Meet GI's Cybersecurity Champion: Tan Shui-Min, Chief Information Technology Officer, National University of Singapore (NUS), Singapore

By Si Ying Thian

Tan Shui-Min shares her journey as a public sector cybersecurity champion at the National University of Singapore (NUS).


This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.

 

Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does. 

 

NUS is the oldest, largest, and the flagship university of Singapore. We are also one of Asia’s leading universities, ranked 1st in Asia and 8th globally by the QS World University Rankings.

 

NUS is known for its comprehensive education system, cutting-edge research, and visionary enterprise.

 

We are a vibrant university offering a wide range of undergrad, grad and professional degree programs across a diverse array of disciplines in STEM, humanities, social sciences and the arts.  

 

As the Chief Information Technology Officer (CITO) of the National University of Singapore (NUS), my role goes beyond that of a traditional cybersecurity professional.

 

I lead the university’s digital transformation efforts, which include shaping IT strategy, driving innovation, and ensuring operational resilience across our academic, research and administrative functions.

 

Cybersecurity is a critical part of this, and my responsibilities include safeguarding NUS’s digital assets.  

What kind of cyber threats does your organisation face on a regular basis? 

 

Our university regularly faces a variety of cyber threats that are common across the higher education sector, for example phishing, malware and so on.

 

To mitigate these threats, we maintain robust cybersecurity protocols, continuous monitoring, regular training, and incident response plans. 

In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally? 

 

The public sector is a prime target for a wide array of cybersecurity threats due to the sensitive nature of governmental data, the scale of operations, and the potential for widespread disruption.

 

In particular, Advanced Persistent Threats (APTs) and state-sponsored attacks frequently target organisations in the public sector for espionage, intellectual property theft or to undermine trust.

 

These attacks are sophisticated, stealthy and persistent. Similarly, critical infrastructure, such as utility, transport and health, is also increasingly targeted in geopolitical conflicts, with destructive malware and sabotage.

 

Addressing these requires a comprehensive, multi-layered approach: robust technical defences, security awareness training for staff, strong identity and access management, regular incident response exercises, and a commitment to continuous improvement and collaboration with external partners.

 

At NUS, we are advancing on all these fronts, recognising that cybersecurity is not just a technical challenge, but a human and organisational one as well. 

 


Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view? 

 

I agree with the statement. Attackers are increasingly leveraging AI to automate and scale their efforts.

 

For example, AI can help cybercriminals craft more convincing phishing emails, find vulnerabilities in systems more efficiently, and automate the process of probing for weaknesses at a speed and scale that would be impossible for humans alone.

 

Generative AI can also be used to create fake content or deepfakes that are harder to detect. 

 

On the other hand, cybersecurity professionals have been using AI-powered tools for defence long before ChatGPT came onto the scene. These include systems that can detect anomalies in network traffic, identify potential threats in real-time, and automate responses to certain types of attacks.

 

AI can help sift through vast amounts of data to identify patterns or behaviours that may indicate a cyberattack, allowing for faster and more effective responses. 

 

However, it's important to note that AI is not a silver bullet. While it can enhance both attack and defence, it also introduces new risks—such as adversarial attacks targeting the AI models themselves. Therefore, human expertise and vigilance remain crucial.

 

Our approach is to combine advanced AI technology with skilled cybersecurity professionals, continuous training, and robust governance. 

Cybersecurity is often described as a team sport whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture?

 

A whole-of-government or whole-of-country cybersecurity posture is essential in today’s highly interconnected IT environment.

 

Since systems across government agencies, critical infrastructure, businesses, and individuals are all linked, a vulnerability in one area can quickly become a risk to others.

 

Cyber attackers often exploit the weakest link, moving laterally through networks and across organisational boundaries. This interconnectedness means that no single entity can address the full range of cyber threats alone. 

 

A unified approach to cybersecurity allows for better sharing of threat intelligence, resources, and expertise across different organisations.

 

When agencies and sectors work together, they can respond to incidents more rapidly and effectively, minimising potential damage. It also helps in developing and enforcing common standards, policies, and best practices, which closes the gaps that attackers might otherwise exploit. 

 

Moreover, public trust depends on the reliability and security of essential services. When the public sector presents a united front against cyber threats, it reassures citizens that their data and services are being protected.

 

At NUS, we actively participate in national cybersecurity initiatives and embrace collaboration, recognising that only through such collective effort can we build a robust and resilient digital ecosystem.

 

Cybersecurity truly is a team sport, and success depends on a spirit of partnership across government, industry, academia, and the wider public. 

An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect?

 

The reality is that no organisation, however well-defended, is immune to breaches. It is not a matter of “if” but “when”, and what matters most is how effectively and quickly one can respond and recover from a cybersecurity breach. 

 

Having a well-defined Plan B, otherwise known as an incident response plan, is essential.

 

This plan should outline the steps to take immediately after a breach is detected, including isolating affected systems, containing the threat, and preserving evidence for investigation.

 

Clear communication protocols are vital to inform stakeholders and response teams internally, and to notify affected parties externally when needed.  

 

Equally important is the ability to restore critical operations and data swiftly and securely. This means maintaining robust, regularly tested backup systems and clear procedures for disaster recovery.

 

After the immediate response, conducting a thorough investigation to understand the root cause, assessing the damage, and learning from the incident is vital for improving defences and preventing future breaches. 

 

At NUS, we place a strong emphasis on preparedness through regular tabletop exercises, continuous improvement of our recovery plans, and fostering a culture where reporting and responding to incidents is timely and coordinated.

 

Ultimately, this is about building resilience: being able to withstand disruptions, recover quickly, and emerge stronger after an incident. Having the right mindset and preparation is just as important as strong technical defences.

If your organisation gave you an unlimited budget for cyber defence, what would you spend it on?

 

An unlimited cyber defence budget is a tantalising proposition – much like indulging in unlimited ice cream without gaining weight.

 

While we prefer not to lay out the exact blueprint of our defences, I would say that under such wishful circumstances, we would certainly take every opportunity to future-proof our infrastructure, invest deeply in intelligence-led capabilities, and ensure our entire university community is equipped to navigate the digital landscape securely.

 

But as always, it’s not just about how much you spend — it’s how wisely you invest in people, processes, and technology. 

What brought you to this profession and what do you love the most in your job and what would you like to improve?

 

What brought me to this profession is the path of least resistance. I stumbled upon IT when in my first month in JC I had to choose a subject to replace Biology.

 

I ruled out all other subject options for various reasons and Computer Science was the only one left. I included that as one of my A-level subjects and realized that I was pretty good at coding. So I went on to major in Computer Science in my university years, graduated to become a developer and got swept into the world of technology.

 

I can’t say for sure that there is something or someone that inspired me to stay on in a tech career. It’s more like, there’s nothing to steer me off a career in tech. So here I am today, still in tech! 

 

What I love most about my job is the opportunity to make a meaningful impact across the university community. Every day brings the chance to create new value through innovation and help shape the digital future of higher education.

 

I find great satisfaction in working with passionate colleagues and in seeing technology serve as an enabler of excellence. 

 

What I’d like to improve is the way we continue to align digital initiatives with the evolving needs of the University.

 

While we’ve made great strides, there’s always room to enhance communication, foster greater digital literacy, and build even stronger partnerships across the Institution.

 

My goal is to ensure technology not only supports but anticipates the needs of our community in a way that’s seamless, inclusive, and forward-thinking. 

The lack of qualified cybersecurity professionals is a global problem. How do you think this can be overcome?

 

This requires a multi-faceted approach. Firstly, education and training must be expanded and made more accessible.

 

Universities and institutions can play a key role by offering specialised cybersecurity programmes and integrating relevant skills into their curriculum. Partnerships with industry can ensure that the training is practical and aligned with current needs. 

 

Secondly, there should be greater emphasis on continuous professional development.

 

Cybersecurity is a rapidly evolving field, so ongoing upskilling through certifications, workshops, and hands-on experience is essential. Organisations can support this by providing learning opportunities and encouraging staff to pursue advanced certifications. 

 

Thirdly, we need to broaden the talent pipeline by encouraging diversity and inclusion in the cybersecurity workforce. This means creating opportunities for women, mid-career professionals, and individuals from non-traditional backgrounds to enter the field.

 

Outreach programmes, internships, and mentorship schemes can help attract and retain a more diverse range of talent. 

 

Finally, leveraging technology such as AI and automation can help alleviate some of the resource pressures by automating repetitive tasks, allowing cybersecurity professionals to focus on more complex and strategic challenges. 

 

At NUS, we are committed to strengthening the cybersecurity talent pipeline through our academic programmes, research initiatives, and industry collaborations.

 

Ultimately, addressing this shortage will take coordinated effort from academia, industry, and government to build a skilled, agile, and diverse cybersecurity workforce for the future. 

If you had a chance to restart your career from scratch, would you still want to be a cybersecurity professional and why?

 

If I had the chance to restart my career from scratch, I would absolutely choose to be a CIO again. The role offers a unique blend of leadership, innovation, and problem-solving that keeps every day interesting.

 

With cybersecurity responsibilities, there’s the added challenge and privilege of protecting the university’s most valuable digital assets and ensuring a safe environment for learning and research.

 

It’s a role that demands constant learning and adaptation, and that dynamic nature is what makes it both rewarding and fulfilling. It’s like having coffee packed with adrenaline each day!