Women in Cyber: A line of defence in Singapore's health system

By Shirley Tay

Tan Li Ann, Deputy Director, Cyber Defence Group-Compliance at IHiS shares how she is securing Singapore's health systems.


Health data has become a valuable commodity amongst cybercriminals. Healthcare institutions must establish protections to assure patients that their sensitive information is kept under lock and key.

Tan Li Ann, Deputy Director, Cyber Defence Group-Compliance at Singapore's Integrated Health Information System (IHiS), stands between hackers and patient data. She discusses her work securing public healthcare systems and the challenges she hopes to tackle this year.

Tell us more about your role. How do you protect the digital realm and improve citizens’ lives?

To ensure that the public healthcare system is resilient and robust against emerging and evolving cyber threats, IHiS has established a robust “Three Lines of Defence” structure as a risk management strategy. The 1st Line of Defence (1LoD) comprises teams which develop, deliver and operate the IT systems, the 2nd Line of Defence (2LoD) comprises teams who oversee the security strategy, risk management and compliance while the 3rd Line of Defence (3LoD) comprises checks and assurances independent of the first two lines of defence, IHiS and healthcare clusters.

I’m with the 2LoD team within the Cyber Defence Group (CDG). Primarily, my team has the responsibility to ensure that risks are adequately assessed and managed by the 1LoD.

Our roles and mandate as the 2LoD are constantly evolving in response to the changing risk landscape and organisational needs. We provide an independent check and balance to ensure that risks are properly evaluated and mitigated by project teams prior to implementation.

The 2LoD team monitors and reports cybersecurity risks, as well as provides healthy challenge and material support to the 1LoD technology teams to proactively identify and remediate cyber risks. We enjoy a collaborative and close partnership with 1LoD. It is especially heartening when the 1LoD team approach us to seek our views and value the advice we provide. It is even more encouraging when they express their appreciation for the work we’ve done to improve the control environment.

We have the responsibility to make sure that cybersecurity does not take a backseat when project teams need to implement their new systems or change requests quickly. When Covid-19 struck and there were projects which had to be rolled out within tight timelines, we worked alongside the project teams to make sure risks were properly identified and remediated prior to going live.

What sparked your interest in cybersecurity?

A few reasons. Against a backdrop of increasing cyber-crimes, cybersecurity is a rapidly expanding industry. There is an ever-growing demand for qualified cybersecurity professionals. In cybersecurity, there’s never a dull moment. A career in cybersecurity is constantly changing with tremendous growth potential and learning opportunities.

There is a wide variety of jobs and career paths within cybersecurity. One can choose to specialise in a certain track or gain experience in different areas such as incident responders, security specialists, etc.

What has been the most impactful project of your career?

I have been honoured to have a hand in building a strong CDG-2LoD team with diversified expertise and experience that is now integral to IHiS’ cybersecurity risk management approach. Our current 2LoD team come from diverse backgrounds coming from different industries such as banking, key consultancy companies and various telcos. Collectively, there is an amalgamation of expertise which helps the team to look at issues from varied angles through their experiences in different fields such as audit, IT risk, IT operations, project management and development etc.

In response to the rate of increase of cyber attacks and threats, IHiS has been working on strengthening the cybersecurity posture of public healthcare significantly over the last few years. As the 2LoD, I have been tracking the delivery of these initiatives closely, and most of the activities we have set out to complete are already in place. While there is still work to be done and continuous improvements have to be made to keep abreast of emerging threats, I am proud that the 2LoD has played an instrumental role to validate and provide an independent opinion of the completeness and effectiveness of the work done. When required, we step in to play an advisory role and do our part to help project teams reach the project milestones.

What challenges would you like to take on in the next year?

How to do more with less. Risk and compliance management can be labour-intensive due to the large volumes of data and information available nowadays. Moving forward, I want to work even more effectively through making use of new and emerging technologies to be able to identify, evaluate, analyse and respond to risk in this constantly-evolving cyber environment.

Who or what inspired you this year, and why?

In the midst of the pandemic, the frontliners in the healthcare family have inspired, motivated and shown the best of humanity. Despite the personal risks involved, they have selflessly shown up at work to keep things moving and to keep Singapore safe. Their professionalism and sense of responsibility and dedication to their work truly inspire the rest of us to also do our part and put our best foot forward and to contribute in our own way to fight against the pandemic.

What advice would you give to women looking to start a career in cybersecurity?

Push aside any self-limiting beliefs, have confidence and never give up. Cybersecurity is constantly evolving; there are new technologies, new threats and new things to discover every single day. It is important to be updated on the latest trends to ensure that we are able to put up the best defence. Never stop learning, keep learning, keep upgrading and growing your knowledge and experience.

If you could sum up your life motto in one sentence, what would it be?

The sky’s the limit! If I don’t succeed at first, I will continue to try again and again and again.