EXCLUSIVE - How ISACA is helping Singapore bridge the cybersecurity skills gap
Above photo: ISACA and Cyber Security Agency of Singapore at the MOU signing ceremony held during Singapore International Cyber Week 2017 (Photo from Singapore International Cyber Week)/ Front row (starting from 3rd left)- Mr. Leonard Ong, ISACA Board Director; Mr. Matt Loeb, ISACA CEO and Board Director; Ms. Theresa Grafenstine, ISACA Board Chair; Mr. David Koh, Chief Executive, CSA/ Credit: ISACA
On September 19, during the Singapore International Cyber Week (SICW) 2017, the Cyber Security Agency of Singapore (CSA) signed a Memorandum of Understanding (MoU) with ISACA to facilitate collaboration on cybersecurity capability and workforce development.
ISACA is a leading body for information governance, control, security and audit professionals, with around 130,000 members in 215 chapters across 188 countries. ISACA’s IS (Information Systems) auditing and IS control standards are followed by practitioners worldwide.
OpenGov spoke to Ms. Theresa Grafenstine, ISACA Board Chair, and former Inspector General of the U.S. House of Representatives, USA and Mr. Leonard Ong, ISACA Board Director to learn more about the MOU and ISACA’s plans for Singapore.
Can you tell us about the MOU between CAS and ISACA?
Mr. Ong: As you know, Singapore released the Cybersecurity Strategy last year by the Prime Minister. And recently Singapore was ranked no. 1 on the Cybersecurity Index. We also know that Singapore is a financial hub, a regional data hub and a regional healthcare hub – they all deal with data.
You can’t successfully manage data or implement Smart Nation, if you can’t secure it. Because of that, we’re partnering with CSA to be able to develop the existing workforce in the cybersecurity area.
That would mean training people who are not in cybersecurity area to work in cybersecurity. We will continue to upskill those people, who are already working in the cybersecurity area, so that they can do more and stay up-to-date with the latest topics like IoT (Internet of Things) and other different kinds of emerging technologies.
Will ISACA be looking to upskill people who already have some experience in the area of ICT or will you also look at people with no experience in the field?
Mr. Ong: We realised that the demand for cybersecurity professionals is just way too much. You can’t just take someone from IT and put them in cybersecurity. That way you will create a shortage of IT professionals. So, we have to cast the net wide. We want to enable people who are moving from being trained in general IT to cybersecurity and we also want to remove the barriers for people who are not from IT to go straight to cybersecurity. We will also look at the polytechnic graduates, diploma holders, bachelor degree holders.
ISACA has knowledge services suited for individuals with no experience to existing professionals. We want to make sure that our knowledge services are accessible to everyone.
What will ISACA contribute to the training and development programmes?
Mr. Ong: We’re the owner of the content. So, we allow people to learn about governance, risk management and cybersecurity. We provide the assessment so the people can learn and be accredited for it. We certify people and we also provide the professional continued education for existing professionals.
Ms. Grafenstine: With ISACA, one of the ways we can step in and be able to help with the skills gap is through the Cybersecurity Nexus (CSX). What’s so wonderful about CSX is that traditionally for training, you go into a class, you receive information and then you leave. Or you go for a high-level conference and then you leave. The problem is those things is that the risk landscape changes so significantly from day to day. You need people to have deep experience. They can’t just have learnt it by reading a book. You need to actually understand what to do.
The CSX training platform allows you to actually go in and log into a virtual server. First you have the PowerPoint slides, so that you can read and understand the theory. And then it has a lab where you actually take that theory and implement it.
It’s fantastic because it goes way beyond textbook knowledge and provides hands-on experience. And what we’re doing is that we have things all the way from introductory to advanced. As you get to the more advanced levels, you would have to run network scans, understand the difference between false and actual positives, how to tackle issues and do all this in real time.
Can you tell us about the development of the next generation Capability Maturity Model Integration (CMMI)?
Ms. Grafenstine: ISACA acquired CMMI about one and a half years ago. Their capability maturity model has been widely used globally for years.
So, with ISACA’s acquisition of CMMI, we are actually taking the best of what ISACA has and what CMMI has, to come up with a cybersecurity maturity model. Once it’s finished, we will put it out for public comment. The goal is to be able to go in and assess organisations and use the same language across different industries, so that you would understand where your organisation sits in terms of cybersecurity. We’re looking to transform the industry by having this measurement tool. That doesn’t currently exist.
Will this measurement tool be used in Singapore also?
Mr. Ong: The model itself is universal and we definitely would like to see the CMMI model being widely adopted and used in Singapore.
In the recently proposed Cybersecurity Bill, one of the main focus areas is the Critical Information Infrastructure which includes power and water. Does this current partnership also encompass the cybersecurity aspects of those things and how is it doing it?
Ms. Grafenstine: SCADA (Supervisory control and data acquisition) systems weren’t designed for security. They’re designed to be functional and usable, so they’re wide open. I think in the past, one of the biggest challenges, universally, is when you’re dealing with applications such as water purification using SCADA systems, they didn’t really see why they would have any cybersecurity problems. The situation has changed. Now they definitely understand that being part of the critical infrastructure makes them a huge target.
Again, just like awareness helps you to prevent people from clicking links, awareness about the security risks of SCADA systems and industrial controls, the fact that they’re becoming more aware that they are targets, I think is a big part of moving towards becoming more successful in tackling the problem.
Mr. Ong: If you think about it, the concept of risk management and security is the same and ISACA is trying to make sure that people are equipped. We publish research papers to make sure our auditors and risk professionals understand what is SCADA, how do you audit SCADA systems. We do equip existing professionals who may not have touched ICS before, may not have audited ICS (Industrial control systems) before, to go and audit ICS systems.
Ms. Grafenstine: Another part that ISACA brings to the table is the people and networking and all the relationships. I’ve been an ISACA member for almost 20 years but the relationships, I can call on somebody I know from ISACA and I trust them. We may be in different industries but we’re facing the same problems. It’s really helpful to reach out to a colleague that you trust and say, “How’re you doing this and what are the problems you’re facing? How do you think I can tackle it?”
As we move towards a digital economy, are small companies equipped to deal with the proliferating cyber threats as they digitalise? Ms. Grafenstine: A lot of times, people think that cybersecurity has to be very expensive – in fact, a lot of it comes down to awareness and training. If you look at statistics in hacks and malware, it comes down to people – if people didn’t click the link, it wouldn’t have let the malware in, in the first place.
So that’s not just an IT thing, that’s an ‘all of us’ thing. Everyone needs to have a basic cyber awareness, I think ISACA is positioned well to help in ensuring that.
Mr. Ong: I fully agree. If you think about the basic concept, there are three parts: people, process and technology. Technology is out there in the market, there are a lot of tools, software and hardware that can help us with the security problems.
Also, you can create a lot of processes, standards and frameworks. The biggest challenge is always the people, whether the people know what they should be doing, what they can do, what they cannot do and so on.
We have been doing a study called ‘The State of Cybersecurity’ for the past 3 years. The 2017 Study found that for over a quarter of enterprises, the time to fill cyber security and information security positions is one-half year.
It’s a global problem whereby it’s hard to hire cybersecurity professionals not only in Singapore but everywhere in the world. The greatest bottleneck is people. We are all trying to find qualified candidates from the same limited resource pool. That’s why we’re very proud of the Singapore government having several initiatives to subsidise the training costs so that more people can be trained and certified.
Singapore has the right mix between legislation, people and the ecosystem. I think we’re moving in the right direction but we can’t be complacent.