Whether you're at a CxO seminar or speaking to a CIO/CTO/CDO, you'll find digitalization is a key focus, in fact a KPI for most. This even includes the CEO, and the Board is very keen on these initiatives. In this article, I use Malaysian utility companies as an example to look at to what extent digitalization has made the business digital.
To a layman, digitalization simply means moving things into the technology space. Now this very definition is rather vague and open to interpretation. I'll give you an example to illustrate. A restaurant uses pen and paper to take orders and issue the bill at the end of the meal. Everyone agrees that's manual. The first step of digitalization is perhaps to move from pen/paper calculation to a calculator. Some argue that is digitalization, since calculators make fewer mistakes (assuming no input errors). The next evolutionary step is to convert paper and calculator into a restaurant-centric Point of Sale and Order system. That's digital. Or is it? Beyond that, thanks to the pandemic, you have online restaurant menus served via the demon called QR codes, orders made from the phone and even paid for by credit card before the order goes through. That's also digital. An extreme scenario would be a blockchain-based order system to ensure order immutability so that your fresh nasi lemak and teh tarik get served as per order.
Suresh, you just confused me. Then what is digital?
Well, it really depends (I know, I hate this answer) on who you ask that question to, and what the CxO deems it to be. Hence, this is where the trouble starts in Bolehland (where anything is possible). And I'll explain how there is a huge disconnect between annual reports claiming digitalization initiatives and what actually gets delivered.
Over the year's end, I went to 2 utility companies and a government agency in Malaysia to perform some processes. I'm using these visits to highlight the experience.
To set the context, Malaysia uses a national ID card called MyKad. There are variations such as MyKid, MyPR, etc. The card has 3 factors built in. First, the visual card, showing the picture and details of the cardholder. Twist the card and you'll find holographic embeddings on the physical card. Secondly, you'd find a smartcard chip on it. Read the chip and you'd also get biometric information, fingerprints from both sides, to validate whether they match the data read from a fingerprint card reader. Thirdly, for convenience, there was the introduction of the Touch N Go contactless payment system. MyKad was introduced on 5 September 2001 as part of the flagship MSC application.
Ask any Malaysian and they'd tell you this. Always keep a photocopy of the NRIC for any government or other services.

The first process!
Banks started using the MyKad PMPC on chip verification for banking services long ago. Yet, you'd notice they still take a photocopy of the NRIC as part of the process.
At utility company #1, they did a fingerprint biometrics validation and that was sufficient. Great stuff, digitalization works! At utility company #2, I was chased away, asked to get a photocopy of my NRIC and return to complete the process. I had to hunt for a stationery shop, make a copy of the NRIC and come back. To make matters worse, since it involved rebates, I needed to print my bank statement to show proof of my account ownership.
Now, why in the fish head world would any other company need my bank statement? I'll explain below how this process can easily be made digital (this isn't new and I still find people not knowing about it).
On to the second process!
Back to utility company #1, initially I was impressed with the whole process. But that was just the beginning. (No more gripes about company #2.)
I had to do another process which involved some monetary reimbursement. Diligently I went to their "kedai" or outlet as I wasn't sure what the process was. At the Kedai, I was told I could do it over the mobile app! Impressed, I am. So the person guided me and the claim process was submitted.
The claim process involved an audit which required utility company #1 to come over and check on some stuff. Fair enough. The app status said appointment fixed. But I had no idea when the appointment was! After waiting for a few days, I decided to call. Customer Service, to my horror, claimed they had no access to see the information that was presented to me. Meaning they had no access to the system and were clueless!!! So they escalated to a different section. The different section, upon getting details, parroted every single word of the status that was displayed on my app.
No S Sherlock!
So I asked when the appointment was; they didn't know either. Escalated to a different section. (Oh, before I forget, I selected 2 for English; after talking a while the Customer Service agent asked if I could talk in Malay, and I said I selected 2 for English!) Back to the appointment: the third department gave me a date, to which I asked who they spoke to and how they confirmed the date, since I was the complainant. They said the date was set by themselves. My next question: if you set the date yourself, how would you expect me to know? There was an awkward silence... Remember the mobile app had no details about the date, only a status update. For this, a ticket number was generated to expedite the process.
Fast forward: appointment done, audit completed, and the claim was sitting in a queue, unattended. I had to call again to get them to look into the claim approval. To expedite, another ticket number was generated. The claim got approved and was pending verification. Again, like before, the Customer Service agent parroted the status which I saw and, when I asked for details, went silent.
So here I am thinking the verification process is most likely internal? NOPE! I am supposed to do the verification. And I had no clue. After waiting for a few days and constantly checking the app, which had no button for verification, I called good ol' Customer Services, who promptly blamed me for not verifying. So I asked, how am I supposed to verify? I am supposed to click a non-existent button on the app. Sent a screenshot. Then they said I am supposed to click a button on the email sent to me. Did that and it took me to the app.
The clincher of the whole customer services conversation: now Customer Services said I was supposed to reply to the email that was sent to me. The email was sent from [email protected]
So I am supposed to reply to an email that says no reply. Customer Services insisted that that is the only method, despite me explaining that it clearly says no reply (I got the name, but I don't want the poor person losing her bonus). So I did as told, only to get an email bounce confirming that I am NOT SUPPOSED TO REPLY!! I sent that also to Customer Services via email, called them and made another ticket. After that, I got a call confirming that I now needed to go to the Kedai to complete the process. (Should have told me earlier.) And I had to go to a particular Kedai at a particular location to complete the process; I was not able to do it at a Kedai near my work. (What is it? 1990, with banks fixing their branches to each location for accounts???)
The story ends with me hauling myself, after beating the jam, into the Kedai right before it closed to complete the process.
But hey, they got mobile app. Digital boleh!
Third story
Since I had time and extra months on my passport, I decided to just do the renewal. While sitting on my couch, I opened up the URL, filled in the details (I had taken a picture a week earlier in anticipation), uploaded that (without the barrel distortion making my nose bigger) and submitted. Made payment. After 20 minutes, I dressed up, went to the Immigration Department, got my queue number and waited patiently. On my turn, I got my new passport and went home. This happened on the eve of the new year.
Just a web app, mobile friendly, payment integrated, email confirmed and issued. How digital is supposed to be done right!
How to go truly digital?
- Use biometrics (MyKad reader and the software) to print out the validation (if you are too cheapskate to do integration due to cost).
- Use the verified biometrics information, which usually is printed (or kept as PDF), as a document of proof.
- For rebates or refunds, use the DuitNow validation mechanism. Did you know that using either the person's mobile number or NRIC number, you can send funds (even when you don't know their account details)?
- In the event that you do get the account number and you want to make sure that it goes to the right person, DuitNow allows organizations to force validation before transfer.
- Banks need to play their part as well. How long does it take to introduce a simple module that generates a PDF that confirms that the account number belongs to the person? A simple letter generated in PDF would suffice.
- It's 2025 now. If you're still using paper-based submission (unless it's for BCP), you missed the boat on going paperless (which was around the early 2000s). You really have to think about your whole IT strategy, which is sorely outdated.
- Your processes, a lot of them dictated by governance (which does not see the value of digitalization and automation), need to move in tandem with the times.
While everyone knows I write primarily on security, you cannot divorce that from looking into technology and understanding the inner workings. I started in tech, and tech-heavy, but pivoted into NCIS much later (see, I use business'y language like pivot).
This article is not a wake-up call for the CIO/CTO (if you still need a wake-up call, I have no words!), but more for the board to evaluate how digital your organization is. The best way to do that is to be a customer, follow each business process as an independent journey and discover how digital the organization is!
Author: ORCID ID - Suresh Ramasamy: 0000-0003-4562-037X
This article is mirrored on LinkedIn at https://www.linkedin.com/pulse/digitalisation-lost-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm-hderc/