Cybercrime has changed drastically in the last two decades. It was once a “hush hush topic”, but cybercriminals now operate like large conglomerates, complete with payment processing platforms and service hotlines for their victims.
Cyber defence has had to evolve as well. One big change is that organisations have to be more careful about which users and products they trust, says Huang Shao Fei, a leading cybersecurity expert in Singapore. Attackers have abused trusted, legitimate software and its update channels to deliver malicious code, as seen in the SolarWinds breach disclosed in late 2020.
Huang currently leads the Singapore Computer Society’s Cyber Security Chapter, and is also the Land Transport Authority’s Chief Information Security Officer. He discusses the importance of understanding and embracing a zero-trust approach and the opportunities for growing the nation’s cybersecurity talents.
Four tips for zero-trust
Huang shares four tips for organisations looking to adopt a zero-trust approach to cybersecurity.
First, security chiefs must know what the “crown jewels” are in their organisations, Huang says. Organisations do not have infinite resources and money to secure everything. Knowing who is accessing the most valuable data, and how it is being accessed, helps to balance risks.
Second, organisations should assume they have already been breached and direct their resources towards proactive security. Many security chiefs focus their limited resources on meeting compliance requirements and on preventive measures, even as attacks become more sophisticated and evasive, he says.
Third, security teams need to understand that zero-trust is not a one-size-fits-all solution, but a concept for proactive security, Huang emphasises. Some cybersecurity firms have picked up “zero-trust” as a “marketing buzzword”, leading organisations to buy “zero-trust” security solutions without the long-term defence strategy they need, he notes.
Huang believes that cybersecurity threats today are rendering many traditional security measures less effective. “We need to pivot and brace ourselves for greater velocity, volume and variety of cyber attacks in the days and months ahead.”
Lastly, cybersecurity must be practical, and tie in with the objectives of the non-IT staff in the organisation. “If we start the zero-trust conversation as a systems or IT problem, we might end up losing the relevance of cybersecurity to the business.”
Advice to CISOs
It isn’t always clear whether cybersecurity investments are worth it. As with buying insurance, allocating a budget for cybersecurity does not necessarily mean the organisation will be fully cyber-secure, Huang explains.
The trade-offs between ensuring security and delivering good services need to be part of the ongoing discussion between Chief Information Security Officers and their organisation’s leadership.
Security chiefs also need to adapt to the “new normal” of cybersecurity threats, or risk burnout in their security teams. Huang highlights the importance of creating a “safe to fail” environment: security chiefs need to prepare their teams and ensure that even if a system fails, the failure does not cause significant damage.
Growing the cybersecurity talent pool
To bolster its cyber defences, Singapore needs a larger pool of cybersecurity talent and skilled professionals. The Cyber Security Agency of Singapore set out a masterplan in 2019 to grow the nation’s talent pool, and IBM launched a programme last year to train about 800 mid-career professionals in AI and cybersecurity.
Huang believes in “paying it forward” to grow Singapore’s cybersecurity talent pool. But he observes a challenge facing aspiring cybersecurity professionals: companies prefer to hire people with hands-on, technical cybersecurity experience and skills.
“We need to be more open-minded as cybersecurity is not just a technical domain today. The industry must be more inclusive, and offer opportunities for diverse contributors and future generations of digital-natives.”
Huang says organisations can consider apprenticeship models, where students carry out their final-year project with a company and get offered a year-long contract. Singapore’s Institute of Technical Education is running a similar model.
Attracting people to join the industry is only half of the challenge in addressing the cybersecurity talent shortfall; keeping them in the industry is the other half, he adds. Organisations can offer cybersecurity professionals opportunities to grow and develop their careers in roles across the organisation.
Given that cybersecurity has now “come of age” and become a priority for almost all industries, the workforce needs accredited cybersecurity practitioners, he says. The Association of Information Security Professionals, for instance, runs a programme to help companies assess and validate the credentials of cybersecurity professionals in Singapore.
Huang is paving the way for aspiring cybersecurity professionals who hope to follow in his footsteps. These professionals, adopting a proactive zero-trust security mindset, will help firm up the defences that protect Singapore’s cyberspace.