CISO at Singapore’s Prime Minister’s Office talks security transformation

As one of the most connected cities in the world, and among the first to roll out a standalone 5G network, Singapore continues to invest heavily in scaling up its digitalisation. Earlier this year, the government set aside a total of SG$200 million for efforts to build digital capabilities among workers and businesses over the next few years.

As enterprise technologies continue to evolve at a breakneck pace, the government has underscored cybersecurity as an imperative component of any digital transformation effort. This was part of the Case Study on “Embedding Cybersecurity into the Digital Transformation Process” presented by Gabriel Foo, CISO of the Prime Minister’s Office & Smart Nation and Digital Government Office, during the IT Security Frontiers 2022 online conference, organised by Jicara Media.

“As the public service drives towards the goal of being a digital government, we recognise that being a fully digital government cannot be achieved unless cybersecurity is considered from end to end, as it helps us to safeguard our smart nation growth by keeping our systems and networks secure at the national level,” Foo said.

In Singapore’s digital government blueprint, which was developed in 2018, risks to data privacy and data security were among key considerations moving forward, he noted.

“The vision is to create a government that is digital to the core, where even though we are not physical, but in the digital space, a digital government is able to build stakeholder-centric services—stakeholders being citizens, businesses, and even internally as public offices,” Foo explained.

“In Singapore, transacting with the digital government will be easy, seamless, and more importantly, secure, and our public offices will then be able to continually upskill ourselves internally, adapt to the new challenges that (we are) presented (with), even in this COVID situation, and to work more effectively across our agencies, as well as with the citizens of Singapore,” he added.

What is digital transformation?

Digital transformation can mean many things to different organisations. A large enterprise may decide to shift from on-prem to public cloud, or a mid-sized company may suddenly want to automate its HR processes. Both examples constitute digital transformation, but on a national level, what exactly does the term mean?

“Digital transformation is the integration of digital technology in all areas of businesses, and fundamentally changing how we operate. It’s also a cultural change that requires an organisation to continue to challenge the status quo, experiment, and get fit, (while being) comfortable with the failures along the way,” Foo explained.

But why must organisations integrate cybersecurity in any digital transformation journey?

“Digital data is now changing at a more rapid pace than it ever did before in the last 10 or 20 years, and it continues to evolve. Data privacy and cybersecurity laws need to be continually complied with, or organisations may face hefty penalties,” Foo said.

Aside from massive fines, companies also need to be aware of the emerging security risks associated with the technologies that are coming out of the woodwork. 

“We’ve talked about IoT, we’ve talked about cloud computing—these are technologies that radically change the way businesses operate, and also introduce new sets of risks and vulnerabilities along the way. These never needed to be (seriously) considered previously,” Foo said.

“Because of the redesign of business processes and increasingly connected environment, supply chains are no longer straightforward. Now organisations no longer work with one or two single parties. Now organisations, in order to provide the digital experience, will need to work with multiple parties. This presents the need for (tighter) cybersecurity, as vulnerabilities may arise from this increasingly connected environment,” he added.

Cybersecurity approach

According to Foo, one of their approaches to cybersecurity is through a tripartite cooperation between the government, businesses, and the people with digital know-how.

“We realised that we cannot omit one of the three parties in this journey, because what will happen is that you will have missed opportunities. You will not be able to digitally transform your business to the maximum if you do not involve people who have the digital know-how and cybersecurity practice. You will also have wasted money,” he said.

The security expert then enumerated five key areas of focus in integrating cybersecurity into digital transformation:

  • Leadership and governance
  • People factor
  • Risk management
  • Business continuity
  • Regulations and compliance

According to Foo, while it is also important for rank-and-file employees to rally behind security initiatives, getting the support of C-suite executives is paramount.

“Cybersecurity at the executive leadership will set the tone and pace at which cybersecurity can be successfully integrated. Now, the leadership will also give us a broader perspective on the bigger picture, and keep our team focused and cognisant of gaps that we may have otherwise missed,” he said.

Meanwhile, one of the possible hurdles to security design and implementation, Foo said, is the internal stakeholders themselves.

“Your people will definitely not make your digital journey easier. In fact, it may even derail your journey. You really need to create that trust, that (these) cybersecurity efforts are meant to improve the digital journey, (rather than) impede them. (But since people are) also (the) biggest assets, creating awareness and making sure that security focus has multiplier effects (are important). As we can see, the recent spate of ransomware and scams are really focused on the people factor itself.”

In order to have effective risk management, organisations must optimise risk, he added.

“We actually focus on security-by-design principles at the onset of our projects and digital journey. We’re not focused solely on our digital or even physical assets, but also consider people-process-technology holistically, through our end-to-end digital efforts. Not including the right people in managing risk will also be something that we look at, because we want to ensure that the right authority, and the domain experts are there to be accountable and responsible for their respective risks.”

Furthermore, Foo emphasised that a resilient business is key to any digital business. Hence, security must be in aid of the business continuity plan.

“Our focus here is really to make sure that your BCP efforts are truly aligned with the digital transformation as you move up this digital journey. And along the way, you continue to build trust by engaging the people, through constant exercises in the digital transformation and business continuation journey.”

Last but not least, while compliance with laws and regulations will help avoid most security risks, how can enterprises enact a proactive culture among their employees?

“As evident with changes in the technology, as well as vulnerabilities and the threat landscape, laws will continue to evolve. Not being cognisant of these new laws could mean hefty penalties for us. Suddenly, it won’t make sense to check all the digital efforts in keeping to laws and regulations. So we really encourage and incentivise our people to perform regular self-assessment. And of course, we do conduct continuous awareness sessions to keep our organisation up to date on relevant regulations, and keep everyone abreast of any changes to regulations and laws pertaining to data and cybersecurity,” Foo said.

Digital migration

For organisations looking to embark on their digital transformation journey, Foo has laid out several pointers, particularly on the issue of migrating from legacy security processes and solutions.

“We came up with a list of what we have, and where we want to go. The whole maturity journey itself involves us saying ‘what it is’ and ‘what is to be.’ Then along the way, we designed projects around how to get there, to meet that digital transformation journey. It doesn’t have to restart from zero; it can start from something which you already have. Look at the maturity of tools or the system that (you) have in place. How does it meet up to the digital transformation?” he said.

“It is a maturity program that we have put in place. It’s not a one-year or two-year program, but it’s a continuous annual process where we look at how to meet these goals with stakeholders,” he concluded.