Meet GI's Cybersecurity Champion: Chan Yew Weng, Agency Chief Information Security Officer (ACISO), NLB
By Amit Roy Choudhury
Chan Yew Weng shares his journey as a public sector cybersecurity champion in the National Library Board (NLB) Singapore

Meet Public Sector Cybersecurity Champion Chan Yew Weng. Image: NLB.
This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.
Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does.
As the National Library Board’s Agency Chief Information Security Officer (ACISO), I manage NLB’s cybersecurity team and all related agency cybersecurity matters. NLB nurtures Readers for Life, Learning Communities and a Knowledgeable Nation by promoting reading, learning and discovery through our network of 28 libraries across Singapore, the National Library and the National Archives of Singapore.
What kind of cyber threats does your organisation face on a regular basis?
Like every organisation that is tech-enabled and connected, NLB faces cybersecurity probes, incidents and active threats. These include phishing, scam e-mails and messages, active cybersecurity threats, malware threats, and cybersecurity reconnaissance probes on our networks and services.
In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally?
In cybersecurity, the consensus among all cybersecurity professionals is overwhelmingly that the human element is the weakest link. Hence the biggest cybersecurity threats that we face today usually pertain to scams and phishing attempts through e-mails and messages that target users.
All it takes is one person, even someone who is tech-savvy, to inadvertently run unauthorised processes and/or unwittingly introduce unverified files into systems. We need everyone to be vigilant all the time. No one, not even the tech-savvy, can afford to be complacent with cybersecurity.
Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defense. What is your view?
Yes, AI has increasingly become a double-edged sword for cybersecurity. On one hand, we are seeing prevalent use of AI to generate scams and phishing messages and to create vocal and/or video deepfakes, which makes it difficult for users to distinguish the authenticity of information/communications received.
On the other hand, cybersecurity professionals leverage AI for data analytics, monitoring and filtering of the massive amounts of data that is collected by the organisation. With AI to augment our operations, we are better positioned to identify and thwart potential attacks in a timely manner.
Cybersecurity is often described as a team sport whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture?
Sharing of information and resources is vital. With more information at hand, we will be better placed to identify and find indicators of compromise in a timely manner rather than guessing at what to look out for.
Hence the whole-of-government or country approach, in terms of information sharing, is helpful in these circumstances.
An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect?
As is often said, it is not a matter of if but a matter of when. We need to prepare for the worst and hope for the best. NLB regularly conducts drills such as tabletop and recovery exercises where we test the effectiveness of our cybersecurity recovery plans should a breach occur.
Over the years, our recovery plans, exercises and drills have evolved to address emerging challenges like ransomware and scams, ensuring our readiness against the dynamic nature of cybersecurity threats.
However, cybersecurity is evolving at such a pace that whatever plans are in place today might not be effective against new and evolving threats. That is why it is also important for everyone in this space to stay updated and vigilant on emerging cybersecurity challenges and adapt accordingly.
If your organisation gave you an unlimited budget for cyber defence, what would you spend it on?
I would make use of the budget in two ways. First, the main priority is to target user awareness and education since our people are our first line of defence.
Next, it would be the enforcement of basic cybersecurity hygiene (in terms of simple things like the principle of least privilege, baselining and hardening of systems, utilising multi-factor authentication in systems and networks, etc.).
In my opinion, a sophisticated cybersecurity toolset will increase the quality of telemetry gathered but it is not such an essential element on Day 1. Getting the fundamentals right matters more.
What brought you to this profession and what do you love the most in your job and what would you like to improve?
I was first given the opportunity to work in this field in the early days, when cybersecurity was just in its infancy and security was often an afterthought.
It gave me the opportunity to learn and understand where cybersecurity needed to be implemented and was most important and effective (i.e. from the Network to Applications and now the Cloud).
To my mentors in my previous agencies, I am forever grateful for the opportunity!
What motivated me then and now is still to create a safe environment where everyone has access to the learning and discovery of our resources and services.
I believe that providing this safe and level playing field is essential - when people feel secure using our systems, they can focus on what truly matters: learning, discovering, and growing at their own pace.
The lack of qualified cybersecurity professionals is a global problem. How do you think this can be overcome?
This has been a challenge from the beginning since the cybersecurity field first emerged. Singapore has been trying to expand the talent pool of cybersecurity professionals through various training and education programmes.
As we have progressed, I am encouraged to see that cybersecurity awareness is becoming part of the broader IT culture.
The majority of IT professionals now have basic cybersecurity knowledge ingrained in them. This shift has made collaboration between cybersecurity professionals and other IT fields more effective and efficient.
Also, the emergence of AI has helped to augment some of the more mundane tasks in the industry. By automating routine tasks like alert monitoring and data analysis, cybersecurity professionals can dedicate more time to critical activities like risk assessment and developing mitigation strategies, rather than getting bogged down by repetitive monitoring tasks.
If you had a chance to restart your career from scratch, would you still want to be a cybersecurity professional and why?
On a personal belief and mission basis, yes, I would still want to consider cybersecurity as a career. There are fundamental challenges that I believe I can help tackle and influence in cybersecurity.
However, the pace of change in cybersecurity and AI is relentless, and a lot is expected from the cybersecurity team. Therefore, I cannot overstress the importance of having a good team in place to ensure that the organisation achieves its goals. At the end of the day, while the work can be intense at times, the sense of purpose and fulfilment I get from it makes it all worthwhile.
