You are currently viewing Securing Singapore’s Critical Systems

Securing Singapore’s Critical Systems

As a Principal Consultant at the Singapore Cyber ​​Security Agency (CSA), Tracy Thng is part of a team that has been tasked with strengthening the cybersecurity posture of the Critical Information Infrastructure (CII) sectors of the country.

Formerly in the military, Thng’s interest in cybersecurity was piqued by his fascination with the field, which is increasingly multifaceted. Although his learning curve was steep, his problem-solving and analytical skills, along with his background in political science, allowed him to offer a different perspective on cybersecurity.

In an interview with Computer Weekly, Thng shares more about his career path in cybersecurity, including what it takes to enter the field, the challenges of the job, and his “3P” approach to his career.

How did your career in cybersecurity start?

Tracy Thng: I started my career in the military and slowly developed an interest in cybersecurity and emerging technology trends. I found it fascinating to see how cybersecurity is intertwined with other areas such as geopolitics. My interest was further heightened when I read more about the subject and took online courses and certifications.

Additionally, new challenges arise every day with global events such as ransomware and supply chain attacks, such as the SolarWinds breach, making the environment dynamic and exciting for anyone looking to explore new areas. of learning.

Cybersecurity is a field with many specializations such as cloud security, software testing, penetration testing, digital forensics, risk management, and governance, and everyone can find something that suits them. ‘interested. At CSA, I enjoy exposure to different aspects of cybersecurity. , and in my daily life, I also help my family to strengthen the security of their devices.

What exactly does your job look like during a typical 24-hour day: do you work in the office or in a team, who might you be with, where might you be and what might you be doing?

May: My team at CSA’s CII Division oversees the cyber resilience building of 11 critical service areas. CIIs are computer systems that ensure the provision of key services such as transport, banking and health. The job requires me to be involved in cybersecurity across all aspects – governance, legislative framework, oversight and trust building engagements with industry players.

A typical workday involves engaging ICN stakeholders, reviewing and monitoring key organizations to ensure compliance with the Cybersecurity Act and Cybersecurity Code of Practice, and developing and communicating of CSA initiatives to ICN stakeholders.

Beyond the main scope of work, I had the opportunity to work on projects at the national level such as the CII Supply Chain Programme, a national program to improve the visibility and management of cyber supply chain risks. and create structures for ecosystem stakeholders to improve the cyber resilience of Singapore’s critical services supply chain collectively.

“Having purpose and clarity of why you want to work in cybersecurity and knowing what you are doing is having a positive impact on society helps you focus on solving new challenges”

Tracy Thing, CSA

I have also participated in work related to operational technology (OT), where I researched OT topics related to the areas of cybersecurity in operations, engineering and governance for the Operational Technology Cyber ​​forum Expert Panel (OTCEP), an annual event hosted by ASC where leading OT experts join us to share their expertise to address cybersecurity challenges for Singapore’s OT ecosystem. The next OTCEP Forum will be held on July 12 and 13, 2022.

How do you recommend people outside of cybersecurity transition into the industry? Are there specific roles best suited to individuals in the transition process?

May: My first piece of advice from my own experience is to believe in lifelong learning. The technology landscape is changing rapidly and new technologies, tactics and techniques are emerging every day. The best part about it is that even without a computer background, you can still accomplish a lot with self-directed learning and guided training. Ongoing training and development is not only helpful for entering the cybersecurity industry, but can also equip you with relevant cybersecurity skills to contribute to the workplace and your daily life.

The learning curve was steep for me as I didn’t come from a technical background, but there were transferable skills that helped me in my transition from the military to cybersecurity. My experience in the military sharpened my problem-solving skills, shaped my analytical mind, and trained me to be an effective communicator. Leveraging the writing, research and analytical skills of my academic qualifications in political science has also allowed me to offer a different perspective to cybersecurity.

One option is to consider self-study with the wide range of free and affordable courses available on learning platforms like Udemy, Cybrary, and Coursera, and also to hone technical skills by getting hands-on practice through online platforms. like Proving Grounds or HacktheBox.

As for certifications, basic professional certifications such as the CompTIA Security+ certification and the Cisco Certified Network Associate certification will help candidates master the basics of information security and network infrastructure, respectively. These certifications could help take you to the next level, such as (ISC)², ISACA, Offensive Security, and Sans Institute courses, as you begin your cybersecurity journey.

If you’ve always been curious about getting into cybersecurity, start by determining which specialty interests you the most. Cybersecurity may initially appear to be a very technical field, but it is actually much more diverse and requires both technical and non-technical skills.

It also helps if you read, listen to webinars, and learn from people in the field about their specialty. For example, by joining a local society like the Singapore Computer Society, you can start building a foundation and learning basic computer and information security skills.

Are certifications important for advancing your career in cybersecurity? Why and why not? If so, what types of certifications should you look for?

May: There are many career paths for cybersecurity professionals. One can choose to move into management or focus on specialized areas like penetration testing and digital forensics. There are also opportunities to move laterally into industries such as finance as well as information and communications that use similar technical skills applied to those areas.

Beyond pursuing the relevant certifications mentioned above, succeeding in cybersecurity requires a multidisciplinary approach and therefore knowing soft skills like project management and other IT-related certifications like agile methodology and Kanban makes it easier. definitely the transition.

Longer term, certifications need to be backed up with experience, and the most important advice is to go for the foundational certifications and start your cybersecurity journey today.

What does it take to succeed in your field of cybersecurity?

May: I always live by the three Ps: purpose, passion and people.

Cybersecurity is important work that makes a difference. Having purpose and clarity of why you want to work in cybersecurity and knowing what you are doing is having a positive impact on society helps you focus on solving new challenges. It is like a compass that guides the direction of cybersecurity work amidst risks, uncertainties and threats.

Passion in cybersecurity is the fuel to keep going when the journey gets tough. Because the field is so varied and the cyber threats are constantly changing, there are always new knowledge and skills to learn and maintain, and so it is crucial to ensure that the passion and momentum is sustainable at long term.

Cybersecurity is also a team sport. Cybersecurity professionals must be able to work closely with all departments, from IT to HR, as well as learn from each other’s experiences and perspectives in order to manage the trilemma between security, cost, and usability. The human aspect is that the better teams and organizations work together, the easier it is to respond to ever-changing threats.

So far, what has been the biggest challenge you have encountered in your work?

May: The greatest challenge is to develop and communicate initiatives at the national level in 11 CII sectors with holistic coverage of policy, operational, technological and resource practices. The other challenge is to ensure that initiatives are also proactive, consistent and flexible for CII owners.

As cyberattacks evolve and pose systemic risks to the delivery of critical services, cybersecurity risk management is one of many cross-cutting issues that CII owners must address. These include increased operational costs, delays in supply chains, insufficient resources, challenges to ensure critical systems (business, IT and security) work together and more.

At ASC, communicating our initiatives to CII stakeholders requires empathy, understanding their concerns, and knowing when and how to lean forward to help them strengthen their cyber risk management in an evolving threat landscape. These threats are a race against time to beat malicious actors before they can act. Cybersecurity thus becomes a critical function that individuals and organizations cannot afford to ignore.

Leave a Reply