With the focus of the government on developing the Malaysian digital economy and the announcements by Amazon Web Services (AWS) regarding launching a local region by 2024, Malaysia is a fast-rising digital star in the region.
This is not to suggest that the journey only began in 2023. Rather, organisations on the leading edge have been quietly and methodically building the foundation for their digital transformation. In this article, we’ll explore some of the learnings from these trailblazers.
We’ve spent time interviewing two leaders in the Malaysia FSI industry: Ts. Zaidee Ismail, Director of Technology Services at Bank Islam, and Yu-Wern Pong, Enterprise Architect at Payments Network Malaysia (PayNet). Their thoughts are quoted below.
One of the questions we often get at Sourced Group (Sourced) is simply, how does an organisation get started in cloud? Given the regulatory landscape, the work required to even put one workload in cloud can seem overwhelming. Key success factors for initiating a cloud journey can be broken down to two areas, motivation and methodology.
An organisation needs to have a clear view of why it is adopting the cloud in the first place. Like any transformation, it requires investment, and the benefits will flow in time. Executive sponsorship and top-to-bottom alignment are crucial.
“We began our cloud adoption journey with strong support from senior management, including the CIO and CEO. Another pivotal role was played by the Risk & Compliance Division, along with the pioneering Application Development team responsible for creating the initial critical workload application.” – Yu-Wern Pong
“We need to build the business case, then craft the plan of how cloud will help us materialise the business case. Once we have that, we can then share our proposal to the Board of Directors and have their approval and support.” – Ts. Zaidee Ismail
On methodology, our typical advice is to adopt a “crawl, walk, run” approach. No organisation has unlimited capacity to execute, so attempting to onboard too many workloads or to multiple clouds simultaneously represents a real risk to the success of the initiative. Build a plan to adopt cloud in a systematic and progressive way, giving the organisation an opportunity to build strength and experience.
“[We began with] a series of discussions were conducted to foster consensus, covering topics such as business value, risk, architecture, and more. These conversations initially focused on the fundamentals of cloud technology and how PayNet could securely and compliantly transition to the cloud.” – Yu-Wern Pong
Bank Islam highlights the importance of experimentation in a meaningful but safe way.
“We launched a new business unit – we experimented, we tried all the cloud stacks from the start. This was our opportunity to test new products and systems. But this was not research for research sake. Our ultimate goal was to translate our learnings and discoveries into the cloud-native, digital banking service that we launched for Bank Islam customers in July 2022.” – Ts. Zaidee Ismail
By ensuring our cloud adoption programme mobilises in the right way, we set a good foundation for eventual success. Speaking of success, how do we measure it? How do we ensure we’re getting the right return on our investment?
Earlier on, we talked about how the motivations for adopting cloud should be clear to all in the organisation. More specifically, what is the expected benefit? Before we can answer that question, we need to consider how we measure success. Organisations may articulate this in different ways – return on investment, business case, definition of done, but all are fundamentally concerned with the same question: How do we ensure the effort is giving us value?
While datacentre evacuation to drive a lower total cost of ownership (TCO) was historically a key driver of cloud adoption, it is far from being the only one. Organisations we work with may value agility, flexibility, improved security, retention of key talent and improved time to market alongside the traditional TCO analysis. For example,
“The focus must be on the business objective and what we are trying to achieve. Obviously, Internet Banking is a key channel for us, and this is a system that needs to serve millions of our customers. Our motivation behind moving to cloud is to ensure this service is reliable and stable, especially during peak time. Our experience tells us this is challenging to do on-premise.” – Ts. Zaidee Ismail
“Our strategy positions cloud hosting as a complementary infrastructure option alongside our on-premises hosting. We measure return of investment (ROI) by assessing operational simplicity and reduced operational overhead for specific technology stacks. We also gauge ROI by considering speed to market and development velocity.” – Yu-Wern Pong
Here we can see that return on ROI is being measured on multiple axes. While of course the economic case must be made, we can see a strong focus on customer satisfaction and operational overhead as being key success criteria. These can be measured over time and used to refine the cloud journey.
A common theme among organisations that have successfully adopted cloud is their emphasis on education, both upfront and ongoing. If we accept that cloud is a step change that will leave no part of the organisation untouched, it then follows that education efforts need to be similarly broad.
This does not mean that all parts of the organisation will need the same type, level or depth of training and education.
“I think different personas require different types of training materials. We have our engineers who’ve been trained, for example, in the AWS Solution Architect Professional certification. We’ve also trained our IT Risk as well as the IT auditors and not forgetting the business continuity management (risk management) team. We also engaged with members of the Board of Directors specifically on topics relating to Cloud computing.” – Ts. Zaidee Ismail
Our experience shows us that organisations that tailor their approach to the various personas, as well as considering a mix of commercial training, cloud provider training and bespoke training have the greatest success.
“To cultivate a robust cloud technical skill pool, PayNet’s management has endorsed continuous training and certification for all team members. We provide continuous training opportunities, support self-paced learning through platforms like Udemy and ACloudGuru, offer recognition to encourage certification, and promote peer coaching for day-to-day activities.” – Yu-Wern Pong
It is important not to think of cloud training as being just a technical exercise – product managers, risk and compliance and senior management are all personas who will be impacted by cloud and will need understanding on how their roles will be impacted.
For any regulated organisation we must consider the compliance aspects of adopting cloud. Any regulated organisation looking to adopt cloud should be familiar with not only RMiT but specifically Appendix 10, which documents control measures for Malaysian entities looking to adopt cloud. Over and above risk management, Appendix 10 specifically calls out how modern cloud practices and best practices such as DevOps, CI/CD and immutable infrastructure can be used to enhance security.
Organisations should also be very familiar with the Personal Data Protection Act and understand the circumstances under which personal data can be processed outside of Malaysia.
A key learning from early adopters is that the regulator should be seen as a continuous part of the cloud adoption process, and not just a stage gate at the end.
“There is a series of conversation happening to brief Bank Negara Malaysia (BNM) of what we are doing and the progress of our development. By the time we went into the consultation process we already knew what kind of technology we’d like to implement in the cloud and what are the kind of controls that we need to put in. We’ve learned what the expectations are, the risks that they expect us to cover, and we’ll share how we implement a certain control within cloud. It can’t be a one-off conversation; it must be a continuous process.” – Ts. Zaidee Ismail
The experience from PayNet also speaks to the benefit of maintaining a regular cadence with the regulator:
“During the initial stages of our journey, PayNet closely collaborated with BNM to ensure they gained a thorough understanding and awareness of our cloud adoption. This involved conducting demonstration sessions to showcase PayNet’s readiness. Our Risk & Compliance and Audit teams at PayNet maintain regular engagement sessions with BNM to keep them informed of our progress in adopting cloud technologies. Furthermore, an annual Cloud Audit Assessment, conducted by PayNet’s Audit team, is shared with BNM to keep them updated on our cloud advancements.” – Yu-Wern Pong
As we can see, early and continuous engagement with the regulator helps the organisation be well prepared for the later stages of the process of putting workloads in cloud. We’ll be exploring this topic in more detail in the next instalment of this series.
Throughout this article we’ve learned a little about how the early adopters in Malaysia have navigated their cloud journey and touched on the key areas of mobilisation, measuring success, education and compliance. Over the next articles in this series we’ll dive deeper into some of these topics and discuss in more detail the key building blocks to a successful cloud journey.
If you’d like some further reading, check out these articles:
Ian is the Head of Consulting for Sourced Group ASEAN. Based in Singapore, he has more than 10 years of experience in cloud transformation, and is a former AWS Ambassador and AWS APN Cloud Warrior. With a strong background in security, compliance and software delivery, Ian specialises in cloud transformation for financial institutions and other large enterprises.