On the morning of November 3rd, OpenGov Asia and its partner Raytheon|Websense held an informative breakfast dialogue. The topic was the new era of cyber security and Singapore’s journey towards a more secure and protected government. Twenty delegates representing fourteen Singaporean public sector agencies took part in this dialogue. Each gave insight into their own experiences with cyber security and what they consider to be formidable security strategies. The speakers included Mr. Mohit Sagar, Managing Director and Editor in Chief of OpenGov Asia, Mr. Anurag Madan, Head of IT Digital Services at Ministry of Social Development, New Zealand and Mr. David Barton, Chief Information Security Officer for Raytheon|Websense.
The breakfast dialogue began with Mr. Mohit Sagar, Managing Director and Editor in Chief of OpenGov Asia. He opened up the discussion by saying, “We know where we are in the current threat landscape, we are getting attacked every minute, and these attackers are not going away. There are many things we need to be considering when it comes to security. What’s most shocking is: most of these threats are internal, the shortage of skilled workers is increasing, and in 2017 there will be a 47% shortage in security personnel.” He went on to ask the delegates, “What are we securing? Is it our perimeters? Is it our borders?” Singapore is on the right track to becoming the world’s first smart nation. Making sure that the nation is secure will help make for a smooth transition towards being fully connected.
Mr. David Barton, Chief Information Security Officer for Raytheon|Websense, joined the discussion as a fellow CISO facing some of the same threats as the delegates sitting at the table. “Attackers have tools to send a lure into your organisation. Typically, if they are unprepared for this, an employee will respond to the email and be led to a compromised website. They are able to access your data. That data now leaves your network,” he said, “We are also studying the concept of ‘dwell time’, where the attacker is inside the network without being detected.”
Mr. Anurag Madan, Head of IT Digital Services at Ministry of Social Development, New Zealand, took the floor to share his experience introducing new security strategies in his organisation. He talked about the context of security within New Zealand and how it has put pressure on organisations to put further protection measures in place. Mr. Madan is running a project on simplification within MSD. This project drives digital uptake, reduces manual labor at the back end, uses analytics to support risk mitigation, and takes on a cloud-first strategy for speedier time to market. “With Mobile, Cloud, and IoT, there are more chances for attacks. The risk exposure is exponentially rising, we need to start thinking differently about security,” stated Mr. Madan. Moving from reactive to adaptive security is a great vision for Mr. Madan, and he says this can be attained by looking at security as a managed service.
We opened up the discussion by addressing the security threat landscape as it stands today. On this topic, Mr. Sagar stated, “Data security means wherever the data goes… we have to protect where it lands.” The poll results show that when the delegates were asked: “What security threats worry you most?” 50% of delegates responded with Advanced and Targeted Cyber Attacks and 28% responded with Data and Identity Thefts. Mr. Chai Chin Loon, Director for Security Tech, Advisory, and Projects Division, Infocomm Development Authority, believed this question was difficult to answer, and explained, “The way the various security threats are presented, they are all important. A breach in any one of them is already enough to cause a major incident to occur.” Mr. Madan added that as a public sector organisation, most of the concerns are around the vulnerabilities of the people. Governments are constantly under the watchful eyes of attackers; this creates many worries for these organisations.
When it comes to challenges in security architecture, the growing threat landscape has created new challenges for those tasked with protecting their organisations. When delegates were asked: “What do you think is the biggest challenge in your security architecture?” the room was split, as 44% responded with Lack of Collaboration between Various Security Products and 44% responded with Lack of Data Awareness and Visibility. Mr. Sagar said, “I see that many consider a lack of collaboration between various security products as their main challenge… and I agree, but how do we manage this?” Mr. Chng Ho Kiat, Director for Preparedness and Resilience Division, Ministry of Communications and Information, answered Mr. Sagar’s question, and said that, “When it comes to having various products, we have to think about what are the things we want to keep and what can we do without.”
Mr. John Yong, Director of Integrated Operations and Preparedness, Infocomm Development Authority added on, “I do not think anyone in the room dares to say we have built enough security. The problem will become more complex but these security companies become more complicated, meaning they become less standardised. Thus, products are overlapping. I am challenged by lack of collaboration between various security products, as I see it is the most common pain points to my fellow CISO.” One delegate disagreed with the others, saying that they see lack of data awareness and visibility as their greatest challenge, because they felt this is the weakest link in an organisation. The delegate relayed to the rest of the delegates that awareness programs are very difficult to move forward within their organisation.
Each organisation will have a different security measure that is most important within their organisation. The poll results show that when delegates were asked: “Which of the following security measures do you think is most important to you?” 38% of delegates responded with Data Protection and Data Loss Prevention, 44% responded with Insight and Real Time Protection against Security Threats and 11% with Insider Threat Detection and Prevention. Mrs. Agnes Lim, Head Army CIO Office HQ Signals & Command Systems, Ministry of Defense, stated, “I picked Data Protection and Data Loss Prevention as most important, because the outcome is important and I want to ensure that data is protected.” The room of delegates agreed that all of the security measures considered are of great importance to ensuring the organisation is protected against all threats.
In discussing the security of mobile apps, we must remember how the data is being shared between the network and the endpoint. During this journey, information has the potential to be compromised and networks can be breached. Mrs. Geraldine Chin, Deputy Director for Corporate Systems Department 2, JTC Corporation, is especially concerned about this. She said, “I am responsible more for the application side, so I am frightened about data loss. We are wondering if there is some area we should pay especial attention to. There are certain measures in place but we must look at a holistic level to prioritise which are most important to the organisation.”
Mr. Madan responded, “With respect to apps, we could be looking to predict the data in transit. This will give us the benefit of knowing how the data is traveling.” To this, Mr. Yong said, “First off, understand your risk. With apps there is a risk in information exchange transaction, within that transaction you want to know what is going on. Do you have the visibility to manage this? Security design in most of the apps is built for the risks considered. Our challenge is whether or not we understand what the risk is.”
It can be believed that whoever is tasked with securing the network within the organisation bears the blame when something goes wrong. We found that many delegates believe that this responsibility should be shared. When asked about who within the organisation ultimately owns the responsibility for security, our delegates had a variety of answers. Mr. Chng Ho Kiat said, “Based on the intent of the question, it should be everyone. As much as we want to assign responsibility, it is a shared responsibility.”
One delegate thought that it is up to the senior management when something serious happens. Mr. Sagar prompted the question, “Rather than responsibility, it is about ownership, is this correct?” Mr. Yong responded that it depends on the specifics of the situation: “There are different responsibilities so it is about who has been assigned the responsibility to protect the system… We must think how to assign the task clearly enough otherwise there will be gaps.” If these gaps are left alone, this is where organisations are left most vulnerable.
Within the security community, it is known that there is potential for each organisation to have a number of internal attacks. When this was brought up, one delegate said, “We have so many employees and each employee is a security threat to themselves.” Mrs. Chin added to that, saying, “I believe that the greatest threats lie inside, there are a lot of risks that we unintentionally create. In designing the app we must consider how we and others treat the data.” Mr. Darren Chan, CIO, Intellectual Property Office of Singapore, disagreed with both, and stated, “I picked outside as the range of threats available, range is wider from the outside.” The risk from outside can be seen as much harder to control, which is why some are more worried about what external threats are coming their way. It is worth considering the permissions and access granted to employees, as internal attacks are still possible.
We see a world where everything is changing towards more modern and digital processes. This requires us to revalidate our security strategies. We must make sure that people are protected from the threats and consequences of cyber-attacks. It is thought that raising the security IQ of the employee base in an organisation will decrease our threat profile exponentially. Mr. Barton helped close out the conversation by saying, “What see trending in the security sphere is, it is not a matter of if you get attacked, but when.”
The threat landscape is fluid. It is clear that security strategies need continuous focus and improvement. “We are constantly saying that this threat landscape is constantly changing, constantly evolving, and this must keep us on our toes,” said Mr. Sagar. When it comes to security collaboration, Mr. Madan said, “You have to start looking at innovation, which is starting to take priority over standards. We have not solved the problem but we are trying to think out of the box. I hope this leads to collaboration within the security industry.”
Moving towards a more secure government requires a responsive approach to meet a growing threat landscape. Although there are many solutions already in place, we must believe we are always vulnerable while working towards becoming a more secure government. Government plays a big role in dealing with security, as it is at the forefront of attacks. “Government can play a role in helping organisations to wake up to this new threat landscape,” said Mr. Chng Ho Kiat. Delegates must now think about what they can do in their organisations to make improvements to their security infrastructure.