THE
MCI (P) 100/09/2019
CYBERSECURITY SEEKS DIVERSITY 02 Decoding the Future of Cybersecurity 06 What is in a Cybersecurity Career
SOCIETY
08 Say “Hi” to Superhero of the Digital Age
The Magazine of the Singapore Computer Society
10 Teo Chin Hock Explains Why Cybersecurity is Essential to Our Smart Nation Vision
Issue
03 2019
Contents Vision To be the leading infocomm and digital media professional society in Singapore
Mission
EDITOR’S MESSAGE
POWER BOOST
01
15
Are We Truly the Weakest Link in Cybersecurity?
16
Ways to Stay Ahead of Cyber-attackers
THE BIG IDEA 02
Decoding the Future of Cybersecurity
06
What is in a Cybersecurity Career
08
Say “Hi” to Superhero of the Digital Age
Lead the Way To lead and contribute to the vibrancy and growth of Singapore’s infocomm and digital media industry
Add Value To add value to the infocomm and digital media professional’s career and personal development
Cybersecurity is Hiring
SPOTLIGHT 10
Teo Chin Hock Explains Why Cybersecurity is Essential to Our Smart Nation Vision
12
Tay Bee Kheng Speaks About Resolving the Cybersecurity Talent Crunch
#LATEST@SCS 19
SCS Golf Day 2019
21
Winners of Best Tech Company to Work For Award 2019 Revealed
22 Tech3 Forum 2019: Digital Economy
GEEK SPEAK 25
Why Cybersecurity Seems Like Mission Impossible
Be the Voice To engage and be the voice of the infocomm and digital media community
This issue is published in collaboration with
10
12
The Magazine of the Singapore Computer Society
Back to Contents
FROM THE EDITOR’S DESK
9:41 AM
We are Hiring!
T
he word is out. The tech industry is on the hunt for cybersecurity professionals. It is no secret that there is a growing demand for cybersecurity professionals in Singapore and around the world. As you will hear from Dr Ong Chen Hui – a veteran cybersecurity professional with Trustwave, cybersecurity presents many growth opportunities in both your career and personal development. This excitement is similarly echoed in the words of our cybersecurity youths when they share their journeys of self-discovery and aspirations for their future career. Of course, with security at stake, one can imagine that cybersecurity is serious business – not for the faint-hearted. It requires passion, perseverance and a repertoire of skills; or as some will call them – superhuman capabilities. On a deeper level, cybersecurity is not a new concept – just think antivirus software in the 1980s. But thanks to the increasing pervasiveness of tech, threats are multiplying in numbers and complexity. Therefore, rightly so that Teo Chin Hock, Deputy Chief Executive
EDITOR Tan Teng Cheong CONTRIBUTING WRITERS Ben Chua Vladyslav Koshelyev Alwis Lim Sean Low Dr Ong Chen Hui Tan Pei Si Tan Teng Cheong EDITORIAL SUPPORT Claudia Lim
ADVERTISING SALES & ADMIN Claudia Lim For ad sales enquiries, Tel: 6226 2567 ext 12 Email: claudia.lim@scs.org.sg Mailing Address 53 Neil Road Singapore 088891 EMAIL scs.secretariat@scs.org.sg EDITORIAL & DESIGN Lancer Design Pte Ltd
of Cyber Security Agency, sees the importance of taking a total approach towards building a healthy cybersecurity ecosystem. To which, Tay Bee Kheng from Cisco Systems affirms that both Institutes of Higher Learning and companies play equally important roles. Indeed, employers are central to enabling opportunities for a more diverse cybersecurity workforce. Their commitment underpins the realisation of a healthy, inclusive and growth-conducive work environment and, more importantly, the success of a thriving cybersecurity community. Enough said – there is a future in cybersecurity. But if you are still curious about what a career in cybersecurity offers, this issue will lend insights to help in your exploration – and possibly landing a cybersecurity job eventually. Have fun reading! TAN TENG CHEONG Editor Fellow, SCS tan.teng.cheong@scs.org.sg
FEEDBACK We value your feedback for this magazine. Simply email scs.secretariat@scs.org.sg with your comments to help us produce an even more interesting and relevant magazine for you in subsequent issues. You are welcome to submit articles for inclusion consideration. For advertising enquiries, please call 6226 2567 or email scs.secretariat@scs.org.sg. The IT Society is the official publication of the Singapore Computer Society. Any part of this publication may be reproduced as long as credit is given to the publisher, Singapore Computer Society. All views expressed by contributors are their own and do not necessarily reflect the views of the Society.
01
02
THE BIG IDEA
THE IT SOCIETY / Issue 03/2019
Back to Contents
THE FUTURE OF CYBERSECURITY:
Decoded
Darkened room. The back of a person wearing a hoodie furiously typing away on a keyboard. Is that what comes to mind when you think of a career in cybersecurity? Well, this cool, clichĂŠ image popularised by movies such as Mr Robot, Blackhat and Hackers is far from reality and certainly not the main lure of careers in cybersecurity. Then, what is? Perhaps the following three young aspiring cybersecurity professionals can offer some insights.
What Made Me Fall in Love with Cybersecurity – Again and Again Many people will either not take the ambition of a 14-year-old seriously or completely dismiss it. Unsurprisingly, my parents were among these naysayers. But with my passion, perseverance and determination, I have proven everyone wrong.
T
hese days, it is no secret that everybody wants to join cybersecurity to secure a good, promising future. However, my motivation to join the industry stems from a different place. THE BEGINNINGS OF MY LOVE FOR ALL THINGS TECH As a kid, I was always intrigued by all the cool thingamajigs that superheroes like Ultraman and Power Rangers use to fight off evil monsters and do good. Fast forward to two years ago, I decided
that while I probably cannot become a superhero, I could come up with gadgets that even superheroes would be proud to use. TASTING FIRST FRUITS OF SUCCESS My journey into tech and, more specifically, cybersecurity can be traced to my June school holidays in 2017. I went into front-end web development on a freelance basis after self-learning HTML, CSS and Javascript. I had lots of fun and was getting paid for it. Naturally, I fell in love with designing and creating websites.
The Magazine of the Singapore Computer Society
ALWIS LIM WEI YAO (16 years old) Secondary 4, Chung Cheng High School (Yishun) Successful Early Admissions Exercise to Diploma in Infocomm Security Management, Singapore Polytechnic
WINNING OVER OBJECTIONS Deciding to pursue this interest more seriously, I shared with my parents my intention to enrol in Diploma in Information Technology. Doubtful of my technical ability, they were unsupportive. Unfazed, I registered for Google Code-in – an annual international competition incepted in 2010. I eventually emerged as one of 54 Grand Prize Winners – out of over 3,000 participants from 77 countries – to be invited to Google’s Headquarters in Mountain View, California for a fully sponsored trip; I am also Singapore’s third youngest person to win the competition. Most importantly, I earned my parents’ support! DISCOVERING A PASSION FOR CYBERSECURITY Around this time, I read an article about network security and got curious. That led to my learning to crack my own Wireless Application Protocol (WAP) password, analysing network packets and protecting myself from WAP attacks. My newfound knowledge that there are at least a dozen of different attack vectors and nearly an infinite number of ways to exploit these vectors was both an amazing and an intriguing realisation. I love the idea that there are new systems to be protected and new solutions to be found every day – no day is the same. I changed course to pursue a Diploma in Information Security Management instead.
Back to Contents
GETTING SERIOUS ABOUT CYBERSECURITY LEARNING Earlier this year, things took a more serious turn when my school’s computing teacher signed me up for the June 2019 edition of the Youth Cyber Exploration Programme (YCEP). It is the biggest one yet, with participation from all five polytechnics and Cyber Security Agency of Singapore (CSA) hosting the Central Capture-the-Flag (CCTF) competition. Leading up to the Capture-the-Flag (CTF) competition at Singapore Polytechnic (SP), I had an exciting three days – learning about Attack-Defense, Cryptography, Cyber Kill Chains and more from studentlecturers at SP who were enthusiastic, engaging and knowledgeable about the contents. Then came the CTF competition. While my prior HackNTU experience came in handy, we still got stuck now and then. Each time, we would discuss, experiment and look for similar test cases online – the dynamism in cybersecurity is just incredible! After coming in second in the competition, our team was selected to proceed on to the CCTF competition – wow! CCTF was a level up and we had to learn SQL injection, new tools and file upload vulnerabilities. In the end, although we did not win in the “Teams” category, I came in first in the “Individuals” category. More significantly, the experience was enriching – I had learnt to be a better person, a better team player and a better hacker.
THE BIG IDEA
03
TAKING CYBERSECURITY LEARNING TO THE NEXT LEVEL Thanks to YCEP, I have gained a better understanding of the small but growing community and found people sharing the same passion for cybersecurity. I have also made many new friends, networked with fellow participants, mentors and lecturers whom I’ve kept in touch with. The latest development is that I have received my Early Admissions Exercise (EAE) confirmation and am accepted by SP for the Diploma in Infocomm Security Management. I still have a long way to go in cybersecurity. But by taking a piece of every pie – network security, website security and application security, I hope to find my specialisation in the next three years. Perhaps I will, perhaps I won’t. However, one thing is for sure – I love and I will be in cybersecurity. PUTTING CYBERSECURITY CAREERS IN PERSPECTIVE If you are considering to join cybersecurity because it is popular now, don’t. But if you’re genuinely passionate about security, and defending systems that everyone uses every day, then you should join programmes like YCEP – go for them, go for every one of them, you will learn more than you expect. You should also continue learning outside of these programmes. The journey may not be easy, but it will be fun – I am having fun.
continue on next page
04
THE BIG IDEA
THE IT SOCIETY / Issue 03/2019
Back to Contents
How I Went from Knowing Nothing About Cybersecurity to Championing Its Cause For youths who have grown up with little interaction with tech, cybersecurity is a removed concept and an even less interesting career prospect. For me, my appointment as the cyber wellness ambassador in secondary school seeded my passion for cyber awareness – and cybersecurity.
BEN CHUA (18 years old) Year 3, Diploma in Infocomm Security Management, Singapore Polytechnic
W
ith almost no background in technology, I took a big risk when I decided to apply for Diploma in Infocomm Security Management at Singapore Polytechnic (SP). But I have never regretted that decision because my struggles have made my journey richer. GOING FROM CYBER IGNORANT TO CYBER AWARE I became passionate about cyber awareness when my appointment
as a cyber wellness ambassador in secondary school required me to research on cyber safety and cyber hygiene, and share these knowledge with my schoolmates. My interest was further piqued after coming across terms like “cyber wargaming” at a career talk later. After ‘O’ levels, uncertain about my next step, I took a leap of faith and applied for Diploma in Infocomm Security Management at SP. SEEING THE NEED TO MARRY CYBERSECURITY AND PSYCHOLOGY CONCEPTS While the thrill of hacking into a machine and the ideation of solutions to solve cybersecurity issues excite me, I am more fascinated by humans’ role in cybersecurity – because all it takes is for one person to click on a phishing link to compromise the best cyber defence solution. And after taking a Diploma-plus in Applied Psychology, I am even more convinced about the importance of user education – the variable administrators have least control over.
HOPING TO SHARE MY EXPERIENCE WITH JUNIORS I have been involved in the Youth Cyber Exploration Programme for two years now. I am touched to see so many secondary school students sacrificing their holiday to attend the programme. It speaks volumes of their hunger to learn and interest in cybersecurity. That is how I came to start a still-to-be-named community – I was inspired by their passion and potential. I also wanted to help youths like me by providing them with a platform to explore and learn cybersecurity concepts together. More information on this community will be shared towards the end of 2019. GIVING ADVICE ABOUT DOING WELL IN CYBERSECURITY Given that I had little tech knowledge when I entered my course – and I can do it, I am sure anyone who puts their heart to it can do just as well. Technology today is moving so fast that a patch today could be an exploit tomorrow. Hence, no educational institution can fully prepare you for a career in cybersecurity – diligence, perseverance and passion to learn more every day is key.
The Magazine of the Singapore Computer Society
Back to Contents
THE BIG IDEA
From Easy Target to Protector – My Journey in Cybersecurity Like most 9-year-old kids who accidentally downloaded malware that crippled their computer system, I panicked. But something also stirred in me. The stirring became stronger when I stumbled across hardware security expert Joe Fitzpatrick’s blog.
times I rebooted the computer. From then on, I trod around anything tech with care, until I read about how Joe Fitzpatrick hacked hardware like Nikon camera accessories. It sparked my interest and continues to develop and grow – till this day. TAN PEI SI (19 years old) Data Centre Technician, Google
N
obody is born to be a cybersecurity professional. I can attest to that – because it was far from love at first sight for me, and more like a battle of wills. But that’s history. Today, I look forward to diving deeper and learning more about malware analysis and hardware hacking. MY FIRST BRUSH WITH CYBERSECURITY All I remember was seeing the blue screen of death no matter how many
MY GOAL TO PURSUE CYBERSECURITY AS A CAREER When I found myself going through different ransomware samples and analysing their impact on virtual machines – despite not being able to read a single line of code – during my free time in secondary school, I knew pursuing cybersecurity as a career is what I want to do eventually. MY EXCITEMENT IN MEETING LIKE-MINDED ENTHUSIASTS I am always curious about people who are as passionate as I am about cybersecurity, and I cannot wait to hear their take on the industry. I never fail to learn something new from their experiences and our exchanges – so it’s really exciting.
I didn’t use to know anyone until I started attending conferences and meetup groups (especially Division Zero). That’s how I meet professionals who give great advice, boost my confidence and provide certainty to my career direction. Most of us in the cybersecurity community are friendly, so come up, say “hi”, and ask questions. Everyone starts out that way. ONE REALISATION ABOUT CYBERSECURITY If you are really interested to do well in cybersecurity, you need to keep trying even if you’ve failed multiple times. It’s not unusual for me to find myself stuck in challenging situations where the task seems unsurmountable and I feel I lack the skills to resolve. Sometimes, I also end up failing to complete tasks, but each time, I always learn something – skills that I would have missed out on if I didn’t try. So, don’t give up. Also, don’t be afraid to approach others!
05
06
THE BIG IDEA
CYBERSECURITY:
Making a Career of IT
Back to Contents
THE IT SOCIETY / Issue 03/2019
Over the course of a 20-year career, I’ve seen cybersecurity grow and develop into a major global industry, against the backdrop of a rapidlychanging threat landscape. But one thing has remained constant throughout my professional journey, and that’s my love for the job. An increased demand for cybersecurity services around the world means that there’s never been a better time to pursue a career in this dynamic field.
The Magazine of the Singapore Computer Society
DR ONG CHEN HUI Member, SCS Senior Director, Emerging Security Technologies, Trustwave
Back to Contents
THE BIG IDEA
THE WORK WE DO IS IMPACTFUL At its core, cybersecurity is about protecting people and vital infrastructure from harm and one key area of focus is in industrial control systems (ICS). My team and I are tasked with creating solutions to protect ICS, thereby ensuring that critical infrastructure such as industrial devices and networks is resilient and secure. We are also building tools to analyse how threat groups are behaving and changing, enhancing the effectiveness of the global security monitoring centres of Trustwave. The work we do is impactful. Recently, our researchers identified a vulnerability that led to an equipment manufacturer issuing security advisories to its customers worldwide.
Across the industry, there is a global shortage of trained cybersecurity experts, and studies have projected a shortfall of a few million practitioners over the next few years.
As the lead for the Emerging Technologies team at Trustwave, my focus is on identifying cybersecurity needs in emerging technology domains. My job requires me to provide insights and make strategic recommendations that align with business goals. Besides technical know-how, I take into account business objectives, customers’ needs and market realities, to successfully deliver services and solutions. Building commercially viable cybersecurity products requires an environment where new products can be incubated and distributed globally, and a platform which brings together people in research, engineering, product leadership and those with business acumen.
Within my team, I’ve seen, firsthand, the benefits of having people from diverse backgrounds and perspectives. Several are mid-career converts, proving it’s not impossible to switch directions and pursue something you’re passionate about. We have software developers who are now Offensive Security Certified Professionals, industrial control engineers who front our consulting engagements, and data scientists who work on cybersecurity-relevant models. 30% of my team are women, and we aim to boost that number as we build up the business. I value the diversity of my team because their different backgrounds enable us to look at problems with fresh perspectives and develop tools that better cater to the evolving needs of our customers.
As the world gets hyper connected and more digital, more cybersecurity technology solutions and services will be required to protect businesses against increasingly sophisticated and complex threats. Given this changing landscape, my team has since moved beyond our initial focus on ICS security to concentrate on cybersecurity data science, automotive security and 5G security.
A CAREER IN CYBERSECURITY IS EXCITING A career in cybersecurity is exciting and there is always something new to learn. In fact, there is great flexibility to experience different roles and industries. There are roles, in the public and private sectors, catering to different inclinations and aspirations, be it in deep technical expertise, consultancy or in leadership and management. On a personal note, I’ve gained invaluable skills over the years, working in defence R&D, consulting, product engineering, applied research and now, management.
As we grapple with a future that’s digital and hyper connected, we need more people to become cyber professionals. So come on over, join us and let’s make an impact!
07
08
THE BIG IDEA
Back to Contents
THE IT SOCIETY / Issue 03/2019
AGENT 0101:
Superhero of the Digital Age
VLADYSLAV KOSHELYEV Member, SCS Academy Lead, Facebook Editor, Two Footsteps
For years, millions of people immersed themselves in stories about special agents, and are mesmerised by characters such as James Bond, Beatrix Kiddo and Jason Bourne. Today, Agent 007 has become the archetype for someone who fights powerful and cunning villains, often facing great odds, but ultimately prevails – thanks to exceptional wits, resourcefulness and, of course, advanced tech. Unsurprisingly, the charming appeal of the figure is driving many to secretly wonder what it would be like to have a similarly exciting and thrilling job.
F
or much of human history, jobs of security specialists entail physically operating in the domain they are securing – travel to a faraway city, safeguard the location, then neutralise the suspect. As the world becomes more digitally connected, security has a new added dimension. Securing the digital infrastructure has become just as important as the world outside the window, if not more – lower your guard and an intruder will infiltrate the network, copy valuable trade secrets, steal hard-earned money and even compromise the security of your physical environment which is increasingly filled with objects connected to the net.
However, unlike Agent 007 who roams the streets in a luxury supercar, Agent 0101 – our present-day agent – brandishes a sleek laptop to patrol virtual realms for signs of hackers.
SUPERHEROES WANTED Cybersecurity is rapidly becoming one of the most exciting fields in technology. As an emerging discipline, its constant evolution offers many opportunities for growth. Combined with heightened awareness of its importance, cybersecurity specialists are in high demand and greatly valued by organisations. No wonder so many tech professionals are showing keen interest in cybersecurity. Question is, what does it really take for one to have a successful career as Agent 0101? SUPERHUMAN SKILLS NEEDED Cybersecurity is a complex discipline that often requires a combination of very different skills.
The Magazine of the Singapore Computer Society
Back to Contents
THE BIG IDEA
09
TECHNICAL KNOW-HOW
BUSINESS SAVVINESS
INTERPERSONAL SKILLS
To start with the obvious, technical knowledge is essential for someone operating in the digital domain.
Yet, technical excellence is just one part of the cybersecurity skill set. After all, safeguarding complex networks calls for a complete approach.
This leads to two other important traits of the cybersecurity expert – emotional intelligence and people skills.
A solid insight into how organisations operate, their structure and the way they conduct their business ensures that devised solutions are tailored to meet the organisation’s needs and achieve optimum impact.
Empathy for the motivations, psychology and thinking behind hackers’ actions helps the cyber-agent to stay one step ahead and beat them at their own game.
A good understanding of cloud technologies and Internet of Things is becoming crucial since many companies are increasingly relying on distributed computing.
An appreciation for the processes that are essential for their success, as well as what makes them vulnerable arms the agent with a good grounding of not only the “How” but also the “Why” of a potential attack and move fast to mitigate or prevent it.
Being a strong communicator is handy when it comes to explaining complex aspects of the job to colleagues, put everyone on the same page, get necessary resources and enjoy a faster career progression.
SUPERSIZED SATISFACTION GUARANTEED As we see, just like Agent 007, the job of Agent 0101 offers an incredible mix of fun and excitement. Be warned though that the job also has its share of challenges
and demands, like ceaseless learning and mastering of new skills. The good news is, for those of you who can rise above it all, you will have a chance to embark on an adventure just as thrilling as one of Ian Fleming’s books.
A strong grasp of programming languages such as C++, Java and PHP is fundamental for a sound understanding of what is going on in the system back end.
Knowledge of how malware works enables the guardian to identify threats and secure networks in times of crisis.
Indeed, to do well in this field, you will need to be a technologist, a consultant and a people person all at once – just like superheroes with their supernormal powers.
10
SPOTLIGHT
THE IT SOCIETY / Issue 03/2019
Back to Contents
A VIBRANT CYBERSECURITY ECOSYSTEM:
The Foundation of a Secure Cyberspace TEO CHIN HOCK Deputy Chief Executive (Development), Cyber Security Agency of Singapore (CSA) Age: 62 Earliest Tech Experience: Air Force engineer, developing command, control and communication, and intelligence system for the Air Force Currently Reading: “That Will Never Work: The Birth of Netflix and the Amazing Life of an Idea”, Marc Randolph Pet Topic of the Moment: Blockchain and cryptocurrencies Favourite Way to Relax: Surfing the web
Just as the stability of any infrastructure lies with its foundation, Singapore’s ambition of a Smart Nation depends on a robust cybersecurity ecosystem, to ensure the reliability and security of our digital infrastructure. Overseeing key development areas in Singapore’s cybersecurity, Teo Chin Hock, Deputy Chief Executive (Development) of Cyber Security Agency of Singapore (CSA), explains to The IT Society what it takes to build a thriving ecosystem and CSA’s role in advancing Singapore’s Smart Nation vision. Q: Question, CH: Chin Hock Q: Why is it important for Singapore to build up a vibrant cybersecurity ecosystem? CH: Cybersecurity is a key enabler for Singapore’s Smart Nation initiatives. We can only reap the benefits of technology if our systems can be trusted. To support Singapore’s cybersecurity needs, we need a vibrant ecosystem consisting of a sustainable pool of skilled cybersecurity talents, technologically advanced companies and strong research performers. Cybersecurity is a field that will open up opportunities in the digital economy, with an expected market growth of S$3 billion by 2030. With advanced infrastructure and a highly skilled IT workforce, Singapore is wellplaced to build a vibrant cybersecurity ecosystem.
Q: What steps have CSA taken to foster a healthy cybersecurity ecosystem? CH: CSA recognises that there is a current shortage of cybersecurity professionals, and is drawing from different talent pools to address this. Initiatives such as the Singapore Cyber Youth Programme (SG Cyber Youth) provide students with early exposure to cybersecurity through training camps, competitions and learning journeys, and encourage them to consider it as a career. Students who are keen to pursue technology roles within the public service may also receive support through the Smart Nation Scholarship. Fresh graduates and mid-career ICT and STEM professionals also have opportunities to be up-skilled for the cybersecurity profession through the Cyber Security Associates and Technologists (CSAT) programme.
Cybersecurity requires both men and women with varied experience and perspectives to tackle challenges effectively. As such, we encourage more women to come forward to join the profession. At the Singapore International Cyber Week (SICW) 2019, CSA coorganised the first Women in Cyber event, where women cybersecurity leaders and practitioners gathered to share best practices on attracting more females to the industry and expand the talent pool. In addition to building up a skilled workforce, CSA has rolled out several initiatives to drive innovation in cybersecurity. This includes the launch of the Cybersecurity Industry Call for Innovation, where solution providers propose innovative ways to address the challenges faced by users. Selected proposals will receive funding under the Co-innovation and Development Proofof-Concept (CID-POC) funding scheme. We also collaborated with government
The Magazine of the Singapore Computer Society
agencies and enterprises to establish the region’s first cybersecurity entrepreneur hub, Innovation Cybersecurity Ecosystem at Block71 (ICE71) to develop and accelerate cybersecurity start-ups. The cybersecurity ecosystem has been further enhanced with our recent achievement as a Certificate Authorising Nation under the Common Criteria Recognition Arrangement (CCRA). This helps to boost the marketability of cybersecurity products developed locally through certification against a globally recognised quality standard. Q: How are the responses so far to your efforts in developing Singapore’s cybersecurity ecosystem? CH: Response thus far to our recent initiatives on innovation and manpower development have been encouraging. For instance at the Cybersecurity Call for Innovation in 2018, we received more than 70 proposals from 58 companies of which eight proposals have been awarded
SPOTLIGHT
Back to Contents
with funding. With double the available funding this year, we hope to have more cybersecurity solution providers coming forward to take up this challenge. Through the ICE71, about 200 mentors have provided guidance on go-to-market strategies to cybersecurity start-ups. The ICE71 have also organised 40 events and reached out to more than 50,000 members of public in less than a year. Since January 2019, 6 evaluation laboratories, including laboratories that are globally recognised, have been approved to perform product evaluation under the Singapore Common Criteria Scheme, and several cybersecurity products have since been certified locally. In terms of manpower development, responses to our programmes have been encouraging as well. We saw increased participation in the Youth Cyber Exploration Programme, a key programme under SG Cyber Youth, from 100 secondary school students last year to around 400 students this year. The goal is to reach out to 10,000 students over the next 3 years. We also saw an almost three-
11
fold increase in applications for this year’s Smart Nation Scholarship. Q: What does it take to pursue a career in cybersecurity? CH: When most people think of a cybersecurity career, the mental image is typically that of a monotonous routine of staring at computers all day. In reality, a career in cybersecurity is far from monotonous. It is a dynamic field and it offers rich and diverse career paths. In the cyberspace, threats are ever evolving and becoming more sophisticated. Thus, we need people with sound technical skills, keen analytical abilities, and willingness to learn constantly in order to keep up with the fastchanging cyber threat landscape. It is also crucial that we have professionals in this domain who are forward-thinking to formulate cybersecurity strategies and policies, in addition to having communication skills to effectively engage the cybersecurity industry and public. The cybersecurity industry requires multidisciplinary competencies, and I welcome people who have what it takes to consider joining this meaningful profession.
“When most people think of a cybersecurity career, the mental image is typically that of a monotonous routine of staring at computers all day. In reality, a career in cybersecurity is far from monotonous. It is a dynamic field and it offers rich and diverse career paths. The cybersecurity industry requires multi-disciplinary competencies, and I welcome people who have what it takes to consider joining this meaningful profession.”
Everyone should care about cybersecurity because...
One should consider a career in cybersecurity because...
What is your hope for Singapore’s cybersecurity ecosystem? What keeps you going?
12
SPOTLIGHT
Back to Contents
THE IT SOCIETY / Issue 03/2019
THE CYBERSECURITY TALENT CRUNCH:
How Can We Satisfy the Hunger for Talent TAY BEE KHENG Managing Director, APJC Customer Experience Renewals, Cisco Systems (USA) Pte Ltd Earliest Tech Experience: Playing Street Fighter at the video arcade Currently Reading: Human, All Too Human by Friedrich Nietzsche and The Plague by Albert Camus Pet Topics: Psychology, philosophy and particle physics Favourite Way to Relax: Reading and running on the weekends
According to the Cyber Security Agency of Singapore (CSA), Singapore is set to face a potential talent shortage of 3,400 cybersecurity professionals by 2020. The IT Society finds out how we can tackle the issue and introduce more diversity into the industry from Tay Bee Kheng, Managing Director of Customer Experience Renewals for Asia-Pacific, Japan and China at Cisco. Prior to taking on this role in August, Bee Kheng was the Managing Director for Cisco Singapore and Brunei for three years. Q: Question, BK: Bee Kheng Q: Why does cybersecurity matter? BK: Singapore is making a push towards becoming a Smart Nation. The three key pillars that support the Smart Nation goals are: Digital Economy, Digital Government and Digital Society. The first is about adopting and embracing digitalisation across the economy. The second focuses on using data, connectivity and computing decisively
to transform the way citizens and businesses are served, and the way public officers are enabled to contribute fully to their work. Finally, a Digital Society is about ensuring all Singaporeans have access to technology that can enhance our everyday lives, and equipping people with the skills and know-how to use technology safely and confidently. The combination of these three will bring immense opportunities for everyone.
However, cybersecurity has to be the foundation on which these are built. New digital initiatives can only be sustainable and successful if they are secure and people have confidence in them being secure, not least because we are living in a hyper-connected world, where hackers have new opportunities every day to attack businesses, governments and consumers alike. Luckily for us, Singapore recognises this, and the government has taken various measures to ensure our digital efforts have cybersecurity embedded in them right from the start. Q: What is the biggest challenge facing the industry today? BK: One of the biggest challenges for the industry is the shortage of talent, which is a trend across the globe. Various estimates put the worldwide talent shortage in the sector between 2.5 million to 3 million security professionals in the next couple of years. Challenges exist in both capacity and capabilities. Certain skill sets such as systems architecture design, behavioural analytics, and digital forensics are in short supply. There is also inadequate expertise in cybersecurity support sectors, such as cyber insurance.
The Magazine of the Singapore Computer Society
Back to Contents
SPOTLIGHT
13
“In Singapore’s drive towards fulfilling its Smart Nation vision, there are plenty of career prospects for cybersecurity professionals. The future is bright and paved with exciting career opportunities.”
Perhaps that is one of the reasons why, despite cybersecurity being a topic of discussion for many years, many companies are still lagging in their preparedness. Cybersecurity needs to be foundational to all digital efforts in any company. While we have made good progress, there is a lot more that needs to be done. That is why we need the right talent. Q: How then can we overcome this barrier? BK: I think all key stakeholders, government, educational institutions and the corporate sector need to work together to address the issue. In Singapore, the government has launched various initiatives, such as the SG Cyber Youth and Smart Nation Scholarship, to help promote and increase awareness of cybersecurity as a career option. Educational institutions are also starting to offer more cybersecurity courses as part of their curriculum. In my opinion, the corporate sector has a huge role to play on this front, not least because of the technical expertise they have in the sector. At Cisco, we are working with 17 Institutes of Higher Learning through our Networking Academy to train students across the country. Since its inception, the Networking Academy has trained more than 60,000 students in the country, including almost 1,500 students who have taken cybersecurity courses, to date.
Q: Do you think these measures are sufficient to drive a healthy tech talent landscape in Singapore? BK: I do believe these measures will help. But I also think it is important that we sustain these efforts in the long run. Technology is changing and advancing at an unprecedented pace. This means that skill sets required five years from now, including in cybersecurity, could be very different from what is needed today. We need to ensure that we not only equip the future workforce with the relevant skills but also continue to retain and upskill the current pool of workers in the sector. This will be critical to ensure we have a strong talent pool with energy and innovative ideas to drive Singapore’s tech industry and Smart Nation vision forward in a secure manner.
being flexible with work arrangements. At Cisco, we empower employees to work any time, from anywhere and using any device. It is not surprising that our senior leadership team consists of many women. At the same time, instead of worrying about juggling family and work, women must have faith that they can do it – and just try. Only then can they truly find out what they are able to achieve.
Q: Much has been said about increasing the diversity of the tech industry’s talent pool. What is your take on it? BK: A diverse talent pool makes for better innovation and creativity, both of which are crucial to growing our tech industry. However, despite available opportunities, few women are joining the industry. For instance, at the recent session of the Youth Cyber Exploration Programme (YCEP) organised by CSA and in collaboration with all five polytechnics, only a handful of girls participated. It is critical that we make an effort to make cybersecurity more attractive to girls and women. One of the ways companies can do that is by
Q: What would you say to encourage youths interested in joining the cybersecurity industry? BK: My advice is simple: Don’t give up. I have found that the more time and effort you put in, the higher the possibility that opportunities will come knocking. Besides, there is never a dull moment in the industry. So, if you don’t want a boring and monotonous career, you should consider joining the cybersecurity industry. In Singapore’s drive towards fulfilling its Smart Nation vision, there are plenty of career prospects for cybersecurity professionals. The future is bright and paved with exciting career opportunities.
It is not just about gender diversity and inclusion. We should also adopt an open and learning mindset where hiring diverse talent is concerned. At Cisco, one of our colleagues from HR in Singapore decided to pursue a career in cybersecurity. He took the necessary courses, gained relevant knowledge and is now working full time with the cybersecurity team.
Mohd Izzat Bin Mohd Noor National Cyber Incident Response Centre
csa_recruit@csa.gov.sg
www.csa.gov.sg
The Magazine of the Singapore Computer Society
POWER BOOST
Back to Contents
15
The Weakest Link in Cybersecurity:
Our Greed and Fear It is not an understatement to say that we “live” on the Internet these days. First thing in the morning, we turn on our phone; last thing before we go to sleep – after saying “Good night” to family members – we check our phone. This is how connected (addicted?) we are to the Internet. But we forget – for all these to work, data (and instructions) is constantly flowing between our device and many unknown ones out there.
N
o wonder there are so many articles on how and what tools to use to keep one safe from cybersecurity threats. Rather than regurgitate what these articles share ad infinitum, I wish to highlight the proper mindsets and attitude to safeguard the weakest link – us. WE COULD BE THE NEXT VICTIM Yes, the Internet can be likened to the lion’s den, where dangers lurk. Bad guys are somewhere out there, and they’re constantly finding ways to do bad things and steal from us – even our identities. Hence, we should always be careful and mindful of our actions as we venture into the vast wilderness of the wild wild web. STAY CURIOUS AND CAUTIOUS We can find almost everything we need to know on the Internet. It is so convenient and readily available that many of us take for granted that everything on the Internet is true. But this is far from the truth – especially when the Internet is no longer just a domain for information sharing but also e-commerce
and trading where large amounts of money are spent and large fortunes are made. Nicely packaged traps touted as panacea and cure-all for anything from medical illnesses to instant wealth and fame are laid every day, all the time, with one sole purpose – for you to part with your money. Therefore be sure to remember that not everything you read and research online is true – stay cautious. DON’T JUST TRUST AND BELIEVE – VERIFY AND VALIDATE By now, all of us know what’s “fake news”. What’s not obvious though is that “fake news” is often created to serve a purpose. Rather than dismissing them as the work of bored minds, “fake news” is often the handiwork of scheming ones who are trying to influence election outcomes, incite racial disharmony and influence people’s opinions. It is common for them to be written (and reported) as “news” when in fact they’re persuasively written opinion pieces.
TAN TENG CHEONG Fellow, SCS Director, BetterIDEAS
IF IT’S TOO GOOD TO BE TRUE, IT PROBABLY IS Articles, videos, advertisements advertising “Get Rich Quick” schemes, and many others that promise wealth (and sometimes fame) are no strangers to most of us. Often, they are so well produced with photos, videos and even testimonials from people we know and trust that it is easy to believe their authenticity and part with our hard-earned money. Fortunately, many top political leaders and tycoons have stepped forward to disassociate themselves from these campaigns voluntarily. So, if something seems too good to be true, we must assume that it’s too good to be true indeed. Even though tools have been created to reduce “phishing”, scams and others, new scams continue to sprout and exploit our human weaknesses – greed and fear. And no amount of installing good and effective cybersecurity tools can help, unless we can curb these two instincts. Only then, can we truly stop being – The Weakest Link.
POWER BOOST
16
Back to Contents
THE IT SOCIETY / Issue 03/2019
6 Ways to Protect Your Business A silver bullet to solve all your company’s cybersecurity woes may never exist, but the 6 Essentials mapped out by the Cyber Security Agency of Singapore (CSA) come pretty close. Here are the 6 adapted ways:
#1: Know what your assets are As Sun Tzu says, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”. Similarly, in the cyber battle, defending starts with knowing what cyber assets your company owns.
CHECKLIST Make a list of all current IT equipment, software and cyber assets owned by the company Update the list (ideally automatically) to include new acquisitions
#2: Allow only authorised software to work Now that you have the whitelist of cyber assets, it becomes more accurate when detecting unapproved software (and hardware) running in your network. Prevent all unauthorised applications from running by practising application control.
CHECKLIST Install an application control solution that is integrated with anti-virus software Review the list of blocked applications periodically and remove all unnecessary applications Monitor and track all anti-virus alerts
The Magazine of the Singapore Computer Society
#3: Patch and update in a timely manner
Back to Contents
POWER BOOST
17
CHECKLIST Track software and firmware patches/updates for all devices on the company network
Those notifications reminding you to install new patches or updates might seem annoying, but don’t ignore them. They contain fixes for vulnerabilities or bugs that cyberattackers exploit, for example, to break into your network.
Test all patches/updates, on devices not linked to the company network, prior to deployment Update anti-virus definitions as soon as they are available Phase out outdated software that is no longer supported
#4: Be selective with admin accounts Users with administrator privileges (or admin) can do many things, like adding users and accessing sensitive data. Which means: if malware infects an admin’s account or computer, your network can be severely compromised.
CHECKLIST Review the privileges for all accounts
#5: Detect breaches promptly When it comes to cybersecurity (and many other things), speed is of the essence. Continuous monitoring and frequent reviewing of audit trails and security logs can help you detect – more swiftly – unauthorised access, modification or export of data. Hence, subsequent containment of damage and eradication of threat can take place earlier too.
CHECKLIST Enable users’ audit trail and security logging on all devices Restrict access to security logs to authorised users only Monitor and review security logs regularly for anomalies
Give users the minimum level of privileges needed to do their work effectively (not everyone needs to be an admin!) Ensure that admin accounts can only be accessed after passing through multi-factor authentication Monitor the use of all accounts, especially admin accounts
#6: Secure your network with multiple locks Besides scouting for weaknesses in your company’s network, cyber-attackers can crack weak passwords with ease. Multi-factor authentication serves as an additional line of defence to stop them from penetrating your network and doing damage.
CHECKLIST Enable multi-factor authentication, especially for users with privileged access For more comprehensive information and cyber tips for safeguarding your business, refer to CSA’s Be Safe Online: How to Defend Your Business Against Cyber-attacks at www.csa.gov.sg/gosafeonline/ resources/be-safe-online-handbook
Manage and audit the use of every authentication factor Configure accounts so that users gain access only when they get every authentication factor right
The Magazine of the Singapore Computer Society
#LATEST@SCS
Back to Contents
SCS Golf Day 2019: Great Times on the Greens
O
n 23 August, more than 180 avid golfers – beginners and enthusiasts alike – swapped out their office wear for specially designed SCS golf polo shirts and caps for SCS Golf Day 2019. As always, this year’s edition held at the Orchid Country Club was met with much excitement. Everyone brought their A game, going all out to claim the top spots. After spending a lovely day on the fairway engaged in friendly and competitive fun, the golfers adjourned to the Jade Foyer for a hearty, well-deserved dinner. There was plenty of good cheer when the second most anticipated segment of the day – the lucky draw – came around with attractive prizes worth close to $10,000 up for grabs. Winners walked away with the latest drones, tech gadgets and gift vouchers. Thank you to all SCS members, industry leaders and sponsors for your great support. Be sure to join us on the greens again next year!
Individual Tournament Prizes Dendro – Vanda Course
Vanda – Aranda Course
Aranda – Dendro Course
Winner
Bob Seth
Winner
James Ong
Winner
Francis Goh
2nd
Gilbert Tan
2
Dennis Tan
2
Raymond Chee
3rd
Peter Goh
3rd
Lee Chong Win
3rd
Vincent Loh
4
th
Lawrence Lim
4th
Ray Chan
4th
Darren Teo
th
Bernard Lai
5
Shaw Ngok Chin
5
Orlando Tan
Best Gross
Francis Goh
5
nd
th
nd
th
19
The Magazine of the Singapore Computer Society
#LATEST@SCS
Back to Contents
21
Winners of Best Tech Company to Work For Award 2019 Crowned
T
here is one common talent management trend across winners of the Best Tech Company to Work For Award 2019 – employee autonomy. Regardless of seniority or years of service, everyone is encouraged to have a voice (and are taken seriously) in initiating and driving growth, be it for the company’s interest or, more importantly, self-development. In addition, recognition is given to staff going out of their way to help others beyond work.
LARGE ORGANISATIONS
MID-SIZED ORGANISATIONS
START-UPS/SMALL ORGANISATIONS
• ThoughtWorks (Overall Winner)
• M-DAQ (Overall Winner)
• Web Imp (Overall Winner)
• HP Inc.
• ViSenze (Overall Winner)
• Rewardz
• Microsoft Operations • Singtel • Unity Technologies
• ShopBack
See details of the 10 Best Tech Companies to Work For 2019: http://bit.do/scsBTCaward2019
In its third instalment, the Best Tech Company to Work For Award is a biennial award SCS inaugurated in 2015. Check out this year’s top 10 Best Tech Companies “You get to be yourself, make your to Work For in the table on the right.
own decisions, drive initiatives you are passionate about and continue to learn. You have the freedom to follow your own career path.”
– A ThoughtWorks employee
(Photo Credit: The Straits Times)
Representatives from the Overall Winners of the Best Tech Company to Work For Award 2019. From left: Richard Koh (M-DAQ), Oliver Tan (ViSenze), Wong Wen Shun (ThoughtWorks) and Wilson Tan (Web Imp)
“M-DAQ staff are encouraged to check out if the grass is greener on the other side. And even when they leave, they’re welcome back any time. The ‘Boomerang Award’ is given to our staff when they come back. We build relationships beyond the terms of employment.” – An M-DAQ manager
“At ViSenze, staff are given the ‘Stitch Award’ for acts of care. As quoted from the Lilo & Stitch movie, ‘Ohana means family. Family means nobody gets left behind or forgotten’.” – A ViSenze employee
“Work-life balance pushes and motivates the team at Web Imp, keeping us laserfocused at work. A flexible working structure also allows us to take ownership of our work schedule as long as organisational and personal goals are achieved.” – A Web Imp director
Congratulations to the Top 10 Best Companies to Work For 2019
#LATEST@SCS
22
Back to Contents
THE IT SOCIETY / Issue 03/2019
Tech3 Forum Takes Stock of Journey Towards Digital Economy
D
igital transformation is a familiar topic among professionals in Singapore. After all, it comes up frequently in the news and is also widely discussed by the leaders of our nation. The topic came up again at the latest Tech3 Forum attended by close to 500 tech and non-tech professionals, including members from the Association of Chartered Certified Accountants (ACCA) Singapore, Singapore Academy of Law (SAL) and Singapore Manufacturing Federation (SMF). During his address, Mr S Iswaran, Minister for Communications and Information, said, “Singapore has
KEY TAKEAWAYS FROM TECH3 FORUM 2019
embarked on an exciting journey to realise our vision of a Digital Economy. We envisage a digital economy where every company is digitally empowered, every worker is digitally skilled, and every citizen is digitally connected.” The message is clear. Digital transformation is inevitable – and not an option. However, where are we in our journey to foster a Digital Economy; and what has to be done to take us there? Attempts to address these questions took place over the course of the oneday Forum – from the morning plenary featuring keynote speaker Prof Subra
Suresh from Nanyang Technological University (NTU) to a subsequent panel discussion moderated by Howie Lau from Infocomm Media Development Authority (IMDA), and three different workshop tracks focusing on Accounting Tech, Legal Tech and Manufacturing Tech. Notably, concluding Tech3 Forum 2019, everyone agreed that although technology advancements cannot be stopped in Industry 4.0, we need to be mindful of implications of technology on humanity and society at large – it is said that the next big technology trend is humanity.
Individuals
Organisations
There will always be jobs for you, and we should always invest time to learn, relearn and unlearn.
It’s time to look at an organisation-wide shift, or you might get disrupted before you know it. Think Kodak.
Tech3 Forum Organising Committee and Speakers
The Magazine of the Singapore Computer Society
#LATEST@SCS
Back to Contents
Workshop Track on Accounting Tech
Workshop Track on Legal Tech
Workshop Track on Manufacturing Tech
SCS EVENTS 2020 JAN
13 JAN
17 MAR
6
DevSecOps: Strengthening Quality with a Cybersecurity Mindset
Site Visit to SP PowerGrid
SCS Gala Dinner & IT Leader Awards Ceremony
JAN
14
UiPath Academy Live Workshop
21
Cloud 201 Series: How the Modern Cloud is Allowing Businesses to Build Machine Learning without ML Specialists
MAR
SCS Annual General Meeting
JAN
26
JAN
16 MAR
5
Student Chapter: Learning Journey to PSA
Learning Journey to Nongsa Digital Park
The event listing provided above is correct at the time of printing. You are encouraged to visit the SCS website for updates and latest information about the events.
23
The Magazine of the Singapore Computer Society
Back to Contents
GEEK SPEAK
25
Mission Impossible By
T
Sean Low
he impact of cyberspace security lapses is often so negative that it’s hard to make light of the situation.
So after trashing about 10 drafts, I contacted John, my C-beh-ta-kong-ISO friend for help. He arrived on short notice from Hong Kong, listened to my blocked chained problem, and then complained in disbelief, “You dragged me to Singapore on my birthday for this?” I put my hand around his shoulder, “Mai hiam lah, Mr Woo. Not every day you get to travel for work, look at chiobus in the airport, stay at 4-star hotel with travel allowance – and a Mission Impossible for birthday present! Count yourself lucky!” Taking my cue, John went straight to business and told me that if someone with malicious intent got hold of a notebook already logged in, they can steal files, read emails and access social media account to impersonate the
person. The only comfort is – they cannot install drivers without permission! “Not funny lah John, it is too real. I see this happening every day,” I said. “Anyway, my ah ma has a better cyber joke – to prevent stealing, she doesn’t allow any of us to put cookies into her fridge to secure it.” John then showed me a mooncake – ah ma’s favourite – and asked if she would have accepted this. John’s logic being mooncakes are trojan horses – they are technically underweight pies resembling oversized cookies but labelled as cakes. It is packed with deceptively delicious calories that ah ma should avoid accepting in her fridge. This went on for hours but the cyber jokes humour levels kept running dry. But towards the end of the meal, John found inspiration to share with me a nugget of wisdom that could be funny.
Years ago, on his last day as CISO of a company, he gave his incoming successor one important advice: “Whenever there is a security breach, open one of these three envelopes I am leaving behind….” He shared that each envelope contained advice, to be used in the order they are marked – 1, 2 and 3. The contents are as such: First Envelope – Blame the predecessor for the first breach Second Envelope – Blame your team or vendors for the second breach Third and Final Envelope – Prepare three envelopes And with that, John left walking into the setting sun with his fishing rod like Tom Cruise pretending to be Clint Eastwood.