cybersecurity across highly regulated, multinational environments and what it takes to build trust, resilience, and relevance at the highest levels of the organization. Drawing on decades of experience across global financial institutions and technology companies, Frankie reflects on executive decision-making, security as a business enabler, and the human leadership required to operate effectively at scale in today’s complex risk landscape.

About the Interviewee: Frankie Shuai

Frankie Shuai is an award-winning technology executive and cybersecurity leader with over two decades of leadership experience across the financial services and IT industries. Formerly Director of Cyber & Technology Risk at UBS AG, he has held senior leadership roles across global organizations and has led regional information security functions across the APAC region.

Widely recognized for his impact on cybersecurity leadership, Frankie has been featured on the Nasdaq Tower in New York’s Times Square as a Global CISO 100 award winner and on the cover of Enterprise Security Magazine (APAC edition). A strong advocate for business-aligned security and people-centric leadership, he is also a technology innovator and the sole inventor of a U.S.-filed patent in next-generation wireless networking, cited by industry leaders such as Intel and Ericsson.

Frankie is a frequent keynote speaker at global industry forums and academic institutions, with speaking engagements hosted by organizations including the Wall Street Journal, Thomson Reuters, IDC, The Asian Banker, and central banks across the region. His perspectives on cybersecurity and technology leadership have been featured in international publications, including CIO.com, CSO.com, Economic Times, and Enterprise Security, among many others.

How do you usually explain what you do to someone outside of cybersecurity?

As the cybersecurity leader, I often describe our profession as the 21st century’s cyber warriors. The stage for our cyber warriors is not the traditional battlefield but the internet battlefield. The mission for many of us is to know our enemies and ourselves in order to protect our crown jewels of the enterprise, community, and nation.

What does a “routine” workday look like for you, if such a thing exists?

I would like to use 3 maxims from one of the best-selling books, which has transcended 2,000 years, The Art of War, to describe a “routine” workday for cybersecurity leaders. It’s written by Sun Tzu, the ancient Chinese general, philosopher, and strategist who lived in the 5th or 6th century B.C. The book has become a kind of Rosetta Stone of military theory, and has been translated well beyond the battlefield to gain prevalence in modern business schools worldwide, and now the cyber battlefield as well.

  • Maxim 1 from Sun Tzu: “Know the enemy and know yourself, and you can fight a hundred battles without disaster.”

In the cyber world, “knowing the enemy” means understanding threat actors’ tactics, techniques, and procedures (TTPs), and motivations. Tools like threat intelligence platforms, open-source intelligence, and dark web monitoring could enable security teams to gather actionable insights on adversaries. Simultaneously, “knowing yourself” involves knowing one’s crown jewels by mapping one’s digital footprint and prioritizing critical assets. Together, these efforts create a comprehensive picture of the cyber battlefield, enabling informed decision-making and proactive defence. 

  • Maxim 2 from Sun Tzu: “Speed is the essence of war. Take advantage of the enemy’s unpreparedness; travel by unexpected routes and strike where they have taken no precautions.”

In the current fast-paced world of cybersecurity, speed and agility are critical. Ransomware campaigns can paralyze organizations in hours, not days or weeks anymore, and zero-day vulnerabilities can be exploited before patches are deployed. So cyber defence requires the ability to detect, analyse, and respond to cyber threats in an efficient manner.

  • Maxim 3 from Sun Tzu: “He who relies solely on warlike measures shall be exterminated; he who relies solely on peaceful measures shall perish.”

Sun Tzu emphasized collaboration and intelligence sharing. Cyber is not a silo, and it’s always a Team Sport. Threat intelligence sharing among organizations, industries, and even governments strengthens collective defences and reduces the likelihood of successful attacks. Initiatives like the Information Sharing and Analysis Centres (ISACs) and public-private partnerships enable stakeholders to pool resources and exchange critical insights. Such unity is especially important in combating sophisticated actors like nation-states and cybercriminal organizations that exploit isolated defences.

What part of your role takes the most mental energy right now?

Cybersecurity is the science, but also the art. As the art, it would involve people, and people are the weakest link in the world of cybersecurity defence. No matter how advanced security technology is implemented and how many layers of defence are put in place, it just takes a simple click on an attachment in a phishing email by a staff member to open the initial penetration point for the phisher. They intend to hunt for the lowest-hanging fruit in an organisation to gain illegal entry. So staff awareness, training, and even phishing exercises are crucial and useful to help build an organisation’s defence fortress.

What’s one security habit or routine you personally never skip? (Work or personal.)

Cybersecurity has been in the spotlight for a while. We have witnessed the continually evolving cybersecurity landscape from the expanding attack surface to the more sophisticated cyber-attacks in the past decade, particularly in the last few years during the pandemic, when digital transformation has become an important agenda across industries globally, and when emerging technology like AI, the double-edged sword, has redefined the cyber world. As one of the many seasoned cybersecurity leaders, I am fortunate that I can contribute in this area to fight cyber-attacks, safeguard the business in this aspect, and gain stakeholder trust by continuing to learn new skills and new ways of thinking with the help of technology like AI.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I have been a tech-savvy guy since I was a child, as I liked to disassemble and reassemble toys after understanding how they work inside. This habit has stayed with me until now. For a technical product or solution, in the security domain and beyond the security domain, I like to drill down to understand why it’s needed, how it works, and how it doesn’t work (then how to fix it). This habit has provided me with context and insights both technically and non-technically, which really helps both my corporate work as a cyber security leader and my personal life as well.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

As Henry Ford, the founder of the Ford Motor Company, said, “Coming together is a beginning; keeping together is progress; working together is success.” In my eyes, cyber is not a silo, and cyber security is always a team sport. So it needs all of us, policy makers, practitioners, and service providers, to work together – to learn, share, and shape the future of cyber security together.

What’s a lesson you learned the hard way in your career?

Looking retrospectively, if I were to have the superpower to talk to myself twenty years ago, I would encourage myself not to be afraid of failure too much, and more importantly, to quickly learn and grow from failure. At the end of the day, failure is the mother of success.

What keeps you up at night right now, from a security perspective?

First of all, as per IBM Security’s annual threat intelligence report, in 2024, globally, our APAC region has experienced the largest number of cyber-attacks in the whole world, accounting for 34% of all cyber-attacks globally, ahead of the US and Europe.

Such a cyber threat landscape is evolving as there is increased attack surface exposure when our systems and data are moving to the cloud, when our employees are connecting to the corporate network at any time, at any place, and using any device, the so-called “3A”, and when there are more connections and dependency on partners or suppliers in the whole product or service chain. All these shifts are increasing the digital touch points, which in turn increases the potential cyber-attack surface, and which always keeps me up as a cyber security leader based in the APAC region.

How do you measure whether your security program is actually working?

The security program should be planned and implemented as smoothly as possible to reduce the friction in front of the customers and users while making sure the product and service can be delivered in the expected safe, secure, and compliant manner. It’s like a triangle with 3 sides, composed of compliance, security, and UX (User Experience)/CX (Customer Experience), and an effective balance of these 3 sides is needed.

What advice would you give to someone stepping into their first CISO role today?

CISO has been viewed as Mr. / Ms. “NO” in some enterprises in the past. With the rapid adoption of emerging technologies in both corporate and personal life, cybersecurity is now one of the key differentiators of business agility and resilience. My humble advice to the cybersecurity leader stepping into their first CISO role is that “CISO” is not just the title, but the mindset recognized and the respect earned by being the valuable “ENABLER” of business innovation and growth, providing a safe, secure, sound, and frictionless user experience to the business.

What do you think will matter less in security five to ten years from now?

In the next five to ten years, the number of devices or workloads accessing our network, the amount of data that needs to be protected, and the area of the digital surface of our business are expanding exponentially as we progress on the journey of digital transformation, including AI & ML adoption, cloud migration, robotics automation, etc. For cybersecurity leaders, the traditional perimeter-based, manual work-driven, layered defence was effective, but might not continue to be effective, both technically and economically.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

The shift of focus for cybersecurity leaders is happening; we have seen that leading CISOs are already exploring or even investing in AI to improve cyber intelligence collection and analysis, to improve malicious code scanning efficiency, and to generate more personalized internal phishing exercises. More are coming, more to come. One example already happening now is the evolving job requirements of cyber security professionals, as many job advertisements for cyber security professionals already list AI knowledge and expertise as a required capability.

Disclaimer: All the views shared are the author’s personal views and do not reflect his current or past employers’ perspectives.