THE DEFINITIVE CYBERSECURITY GUIDE

FOR DIRECTORS AND OFFICERS

SINGAPORE

SUPPORTED BY
 

NAVIGATING THE DIGITAL AGE

THE DEFINITIVE CYBERSECURITY GUIDE
FOR DIRECTORS AND OFFICERS

SINGAPORE

Published by
Navigating the Digital Age:
The Definitive Cybersecurity Guide for
Directors and Officers – Singapore
Printing and Binding: Timesprinters

Navigating the Digital Age:

The Definitive Cybersecurity Guide for Directors and Officers – Singapore

is published by:

Forbes Media
499 Washington Blvd.
Jersey City, NJ 07310 USA

First published: 2016

Navigating the Digital Age:

The Definitive Cybersecurity Guide for Directors and Officers – Singapore
© 2016 Palo Alto Networks Inc. All rights reserved.

Cover illustration by Tim Heraldo

DISCLAIMER

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains sum-
mary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial
publication (October 2016). Although the Guide may be revised and updated at some time in the future, the publishers
and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to
update such information. The publishers and authors make no representation as to the completeness or accuracy of any
information contained in the Guide.

This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice.
Professional advice should always be sought before taking any action based on the information provided. Every effort has
been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this
guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions con-
tained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.
   Foreword

Foreword
Dr Yaacob Ibrahim, Minister for Communications
& Information and the Minister-in-charge
of Cyber Security

C
ybersecurity is an important enabler, allowing us to
connect, interact, and transact confidently and securely.
Cybersecurity professionals work tirelessly behind the
scenes to ensure that our critical infrastructure is resilient
and services remain safe from cyber-attacks.
Notwithstanding our efforts, cyber threats are grow-
ing exponentially in scale and complexity. Cyber-attackers
are getting smarter, and they continue to target the weak-
est link. They can be anywhere, coordinating attacks with
fellow perpetrators across the globe. Governments and
businesses find themselves fighting to stay one step ahead
of these attackers. It is a serious situation, and there is no
quick solution. That is why everyone must play his or her
part to build a resilient, sustainable, and secure cyberspace
so as to uphold Singapore’s reputation as a reliable and
trusted partner.
Together with its partners, the Cyber Security Agency
of Singapore (CSA) has developed a national cybersecuri-
ty strategy for Singapore. Singapore’s Cybersecurity Strat-
egy—launched by our Prime Minister at the inaugural
Singapore International Cyber Week in October 2016—is
a statement of Singapore’s vision, goals, and priorities in
cybersecurity. It underscores the Government’s commit-
ment to build a trusted and resilient cyber environment
for Singapore.
Cybersecurity deserves attention at the highest level at
every organisation. Consequences of a breach can be dire,
ranging from the high costs of resolution to damaged rep-
utations and loss of customer trust. For these reasons, cy-
bersecurity issues can no longer be regarded as the prov-
ince of experts and technicians. Boards and management
should devote adequate attention and invest sufficient re-
sources to ensure cybersecurity measures are deployed to
protect their systems and networks. I believe that mind-
sets are gradually shifting, and companies are beginning

 iii ■
NAVIGATING THE DIGITAL AGE
to take cybersecurity more seriously. The
Singapore Government is also taking steps
and investing 8% of the budgets set aside for
IT on cybersecurity.
Our vision of a dynamic cybersecurity eco-
system is one that comprises strong local cy-
bersecurity firms co-existing with established
global companies, fed by a talented workforce
and strong research and development. Across
the economy, businesses must also be sensi-
tive to cyber threats and adopt the right level
of cybersecurity measures, regardless of size.
Similarly, employees need to remain vigilant
by staying informed of cyber risks and taking
preventive measures to secure their computer
systems and digital devices.
With the right knowledge, expertise, and
attitude, we can reap the full benefits and
■ iv 
possibilities of the vast cyberspace. Yet we
recognise that the landscape remains uneven
across cyber defenders, be it at the national,
sectoral, or company level. We need more
people to come forward to share their exper-
tise and experience. This practical guide to
cybersecurity—the first of its kind in Singa-
pore—is a good step in this direction, with
invaluable lessons and insights from real-
world experience. I trust this initiative by
Palo Alto Networks will inspire others to fol-
low in their footsteps.
I look forward to continuing to work
with all our partners and stakeholders to
strengthen Singapore’s cybersecurity pos-
ture and realise Singapore’s Smart Nation
vision together.
   Preface

Preface
Forbes Media – Bruce H. Rogers,
Chief Insights Officer

W
e have never been so connected. The Fourth Indus-
trial Revolution is transforming industry with its bil-
lions of connected endpoints and blurring the lines
between the cyber and physical worlds. Smart city initia-
tives around the globe, such as Singapore’s Smart Nation
Platform, revolve around pervasive connectivity and the
efficient sharing of sensor data. But when everything is con-
nected, everything is hackable—in theory and, as it turns
out, in practice. Many of the devices, sensors and machin-
ery that are now integrated into enterprise systems were
designed to perform a specific function; they were not de-
signed for security.
This hyper-connectivity is not lost on cybercriminals.
Bad actors can now find a way into a system through
an industrial control system, an MRI machine—even a
printer that is operating offline or a device that is proper-
ly air gapped. Cybercriminals are themselves a well-con-
nected bunch. They rely on social media and a thriving
underground network to ply their trade, buy malware,
and sell stolen data. Yet most of the organisations they at-
tack tend to see security as an internal matter to be sorted
out behind closed doors—sometimes by designated se-
curity personnel alone. It is easy to see how a go-it-alone
policy could put any organisation at a clear disadvantage
against a well-connected criminal network in a hyper-
connected world.
One thing is clear: cybersecurity is not merely a com-
petitive advantage. A successful attack against one organ-
isation can ripple through the entire network of that or-
ganisation and affect confidence across related industries.
The theft of data is easy enough to understand. But as the
number of connected endpoints proliferate, so do the pos-
sibilities to do damage. A competitor could gain access to
vital equipment and quietly rewrite the quality controls
to sabotage production or destroy machinery. A hacker
network could ransom the data of a healthcare company.

 v ■
NAVIGATING THE DIGITAL AGE
A state actor could threaten power plants or
transportation systems to make a point. The
effects of such attacks are felt far beyond the
walls of any one organisation.
Bad actors may seem to have the advan-
tage, but it is possible to shape an organisa-
tion’s culture around cyber awareness and
to build security into every product, service,
and investment by design. This takes a good
plan, the right expertise and leadership from
the top. Today there are sophisticated means
to protect, identify, and defend against cyber
■ vi 
threats, even in a hyper-connected enterprise.
That is why cybersecurity decisions are best
made with a plan and a purpose about what
to protect, how much to invest in security, and
what to do in case of a cyber event. For boards
and C-suites, it is a question of finding the
right balance between accessibility and pro-
tection, and of setting standards that ensure
good practice from all partners and extend be-
yond the walls of their organisation—just as
their enterprise now extends far beyond their
on-premise systems.
  Introduction: The Importance of Cybersecurity for Executives in Singapore

Introduction:
The Importance of Cybersecurity
for Executives in Singapore
Palo Alto Networks Inc. – Sean Duca,
Vice President, Regional Chief Security Officer

F
or years, every time a new security challenge impacted
an organisation, this forced it to spend valuable capital
on cybersecurity products that focus on narrow cyber
risks or the specific ‘threat-du-jour’. It’s IT staff cobbles to-
gether products and services from one legacy vendor to the
next with little strategic planning or thought about what
the business core risks are. And they hope that their moun-
tain of legacy technology is updated often enough to pro-
vide some defence against the fear, uncertainty, and doubt
being spread about cyberthreats in the daily headlines.
However, with the number and severity of breaches on
the rise around the world, this approach to cybersecurity
clearly isn’t working today. What may seem like fear-mon-
gering is in fact a new reality: the falling price of comput-
ing power has allowed cybercriminals to launch low-cost,
low-risk attacks yielding high returns. Hacker toolkits—
easy-to-use, highly effective malware that’s growing
in popularity—enable novices with minimal technical
knowledge to understand your digital environment better
than you do, and breach your increasingly expensive and
complex legacy cyber defences.
The traditional answer to these challenges have us add-
ing more legacy technologies one on top of another. Yet the
point products were never designed to interoperate or share
information as they worked in their own respective silos.
Ultimately, this becomes a gap that only human operations
can fill by manually getting the relevant information from
each source. Rather than protecting us, these additional lay-
ers force organisations to feed threat information into indi-
vidual products, analyse what is happening, and then take
action—slowing down the ability to keep up with attackers
as they go deeper into our networks.
With the rise in successful cyberattacks, cybersecurity is
becoming an increasingly strategic concern that threatens
the foundations of enterprise value for business leaders in
Singapore and the Asia-Pacific region. Although Singapore

 vii ■
NAVIGATING THE DIGITAL AGE
is one of the leading countries to build a ro-
bust digital infrastructure, it also means that
Singapore is at a high risk of facing cyberat-
tacks to its infrastructure.1 Most public-sector
services are available online, and people rely
on online banking services for their day-to-
day banking needs. Singapore is also home
to major global and local banks in the region.
It is no surprise that cybercriminals have
been targeting banking customers in Singa-
pore by infecting their devices used for bank-
ing transactions.2 Indeed, Singapore has seen
an increase in the number of cyberattacks in
the past couple of years, and the Singapore
Government and the public sector have both
been the victim of such attacks.3
No leader wants his or her organisation to
be splashed on the front page of a newspaper
due to a cybersecurity breach that hurts its
reputations and profitability and undermines
its business model, but this is the reality we
face today.
In light of how our businesses are evolv-
ing, our approach to solving security chal-
lenges needs to evolve as well. We need to
look at how these manual processes can be
automated and move beyond technical point
product solutions, towards deploying defenc-
es to protect what is of most value to compa-
nies (and attackers). By increasing the speed
and automation of our defences, we can slow
down and potentially deter the adversaries by
reducing their success rate.
How then can you forestall and thwart an
attack?
JJ Lessons from abroad
Many companies—particularly those in
Singapore—believe that their current strat-
egies around the technologies they have
deployed, the teams of people they have to
manage and operate them, and the process-
es they use aren’t perfect, but seem as if they
are good enough; and many companies are
confident that any problem will right itself
eventually. Some may even believe that a
major breach could never happen to them,
impacting only large enterprises, the gov-
ernment, or companies in the United States
and Europe. However, history—and the
■ viii 
range of stolen data­—has shown that any
company, irrespective of size and location,
is vulnerable.
Breaches tend to hit the news only when
someone outside the organisation discovers
and exposes them. What may be contribut-
ing to this perception is the lack of manda-
tory data breach disclosure laws in Asia-
Pacific. Because no regulation in Singapore
forces public disclosure of data breaches—
and the public discussion that usually fol-
lows disclosure—companies, consumers,
and regulators may underestimate the full
scope of the threat and damage. Though
no regulation is a panacea, organisations in
Singapore, and elsewhere in Asia-Pacific, do
not need to reinvent the wheel: rather, they
can look to neighbouring continents that
have dealt with these pressing issues before
and answered them in the context of regu-
lation. These countries, such as the United
States and those in the European Union,
have multiple data breach notification laws
and have explored mandatory data breach
reporting and notification when personal
data is compromised.
So how should companies in Asia-Pacific
approach instituting a security approach that
is up to par with global standards? Not all les-
sons from abroad are mandates. For this rea-
son the National Institute of Standards and
Technology (NIST) Cybersecurity Framework
was developed in an open, collaborative part-
nership in the United States between NIST, a
US Government agency, and the private sec-
tor. This framework helps guide executive
management and boards of directors; points
to globally accepted, industry-driven stan-
dards for risk management; and provides a
common language and benchmarks for cyber
resilience across an organisation (from board-
room to IT analyst), when dealing with stake-
holders and third parties, or when operating
across borders.
Regardless of how executives and boards
structure their strategies for managing cyber-
security risk, they should not be merely lists
of technology check boxes, but rather should
be solution agnostic and interoperable among
different systems.
 Introduction: The Importance of Cybersecurity for Executives in Singapore

JJ Three investments to mitigating risk
There is no doubt cybersecurity provides
longevity to a business and can help dif-
ferentiate it from its competitors—for both
good and not so good reasons. Strong cyber-
security is fundamental to the growth and
prosperity of all organisations in the public
and private sector; to make Singapore’s on-
line systems and networks more resilient;
and to provide trust and confidence to its
citizens, businesses, and customers alike.
Towards that end, we need to look at how
we become efficient with our security ef-
forts. Instead of chasing after a silver-bullet
security product, organisations in Singapore
should target investment in three areas to re-
duce cybersecurity risk:
JJ Prevent and respond
In Singapore and beyond, the prevailing
perception is that cyberthreats are becoming
so advanced that companies can’t keep up.
The logic goes that if getting compromised is
inevitable, efforts should be focused on clean-
up after a data breach. Yet isn’t an ounce of
prevention worth a pound of the best cure?
If we continue to focus on reacting to each se-
curity challenge, how have we evolved, and
how will that impact our businesses in the fu-
ture? We need to protect our digital way of life

THREE INVESTMENTS TO MITIGATING RISKS

JJ Strong cyber defences. Companies should practice good cyber hygiene to protect and
maintain their systems and devices appropriately, ensuring they are up to date. By
taking an inventory of your environment and applications, you can ferret out gaps
or deficiencies and note where you lack visibility in your network. Organisations
should conduct regular health checks around where and how their data is secured,
what applications are in use in their network, who are the users, what do they have
access to, as well as the risks and exposures that exist in their organisation.

JJ A well-trained workforce. According to the 2014 IBM Chief Information Security Officer
Assessment,4 human-related errors lead to nearly 95% of all security issues. Com-
panies should therefore educate employees on how to identify and protect their
organisations from threats such as phishing, when hackers pretend to be a legitimate
entity in an email. Cybercriminals may search online for an employee’s interests and
hobbies to craft an attack, in the hopes of luring the worker into opening an infected
attachment. Organisations should look to move beyond a compliance check for this
training and see how they can invoke change to better defend themselves. Busi-
nesses should encourage users to protect their data and their systems at home, as this
will naturally flow into the workplace.

JJ Automated platform. With adversaries using automated tools, organisations should

seek out automated defence technology that has been built to act seamlessly
behind the scenes—part of a platform smart enough to take actions on your behalf,
with a minimum of manual effort by your security professionals.

 ix ■
NAVIGATING THE DIGITAL AGE
by believing that prevention is possible. This
doesn't mean that you must expect to be 100%
perfect all the time, but we need to make it
fundamentally harder for attackers each time,
so they are not successful. With this approach
to defence, attackers will need to design and
develop unique tools every single time they
want to attack an organisation.
The defeatist thinking is due in part to
our over-reliance on siloed legacy security
products. Companies are forced to chase af-
ter each problem coming in, treating every-
one at the same level of risk, and potentially
allowing the gravest ones to slip through the
net. In this stacked security model, products
such as legacy firewalls, intrusion preven-
tion systems, antivirus software, and the
like are purchased in isolation, from differ-
ent vendors. Piled on top of one another, the
pieces fail to tie together and it’s easy to lose
visibility on potential threats.  sations prevent only known behaviour,
While more products may seem to be get-
ting you closer to solving the problem, in fact
they are creating unnecessary complexity.
Ironically, the more technologies deployed in
an organisation, the more complex they be-
come to manage, and the less secure you be-
come. The more complex a system, the more
room there is to overlook gaps or miss criti-
cal alerts, making it more likely an adversary
will discover a way to bypass it. Complexity
is the enemy of any security program.  block, and also brings to light previously
For years we believed that simply blocking
attacks at ‘the front door’ to your organisa-
tion was enough, but in fact, that’s when the
clock starts ticking. From that point on, how
can you limit your attackers’ ability to move
around your network and reach their objec-
tive—stealing your information, disrupting
your services, or undermining the integrity
of the data held by your organisation? After
gaining entry on one computer, an adversary
will look to move around an organisation’s
network like most users would, ultimately
mapping out a route to the servers that store
your organisation’s crown jewels. Tools will
be installed to allow the attackers to remote-
ly control systems from afar. Cybercriminals
then hide or encrypt your data before send-
ing the data out of the organisation. So if all
■ x 
of our efforts are focussed on protecting the
entry to our organisation, we lose the ability
to block the attackers at any stage of the at-
tack lifecycle, allowing the attackers to reach
their objective. Organisations can, in fact,
develop prevention controls to disrupt the
entire attack lifecycle and prevent a negative
material impact from a cyber incident.
In order to accomplish the disruption of
the attack lifecycle, these are the elements of
prevention your organisation needs: threat
prevention, threat detection, and threat
eradication.
JJ Threat prevention uses known methods
to thwart campaigns at each phase of the
attack lifecycle. Because of the adversaries’
propensity to reuse the playbooks against
multiple targets, many organisations are
aware of these clues. However, if organi-
they will likely miss an adversary’s attacks
employing the newest hacking techniques.
JJ Threat detection automatically hunts for
clues throughout the enterprise at each
phase of the attack lifecycle—it inves-
tigates unknown anomalous behaviour
wherever it is found and takes the appro-
priate actions. Detection uncovers attacks
that security controls did not initially
unknown malicious activity that organisa-
tions must eradicate or minimise.
JJ Threat eradication blocks future attacks
by analysing the new methods and
installing additional means to thwart the
adversary. In this two-pronged-strategy,
organisations must first use newly dis-
covered signs of an attack to protect their
networks. Second, they must understand
the adversary’s objectives to determine
what else they can do to prevent the
adversary from succeeding.
While similar, all three of these essential
tasks are important in their own right, but indi-
vidually are not sufficient to prevent material
damage. With a strong security architecture in
 Introduction: The Importance of Cybersecurity for Executives in Singapore
place, businesses will be positioned to prevent
every threat that is known, discover new and
unknown threats as they emerge, and quickly
deploy countermeasures to prevent adversar-
ies from reaching their objective.
Each of these tasks should be automated
as much as possible. However, this is in-
credibly difficult to pull off with multiple
security solutions that were never designed
to work together or share threat intelli-
gence. One way to address is by having se-
curity professionals work to make strategic
investments across an integrated platform
that automatically correlates intelligence
collection and the deployment of preven-
tion controls for their organisation.
JJ Conclusion
Like any business risk, cyberthreats are
evolving—and so should your organisa-
tion’s response. Security risk should be a top
concern of executive management and the
board of directors in order to protect your
business and your customers. Too often,
business leaders view security as a matter of
compliance and control, which can set up a
clash between the needs to protect assets and
to foster productivity.
However, cybersecurity can support the
goals of senior executives to keep the com-
pany running and profitable. Executive lead-
ership must set organisational strategy that
builds cybersecurity considerations into the
business planning process. Adopting a frame-
work of standards and accountability will
help organisations develop a plan that spells
out who is responsible for responding to cy-
ber incidents from a technical, legal, and ex-
ecutive standpoint. Toward that goal, techni-
cal and non-technical personnel should enter
into a common lexicon to discuss cyber risk.
The chief information officer (CIO) and
chief technology officer (CTO) are always
looking for new ways to innovate and differ-
entiate the company in the marketplace. By
working closely with the chief security offi-
cer (CSO) or chief information security offi-
cer (CISO), they can achieve that innovation
in a secure manner that mitigates cyber risks.
Leaders can also learn from one another. By
joining communities such as the Security
Roundtable,5 they can stay up to date with
best practices from peers and experts in
the cyber arena. The criminal underground
shares the latest techniques to launch their
attacks, so it only makes sense that we as de-
fenders should share our lessons learned as
well. The more we share, the better we can
defend ourselves by driving up the cost of a
successful cyberattack exponentially.
Armed with the expert insights in this
practical guide, organisations can meet this
global cybersecurity challenge. Security is a
sport best played as a team, and the steps we
take now will have a significant and long-last-
ing impact on the Singapore economy now
and in the future.
The insights in this guide include advice
and best practices from Singaporean and
international thought leaders who are chief
executive officers (CEOs), chief innovation
officers, CISOs, lawyers, consultants, and
former and current government officials. At
the heart of every business should be effec-
tive risk management, a thorough under-
standing of the risks, as well as pragmatic
solutions, which include better training and
awareness. In cybersecurity knowledge is
the key to prevention. And knowledge starts
right here.
Works Cited
1. https://securityintelligence.com/news/
singapore-an-emerging-target-for-
cyberthreats-and-banking-trojans/
2. http://www.cio-asia.com/resource/
security/cybercrime/singapore-banks-
under-malware-threat/
3. http://www.sgcybersecurity.com/list-of-
cyber-hackings-in-singapore/
4. ‘Fortifying for the Future’ - Insights from
the 2014 IBM Chief Information Security
Officer Assessment
5. https://www.securityroundtable.org
 xi ■
 TABLE OF COntents

TABLE OF CONTENTS
iii. FOREWORD
Dr Yaacob Ibrahim, Minister for Communications
& Information and the Minister-in-charge of Cyber Security

v. PREFACE
Forbes Media – Bruce H. Rogers,
Chief Insights Officer

vii. INTRODUCTION: THE IMPORTANCE OF CYBERSECURITY

FOR EXECUTIVES IN SINGAPORE
Palo Alto Networks Inc. – Sean Duca,
Vice President, Regional Chief Security Officer

Navigating the Digital Age

3. 1. CYBERSECURITY STRATEGY: COLLECTIVE DEFENCE IS THE KEY
Cyber Security Agency of Singapore – David Koh,
Chief Executive

7. 2. WHAT CORPORATE LEADERS NEED TO KNOW AND DO

ABOUT CYBERSECURITY
Good Harbor Security Risk Management –
Richard A. Clarke, Chairman; former White House Advisor
on Cybersecurity & Counterterrorism

9. 3. CLEAR AND PRESENT DANGER

Singtel – Bill Chang, Chief Executive Officer, Group Enterprise

13. 4. BUILDING AN INTEGRATED, WORLDWIDE RESPONSE

TO GLOBAL CYBERSECURITY THREATS
Khoo Boon Hui, former INTERPOL President;
retired Singapore Police Commissioner

21. 5. THE FOURTH INDUSTRIAL REVOLUTION –

WHY SECURITY CANNOT WAIT!
Quann – Professor Yu Chien Siang,
Chief Innovation Officer

 xiii ■
NAVIGATING THE DIGITAL AGE

25. 6. SAFE TRAVELS: CYBERSECURITY FOR PUBLIC TRANSPORT,

FROM OPERATING TECHNOLOGY TO INFORMATION TECHNOLOGY
Land Transport Authority – Huang Shao Fei,
Director, IT Security, Governance & Risk Management

29. 7. WHAT 30 YEARS OF CYBERSECURITY HAS TAUGHT

SECURITY PROFESSIONALS
Singtel – Baey Chin Cheng, Chief Information Security Officer

32. 8. BUILDING CYBER RESILIENCE

NTUC FairPrice – Seah Kian Peng, Chief Executive Officer

35. 9. SECURING THE INTERNET OF THINGS:

CYBERSECURITY FROM IT TO OT
Nanyang Technological University –
Professor Lam Kwok Yan, Professor of Computer Science,
School of Computer Science and Engineering, College of Engineering

45. CONTRIBUTOR PROFILES

 Dr. Yaacob Ibrahim
•
• Bruce H. Rogers
• Sean Duca
• David Koh
• Richard A. Clarke
• Bill Chang
• Khoo Boon Hui
• Professor Yu Chien Siang
• Huang Shao Fei
• Baey Chin Cheng
• Seah Kian Peng
• Professor Lam Kwok Yan

■ xiv 
Navigating the Digital Age
   Cybersecurity Strategy: Collective Defence Is the Key

Cybersecurity Strategy:
Collective Defence Is the Key
Cyber Security Agency of Singapore –
David Koh, Chief Executive

T
he world has become increasingly interconnected. The
advancement of digital technologies and the pervasive
use of the Internet have brought about major changes
to people’s work and lives and opened up new opportuni-
ties for businesses. Information is readily available with the
click of a mouse, and organisations can now reach out to
their customers with ease. Productivity has increased, and
possibilities are limitless.
Here in Singapore, we have begun our journey towards
the vision of a Smart Nation with the aim of improving the
lives of citizens, creating more opportunities, and building
stronger communities. Connectivity is the crucial piece of
this vision. While a connected nation brings countless new
possibilities and conveniences, being open is not without its
challenges. People are now more vulnerable to cyber threats,
as connectivity has created a new frontier for cybercrimes
and malicious activities. These threats are multifaceted and
extremely challenging, in particular with the emergence of
sophisticated Advanced Persistent Threats, Distributed De-
nial of Service attacks and the myriad of cybercrime tools.
The stakes got higher with the recent news about the online
auction of US$500 million of cyber weapons, fanning talks
of a Cyber Cold War between two superpowers.1
According to the findings by Cybersecurity Ventures,2 an
average of one new zero-day vulnerability was discovered
every day in 2015. New malware samples are produced by
cybercriminals at an alarming rate of 230,000 per day, and
targeted social engineering tactics, such as spear-phishing
campaigns, have increased drastically, by 55 percentage
points from 2014 to 2015.3 These techniques have been
consistently used by criminals to deploy malware, and the
impact has been felt in government organisations as well
as private companies, from small businesses to large en-
terprises. Over the course of the year, more than half a bil-
lion personal records, as well as identities, were stolen or
lost from cyber breaches. Financial losses arising from data

 3 ■
NAVIGATING THE DIGITAL AGE
breaches averaged US$4 million per breach in
2016,4 with most data breaches arising from
malicious or criminal attacks. The total cost of
data breaches has increased by 29 percentage
points since 2013 globally, and this figure is
expected to rise rapidly.
Just recently, the Singapore Police Force
released its mid-year crime statistics, which
showed that online scams and e-commerce
crimes are on the rise.5 There is, thus, a com-
pelling need to be more vigilant and for us to
take steps to create a safer cyberspace.
The Singapore Government established
the Cyber Security Agency of Singapore
(CSA) in April 2015, to provide dedicated
and centralised oversight of Singapore’s
national cybersecurity functions. CSA con-
solidates and builds upon the government’s
cybersecurity capabilities, including those
that used to reside separately in the Ministry
of Home Affairs and the Infocomm Devel-
opment Authority of Singapore (IDA). The
idea is to bring together previously dispa-
rate areas of policy and operations under a
single roof, so as to enhance collaboration
and synergy to achieve greater effectiveness
in strengthening Singapore’s cyber defence.
We are driven by two strategic priorities: 1)
strengthening the cybersecurity of the core
of information infrastructures and 2) build-
ing cyberspace resilience through nurtur-
ing a cybersecurity ecosystem, promoting
awareness, and international collaboration.
Together with partner agencies, CSA has de-
veloped Singapore’s Cybersecurity Strategy,
which outlines the government’s plans to
build a resilient infrastructure, create a safer
cyberspace, develop a vibrant cybersecu-
rity ecosystem, and strengthen international
partnerships. However, the success of the
strategy depends not only on the govern-
ment but also on individuals and enterprises
taking a collective responsibility to tackle cy-
bersecurity challenges.
JJ Making cybersecurity a business priority
Cyber-attackers are becoming increasingly
sophisticated, and enterprises are discover-
ing that traditional methods of defence no
longer provide sufficient protection. To be
■ 4 
able to better deal with cyber threats, enter-
prises must recognise and treat cyber risks
as important business risks. The responsibil-
ity of defending against cyber-attacks does
not rest only on the IT personnel or the chief
information officer (CIO). When there is a se-
rious major breach in an organisation, senior
management is often expected to shoulder the
responsibility. The security chief of JP Morgan
Chase & Co., Jim Cummings, was replaced a
year after a massive breach that involved data
theft of 83 million customers.6 In another inci-
dent, Target’s CIO, Beth Jacob, resigned after
40 million credit and debit card details were
stolen in 2013.7 Shortly after Jacob’s resigna-
tion, Gregg Steinhafel, president and CEO of
Target and chairman of the Target board of
directors, stepped down, ending his 35-year
career with the company.
Cybersecurity deserves attention at the
highest level at every organisation. Breaches
can lead to dire consequences, such as dam-
aged reputation and loss of competitive advan-
tage. Boards and management should devote
adequate support and invest sufficient re-
sources to ensure relevant cybersecurity mea-
sures are deployed to protect their systems and
networks. Organisations should recognise the
importance of cybersecurity and the impact of
cyber-attacks on businesses, and invest wisely
in cybersecurity tools and resources.
JJ Developing a dynamic cybersecurity industry
The dynamic and fast-growing cybersecurity
industry presents new economic opportuni-
ties to be seized. Many innovative companies
are ready to ride this wave, and they recog-
nise that there is tremendous potential to fur-
ther cybersecurity research and development
(R&D) to overcome the issues that may im-
pede industry growth. Imperative to the de-
velopment of the industry is the participation
of industry partners with strong solutions
and research capabilities. The Singapore Gov-
ernment welcomes more of these innovative
companies to anchor advanced capabilities in
Singapore to testbed their solutions, while at
the same time, helping to build up deep tech-
nical expertise within Singapore’s talent pool
and create better jobs for the workforce.

Many global cybersecurity companies
have chosen Singapore as the regional base
for Asia Pacific because Singapore has a
highly skilled workforce. Based on a report
by World Bank,8 Singapore is also one of the
easiest places to run a business. Today, the
cybersecurity market in Singapore is worth
about S$570 million, and it has the potential
to double in value by 2020. Singapore will
continue to pursue collaborations with stra-
tegic domestic and international partners.
This is critical in aiding the development and
growth of the cybersecurity industry and en-
suring it keeps pace with the rapidly chang-
ing cybersecurity threat landscape.
JJ Innovation through research and
development
To deal with the rapidly evolving cyber threat
landscape, there is a need for close collabora-
tion and cross-pollination of ideas among ac-
ademia and industry, both local and foreign.
Cybersecurity R&D does not involve just
developing engineering solutions to difficult
technical problems; emphasis must also be
placed on research into policy, governance,
and legislation, which are equally essential.
As a global hub for multiple economic
sectors, such as banking and finance, logis-
tics, and telecommunications, Singapore is
well-positioned for piloting cybersecurity so-
lutions across the region. With a strong gov-
ernance framework and a supportive govern-
ment in place, Singapore is the ideal location
to testbed cybersecurity solutions, especially
at the national level.
The National Cybersecurity R&D Pro-
gramme, which was launched in 2013, pro-
vides S$130 million worth of funding over
five years and plays an important role in
developing Singapore’s cybersecurity R&D
expertise and capabilities. The programme is
coordinated by the National Research Foun-
dation of Singapore (NRF) and CSA to pro-
mote collaboration among academia, research
institutes, and the public and private sectors.
In 2016, the government further strength-
ened its commitment to the programme by
extending it from 2018 to 2020 with an addi-
tional funding of S$60 million. As part of the
Cybersecurity Strategy: Collective Defence Is the Key
programme, NRF introduced the Corporate
Laboratory@University scheme to encourage
public-private R&D collaboration between
universities and companies. NRF is also in
the process of setting up the National Cyber
Security R&D Laboratory, which is a shared
infrastructure that provides computing re-
sources and data sets for researchers to col-
laborate. The initiative will better align aca-
demic research with industry needs, which
will eventually raise the overall standard of
cybersecurity in Singapore.
JJ Building a vibrant ecosystem
A vibrant cybersecurity ecosystem is key to
the building of strong and sustainable cyber-
security capabilities and readiness. A trusted
and resilient cyber environment needs to be
built upon the strong foundation of a capable
and competent workforce.
Over the years, Singapore has developed
a pool of talented and dedicated cybersecu-
rity professionals. However, there is a short-
age of skilled manpower in the industry. Ac-
cording to the Annual Survey on Infocomm
Manpower9 by IDA, there is a total demand
for 4,700 cybersecurity professionals, with
about 1,000 cybersecurity positions left un-
filled in 2015. Good security requires highly
skilled practitioners with deep expertise.
With the demand for cybersecurity profes-
sionals projected to increase further within
the next three years, there is a need to sup-
port new entrants as well as to train and
upgrade the skills of current professionals.
In order to meet the high cybersecurity man-
power demand, CSA is collaborating with
Institutes of Higher Learning to craft an in-
dustry-oriented curriculum and provide on-
the-job training for new entrants to cyberse-
curity. The government will build on existing
scholarship and sponsorship programmes to
strengthen the branding of cybersecurity.
This initiative will help to attract more en-
trants into the cybersecurity industry.
To further ramp up the cybersecurity
manpower supply, CSA will facilitate the
conversion of experienced professionals
from related fields to cybersecurity with the
introduction of the Cyber Security Associates
 5 ■
NAVIGATING THE DIGITAL AGE
and Technologists (CSAT) programme. Pro-
fessionals will be able to train and up-skill
themselves for cybersecurity roles under the
CSAT programme. CSAT training partners,
such as Singtel and ST Electronics, are al-
ready working with the government to grow
the pool of cybersecurity experts in Singa-
pore. Besides the CSAT programme, CSA is
also working on other initiatives, such as the
Cybersecurity Professional Conversion Pro-
gramme with the Workforce Development
Agency, to further augment Singapore’s cy-
bersecurity manpower pipeline by convert-
ing jobseekers and reskilling them to take on
cybersecurity jobs.
The talent development programmes will
not be successful without the support of in-
dustry. The Partnership for the Advance-
ment of the Cybersecurity Ecosystem (PACE)
programme, initiated by CSA, is an example
of a meaningful public-private partnership
that co-develops customised solutions with
industry partners to raise Singapore’s cyber-
security posture while supporting efforts to
develop cybersecurity skills in the workforce.
CSA also works closely with industry associ-
ations, such as the Association of Information
Security Professionals (AISP), to introduce
and build strong communities of practice
for cybersecurity professionals in Singapore.
This also serves as a platform to facilitate in-
formation and ideas exchange among like-
minded cybersecurity professionals.
The growth of a capable, adept, and com-
petent workforce is sustained by strong ca-
reer prospects. There is a need to continually
examine ways to promote cybersecurity as
a rewarding career to enable companies to
attract and retain cybersecurity talent. The
government will work with the industry to
define a competency framework for cyberse-
curity. Companies are also strongly encour-
aged to work with CSA to help cybersecurity
professionals develop complementary skills,
such as risk management and risk communi-
cation, to facilitate the translation of cyber-
security issues into enterprise risk manage-
ment at a corporate level. Larger companies
ought to define apex cybersecurity positions
at the C-suite level in recognition of the fact
■ 6 
that cybersecurity is no longer a domain
solely for CIOs. To do so, CSA will work
with industry partners to conduct C-suite
education as well as reach out to small and
medium-sized enterprises.
JJ Conclusion
CSA is committed to developing Singapore’s
cybersecurity ecosystem. However, no one
agency, organisation, or individual can deal
with cyber threats by itself. The government
can lay the foundation by building the nec-
essary infrastructure; developing strategies,
policies, and legislation; as well as providing
platforms to facilitate meaningful collabora-
tions to contribute to the cybersecurity eco-
system. However, it needs the support of all
stakeholders, from government agencies to
industry players, to businesses, and to the
man-in-the-street. After all, we are only as
strong as the weakest link. Collective defence
is the key to creating a safer cyberspace.
Works Cited
1. Source: http://www.straitstimes.com/
opinion/cyber-cold-war-heats-up
2. Source: A 2016 Report from
Cybersecurity Ventures sponsored by
Herjavec Group
3. Source: Symantec 2016 Internet Security
Threat Report
4. Source: Ponemon Institute, 2016 Cost of
Data Breach Study: Global Analysis
5. http://www.channelnewsasia.com/
news/singapore/crime-rate-down-in-
first/3081968.html
6. http://www.bloomberg.com/news/
articles/2015-11-04/jpmorgan-chief-
security-officer-jim-cummings-
reassigned-to-texas
7. http://www.nytimes.com/2014/03/06/
business/targets-chief-information-
officer-resigns.html
8. Source: Doing Business 2016 by World
Bank Group
9. Source: IDA Annual Survey on
Infocomm Manpower for 2015
  What Corporate Leaders Need to Know and Do About Cybersecurity

What Corporate Leaders Need to

Know and Do About Cybersecurity
Good Harbor Security Risk Management –
Richard A. Clarke, Chairman; former White House
Advisor on Cybersecurity & Counterterrorism

E
very company has or will be subject to cyber attack. That
can be disastrous for a company, or it could be a minor
nuisance. The difference may be determined by whether
the leadership of the company understands cybersecurity
sufficiently and can act on their understanding.
Because no corporation can function without its IT net-
work, and because of the risks inherent in running such
networks, every corporate leader must have a basic un-
derstanding of cybersecurity, just as they must understand
the basics of accounting or corporate laws and regulations.
But what do leaders need to know and do? They do not
need to be able personally to write computer code or to
understand the alarms being sent to their company’s Secu-
rity Event and Incident Management (SEIM) system. Rath-
er, they need to understand where cybersecurity fits into
their overall Enterprise Risk Management (ERM) system
and strategy. To do that, corporate leaders must review
four key elements of the relationship between cybersecu-
rity and their corporation.

First, they must understand the full range of risk—what

could go wrong because of malicious activity on or di-
rected against their data network and their Internet of
Things (IoT). The company could be attacked by corpo-
rate espionage actors, cyber criminals, or disgruntled em-
ployees. Various types of data could be stolen, or altered,
or erased. Production or delivery of services could be
slowed or stopped. Products could be damaged. Money
could be stolen. Embarrassing information could be pub-
licly revealed. The reputation of the company could be
harmed. Customers could turn away. Stockholders could
sell off the stock or move for a change in leadership. Gov-
ernment regulators could punish the company. Competi-
tors could steal market share, or even use the company’s
own research.

 7 ■
NAVIGATING THE DIGITAL AGE
The risk register and the prioritisation of
the risk is unique to each company. No two
companies are alike. Thus, corporate leaders
must ‘discover’ their risks and then deter-
mine their importance. This process is called
determining the company’s Risk Profile and
then its Risk Tolerance.
Cyber risk planning is different from com-
pliance with government regulations and
audit standards. Many companies that have
been fully compliant or had recently passed
‘penetration tests’ have still been hacked and
severely damaged.
The risk approach focuses on what is spe-
cific to an individual company’s needs and is
built on the realisation that no standards or
best practices will eliminate all risk.
Second, leaders must ensure that their gov-
ernance system is designed appropriately for
handling cybersecurity. It is not an issue for
the chief information officer (CIO) alone to
worry about. Nor is it only the concern of a
security officer. It is a ‘whole of company’ is-
sue because it can put the entire company at
risk. It is not the job of the CIO to determine
what risks the company should or should not
run, or what level of risk is appropriate. Im-
plementing a responsible corporate approach
to cyber risk requires the informed participa-
tion and regular review of a council of senior
company officers. Boards of directors must
also be well informed and agree to the cyber
risk approach.
■ 8 
Third, company leaders must ensure that
they have a two- or three-year plan to im-
prove their cybersecurity, a plan that is based
on their risks, reducing the most important
risks first. Leaders should not buy cybersecu-
rity products and services without knowing
that what they are buying is directly tied to
what they think are their priority risks.
Fourth, leaders must expect and be ready for
cyber incidents or breaches. They must un-
derstand that risks cannot be eliminated, only
mitigated. No plan and no technology can get
a company to zero cyber risks, but an appro-
priate plan tailored to the needs of a company
may reduce the chances of the most damaging
risks occurring. A plan may also make it more
possible for a company to rebound quickly
when a cyber incident does occur. Resilience
is as important as a goal as is prevention.
Thus, leaders must know what they and all of
the members of their team would do in a cy-
ber crisis. Leaders must ensure the readiness
of their company for such an incident, with an
adequate and detailed plan that they exercise
and on which there is appropriate training.
Using information technology smartly can
differentiate a company and make it a leader;
it can make a company highly profitable. Not
understanding or being prepared for the cy-
ber risks that come with being a 21st-century
company could, however, mean failure for a
company and for its leaders.
   Clear and Present Danger

Clear and Present Danger

Singtel – Bill Chang, Chief Executive Officer,
Group Enterprise

T
he global digital economy is growing rapidly and is
bringing about productivity improvements, increas-
ing business efficiency, and creating tremendous val-
ue. Singapore is also aiming to be the world's first Smart
Nation. As the digital footprint grows with the economy
and our country becomes more wired up with high-speed
digital highways, while also connecting to a plethora of
smart devices with IOT (Internet-of Things), it will open
up a much larger surface area of vulnerabilities for cyber-
attacks to occur. The rapidly increasing trend of cyber-at-
tacks has been cited as among the top risks facing econo-
mies, according to the World Economic Forum’s Global
Risks Report in 2016.
While the cyber criminals’ modus operandi has evolved
rapidly in sophistication, scale, and frequency of attacks,
companies, on the other hand, are struggling to under-
stand the nature of the threats and keep up with these fast-
evolving cybersecurity challenges. Company boards and
top management are increasingly recognising that cyber
threats are one of the top three enterprise risks that their
organisations can face.

JJ From boardroom to ops room

This is no longer a technology issue left to be handled by the
CIOs or CISOs (chief information security officers) alone;
it also needs to actively involve the C-suite management
and boards. Board directors need to be more educated in
the fast-rising risks of cyber threats so as to provide over-
sight and governance with management in cyber risk as-
sessment. In the financial industry, regulators now require
board members to undertake cybersecurity awareness
training and also involve a number of them in cyber drills.
This helps boards provide better oversight for the financial
industry. It also helps companies to be more prepared for
cyber-attacks and to be in a better position to manage the
situation in the event of a cyber breach.

 9 ■
NAVIGATING THE DIGITAL AGE
More can be done to help train our com-
panies' boards and C-suite management. A
comprehensive program should cover areas
like greater awareness of cyber risks, risk as-
sessments, and the decisions and investments
made to mitigate those risks. Boards have to
ensure an ongoing review with management
(given the very fast pace of cyber threat evo-
lution) on cyber defence strategy, and must
ensure adequate funding and resources are
allocated while reviewing the associated level
of risk tolerance.
Board members should also assess the
skills and experience of their bench to ensure
they have adequate digital and cyber talent.
In a number of companies, boards are start-
ing to bring in digital- and cyber-savvy tal-
ent to augment their board's bench. This will
not only help the company leverage digital
technologies to accelerate growth and trans-
form its business, but will also help to advise
TOP RISKY INSIDER THREATS
General Lack of
Security Training
7%
10% (2015)
Failing to Install Security
Updates and Patches
9%
10% (2015)
Weak Passwords
11%
Top Risky
9% (2015)
Insider
Access and
Threats
Privilege
Modification/Escalation
18%
18% (2015)
■ 10 
management and provide key oversight and
governance in the area of cybersecurity.
JJ ‘Within and beyond’ company walls
The training should also help boards and
management build a framework to instil a
culture of cybersecurity readiness, as well as
advise them on what to request for periodic
updates with management, and how to assess
the effectiveness of ongoing programs to con-
stantly help evolve their cybersecurity matu-
rity curve over time.
It is also key to note that six out of ten cy-
ber breaches are the result of internal lapses,
whether due to weak enforcement of poli-
cies, employee negligence, or malicious in-
tent. A recent survey in Singapore, with a
sample size of 194 respondents, highlighted
many ways these internal lapses can occur.
There is a need for progressive internal user
education to be more aware of the ‘Dos and
Unauthorized File Transfers,
Such as Via Email
or the Cloud
31%
28% (2015)
Installation of
Unauthorized
Software or Malware
24%
25% (2015)

Don’ts’ in cybersecurity, as these can lead
to serious compromise of sensitive systems.
CISOs also have to play a key role in advis-
ing their boards and reviewing with them
the prioritised areas to enhance their cyber
defences, as it would be too costly to defend
everything that the enterprise covers.
Beyond their company walls, they also
have to look across their supply-chain cyber
risks, as all companies have connected cus-
tomers and suppliers. This is to ensure the
cyber risk assessment is reviewed as part
of their overall supply-chain program. As
a matter of fact, many of the very high pro-
file cyber breaches in the world are due to
supply-chain risks—like the Target retailer
breach in the US, which was caused by one
of their subcontractors, losing 40 million of
their customers’ records eventually.
Many SMEs (Small & Medium Enterpris-
es) have little or no cybersecurity awareness,
let alone appropriate security measures in
place to protect themselves and their supply
chains. They also lack the security expertise
to advise, implement, and defend their busi-
ness. More needs to be done in educating
SMEs on this serious security challenge to
their business and also to their supply chain,
involving their customers, partners, and sup-
pliers. Cloud-based security solutions and
managed security services, which are cost
effective, are best suited for SMEs' adoption
due to the lack of expertise in-house.
JJ Not ‘IF’ but ‘WHEN’ mind-set
Beyond awareness, risk assessment, and risk
tolerance, boards should also be trained to
cover the post-breach crisis management and
communications process. We have seen that
in many high-profile breach cases, the poor
handling of post-breach crisis management
and engagement with stakeholders actually
resulted in the destruction of the company's
value and loss of trust with customers,
even incurring serious probes and penalties
from regulators and class-action suits from
shareholders. The big challenge with cyber
breaches for many companies: usually they
do not have enough information on what
was lost, how or when it happened, who
Clear and Present Danger
caused it, or how to prevent it. Meanwhile,
the press, stakeholders, or regulators may
be all over the company if their customer or
critical data breach has already been made
public. Very frequently, the company un-
der breach may not know the answers until
months later—all while it faces the barrage
of the stakeholders' and media's queries, as
well as regulatory investigations. Succumb-
ing to this pressure, this is where most com-
panies make the mistake of giving partial or
even incorrect information, resulting in loss
of confidence and causing the impacts earlier
described. Boards and management should
be trained in post-cyber-breach manage-
ment to develop their protocols, and even
regularly update and conduct drills involv-
ing boards and management—not with the
mind-set ‘IF’ a cyber breach will happen but
‘WHEN’ it will happen.
Beyond training boards and management,
it is also key to train their CIOs, CISOs, and
cybersecurity operations staff. This is to con-
tinually sharpen their cyber defence skills
in the midst of a very fast-changing cyber
threat landscape. Globally, there is already
a shortage of 1 million cybersecurity-trained
professionals in 2016, according to Forbes. In
Singapore, our total cybersecurity profes-
sionals are only about 1% of our overall ICT
workforce. This will not be sufficient for Sin-
gapore’s needs as we strive towards our vi-
sion to be a Smart Nation, which will require
much higher numbers of cybersecurity pro-
fessionals in a number of fronts. Compound-
ing that challenge, more businesses are also
accelerating their digital transformation,
which means they will also require greater
numbers of cyber defenders as their digital
footprint grows.
So, in a very tight cyber talent market
globally, it is key that companies invest in
the ongoing training and development of
their cybersecurity professionals to better
defend themselves and also retain their rare
talent. As for companies without the core tal-
ent of cyber professionals, which also have
to defend themselves against ongoing cyber
threats, they should consider partnering with
a managed security service provider (MSSP).
 11 ■
NAVIGATING THE DIGITAL AGE

In this aspect, they have to consider MSSPs

with deep and global capabilities, consider-
ing the nature of this global threat phenome-
non that we will face for a long time to come.

This article was adapted from an earlier article

‘Trekking in a clear and present danger cyber
world’, which was published in the fourth-quar-
ter issue of Directors’ Bulletin, a publication of
the Singapore Institute of Directors.

■ 12 
  Building an Integrated, Worldwide Response to Global Cybersecurity Threats

Building an Integrated,
Worldwide Response to
Global Cybersecurity Threats
Khoo Boon Hui, former INTERPOL President;
retired Singapore Police Commissioner

C
ybercrime is a borderless enterprise. Most cybercrime
takes place across national borders, creating a chal-
lenge for law enforcement as well as corporate directors
and senior executives. While cybercriminals gain strength
through sophisticated international networks and a thriv-
ing market in malware, most private organisations lack the
kind of coordination that could enhance the detection and
containment of cyber threats.
From a law enforcement perspective, cybercrime has
much in common with terrorism and organised crime. Just
as terrorism changed the face of law enforcement in recent
decades, so is cybercrime pushing public and private se-
curity professionals to find new ways to protect the con-
nected world—both digital and physical. To combat the
threat of organised crime and terrorism requires coordina-
tion across national borders and between the public and
private sector. Combating cybercrime is no different.
Cybersecurity is not a competitive advantage. When one
organisation is attacked, reputations suffer across industries
and confidence is undermined. A cyber breach can ripple
through the entire supply chain, user base and digital ecosys-
tem of an organisation—spreading the effects well beyond
the point of the breach. Add to this the question of safety
at power plants, factories, transportation systems and the
growing network of connected sensors and devices known
as the Internet of Things and it is easy to see why cybersecu-
rity is an imperative that is bigger than any one organisation.

JJ The problem
Hackers can now craft attacks with unprecedented so-
phistication and correlate information not just from pub-
lic networks but also from different private sources, such
as cars, smartphones, and wearables. This affects not just
individuals but also businesses and nations. As a result,
these advances have made countering such attacks an in-
creasingly daunting task.

 13 ■
NAVIGATING THE DIGITAL AGE
These cyber threats are further compli-
cated by the evolving modus operandi of
cybercriminals. They are engaging in rapid
information sharing and the streamlining of
operations and processes as they perfect the
means to remain undetected while carrying
out intelligence on their target organisations.
Cybercriminals search for what works best
and continually adapt for success. Malware
is recognised as the tool of choice in most
cybercrime. Criminals and state actors alike
reuse and adapt malware and rely on local
services to help them.  For example, Shifu
malware, an advanced banking trojan dis-
covered by IBM Security X-Force and named
after the Japanese word for thief, was made
up of different elements of existing mal-
ware and stitched together by a modern day
Dr Frankenstein to create a new monster.  previously demonstrated how to hack air-
Cybercriminals will attempt to under-
stand the local situation. The criminals know
that authorities are looking for them and re-
searching them.  Hence, they make their in-
trusions hard to detect by adopting cutting-
edge technology to mask their identity.
They have been benefitting from the lower
costs of acquiring tools, informal partner-
ships, access to cheaper and more powerful
automated computing power, and even out-
sourcing hacking or DDOS attacks through
services offered on the Darknet. They also
collaborate constantly.  The latest trend is for
cybercriminals to incorporate social media as
an attack vector and a platform to form learn-
ing communities and a marketplace for train-
ing. They are no longer hiding underground.
Facebook, for example, has become the open
platform of choice for cybercriminals. Twitter
is being exploited for hacktivism in financial
fraud, and we are increasingly exposed to the
use of WhatsApp as the new Darknet. Using
social media as a platform to generate learning
communities, cybercriminals have harnessed
the potential of technologies available today,
extending their reach beyond the Darknet to
the Internet world at large.
If international organisations and compa-
nies want to leverage the Fourth Industrial
Revolution to their benefit and create a long-
run competitive advantage, they must not
■ 14 
only invest in upgrading their production
facilities but also rethink and refresh their
existing IT security standards. Traditional
security tools against traditional threats re-
main indispensable, but it is necessary to
continuously adapt to emerging digitisation,
supplemented with new, innovative meth-
ods of defence.
Even once fail-safe defences can be un-
done with the right technology. For example,
the Singapore Government plans to sepa-
rate Internet access from the workstations
of government officials by June 2017. How-
ever, even this air gapping may not be good
enough. Israeli researchers have discovered
a way to extract limited amounts of data
from air-gapped computers using the sound
emitted by their cooling fans. The group has
gapped machines using radio waves and
other techniques.
The PricewaterhouseCoopers Global Eco-
nomic Crime Survey 2016 revealed that cy-
bercrime has been on a steady increase every-
where since it first appeared in the survey in
2011.1 Cybercrime has now jumped to second
place, while asset misappropriation, bribery
and corruption, procurement fraud, and ac-
counting fraud—the traditional leaders in
this category—all show a slight decrease.
Between 2013 and 2015, the costs of cy-
bercrime quadrupled, and Juniper Research
predicts that the costs of data breaches will
quadruple again between 2015 and 2019, to a
collective $2.1 trillion globally.2 Ransomware
is currently the biggest cybersecurity threat.
It has replaced advanced persistent threat
(APT) network attacks as the most problem-
atic cyber threat. In a recent study done by
Cyber Threat Alliance (CTA) on Cryptowall
3.0, ransomware has been used to extort a
staggering $325 million from tens of thou-
sands of victims worldwide.3
There is much to be learnt from the evolu-
tion of the ransomware scheme. A lot of dam-
age caused by ransomware could be undone
by regularly backing up data and by moni-
toring systems for such threats. Ransom-
ware started by attacking home-users, and
expanded quickly to target law enforcement
 Building an Integrated, Worldwide Response to Global Cybersecurity Threats
agencies, business corporations, and even
hospitals. This is simply due to the fact that
the data at ransom did not have the neces-
sary backup. In other words, there would be
nothing to ransom if enterprise and personal
data were regularly backed up, properly
serialised, and secured in an offline envi-
ronment. Instead, cybercrime groups often
incorporate ransomware as a serendipitous
add-on to their malware attacks, preying
on individuals and organisations that fail to
take simple precautions.
JJ Working toward a better defence
The old adage “prevention is better than
cure” is still relevant. Where cybersecurity is
concerned, we should not take the easy way
out by letting the bad guys have free rein
and hope that your more expensive system
is better than your competitor’s, thus mak-
ing him the alternative target. Cybersecu-
rity must deter criminals by increasing their
costs of launching successful attacks by de-
ploying fit-for-purpose technology. The key
is to invest prudently in systems that are
prevention-oriented rather than detection-
oriented, and which are well integrated and
automated rather than a complex aggrega-
tion of various legacy systems requiring hu-
man intervention.
Just as in countering terrorism, cyber de-
fenders have to be vigilant 24/7; adversaries
need to be successful only once. Again as for
terrorism, there is a critical need for multi-
layer, multi-modal defence. Such defence in
depth is required to secure the perimeter, see
the threat that is coming, and detect anoma-
lies within the system.
The focus of cybersecurity should not be
just internal. Senior leadership can influence
the security practices of suppliers and part-
ners—whether by a direct set of minimum
requirements asked of them in contractual
negotiations, or indirectly through efforts to
advocate for their own uplift in security ca-
pability via the sharing of knowledge, threat
intelligence, or other resources.
In many successful attacks, the bad guys
are deploying machines while the defenders
are heavily dependent on human expertise,
which is in short supply. This is why we need
machine (smart use of technology) and method
(process excellence, design, and innovation)
to support the human (expertise). This is why
directors and senior executives—as well as
security professionals—need to recognise
that their challenge is not just a technical is-
sue but also a human one.
JJ Minimise damage with a proactive response
The stakes are clearly high when it comes to
data breaches. Companies should be proac-
tively protecting themselves against cyber
threats, yet the recruitment and retention of
skilled cybercrime specialists continues to
be a challenge. Consider the cyberattacks on
the giant discount retailer Target Corp. and
on the banking giant JP Morgan Chase and
Co., which caused the companies to spend
an additional $100 million and $500 million,
respectively, on security post-breach. Many
believe that this cost can be significantly
reduced if a breach is responded to quickly
and properly with the right mix of methods,
machines and experienced manpower.
Businesses need to recognise that perfect
cybersecurity does not exist. They should,
instead, focus on adopting a defence-in-
depth approach to protect their key assets
and be adequately prepared to react to inci-
dents when they occur. From cybersecurity
testing, compliance, and risk assessment to
protecting businesses with round-the-clock
security monitoring, to establishing security
incident response plans, organisations re-
quire an all-round approach towards cyber-
security protection.
An organisation needs an effective reme-
diation and incident response plan that can
manage cyber events to minimise damage,
boost the confidence of external stakehold-
ers, and reduce recovery time and costs. This
includes a crisis management plan, full me-
dia training for any spokespeople, and a war
games exercise to test resilience.
Senior management and the board must
understand and act upon the fact that cy-
bersecurity is not just an IT problem. And
because successfully protecting confidential
data is a must, sufficient resources have to be
 15 ■
NAVIGATING THE DIGITAL AGE
made available so that a customised incident-
response plan can be devised and executed.
Legal, corporate communications, finance,
HR, and various other departments need to
work in lockstep to enable mandatory breach
notification, thorough incident investigation,
and timely and coherent initial and follow-up
communication with other relevant stake-
holders, including employees, customers and
suppliers. Such communication must provide
stakeholders the opportunity to ask questions
and provide feedback.4  Some examples of successful information-
JJ Educate and educate
With recent breaches reported in the press,
organisations tend to focus on technology,
but these events mostly happen because of
employee negligence. It could be as simple
as a well-meaning employee sending busi-
ness documents home to work on over the
weekend, or losing an unprotected laptop,
or forwarding an email to the wrong per-
son. According to the PricewaterhouseC-
oopers 2016 Information Security Survey,
employees remain the most cited source
of compromise at 34%, with ex-employees
accounting for another 29%. Worryingly,
incidents attributed to business partners
climbed to 22%.
The most sophisticated and advanced se-
curity technology in the world cannot guard
you securely unless employees understand
their roles and responsibilities in safeguard-
ing sensitive data and protecting company re-
sources. This involves establishing and imple-
menting practices and policies that promote
security and training employees to identify
and avoid risks. You need to foster a security-
conscious culture within the company and
among key stakeholders.
Continuous training in security awareness
can raise employee alertness to the reality of
threats, vulnerabilities, and the consequenc-
es, and help them take active roles in secur-
ing your enterprise information. Employees
should be educated on current key security
issues, including information protection, so-
cial networking, virus protection, password
security, web browser security, email security,
mobile security, and more.
■ 16 
JJ Information sharing is key
As cybersecurity information and knowledge
progresses, with new technologies emerging
every day, organisations must leverage new
means to harness this knowledge. This can be
done through information sharing. Many se-
curity incidents could be avoided if informa-
tion is transmitted across organisations and
industries in time. Information sharing is also
a useful tool to make it prohibitively costly for
cybercriminals to launch successful attacks. 
sharing platform include the following:
JJ The FS-ISAC, which is a U.S. information-
sharing facility and an industry forum for
collaboration on critical security threats
facing the global financial services sector
using STIX™ and TAXII™. Structured
Threat Information Expression (STIX™) is
a structured language for describing cyber
threat information so it can be shared,
stored, and analysed in a consistent man-
ner, while Trusted Automated eXchange
of Indicator Information (TAXII™) is a
free and open transport mechanism that
standardises the automated exchange of
cyber threat information.
Such information sharing within the pri-
vate sector, when acted upon, can increase
the cost to the cybercriminal of launching suc-
cessful attacks. Bianco’s “Pyramid of Pain” is
a useful guideline for security protection (see
diagram). This concept is based on the under-
standing that not all indicators of compromise
are the same—they have varying degrees of
impact on cybercriminals.5 
The pyramid defines the pain or difficulty
it inflicts on the adversary when the authori-
ties or potential victims deny those indica-
tors to them. For example, adversaries can
adapt with relative ease to the disclosure of
their hash values or Internet Protocol (IP) ad-
dresses, but disclosure of characteristic tactics,
techniques, and procedures (TTPs) are much
more difficult—and expensive—to overcome.
 Building an Integrated, Worldwide Response to Global Cybersecurity Threats

JJ Role of governments: businesses have a firsthand understanding

The need for public-private partnerships
Moving beyond the organisation, cybersecu-
rity efforts must expand across sectors and
even national boundaries because of the speed
and pervasiveness of cyber threats and their
serious repercussions. Today’s cybercrime de-
mands strong public-private collaboration to
defend against this formidable challenge and
tackle ever-evolving cyber threats.
Establishing the capacity to combat cyber-
crime requires coordinated and committed
multi-stakeholder efforts—a collective re-
sponse. This response requires understanding
the threat environment, sharing information,
and implementing the best practices across
the public and private sectors. Corporate dif-
ferences and conflicts of interests should be
put aside to create expert analysis and intel-
ligence, and develop coordinated and proac-
tive responses.
Combating cybercrime is a shared re-
sponsibility. The private sector is a rich
source of expertise and innovative capacity.
As one of the main victims of cybercrime,
of the threat landscape. Evidence required
by law enforcement officers to prosecute
cybercriminals is often held by the private
sector. Public-private partnerships enable
cybersecurity experts to combine their re-
spective strengths, overcome individual
limitations, and reduce any blind spots in
combating cybercrime.
There have been several remarkably suc-
cessful operations executed by public and
private entities. For instance, the takedown
of the Simda and Dorkbot botnets, under-
taken by INTERPOL, various law enforce-
ment agencies, and private sector technology
IT-security firms, exemplifies the successes of
public-private collaboration.6 Equipped with
data and intelligence provided by the private
sector, INTERPOL was able to support these
operations through active and live coordina-
tion with law enforcement officials in partici-
pating member countries and other regional
law-enforcement organisations to take down
malicious servers and identify cybercrimi-
nals with the aim of prosecuting them. This

BIANCO’S PYRAMID OF PAIN

n Tough!
Tips

Tools n Challenging

Network/ n Annoying
Host Artifacts

Domain Names n Simple

IP Addresses n Easy

Hash Values n Trivial

 17 ■
NAVIGATING THE DIGITAL AGE
extends the private-sector pyramid of pain
to exposing the cybercriminals real identity,
disrupting their botnets and criminal net-
works, and even arresting and prosecuting
the individuals responsible.
JJ Cultivating trust in a borderless world
Information gives the good guys the knowl-
edge we need to defeat cybercrime. But trust
gives us the will and courage to use this
knowledge to protect ourselves and oth-
ers who may be vulnerable. In a borderless
world where attacks may come from any-
where, trust becomes increasingly important
for us to collaborate and foster relationships
among stakeholders.
Already, organisations such as the Eu-
ropean Cybercrime Centre (EC3) in The
Hague, INTERPOL Global Complex for In-
novation in Singapore, Japan Cybercrime
Control Center (JC3), and National Cyber
Forensics and Training Alliance (NCFTA) in
Pittsburgh have been set up to develop trust-
ed networks among authorities and corpo-
rate sectors to cooperate and enhance global
competencies against cybercrime.
Global megatrends have radically altered
the contemporary situation in national and
global security. The increased mobility of
money, people, goods, and information, the
intensity of these flows, and the rise of global
interconnectivity have all led to a high vol-
ume of crime and security issues originating
far beyond the jurisdictions they affect. Ten
years ago the Singapore Police began a closer
coordination with the global network of law
enforcement to better appreciate threats and
to collaborate on enforcement. But inter-
national law enforcement has not adjusted
fast enough to this new global reality and
remains highly decentralised. International
cooperation, meanwhile, is still characterised
by self-interested interactions at the bilateral
or multilateral level.
While the bad guys have established their
own networks, the new connectivity police
paradigm requires a wider perspective that
incorporates global policing elements at all
levels and maintains communication and
intelligence sharing among them. The new
■ 18 
paradigm acknowledges that there is a global
common interest to combat crime that might
hit any country. The focus needs to shift from
not just national or local security concerns
but to global security considerations.
This was one of the reasons that Singapore
built the INTERPOL Global Complex for In-
novation to allow experts in the future of po-
licing to work together with the private sec-
tor. Already some success has been achieved
through this approach where, acting upon
private-sector information, large-scale bot-
nets hosted in countries that may not nor-
mally collaborate bilaterally have been taken
down. The culprits may never be brought to
justice, but their identities have been exposed,
their attack infrastructure has been disrupted,
or their malware has been revealed—all of
which help to drive up the cost of cybercrime.
Unlike terrorism and organised crime, the
private sector—especially cybersecurity pro-
viders—have greater access to expertise and
information than the public sector. The pri-
vate sector should not wait for the authorities
to lead the way but instead initiate their own
alliances to share best practices and—more
importantly—threat information. Some see
the intelligence they own as a competitive ad-
vantage not to be freely shared, but it would
help put defenders of cybersecurity on stron-
ger footing if incentives were devised where
access to the products of such sharing could
be dependent on the quality and quantity of
the inputs shared.
JJ From the server room to the boardroom
Businesses are increasingly concerned with
cyber threats, but there is a tendency to treat
cybersecurity as just another risk to be miti-
gated. Many boards rely on management to
handle cyber risks, which are often further
delegated to the CTO or CISO. Some com-
panies have never had a meaningful board-
room discussion on cybersecurity, nor do
they have a crisis management plan in place
specifically to handle a breach. Boards fail
to appreciate the differences in risk velocity
between the physical world and the cyber
world in terms of the speed, scale, and po-
tential impact of a cyber incident.
 Building an Integrated, Worldwide Response to Global Cybersecurity Threats
Furthermore, there is a growing conver-
gence of physical threat and cyber threat vec-
tors, from data exfiltration to financial ran-
somware, to attacks that are now targeting
critical infrastructure. Indeed, some boards
in the United States have even formed se-
curity committees to oversee both physical
threats and cyber threats. An exposition on
vulnerability and the potential consequences
to the confidentiality of intellectual property,
integrity of data, and availability of services
are board-level concerns.
JJ Conclusion: The challenging road ahead
The discipline of cybersecurity is often char-
acterised by attempts to conjure up some-
thing definitive in an environment plagued
with uncertainty. Traditionally, the approach
of securing the perimeter through signa-
ture-based detection to keep the bad guys
out provided a good enough approach. To-
day, a threat-based and anomaly-based ap-
proach requiring intelligence and sensors is
required. This is similar to how authorities
deal with homegrown and self-radicalised
terrorism except that much of the informa-
tion is in the hands of the private sector.
Security operations today endeavour to
be intelligence-driven. This prioritises efforts
and controls against recently encountered
threats, as well as over-the-horizon threats
the cyber intelligence function has to antici-
pate. This requires the building of alliances.
The risk of being under attack is much high-
er given the industrialisation of cybercrime.
Today’s hackers either work for complex
operations that are akin to businesses or of-
fer their services or stolen data on the dark
web for organised crime to exploit. That’s
why public- and private-sector cybersecurity
professionals need to match the capabilities
of the bad guys, recognising that there is no
silver bullet to addressing security issues,
whether physical or cyber.
Today, a systems-and-networked approach
should be mandatory, using the right plat-
forms in both physical security and cyber
protection. At the same time, cybersecurity is
as much a human issue as it is a technology
issue. Attitude matters. The board and senior
executives can lead by fostering a security-
conscious culture both within the company
as well as with key partners. Because cy-
bersecurity is a complex issue, it demands a
complex solution. The key elements are:
JJ Proactive security measures
JJ Education and information-sharing
platforms
JJ Public-private partnerships and
JJ Cultivating trust
The global community needs to ensure
that government leaders, boards and chief
executives alike recognise the threat of cyber-
crime. Leadership is required to enable societ-
ies not just to provide the response but to be
prepared for the future. We have to take the
lead in organising ourselves to be prepared
for even more sophisticated cybercriminals.
Leaders need to develop legal and technologi-
cal structures where stakeholders share real-
time information and best practices, and iden-
tify risks and challenges to enhance our efforts
against cybercrime. Regular dialogues on cy-
ber strategies to enhance capacity building as
far as legal frameworks permit are required to
raise the game against cybercriminals. These
committed efforts need to be based on trust
and collaboration across countries in the pub-
lic and private sectors in order to keep our cit-
izens and customers, our businesses, and our
information and infrastructure systems safe.
A collaborative and cohesive system is where
we can harness our greatest potential in this
fight against the cybercriminals.
Works Cited
1. PricewaterhouseCoopers Global
Economic Crime Survey 2016, http://
www.pwc.com/gx/en/services/
advisory/consulting/forensics/
economic-crime-survey.html
2. http://www.juniperresearch.com/
researchstore/strategy-competition/
cybercrime-security/financial-corporate-
threats-mitigation
 19 ■
NAVIGATING THE DIGITAL AGE
3. http://www.darkreading.com/
endpoint/with-$325-million-in-extorted-
payments-cryptowall-3-highlights-
ransomware-threat/d/d-id/1322899)
4. http://www.disaster-resource.com/
index.php?option=com_content&view
=article&id=2685:data-breaches-how-
to-protect-corporate-reputation-and-
the-bottom-line&catid=6:information-
technology
■ 20 
5. http://rvasec.com/slides/2014/Bianco_
Pyramid%20of%20Pain.pdf)
6. http://www.interpol.int/Media/Files/
News-Media-releases/2015/2015-038-
Simda-botnet-operation-%E2%80%93-
Questions-and-Answers, http://
www.interpol.int/News-and-media/
News/2015/N2015-215
   The Fourth Industrial Revolution – Why Security Cannot Wait!

The Fourth Industrial Revolution –

Why Security Cannot Wait!
Quann – Professor Yu Chien Siang,
Chief Innovation Officer

R
evolutions, such as the American and French revolu-
tions, are periods of radical change that leave wide-
ranging impacts on our world. Industrial revolutions
are no different. Apart from the economy, they also im-
pact our society, politics, and culture. To Klaus Schwab,
best known as the founder of the World Economic Forum,
we are already into the early stages of the Fourth Indus-
trial Revolution.
In each of the three prior Industrial Revolutions, the
economics, the society, and the politics of the time and the
succeeding decades saw great upheaval. These revolutions
brought with them the promise of socioeconomic mobility,
facilitated the rise of the middle class, created new prod-
ucts and services, and enabled a higher quality of life. This
Fourth Industrial Revolution is like no other. The speed
at which it is unfolding, its scale, and its impact on the
global economy is unprecedented. These include the ex-
pansion and pervasiveness of mobile Internet access, the
prevalence of cloud computing, the Internet of Things,
quantum computing, and the adoption of artificial intel-
ligence (AI) with deep-learning capabilities. Never before
has the world been connected so quickly and so tightly.
Already, in Singapore, we are creating a Smart Nation,
where connectivity between everything and everyone of-
fers us limitless possibilities in doing things and solving
problems. Tomorrow’s economy, the Cognitive Enterprise,
will see the integration of AI into every facet of govern-
ment, corporates, and individuals. This is the Internet of
Everything (IoE).

JJ Tomorrow’s dangers here today

Every Industrial Revolution has had its own fair share of
problems and negative externalities. These include envi-
ronmental damage, social/economic marginalisation and
alienation, and the entrenchment of privilege and wealth.
The characteristic hyper-connectivity brought about by

 21 ■
NAVIGATING THE DIGITAL AGE
this Fourth Industrial Revolution too brings
with it unintended consequences, such as
the security vulnerabilities arising from the
fact that new business models and technolo-
gies are evolving far more rapidly than secu-
rity solutions.
For a start, many IoE devices are inher-
ently insecure. Any device that connects to
the Internet, corporate networks, and data-
bases is a potential security risk. In fact, any
device that is connected to a power line is
inherently vulnerable, as data can be trans-
mitted over power. For example, printers
and copiers may appear innocuous, but they
have the potential to store a tremendous
amount of sensitive information. In short,
hyper-convergence is making mobile secu-
rity riskier as more functions, such as busi-
ness cards, credit cards, and access cards, are
being consolidated on the ubiquitous mobile
phone. A report by Kaspersky revealed that
the incidences of Android ransomware have
increased by four times in one year. Ransom-
ware can lock screens and even SIM cards,
and malware can intercept any incoming
SMS by replacing them with false ones.
Cognitive Enterprise models also create
new security risks. The “Crown Jewel” of
the new economy is data. Corporations and
Smart Nations that are able to collect, anal-
yse, and make sense of large data sets will
be able to differentiate themselves from their
competitors. The art then lies in translating
these insights into meaningful services for
citizens or products and services for con-
sumers, corporations, and governments.
One of the vulnerabilities of the new
economy lies in its dependency on Global
Positioning Systems (GPS). Many govern-
ments and critical infrastructure companies
are over-reliant on GPS tracking systems as
the single data source to provide positional,
navigational, and timing data. Imagine the
impact if such systems were affected through
error or unavailability.
In brief, the threat is real, and the fallout
is deadly. In the face of an ever more danger-
ous future, it is crucial that one starts prepar-
ing now. Preparation, to paraphrase the old
adage, is better than scrambling for a cure.
■ 22 
Robert Mueller, a former director of the FBI,
said that there would be only two types of
firms in the near future: those that know
they have been hacked, and those that have
not yet realised it. This sentiment, that every
organisation will be targeted and eventu-
ally compromised, has been echoed by many
other cybersecurity experts. With all this in
mind, it becomes ever clearer that every or-
ganisation must prepare, and that they must
do so now.
JJ A holistic view of enterprise security is
needed. Now.
What is certain is that it cannot be busi-
ness as usual. Breaches will occur. Many
cybersecurity plans, however, remain one-
dimensional. Organisations might use Open
Authorisation Authentication methods and
have multiple firewalls, but these measures
are less useful at dealing with intruders who
have managed to overcome these perimeter
defences. Similarly, in our experience, many
organisations have deployed the latest and
most sophisticated hardware and software
to defend their systems, but do not engage
security monitoring services or have contin-
gency plans. When the Singapore Govern-
ment announced that it was cutting Internet
access on public servants’ computers, many
corporate entities asked if they should do
the same. Even if a system is air-gapped,
has all its data encrypted, and is part of a
Cyber Iron Dome, breaches will occur, and
organisations need to respond quickly and
appropriately.
The reality is that no silver bullets exist.
Organisations need to have a comprehensive
cyber-defence policy that adopts best prac-
tices such as security-by-design and multi-
layered defences-in-depth. Organisations
also need to be proactive: they need to begin
preparing even before they are threatened. A
holistic approach is necessary, as cybercrimi-
nals themselves are extremely sophisticated,
dynamic, and creative, and will circumvent
any single and static measure that is put in
place. Cybercriminals should not be under-
estimated, especially when they have time,
money, and the initiative on their side.
 The Fourth Industrial Revolution – Why Security Cannot Wait!
The first step is to examine your organ-
isation’s business model and identify its
key assets: does your organisation rely on
online transactions, or does it hold private
and sensitive data of multiple individuals?
How important is social media in promoting
your business? This will help you plan and
prioritise the key assets that your firm will
have to secure and check first in the event of
a cyberattack.
The next step is to set aside a budget for
your cybersecurity needs. Already, the Sin-
gapore Government has put aside 8% of its
IT budget for cybersecurity, and non-gov-
ernment organisations should follow suit.
This is important not just because your or-
ganisation needs to invest in cybersecurity,
but also because responding to breaches can
be expensive. Investing in a comprehensive
cybersecurity framework ex ante will like-
ly cost less than responding to a breach ex
post. In Singapore, the case law, whether
civil or criminal, on such breaches is still at
a very nascent stage, but the ex post recov-
ery costs can soar, especially in jurisdictions
that are litigious.
And finally, your organisation should en-
gage in Vulnerability Assessment and Pen-
etration Testing, or VAPT. These are tests
and exams that probe your organisation’s
cybersecurity stance, readiness, and abil-
ity to react. These tests are critical because
they can reveal valuable information about
your organisation’s weaknesses, thereby
enabling your organisation to patch them
up before these vulnerabilities are exploit-
ed. To paraphrase Sun Tzu, it is of utmost
importance to at least understand your own
capabilities.
With the above, you will then be ready
to put together the various pieces of your
cybersecurity framework. First, from a tech-
nical perspective, the VAPT should have
revealed the key vulnerabilities in your sys-
tem. A typical first step is to secure the pe-
rimeter with firewalls and intrusion preven-
tion systems. These security devices should
be actively managed and monitored by a
24/7 Security Operations Centre to ensure
that any breaches are detected promptly
so that remedial action can be undertaken.
Second, the risk of an insider threat is real.
According to the IT Security Risks Survey,
in 2015, nearly three out of four organisa-
tions were victims of insider threats. These
may arise from malicious insiders or purely
from poor security practices by employees.
This is where education is important. It en-
tails educating and training employees to
internalise and implement cybersecurity
best practices and protocols, and raising the
level of cyber wellness in the organisation.
Finally, it is imperative to raise the cyberse-
curity skill sets within your organisation’s
technical department, as they will be your
first line of defence. Just as organisations
have physical security Business Contin-
gency Plans (BCPs), organisations need to
develop cyber incident response plans pro-
actively and pre-emptively. An incident re-
sponse plan should cover an entire range of
processes, from incident response planning
to threat analysis, to containment, eradi-
cation, recovery, and then post-incident
recovery. These human elements are par-
ticularly important, because cybersecurity
is as much of an art as it is a science, and
therefore requires the very human elements
of judgment, discretion, and discipline.
JJ The art and science of being cyber secure
Undergirding these tangible policies and
action plans, however, are more immediate
mind-set shifts. The first and most immedi-
ate thing for any leader to recognise is that
the Fourth Industrial Revolution is indeed
upon us, and that every organisation needs
to plan for this Industrial Revolution. As
with another force of change, this Industrial
Revolution brings with it the potential to
both benefit and harm. Security must keep
pace with the developments of this Indus-
trial Revolution, lest an equivalent Cyber
9/11 occur.
At the end of the day, there are but two
major takeaways for leaders. Does your
firm already have a relevant and effective
cybersecurity strategy in place? Do not just
assume that it exists or that it is relevant
and effective: have it presented to you and
 23 ■
NAVIGATING THE DIGITAL AGE
examine it closely. The other takeaway is
that you should ensure that your organisa-
tion possesses the right capabilities to protect
itself in the cybersecurity domain. Not all IT
professionals are cybersecurity equipped.
There is a chronic shortage of cybersecurity
talent the world over, and Singapore is no ex-
ception. Consider partnering with an estab-
lished Managed Security Service Provider
■ 24 
to de-risk and meet the growing complexity
of your business. They would typically have
the economies of scale and necessary prod-
ucts, services, and manpower to support
your business.
As we forge ahead into the brave new
world brought about by the Fourth Indus-
trial Revolution, this is what we need to do.
And we need to do it now.
  Safe Travels: Cybersecurity for Public Transport, From Operating Technology to Information Technology

Safe Travels: Cybersecurity for

Public Transport, From Operating
Technology to Information Technology
Land Transport Authority – Huang Shao Fei,

Director, IT Security, Governance & Risk Management

F
or more than a century, railway systems have been en-
gineered for safety. The operating technology that runs
the railways of the world has evolved with reliability in
mind, and is meant to last for many years of continuous op-
eration. But modern railways have entered the digital age
with information technology now integrated into many
control systems. Many of the industrial control systems
used are from the pre-Internet era and do not have adequate
cybersecurity built into them. Nor are these systems sched-
uled to be patched regularly, given their long lifecycles.
Cybersecurity is just as critical to ensuring safety and
reliability in public transit today as the physical security
on which rail transportation was built. This is a very dif-
ferent cybersecurity challenge than that faced by financial
and consumer organisations. Online fraud, web deface-
ments, and information theft can result in reputation loss
and financial damage at worst. In transportation, lives
may be at stake.
This is particularly worrying for public transporta-
tion systems, as it is for power plants, oil rigs and other
industrial and infrastructure facilities. Cyber-threat actors
targeting major critical infrastructure such as transport-
control systems are unlikely to be script-kiddies or hack-
tivists, since the usual cybercrime motives would not ap-
ply. There is nothing to steal and little leverage in laying
claim to a defaced website or an embarrassing expose. In-
stead, threat actors targeting transport systems could have
far more sinister intentions.

JJ The cyber challenge

While many control systems remain stuck in the pre-In-
ternet era, cybercriminals are very much on the cutting
edge. Cybersecurity threats are increasingly targeted,
complex, and stealthy. In the past, air-gapped networks
were enough of a barrier to protect against viruses, bots,
and hackers. But now even systems that are not connected

 25 ■
NAVIGATING THE DIGITAL AGE

to the public Internet are no longer immune. ‘…there are known knowns; there are things
Advanced Persistent Threats, such as those we know we know. We also know there are
orchestrated by state actors with long time known unknowns; that is to say we know
horizons and complex motives, show that there are some things we do not know. But
perimeter security controls no longer guar- there are also unknown unknowns—the ones
antee security. The reality today is that the we don't know we don't know. And if one
level of attack sophistication is usually one looks throughout the history of our country
step ahead of state-of-the-art vulnerability and other free countries, it is the latter catego-
exploitation techniques—the tools that or- ry that tend to be the difficult ones’.1
ganisations use to test their own system for It is the same for transportation systems.
possible vulnerabilities. First, it is necessary to identify known-un-
Singapore’s policy response to cyber knowns such as ‘indicators of compromise’
threats has evolved along with the threats that are not picked up by signature-based so-
themselves, as described in the timetable lutions such as antivirus software. But more
of Singapore’s National Cyber Security critical—and more difficult to detect—are the
Approach shown below. In reaction to the unknown-unknowns or ‘black swans’.
BlackEnergy malware aimed at Ukraine Sophisticated attacks have a far longer
news media and electric power infrastruc- gestation period and cannot be detected with
ture, for example, Singapore’s parliament is traditional security solutions. Ponemon Insti-
working now on a new cybersecurity bill to tute discovered that it takes more than seven
be tabled next year. months on average to identify a malicious or
criminal attack.2 So far, the known cyberat-
JJ Singapore’s National Cybersecurity Approach tacks on transportation systems don’t seem to
The reality is that while cybersecurity ex- be designed for disruption or sabotage. They
perts continue to monitor known threats and appear to be surveillance operations. But they
related vulnerabilities, the key challenge is are a wakeup call to address vulnerabilities
to distinguish the signals from the noise, to in industrial control systems so important to
distinguish emerging threats and hidden the operation of industry and infrastructure.
vulnerabilities. As Donald Rumsfeld, the for- These efforts are instrumental to ensure our
mer U.S. Secretary of Defense, once stated: transport systems are safe and reliable.

Singapore’s National Cyber Security Approach

2007: Singapore updates
Computer Misuse and
Cybersecurity Act to 2017: New
address cyber threats to Cybersecurity Bill
Singapore's Critical to be tabled in
2008-2012: National 2013-2018: National Singapore
Information Infrastructure
Infocomm Security Cyber Security Parliament
(CII)
Masterplan 2 Masterplan 2018

1993: Singapore enacts 2005-2007: National

Computer Misuse Act Infocomm Security
Masterplan

1988 1993 2005 2007 2008 2010 2011 2013 2016 2017
and beyond
Morris Virus
1st Computer Worm “Operation
Discovered Estonia Malaysia” BlackEnergy
Comes under Massive Anonymous attacks Malware aimed at
Denial-of-Service Attack 91 Malaysian Ukraine news
Government websites
Stuxnet media & electrical
power
Cyber Weapon
organisations
Discovered in
Iran

Copyright © Land Transport Authority | Innovation & InfoComm Technology Group | April 2016 | 6

■ 26 
 Safe Travels: Cybersecurity for Public Transport, From Operating Technology to Information Technology
JJ The engineering challenge
Cybersecurity is a challenge for every indus-
try. For industrial, infrastructure, mining,
and certain healthcare equipment, there are
the additional challenges of integrating in-
focomm security with operating technology
(OT). Adapting IT security controls to OT sys-
tems requires in-depth domain knowledge of
engineering systems—something that cannot
be learned overnight—in order to ensure op-
erational safety and reliability are not com-
promised. This poses a significant challenge
as the whole industry requires IT security per-
sonnel with not only IT security capabilities
but also knowledge of engineering systems.
There is no off-the-shelf solution.
To deal with the cybersecurity challenges
facing land transport systems, the traditional,
domain-centric view of engineering proficien-
cy and capability development needs to be
revisited. In most engineering organisations,
engineers are assigned to work in domains for
which they are trained, and they typically re-
main in their own fields for their entire techni-
cal careers. In today’s context, the convergence
of OT and IT requires cross-domain skills and
knowledge. Only then will there be harmoni-
sation of IT security and standard operating
procedures on the ground.
Another challenge is the lack of industry-
specific cybersecurity standards for rail sys-
tems. While there are internationally accepted
IT security standards for IT systems, such as
ISO27001, there are no similar cybersecurity
standards for operating technology and in-
dustrial control systems, not to mention for
rail systems. Because of this, most IT security
consultants, including auditors, use IT secu-
rity standards to design and benchmark the
cybersecurity of non-IT systems, which do not
adequately address operating environment
and business constraints. To be clear, standards
provide product manufacturers, vendors, sys-
tem integrators, and customers with a com-
mon point of reference for architecting and de-
signing secure systems. This remains a pivotal
challenge for not only transport regulators and
operators, but for the entire IT security indus-
try as well; there is no model to follow, and the
operating environment is not IT-based.
JJ An approach to cyber safety for public
transportation
To deal with the evolving landscape of cyber
threats—and the expanding vulnerability
of cyber-physical systems—requires a mul-
tipronged approach: governance, ongoing
vigilance, incidence response, and capability
development. The steps that follow will help
to ensure an effective security program for
transportation systems:
JJ Institute holistic, practical treatment of
cybersecurity risks that cover people, pro-
cesses, and technology across the whole of
land transport.
JJ Reduce the likelihood of attack through
a good multi-layered design and strong
operational and maintenance procedures.
JJ Improve monitoring of the effectiveness
of systems and procedures to ensure early
warning of attack. 

JJ Enhance alignment between public trans-
port operators and regulators for man-
aging cybersecurity for critical systems,
particularly in terms of security-by-design
for new systems, information exchange
of threats and advisories, cyber-incident
management and escalation.
JJ Mitigate disruption if systems come under
attack by developing, testing, and main-
taining incident response plans.
JJ Perform regular cybersecurity exercises to
validate public transport operators’ readi-
ness to handle cyber incidents and coordi-
nation with law enforcement. 

JJ Set industry security standards. For exam-
ple, the Cyber Security Workgroup under
The International Association of Public
Transport, a non-profit advocacy organi-
zation for public transport authorities and
operators, is exploring this together with
policy decision makers, scientific insti-
tutes, and the public transport supply and
service industry.
JJ Conclusion
Cybersecurity is no longer contained within
the IT realm. Security needs to extend to op-
erating technology and control systems, not
only to mitigate organisational risk but also
 27 ■
NAVIGATING THE DIGITAL AGE
to ensure public safety. As such, cybersecu-
rity should be on the agenda of any board as
part of managing the organisation’s risk and
should be viewed with the same level of ur-
gency as corporate financial performance and
business strategy. The fact is, cybersecurity
undergirds the existence of many organisa-
tions and should be part of strategic conver-
sations by senior levels of management. For
industrial, infrastructure, and engineering
organisations, cybersecurity is more than
an existential matter. It is a question of pub-
lic safety that requires collective knowledge
■ 28 
from the realms of infocomm and engineer-
ing as well as the concerted effort of boards,
management, and regulators.
Works Cited
1. http://archive.defense.gov/Transcripts/
Transcript.aspx?TranscriptID=2636
2. Ponemon Institute, 2016 Cost of Data
Breach Study: Global Analysis, http://
www-01.ibm.com/common/ssi/cgi-bin/
ssialias?htmlfid=SEL03094WWEN
  What 30 Years of Cybersecurity Has Taught Security Professionals

What 30 Years of Cybersecurity Has

Taught Security Professionals
Singtel – Baey Chin Cheng,
Chief Information Security Officer

A
s the C-suite works to understand its cyber risk, we
must also work to provide an understanding of what
its security professionals have been facing as these
risks have grown up around them. Thirty years ago, a
strong door with a lock gave information security profes-
sionals assurance of a good night’s sleep. But the world is
changing so quickly. What was once regarded as ‘master
security professional’ know-how is considered basic to-
day. At the same time, the world is so much more connect-
ed that vulnerabilities can be found in places that were
never thought to be part of an enterprise system, while
the biggest source of IT disruption still comes down to
human error.
The tools and techniques of security have evolved since
the worldwide web emerged three decades ago. But se-
curity professionals hear some of the same questions and
excuses today that they did when the desktop PC was a
new invention. Some of the rationalizations that follow are
short-sighted, while others are destined for failure.

A. We have always been doing it this way!

Sound familiar? When asking about what can be fine-tuned,
it is usual to hear this. ‘Things are just fine. The way we do
things is tried and tested, and there have not been any inci-
dents. You don't want to change a working formula’.
How does one overcome such well-intended advice?
Humans are generally concerned about being told that
they are doing the wrong thing or making a wrong deci-
sion. Sometimes a decision is right when it is made. But
circumstances change, and it is worth taking another look
to take advantage of newer ways of doing things. History
has shown us that if we don't try, we will never know. What
worked previously may no longer be relevant.
Before concluding that it is the user that is wrong, IT
professionals also need to look at themselves. In the bank-
ing industry, for example, the cloud was traditionally a

 29 ■
NAVIGATING THE DIGITAL AGE
taboo topic. Comments such as ‘you don't
know where your data is’ or ‘you are not
in control’ were common reasons that the
cloud was not viewed as a viable option.
Well, the cloud is here to stay. Technology
has improved, and the world has moved on.
If we don't embrace the cloud—and secure
what we put on the cloud—what will be left
to secure? At many organisations, there is a
great deal of attention paid to securing on-
premise systems, even as most of the enter-
prise is run over the cloud.
B. I will adopt security if it gives me a 100%
guarantee that I have nothing to worry about.
There are only two things that are certain
in life: death and taxes! Other than that, the
world is evolving and changing constantly.
What is a hero today can quickly turn to a
zero tomorrow.
Security is possible, but there will always
be trade-offs. If being hacked is the primary
concern, then don’t connect to the Internet.
But then there are internal risks. So, you can
make your system a stand-alone. That is an
improvement. What about the person who
has to clean the room where the computer re-
sides? You could switch it off, bury it under-
ground and make sure that no one can access
it except with a crane, bulldozer and excava-
tor. Now that's 100% secure.
On a more practical note, it is important
to remember that security is like many other
risks that need to be managed in business.
You need to understand the environment,
know where the taboo areas are, know the po-
tential impact of a breach or outage and make
a calculated call. Nothing in life is risk-free.
It is how much risk one wants to take. And
whose job is it to make that call?
Our job as security professionals is to try
to mitigate the risks and explain the residual
risks and potential impact to senior execu-
tives. If we feel that it is a big issue, explain
why. If we believe that it is reasonable, tell
them so. At the end of the day, someone has
to make a call. But we must give our profes-
sional opinions, and we all know opinions
are always right.
■ 30 
C. If someone else can do it, I don't see why we
can’t do the same.
What the statement above does not tell you is:
JJ a) What the compensating controls that
the other party has implemented are
JJ b) Why it was allowed and
JJ c) What the risks involved for the organi-
sation that allowed it are
Security sometimes comes at the expense
of openness or ease of use, but that does not
mean it is not necessary. For example, in one
organisation, a single signatory is required
for transactions up to $2,000,000. Does this
mean that all organisations can adopt this
freely? Obviously, the answer is no. There
could be multiple checks and balances be-
fore reaching the one signatory. And it is for
payments to pre-authorized recipients, and
the bank is aware of this. Security has to be
looked at holistically. Security is about lay-
ering of controls. One needs to know all the
different layers of controls to determine the
risks involved.
D. But we have a security team to handle that!
What is the role of the security team? Is it to
be responsible and accountable for all things
related to information security? Yes and no.
Security professionals are actually tech-
nology risk managers. If the organisation is
to be considered truly secure, everyone from
the CEO down to the office attendant has a
role to play in making sure that the infor-
mation assets of a company are protected.
How many times have we seen press reports
about organisations losing data because of
a genuine mistake made by someone with
legitimate access to a system? What about
the staffer who plugged in a thumb drive he
picked up and caused a massive malware
outbreak? Information security profession-
als can do only so much. If security is left
only to the professionals, then we will never
have truly secure organisations. The risks in-
volved cannot be effectively managed by one
individual or department alone. It is every-
one’s responsibility.
 What 30 Years of Cybersecurity Has Taught Security Professionals
E. Our security is assured because we use the best
encryption algorithm.
Encryption is one of the best tools for a vari-
ety of tasks. It could be to ensure the confi-
dentiality of information, ensure integrity of
information, or to authenticate an individual
or process. To have strong security, we all
know that we need to implement an indus-
trial-strength encryption algorithm. There are
many vendors out there who will tell you that
they have the most current and industry-best
algorithm, and it is being used by all the big-
ger organisations, both government and fi-
nancial institutions.
Is it correct that the encryption algorithm
plays a vital part in security? Yes. Data En-
cryption Standard (DES) was once the de fac-
to standard and said to be unbreakable. It has
been broken. A key reason is that encryption
is about computation power. With the power
available today, DES can be broken easily.
Assuming that we were to go back 30
years, does it mean that something protected
by DES could not be broken? No. An easy
way would be to hit the guy who knows the
encryption key on the head with a hammer
to get it. Once we know the encryption key,
we can get at whatever DES was used to pro-
tect. A sound management process for both
the keys of encryption and regulating access
to systems and data play equally important
roles in ensuring security.
Security must be maintained in many layers
and on many fronts. Failure to maintain any
aspect can undermine the security intended.
Look at things holistically, and don’t rely on
only one element to give you assurance. We are
only as strong as the weakest link.
F. Should we not trust our own staff to do the
correct thing?
Why are we so suspicious of our staff? We
have a rigorous staff selection process, per-
form background checks and put them
through intense training. Should we not trust
that they can do what they are paid to do and
that they will not fail us?
It’s a sad fact, but we humans are the weak-
est link for most cyber breaches and outages.
Someone clicks on an attachment and causes
a major virus outbreak, even after he was told
not to do it. And there have been many people
who called up to say that they have provid-
ed their personal credentials and password,
even after being educated on the hallmarks of
phishing. Why did they do it? Some of them
are just curious and some of them are clueless.
The most basic of controls in the financial
industry is ‘segregation of duties’. No one
should have control of a process from cradle
to grave. This person becomes far too power-
ful, and if he or she fails or their access is com-
promised, then your controls fail too.
Security professionals have many interests
to balance, but there is one overarching goal:
protect the information assets and interest of
the organisation. Sieve through the noise and
the answer will be clear. Understand the en-
vironment, and remain relevant. Some things
that worked previously may no longer be rel-
evant or acceptable. Accept change, but build
security into every innovation.
 31 ■
 Building Cyber Resilience

Building Cyber Resilience

NTUC FairPrice – Seah Kian Peng, Chief Executive Officer

T
he pace of change in today’s technology landscape is
unprecedented, and its impact on the business world
as we know it will continue to be a disruptive force.
The low cost of digital platforms is enabling digital start-
ups to challenge, and in some cases, overtake market in-
cumbents. An often cited example is the disruption Uber,
Airbnb, and Alibaba have created in the taxi, hotel, and re-
tail industries respectively. The effect of this phenomenon
is felt across all industries, including the supermarket and
consumer goods sector.
At the confluence of this technology push and con-
sumer pull, companies are driven to rethink their business
model, customer proposition, and operating systems in a
bid to transform themselves into digital businesses—busi-
nesses that capture the new opportunities and economic
benefits associated with seamless hyper-connectivity,
massive data analytics, and innovative technologies. But
while pervasive digitisation creates tremendous value, the
operational, reputational and economic risks escalate cor-
respondingly. The stakes become higher in the event of a
breach or disruption.
Organisations become increasingly dependent not only
on information systems that they operate but also on those
managed by their supply-chain partners, technology pro-
viders, as well as their customers. In this era of cloud, mo-
bile, social media, and the Internet of Things, the digital
landscape becomes an expansive ecosystem to secure and
manage. The traditional paradigm where organisations
focus on securing the perimeter between them and the ex-
ternal world is no longer adequate nor relevant in the con-
text of today’s digital landscape. In the context of a retailer
such as FairPrice, our customers interact with us through
their mobile devices and over social media, while much
of our supply chain is interconnected and automated. We
also interact with our products and infrastructure digitally
through a network of sensors and RFID technology. Secur-
ing all these connections extends far beyond the walls of
our enterprise. As such, digital security is no longer simply

■ 32 

an IT issue; it has become an enterprise issue
and a management issue. It is an issue for ev-
ery employee and every business partner in
the digital ecosystem.
JJ From cyber insecurity to digital security
In 2015, the estimated worldwide informa-
tion security spending amounted to a stag-
gering US$75.4 billion. According to the
World Economic Forum, most cybercrime in-
cidents go unreported, and most companies
conceal their losses to avoid risk to their rep-
utations. Lloyd’s estimates that cyber-attacks
cost businesses US$400 billion a year in direct
damage and post-attack disruption.
Closer to home, high-profile cybersecu-
rity incidents in recent years include the
breach affecting over 3 million SingPass ac-
counts, loss of customers’ personal data by
a popular karaoke chain, and the breach of a
prominent government agency’s IT systems,
to name a few.
This tension will continue to escalate be-
tween an organisation’s drive to embrace
digital innovations and at the same time
control cyber risks. Every organisation
needs to evaluate the way cybersecurity is
strategically managed and embedded into
the business to enable the continued pursuit
of its digitisation agenda. It is, thus, impor-
tant to ensure security is built into every
digital innovation.
JJ Pursuit of cyber resilience
The threat of a cyber-attack is ever present,
and the question is not if but when an organ-
isation will be subject to some form of attack.
While a strong immune and defence capabil-
ity is essential for survival, the key is how or
whether an organisation will respond and
emerge from such an experience.
While it is vital to protect systems, infra-
structure, and data in the digital environment,
organisations need to move beyond protec-
tion. In an interconnected, always-on world,
organisations need to develop cyber resil-
ience: the capability to prepare for, withstand,
adapt to, and rapidly recover from negative
impacts of cybercrime.
  Building Cyber Resilience
At FairPrice, we adopt four paths to man-
aging cyber resilience.
1. Managing digital risk as a component
of enterprise risk management
2. Creating a culture of cybersecurity
awareness
3. Building effective cyber defences
4. Developing cyber-recovery plans and
a regime to test them
JJ Digital risk as a component of enterprise risk
management
Until recently, most organisations treated cy-
bersecurity as something for the IT team to
sort out. While cybersecurity is largely in the
technical domain, mitigation can often sit out-
side the IT function.
We view cybersecurity as a priority risk
and an integral part of overall corporate risk
management and governance. In so doing,
senior leadership and board directors are en-
gaged in cybersecurity decisions that have
strategic and business impact. Deciding what
to protect, how much to invest in protection,
and how to ensure that security is built into
every new product, application, or service re-
quires a framework that extends beyond the
IT function.
Such a framework entails developing an
enterprise view of business risks across the
entire value chain, the priority of the underly-
ing information assets and agreed trade-offs.
This process involves assessing how much
risk the business can afford and developing a
means to quantify the financial impact of dif-
ferent types of risk, including costs related to
business downtime, recovery, and remedia-
tion efforts; potential damage to reputation;
and mitigation efforts.
This is not a one-time activity, because
we recognise that over time business mod-
els change, new technology capabilities are
introduced, and cyber risks evolve. It is
for this reason that we have put in place a
structured, repeatable process for the cyber-
security team, while the management team
continually reviews information assets, pri-
oritises business risks, and aligns on differ-
entiated protection.
 33 ■
NAVIGATING THE DIGITAL AGE
JJ Creating a culture of cybersecurity
awareness
Employees have been generally identified
as the biggest vulnerability an organisation
has. Common breaches range from choosing
weak passwords to downloading files from
insecure links. One of the ways we look to
address this is segmenting users based on
the data they need to access and helping each
group understand the business risks associ-
ated with their everyday actions. In the quest
for cyber resilience, it is imperative to bring
employees on board as allies in the defence
against cyber threats.
We also impress upon the senior man-
agement team to ensure that IT security, risk
management processes, and principles are
incorporated into the company’s corporate
processes by design rather than as an after-
thought. Through this, we aim to create a
culture of risk management and resilience
throughout the organisation to ensure that IT
security becomes an integral part of the or-
ganisation’s culture, where compliance with
IT-security policies is part of every project
process from the start.
JJ Building effective cyber defences
To ensure that a security campaign is suf-
ficiently robust, we assess the effort from
multiple dimensions. Three of the most im-
portant are technology, cost, and the potential
negative impact. Getting the technology right
entails understanding and quantifying the
value of the risks that the company is trying
to mitigate. After which, we look to identify
the technologies that are available for dealing
with the risks of greatest concern.
Given that a totally secure environment is
impossible to create, the senior management
team evaluates the best level of security. In
other words, what is the maximum risk (rep-
utational, operational, or financial, including
the cost of remediation) that the company is
willing to live with and then gauge the mar-
ginal value of any additional security to be
gained through further spending. Through
■ 34 
this process, we can then decide what level of
spending is optimal given the business strat-
egy, tolerance for brand and operational risk,
and other considerations. In this sense, cyber
risk is similar to other risk management de-
cisions that corporate directors and senior
leaders have been making for decades.
In the deployment of cyber defences, we
recognise the need to develop the capability
to aggregate and analyse the most relevant
information, proactively engage with at-
tackers, and tune defences accordingly. The
robustness of our technology architecture is
also constantly reviewed to enhance our abil-
ity to protect ourselves while continuing to
drive digital innovation.
JJ Developing a cyber-recovery plan
Despite our best efforts, we recognise that
a security breach of some type is likely in-
evitable, since it is not possible to be 100%
secure. As such, we prepare ourselves ac-
cordingly by testing systems and the ability
to recover, regularly identifying vulnerabili-
ties, and designing emergency operating
procedures and response plans. The ques-
tions we ask ourselves include: can we take
the company offline in a controlled manner
if necessary? Is our communications depart-
ment prepared to manage the necessary in-
ternal and external communication efforts in
the event of a breach?
JJ Conclusion
No defence system is invulnerable. While
there are ways to stack the odds in one’s fa-
vour, we will all face a cyber incident at some
point, no matter how cautious or prepared
we are. Whether this causes only minor dis-
ruption or has more severe consequences
depends on how prepared we are, the speed
of reaction, and the depth of our defences.
However, when cyber resilience elements are
adopted effectively as a coherent whole, it
builds the organisation’s cyber resilience and
enables it to realise the value of digitisation in
this brave, new, and uncertain world.
   Securing the Internet of Things: Cybersecurity From IT to OT

Securing the Internet of Things:

Cybersecurity From IT to OT
Nanyang Technological University – Professor Lam Kwok
Yan, Professor of Computer Science, School of Computer
Science and Engineering, College of Engineering

JJ Cyberspace and cybersecurity

Cybersecurity is gaining ever-increasing importance on
the board’s agenda and is an area of phenomenal growth
internationally. The pervasive adoption of Internet technol-
ogy has led to its evolution from an internetworking tech-
nology to the notion of a cyberspace in which individuals
and organisations conduct many daily activities. Due to
the ever-increasing demand for improved productivity
and business agility, the world has witnessed a pervasive
adoption of infocomm technology in every sector—from
government to telecommunications, to energy, education,
and financial. Furthermore, within each sector, the under-
lying information systems and industrial control systems
are increasingly interconnected, and each in turn becomes
part of cyberspace. Figure 1 (following page) illustrates a
scenario where a financial IT system as well as an indus-
trial control system are connected to the Internet.
Cyberspace is a global interconnection of infocomm in-
frastructure that is woven into the fabric of our daily lives—
a virtual space created by technological components inter-
connecting various stakeholders, including state organs,
government agencies, business enterprises, and individu-
als. The activities carried out in cyberspace include govern-
ment operations, businesses transactions, supervisory con-
trol and data acquisition of critical utilities infrastructures,
remote access to information assets, and the social interac-
tions of ordinary citizens. (See Figure 2.)
Cybersecurity has also evolved from a purely technical
issue of network and systems security to a vastly different
and highly complicated issue of national security signifi-
cance and economic impact. It is obvious from experience
that cybersecurity incidents could lead to serious disrup-
tion of daily activities and even social unrest. Cyber terror-
ists and state-funded cyber warfare activities tend to take
a long-term, low-profile approach, gradually infiltrating

 35 ■
NAVIGATING THE DIGITAL AGE

FIGURE
IT system and ICS system
interconnected in cyberspace

FIGURE
Cyberspace as a virtual space for
interconnecting various economic activities

■ 36 
 Securing the Internet of Things: Cybersecurity From IT to OT
critical information infrastructure (CII) sys-
tems. But cybersecurity is not limited to CII
as sophisticated cyber attackers tend to make
use of non-CII systems as stepping-stones to-
wards more critical targets.
The scope of cybersecurity is much bigger
than traditional enterprise security. While
the latter typically aims to address the pro-
tection needs of IT (information technology)
systems, the former also put a great deal of
emphasis on the protection needs of OT (op-
eration technology) such as industrial con-
trol systems (ICS), SCADA (supervisor con-
trol and data acquisition) systems, as well as
other cyber-physical systems found in hos-
pitals, factories, refineries, construction sites,
and buildings.
The objectives and the underlying tech-
nological requirements of OT security are
very different from the traditional enter-
prise security with which most practitioners
in the ICT space have been familiar. Tradi-
tional enterprise security is characterized
by a technology framework that covers the
protection needs of the various layers of a
typical IT system.
In order to address the new challenges
of cybersecurity in the OT space, there is a
pressing need for cybersecurity profession-
als to develop a deeper understanding of OT
systems (particularly systems and applica-
tion architecture and software, communica-
tions and control protocols) in various secu-
rity-critical sectors.
JJ Evolution of security from IT to OT
In most enterprise IT systems, security mech-
anisms are designed in layers that correspond
to enterprise architecture. For example, a typi-
cal security architecture will include the fol-
lowing components:
JJ Hardware security to provide protection
at the processor level and, in the case
of tamper-resistant hardware, provide a
physically secured environment for pro-
gram execution and data processing
JJ Operating system security to provide pro-
tection at the process level, i.e., memory,
address space, devices, and file systems
JJ Cryptographic modules and security pro-
tocols for meeting the protection needs of
inter-process communications (IPCs) as
well as for supporting distributed authen-
tication of network-based client-server
application systems
JJ Access control and authorisation, which
are based on the presence of some robust
authentication mechanisms, to enforce
security policies in network-based distrib-
uted application systems and
JJ Application-level security for providing
security protection of application trans-
actions that are executed remotely and
within the untrusted environment of the
open Internet
Such layering of security mechanisms
helps simplify design and analysis of tradi-
tional centralized and distributed IT applica-
tion systems such as e-commerce, e-banking
and e-government systems. In order to facili-
tate the design and implementation of such
security mechanisms, a well-structured enter-
prise security architecture typically will begin
with some security infrastructure services
such as:
JJ Perimeter network architecture created
by multiple tiers of firewalls and possibly
virtual private networks for remote user
access
JJ Key management services such as public
key infrastructure as well as identity and
privilege management services and
JJ Other system-wide security services such
as intrusion detection and audit logs
A widely adopted enterprise security ar-
chitecture will incorporate these security
components and infrastructure services in a
manner that complies with the relevant secu-
rity standards and guidelines. When decid-
ing the balance among security protection,
deployment costs, and user convenience,
enterprises almost invariably adopt a risk-
based approach to enterprise-security archi-
tecture design that aims to achieve security
in a cost-effective and user-friendly manner.
(See Figure 3.)
 37 ■
NAVIGATING THE DIGITAL AGE

FIGURE
Structured approach to security design of
enterprise information systems

Transaction Security
Security Technology Authentication, Access Control, Audit
Crypto, PKI, Smart Cards

Security Accreditation
Anti-Virus, OS, Audit

Security Certification
Firewalls, VPN, Scanner, IDS
Security Standards

Security Audit
Security Implementation
Security Operations
Security Design and Planning
Security Review

Risks Management and Control

Risks Analysis and Assessment
Security Requirements

Security Objectives

Security Management

Now, however, cyberspace has evolved
into a kind of distributed computing system
consisting of computers, network, and devic-
es designed to support industrial control and
operations as well as enterprise systems. In a
typical OT deployment, the networking com-
ponents play a crucial role of interconnecting
devices (such as sensors and actuators) and
computer systems in order to facilitate dis-
tributed monitoring and control functions
of industrial operations such as power gen-
erators, oil refineries, and production lines in
advanced manufacturing. Sensors are typi-
cally needed for monitoring some physical
characteristics of industrial operations, which
are critical for the control systems to make
timely and effective decisions through some
supervisory and control interfaces such as the
SCADA. The process control decisions made
by the control systems will affect the physi-
cal process by sending commands to actuator
devices, which also play a critical role in OT.
Figure 4 (following page) illustrates the typi-
cal components of a SCADA system where
there are remote terminal units (RTUs), which:
JJ Collect sensing data from the field
environment
JJ Send sensing data to the SCADA server
via a communication server
JJ Receive control commands from the
SCADA server via the communication
server and
JJ issue commands to physical devices to
which the RTUs are connected.
In the past, most of the SCADA systems or
ICS systems were not viewed as a distributed
computing system. Instead, they were viewed
as an integral part of some industrial process
and operations such as a power generator, pet-
rochemical plant, or oil refinery. The sensors

■ 38 
 Securing the Internet of Things: Cybersecurity From IT to OT
FIGURE
and actuators are also viewed as basic com-
ponents and devices of the industrial systems,
and are considered part of the proprietary
industrial systems operating within a closed
environment. Security was mainly a matter of
physical security and controlling access.
Due to the ever-increasing demand for
improved productivity and business agil-
ity, there has been a trend of interconnect-
ing SCADA and ICS systems to other IT
systems, bringing OT into the realm of IT
professionals. Picture a scenario where a
SCADA system is connected to the office
automation IT system, possibly for stream-
lining the billing and inventory control
workflow. (See Figure 5.) The IT system is in
turn connected to the Internet for support-
ing e-commerce applications.
The cybersecurity situation is further
complicated by aggressive plans to launch
ambitious smart city and smart nation
Components and connectivity
of a typical SCADA
programmes, embraced by most govern-
ments worldwide. Advanced cyber and data
technologies are being exploited and adopt-
ed to re-invent and enhance every aspect of
social and economic activity, from manufac-
turing capabilities to government operations,
to citizen mobility, healthcare, and quality
of life for the aged. Broadly, smart city and
smart nation technology aims to achieve the
following objectives:
JJ Automation
JJ Data-centric decision making
JJ Borderless markets
JJ Disruptive business models and
enhanced efficiency
In order to achieve the goals of improv-
ing business agility and operational effi-
ciency of public-sector services and munici-
pal functions, there have been an increasing
 39 ■
NAVIGATING THE DIGITAL AGE
FIGURE
number of OT-like cyber applications that
aim to collect and analyse sensing data in
a close-to-real-time manner so as to allow
timely reactions to dynamic, real-world
situations. With the pervasive adoption of
connected devices as integral parts of cy-
ber applications, the notion of the Internet
of Things (IoT) is now a key consideration
of cyber application designers and business
solution planners. The scope of cybersecu-
rity has evolved as well to include not only
traditional IT systems but also OT systems
and, more recently, IoT systems. Neverthe-
less, as a fast-developing and promising
■ 40 
Interconnectivity among OT, IT,
and the Internet
area in the future landscape of smart-na-
tion applications, but with limited prior
experiences in the adoption and security
protection strategies, IoT security remains
a challenge to cybersecurity practitioners.
Specifically, the issues include:
JJ The adoption strategy of IoT in cyber
applications
JJ The business process integration of IoT
JJ The development of security policies that
are relevant to IoT adoption and
JJ Security architecture that caters to the
needs of IoT security
 Securing the Internet of Things: Cybersecurity From IT to OT
The security of the IoT is a concern not
only for the wearable devices that most peo-
ple associate with connected devices, but also
for the critical information infrastructure on
which we all depend. The IoT will soon be-
come the biggest attack vector for most or-
ganisations, as the number of connected de-
vices is set to grow explosively. Nowadays,
organisations recognize the value of the IoT,
but most find it difficult to integrate into their
current business processes and struggle to
process the massive amount of heterogeneous
data being collected. They have not adequate-
ly addressed the risks associated with the
collection of that data and have not updated
their security architecture and cybersecurity
incident-response processes to address the
needs of IoT security.
In the area of cybersecurity design, it is
widely recognised that there is no one-size-
fits-all solution. In order to meet the con-
current needs of and balance among secu-
rity protection, cost of protection and user
convenience, security design tends to take
a risk-based approach, which starts from
a risk analysis based on the nature of the
applications. Security control mechanisms
are devised with the dual objectives of be-
ing cost-effective and not being prohibi-
tively complicated for users. Given the cur-
rent trend of fast adoption of IoT, but with
limited prior experiences in the associated
security issues and approaches, it is pos-
sible that IoT security could reach a situa-
tion where IoT systems are not adequately
protected for some applications and overly
protected for others. This is reminiscent of
the plight of public key infrastructure (PKI),
which was in a similar situation in deliver-
ing its promises in securing e-commerce in
the late 1990s.
JJ Cybersecurity challenges of IoT
Cybersecurity is a problem created by real-
world applications in cyberspace, and so,
too, the solutions must be. Specifically, cy-
bersecurity researchers and practitioners
must have a deep understanding of the fol-
lowing factors:
JJ The nature of the underlying data and
system to be protected
JJ The threat models of the open network
infrastructure in global scale
JJ The risk and trust models of application
systems in different industry domains
JJ Applicable policy and regulations for gov-
erning the behaviour and conduct as well
as rights and liabilities of all stakeholders
JJ Implementation of cybersecurity regimes
for policing and surveillance in order to
safeguard cyberspace as a safe and robust
environment for conducting business and
social interactions
JJ The design and establishment of light-
weight protocols and mechanisms for
meeting the security needs of low-cost,
resource-constrained IoT devices
JJ The risk associated with IoT devices and
data collected from IoT devices given the
heterogeneous nature of that data
JJ The design and establishment of proto-
cols and mechanisms for cross-border
cybercrime investigation and tracking of
cyber criminals
JJ The design and development of forensic
methodologies and tools for gathering
court-admissible evidence in cyberspace
in order to support law enforcement
Cybersecurity study is a natural extension
of traditional information security studies,
but there are important differences. Informa-
tion security tends to define the underlying
operating and threat models on information
processing systems, focusing on the design
and analysis of security algorithms and pro-
tocols, resource access control mechanisms,
and high assurance development of security
hardware and software components. The aim
is to protect information assets and detect
possible compromises.
Cybersecurity, on the other hand, aims
to address the design and analysis of mod-
els and mechanisms for safeguarding large-
scale cyber systems, covering traditional IT
systems as well as mission-critical OT sys-
tems. R&D on cybersecurity mainly focuses
on cyber protection, threat detection, and
mechanisms for responding to cybersecurity
 41 ■
NAVIGATING THE DIGITAL AGE

incidents. Current cybersecurity efforts put a
lot of emphasis on protection, detection, and
reactive measures such as information pro-
tection mechanisms, identification and trust
management, authorisation and accountabil-
ity enforcement of principals, user behaviour
analytics for anomaly detection, malware
analysis, digital forensics of computer and
network nodes, privacy protection, and ano-
nymity of individuals. (See Figure 6.)
When it comes to cyber protection, con-
cepts such as defence perimeters as well as
defence-in-depth still play a major role in
the security design of cyber systems. OT sys-
tems are assumed to be operating within a
relatively well-protected environment, with
connectivity to external networks being
well-controlled through tiers of firewalls. In
essence, the approaches of making use of an
optimized combination of network-access
control mechanisms for establishing tiers of
network perimeters form the basis of model-
ling a closed system in the open environment
of the cyberspace. Other IT security compo-
nents such as IT security management and
best practices as well as standards compli-
ance and certifications are still applicable for
security governance and assurance.
However, the introduction of the IoT into
cyber applications has led security designers
to revisit the existing approach to cybersecu-
rity architecture. As mentioned, the unique
features of IoT devices include:
JJ Low-cost, resource-constrained end-point
devices will by nature have difficulty run-
ning traditional cryptography-based secu-
rity mechanisms and managing crypto-
graphic keys securely
JJ IoT devices may operate in an open envi-
ronment, where physical security is dif-
ficult to assume
JJ The security requirements of IoT data are
highly diversified. For example, some IoT
data, such as wearable medical sensors,
require strong privacy protection, while
some, such as ICS sensors, require strong
integrity assurance, as unauthorised modi-
fication of the IoT data could lead to disas-
trous consequences
JJ The connectivity and message-passing ser-
vices between IoT devices and backend
infrastructure require some kind of authen-
tication between the communicating enti-
ties in order to minimise risks of unauthor-
ised access to the backend systems

FIGURE
Multi-pronged approach
to cybersecurity

Cybersecurity
Approach

Cyber Protection Threat & Anomaly Response &

Measures Detection Contingency

■ 42 
 Securing the Internet of Things: Cybersecurity From IT to OT
The IoT network is driven by interoper-
ability and efficiency rather than security. It
is built on digital infrastructure for intercon-
necting IoT devices to wireless networks and
the Internet, with some cloud computing to
support the analytics and intelligent-control
needs of IoT systems. As a result, authentica-
tion of sensors in the IoT network is a signifi-
cant challenge for the following reasons:
JJ The limited and constrained resource of
sensors, in terms of computation and com-
munication
JJ The massive number of sensors involved
in an IoT network and
JJ Cost versus benefit considerations
These make the applicability of many tra-
ditional strong cryptography-based identity-
and-authentication mechanisms questionable
in this IoT scenario. Hence, making the con-
cept of ‘identity’ within the Internet of Things
difficult to implement.
Identity or identification is fundamental
to most security-control mechanisms, such
as access control, authorisation and account-
ability. Thus, there is an urgent need to bet-
ter understand the notion of identity of IoT
objects for authentication purposes. At the
same time, an increasing number of mission-
critical applications are being deployed us-
ing IoT networks and big data analytics for
intelligent decision making. This results in
the recent R&D trend in lightweight authen-
tication mechanisms for sensors’ identity in-
side an IoT network.
The research community not only inves-
tigates lightweight cryptographic techniques
for supporting the security operations of IoT
devices, but it also attempts to investigate the
feasibility of establishing a sensor’s identity
at the network infrastructure layer by analys-
ing the sensor device behaviour (for example,
what kind of data a sensor device pushes to
the IoT network backend). Such an approach
is based on the paradigm of ‘cybersecurity at
the edge’, where attempts are made to move
some of the cyber-protection functionalities to
the network gateways that provide connectiv-
ity to remote IoT devices.
This approach of cyber defence at the
edge tries to provide behaviour analytics
and anomaly detection capabilities so that
some form of authentication can be estab-
lished between IoT devices and the remote
cloud computing backend. The key idea is
to use selected data from some window of
the data stream that the IoT devices have
captured and communicated recently back
to the backend or cloud data server as an
important factor for authentication. The al-
gorithmic complexity of the authentication
is a concern. However, the advantage of this
approach is that, since authentication is on a
sliding basis, it offers a smaller window to a
security breach and thus a potentially stron-
ger resistance. Although this approach might
be limited to authenticating IoT sensors that
are used mainly for monitoring and tracing, it
is still a useful direction to explore, since this
would cover most IoT systems.
IoT security has attracted much interest
among industry practitioners and researchers
in recent years. Together with the explosive
growth of IoT adoption are new IoT tech-
nologies and innovative ideas of deploying
them in disruptive business models. With
the rapid development of IoT and IoT secu-
rity ideas and technologies, one should not
underestimate the multitude of risks associ-
ated with IoT systems. The corresponding
security objectives of IoT applications will
also evolve rapidly, hence IoT security needs
to be developed with a pragmatic and far-
reaching vision that can meet the operational
and business needs of early adopters of IoT
and remain relevant to the rapid development
of the IoT industry as well as the associated
regulatory, policy, and standards compliance
issues that have yet to emerge.
JJ Summary
Though IoT security is an emerging field that
is still fast evolving, it is useful to identify ar-
eas where IoT and IoT security are different
from traditional IT and OT systems. Some of
the key issues relevant to security designers
of IoT systems for supporting future cyber ap-
plications include the following:
 43 ■
NAVIGATING THE DIGITAL AGE
JJ IoT devices typically operate in open envi-
ronments, where physical security is dif-
ficult to assume
JJ IoT devices operating in an open environ-
ment tend to face serious key management
problems such as tamper-resistant storage
of cryptographic keying materials needed
by security protocols
JJ IoT devices tend to be low-cost compo-
nents, which have limited computing
capabilities to perform traditional security
protocols such as strong authentication or
key distribution
JJ Higher-end IoT devices, such as surveil-
lance cameras for video sensing, tend to
be implemented as appliances operating
under the control of off-the-shelf operating
systems that make for easy targets
JJ Due to the heterogeneity of IoT sensors,
the security requirements of IoT sensing
data vary significantly depending on the
nature of the underlying IoT applications.
For example:
• Some sensor data, such as environment
sensors and traffic surveillance cameras,
expect little confidentiality protection
but require strong integrity protection,
as their quality will impact control deci-
sions made at the analytic servers
• Some sensor data, such as from sen-
sors installed in autonomous vehicles,
require strong integrity protection and
may also require a certain level of pri-
vacy protection
• Some sensor data, such as from health-
care sensing devices, require strong pri-
vacy protection, but most users tend to
have very low security awareness. This
may create a number of weak links in
the network and hamper the adoption
of proper IoT security functions
• IoT devices that implement control func-
tions on mechanical equipment (actua-
tors) require strong authentication and
integrity protection of data received
from the command and control centre
■ 44 
JJ Identification and authentication are the
key issues in IoT security, but, at the same
time, they are difficult to achieve in typical
IoT systems
JJ There is a lack of IoT security stand-
ards and reference architecture for guid-
ing the use of IoT technologies in cyber
applications. Hence, the industry may end
up with many diversified approaches to
implement IoT systems, making it difficult
to perform security and risk analysis, and
hard to compare and interoperate different
IoT systems in future
JJ IoT technologies are evolving, and so are
the associated legislative and regulatory
concerns regarding the handling and use
of IoT data. It is expected that necessary
legislation and regulation will be devel-
oped in future for protecting the interests
of consumer users of IoT systems. Hence,
a clear understanding of the IoT system
architecture and cybersecurity approach
from the earliest design phase of the sys-
tem development will help organisations
to manage regulatory risks—and to com-
ply with future regulations
To conclude, it is important to develop a
suite of IoT security standards and reference
architecture (application architecture and se-
curity architecture) to help address the afore-
mentioned concerns of the IoT community. To
facilitate this development, some coordinated
efforts by major IoT stakeholders, including
regulatory agencies, industry organisations,
and researchers, will be desirable to drive the
development of IoT and IoT security in order
to meet the anticipated challenges of the IT
and OT industries.
 Contributor Profiles

Contributor Profiles

 45 ■
 Contributor Profiles

DR YAACOB IBRAHIM
Minister for Communications & Information and the Minister-in-charge of Cyber Security

Dr Yaacob Ibrahim is the Minister for Communications & Information,

the Minister-in-charge of Muslim Affairs and the Minister-in-charge of
Cyber Security.
He was a structural engineer at Bylander Meinhardt Partnership before
receiving a scholarship to pursue a PhD at Stanford University (US). He
worked as a post-doctoral fellow at Cornell University (US) before joining
the National University of Singapore. He is currently on leave of absence
from the university as an associate professor.
Dr Yaacob has been active in community service since his school days,
and has been involved in the Association of Muslim Professionals, Jami-
yah, Majlis Ugama Islam Singapura and the Nature Society (Singapore).
Dr Yaacob also served as a board member of the Civil Service College, the
National Heritage Board, STV12 Pte Ltd, Temasek Polytechnic, and as a
trustee of NTUC Income, a union-linked cooperative. He has been associ-
ated with Yayasan Mendaki since its formation and has been its Chairman
since March 2002.
Since 1997, Dr Yaacob has served as a Member of Parliament. He served as
Parliamentary Secretary and Senior Parliamentary Secretary at the Ministry
of Communications and Information Technology before he was appointed
as the Minister of State for Community Development and Sports in Novem-
ber 2001. In March 2002, he was appointed the Ministry’s Acting Minister
and the Minister-in-charge of Muslim Affairs. The following year in May, he
was promoted to Minister for Community Development and Sports.
In August 2004, Dr Yaacob was appointed Minister for the Environment
and Water Resources. He was re-appointed in the same capacity following
the May 2006 General Election. After the May 2011 elections, Dr Yaacob
was appointed Minister for Information, Communications and the Arts.
In November 2012, with the restructuring of the ministries, he became the
Minister for Communications and Information. He has been re-appointed
to serve in this capacity following the September 2015 General Election. He
continues to be in charge of Muslim Affairs.
In April 2015, Dr Yaacob was appointed the Minister-in-charge of Cyber
Security and oversees the Cyber Security Agency, an agency formed under
the Prime Minister’s Office. He has been re-appointed to serve in this ca-
pacity following the September 2015 General Election.

 47 ■
NAVIGATING THE DIGITAL AGE

Forbes Media
BRUCE H. ROGERS
Chief Insights Officer

Bruce Rogers is the Chief Insights Officer for Forbes Media, responsible for
managing the Insights division, which creates and distributes thought-lead-
ership, research-based content for blue-chip customers such as IBM, Google,
KPMG, SAP, CIT, and Deloitte. Bruce also oversees the Forbes Insights con-
tent channel on Forbes.com, and writes a column for Forbes where he pro-
files thought leaders changing the business landscape.
Bruce is also the Head of Forbes’ CMO Practice, overseeing the group’s
creation of content through the Forbes CMO Network section of Forbes.com,
and events such as the annual Forbes CMO Summit. Under his guidance,
the CMO Practice recently released an in-depth report entitled, “Publish or
Perish: A CMO Roadmap to Managing, Systematizing and Optimizing the
Marketing Content Supply Chain”.
Prior to this role, Bruce was the Chief Brand Officer, responsible for all
integrated marketing, brand communication, research, and sales support
activities for Forbes Media.
From March 2000 to October 2008, Bruce was the Vice President of Mar-
keting for Forbes.com. In this position, he was responsible for developing
and implementing marketing strategies and programs to build the Forbes.
com brand, drive consumer traffic, create customer acquisition and reten-
tion programs, as well as initiate research and promotions in support of
advertising sales. During his tenure, Forbes.com grew from under 500,000
to 20 million unique monthly visitors.
From 1992 until March 2000, Bruce served as Vice President, Worldwide
Marketing Communications for Forbes Inc. In this capacity, he oversaw
brand building for the company. He directed marketing efforts for Forbes'
growing publishing assets and was directly responsible for Forbes.com's
and Forbes magazine's advertising campaigns. In this role, he inaugurated
Forbes' signature "CEO Profiles” ad series, which in 1995 won a Gold EF-
FIE award from the American Marketing Association.
Bruce serves as the President of the Business Marketing Association of New
York and is a board member of the Media Ratings Council and the advisory
boards for SBV Capital, Adtech, and BPA (Business Publishers Association).
He is the co-author of "Profitable Brilliance: How Professional Services
Firms Become Thought Leaders" as well as the previously published, "In the
Line of Money: Branding Yourself Strategically to the Financial Elite".
He has a BA in Human Communication from Rutgers University and re-
sides in Waldwick, New Jersey, with his wife and their two children.

■ 48 
 Contributor Profiles

Palo Alto Networks Inc.

SEAN DUCA
Vice President, Regional Chief Security Officer

Sean is the Regional Chief Security Officer for Asia Pacific at Palo Alto Net-
works, where he works on the development of thought leadership, threat
intelligence, and security best practices for the cybersecurity community and
business executives.
With more than 18 years of experience in the IT security industry, he
acts as a trusted advisor to organisations across the region, helping them
improve their security postures and align security strategically with busi-
ness initiatives.
Prior to joining Palo Alto Networks, he spent 15 years in a variety of roles
at Intel Security, with his last position as the Chief Technology Officer for
Asia Pacific. Before this, Sean was involved in software development, techni-
cal support, and consulting services for a range of Internet security solutions.
Sean actively discusses security issues in mainstream media, including
television, radio, print, and security-related broadcasts. He regularly par-
ticipates in forums, conferences, and panels, and provides intelligence on
cybersecurity matters to the public and private sector.

 49 ■
NAVIGATING THE DIGITAL AGE

Cyber Security Agency of Singapore

DAVID KOH
Chief Executive

Mr David Koh is concurrently the Deputy Secretary (Technology) and Dep-

uty Secretary (Special Projects) of the Ministry of Defence (MINDEF) and
the Chief Executive of the Cyber Security Agency (CSA) of Singapore. Prior
to his current appointments, Mr Koh served in the Singapore Armed Forces
and has held varied command and staff appointments in MINDEF and the
SAF. As the Chief Executive of CSA, he leads CSA’s efforts to provide dedi-
cated and centralised oversight of national cyber security’s functions.
These include strategy and policy development, cyber security opera-
tions, industry development and outreach. Mr Koh and his team will also
work closely with the private sector to develop Singapore’s cyber security
ecosystem.
He sits on the boards of the Media Development Authority (MDA), De-
fence Science and Technology Agency (DSTA), DSO National Laboratories
(DSO), and Temasek Defence Systems Institute (TDSI). Mr Koh graduated
from King’s College, University of London, UK, with a Bachelor’s degree
in Electrical and Electronics Engineering. He also has a Master’s in Public
Administration from Harvard University, USA.

■ 50 
 Contributor Profiles

Good Harbor Security Risk Management

RICHARD A. CLARKE
Chairman; former White House Advisor on Cybersecurity & Counterterrorism

Richard Clarke is Chairman and CEO of Good Harbor and an interna-

tionally-recognised expert on cybersecurity, homeland security, national
security, and counterterrorism. He served for 30 years in the United States
Government, including an unprecedented ten continuous years as a White
House official, serving three consecutive Presidents. In the White House
he was Special Assistant to the President for Global Affairs, Special Advi-
sor to the President for Cyberspace, and National Coordinator for Security
and Counter-terrorism. Prior to his White House years, he served as As-
sistant Secretary of State and held other positions in the State Department
and the Pentagon for 20 years.
Mr. Clarke serves as an on-air consultant for ABC News, taught at Har-
vard’s Kennedy School of Government for five years, and has published
seven books, including the national number one bestseller Against All En-
emies and Cyber War: The Next Threat to National Security and What to Do
About It. He served or currently serves in several advisory or board ca-
pacities: Member, President Obama’s Review Group on Intelligence and
Communications Technology; Co-Chairman, Virginia Governor’s Cyber
Security Commission; Member, New York Governor’s Cyber Security
Advisory Board; Senior Advisor to CSRA, Inc.; Chairman of the Board
of Governors, Middle East Institute; Member, Board of Directors of Vera-
code; Member, Board of Directors of Bit9; and Member, Board of Directors
of Nok Nok Labs.

 51 ■
NAVIGATING THE DIGITAL AGE

Singtel
BILL CHANG
Chief Executive Officer, Group Enterprise

Mr Bill Chang was appointed Country Chief Officer, Singtel Singapore on

12 September 2014. He is concurrently the Chief Executive Officer of Group
Enterprise, which provides innovative and comprehensive Information
and Communications Technology solutions to the Group’s enterprise cus-
tomers across multiple geographies. Prior to assuming this position on
16 July 2012, he was the Managing Director, Business Group, Singtel. He
joined Singtel in 2005 as Executive Vice President of Corporate Business.
Mr Chang serves on the boards of several wholly-owned and associate
companies of Singtel. He is the Chairman of US-based Trustwave Hold-
ings, Inc., one of the largest independent managed security services pro-
viders, which Singtel has acquired. He is also a board member of SingPost.
Mr Chang is the Chairman of the Singapore Polytechnic Board of Gov-
ernors. He was on the Board of the Workforce Development Agency for six
years, until 2011. For his contributions to Singapore’s workforce develop-
ment, Mr Chang received the National Day Public Service Medal in 2007.
In 2014, Mr Chang was conferred the honorary Fellow of the Singapore
Computer Society in recognition of his pivotal role in advancing the info-
comm industry in Singapore.
Mr Chang has served on the boards of Singtel’s associate companies. He
was a board member of Bharti Airtel from March 2006 to April 2007 and
Co-Vice Chairman of Globe Telecom from November 2007 to October 2009.
Before joining Singtel, Mr Chang was the Managing Director of CISCO
Systems’ Advanced Services Group, where he was responsible for the com-
pany’s operations in Asia Pacific.
Mr Chang holds a Bachelor of Engineering (Honours) degree in Electri-
cal and Computer Systems Engineering from Monash University.

■ 52 
 Contributor Profiles

KHOO BOON HUI

Former INTERPOL President; retired Singapore Police Commissioner

Mr KHOO Boon Hui began his career in the Singapore Police Force (SPF)
in 1977, after a short stint in the Singapore Armed Forces. In July 1997, he
was appointed Commissioner of the Singapore Police Force, a post he held
till January 2010. He also served as President of INTERPOL from 2008 to
2012. After his stint in the police force, Mr Khoo was appointed as the Se-
nior Deputy Secretary of the Ministry of Home Affairs from 2010 to 2014.
He concurrently assumed the appointment as Director of the Institute of
Leadership and Organisation Development, Civil Service College, on 21
January 2013. Upon his retirement from the Government, Mr Khoo was
appointed the Senior Advisor of the Ministry of Home Affairs on 21 January 2015, and a year
later was re-designated a Senior Fellow. He is also a Senior Fellow of the Home Team Academy
and the Civil Service College.
He is concurrently the Deputy Chairman of the Singapore Quality Award Governing Council
and serves on the boards of Singapore Technologies Engineering Ltd, Singapore Health Services
Pte Ltd, Singapore’s Ministry of Health Holdings Casino Regulatory Authority of Singapore,
Certis CISCO, and Temasek Foundation. He is an Advisor to INTERPOL, Standard Chartered
Bank (UK)’s Board Financial Crime Risk Committee, Singapore’s National Cybersecurity R&D
Programme and is a member of the Global Initiative Against Transnational Organized Crime.
He co-chairs the annual US-Singapore Law Enforcement Homeland Security and Safety Co-
operation Dialogue with his counterparts from the US Department of Justice and Homeland
Security. He also chaired the first two ASEAN Senior Officials’ Roundtable on Cybercrime held
in conjunction with the RSA Asia Pacific and Japan Conference.
He had previously served as Chairman of Technology Against Crime, the organiser of the
International Forum on Technologies for a Safer World, based in France; a member of World
Economic Forum Meta-Council on the Illicit Economy; and as an advisor to the Cambridge
University Police Executive Program, Oxford University’s Journal of Policing, the International
Centre for Sports Security based in Qatar, and the Independent Commission on the Future of
Policing in the UK.
He is also the Chairman of the Singapore Golf Association Governing Council and the
Singapore Island Country Club; and serves on the Singapore Symphony Orchestra Council and
YMCA Singapore’s Advisory Council.
Mr Khoo obtained his Bachelor of Arts (Engineering Science & Economics) from Oxford
University in 1976 and his Master in Public Administration from the Kennedy School of
Government, Harvard in 1982. He attended the Advanced Management Program at Wharton
in 2002 and has received numerous international honours and local awards.

 53 ■
NAVIGATING THE DIGITAL AGE

Quann
PROFESSOR YU CHIEN SIANG
Chief Innovation Officer

As Chief Innovation Officer of Quann Singapore Pte Ltd, Professor Yu is

responsible for cultural transformation, strategic problem solving, and in-
novations in areas such as Big Data, video and cognitive processing, Smart
Nation, Internet of Things (IoT), robotics, drones, and high-security soluti-
oning. He also leads Quann Labs, focusing on cybersecurity innovation and
anti-malware research.
Previously, Professor Yu held a similar role with the Ministry of Home
Affairs. He has worked in the Civil Service since 1981 and was awarded Na-
tional Day Honours, The Public Administration Medal (Silver) in 1993 and
The Public Administration Medal (Silver) Bar in 2004.
Prior to being part of the Civil Service, he was awarded the Carl Duisberg
Gesellschaft Scholarship, a Public Service Commission Scholarship, to pur-
sue his studies at Fachhochschule Munchen, where he graduated as a Data
Systems Engineer. During his studies, he received training at the Siemens
Research Laboratory and IBM R&D Laboratory in Boblingen.
Professor Yu has been active in the fields of IT management and IT secu-
rity for more than 20 years. He has led numerous national-level projects in IT
security and homeland security and has been instrumental in evolving their
architecture and fundamental mechanisms.
Professor Yu, a pioneer in the exploitation of microcomputers, is a for-
mer President of the Singapore Microcomputer Society. He is the inventor
of cost-efficient and unique smart card readers, cryptography systems, more
efficient protocols, and fault tolerant systems. He is also an Adjunct Associ-
ate Professor at the Department of Mathematics at the National University of
Singapore, where he teaches an introductory course on cybersecurity.

■ 54 
 Contributor Profiles

Land Transport Authority

HUANG SHAO FEI
Director, IT Security, Governance & Risk Management

As Director, IT Security, Governance & Risk Management, Shao Fei leads

the cybersecurity programme at Singapore’s Land Transport Authority and
in the land transport sector.
His work involves all aspects of IT and cybersecurity governance, rang-
ing from risk management, standards development, reviews, and compli-
ance, to his role as cyber security advisor to land transport stakeholders.
Prior to joining LTA, Shao Fei worked in various IT security roles at the
Ministry of Home Affairs, DSO National Laboratories, Ministry of De-
fence, and IDA Singapore.
Shao Fei received his Bachelor’s degree in Mechanical Engineering
from the University of Tokyo under the support of the Singapore Public
Service Commission (PSC) and Japan Monbusho scholarships. He also
holds an MBA from the University of Leicester, in addition to multiple
IT security certifications including CISSP-ISSMP, CISSP, CISM, CRISC,
and CISA.

 55 ■
NAVIGATING THE DIGITAL AGE

Singtel
BAEY CHIN CHENG
Chief Information Security Officer

Baey has  more than  30 years of experience, of which the past 25 years
were in the banking industry. Currently, he is the Chief Information Secu-
rity Officer at Singtel, a leading Singapore telco. Prior to this, he was the
CISO of two of the largest local banks in Singapore. In addition to bank-
ing, he has worked in other industries, including manufacturing, and in
the government.
Baey started his career at Price Waterhouse as an auditor after gradu-
ating with an accounting degree from the National University of Singa-
pore. Subsequently, he went on to obtain a postgraduate diploma in Sys-
tems Analysis from the Institute of Systems Science and an MA in Systems
Management from the University of Lancaster (UK).

■ 56 
 Contributor Profiles

NTUC FairPrice
SEAH KIAN PENG
Chief Executive Officer

Mr Seah Kian Peng is the Chief Executive Officer of NTUC FairPrice Co-
operative Limited.
Mr Seah first joined NTUC FairPrice in January 2001 as the Chief Oper-
ating Officer. Since then, he has worked with the team to transform Fair-
Price into a multi-format retailer, and has increased significantly its mar-
ket share, social impact and brand equity. Currently, FairPrice group has
a chain of about 300 stores, employs over 10,000 staff, and has an annual
turnover of over S$3.4 billion. FairPrice was also rated by Interbrand, a
global brand agency, as the most valuable retail brand in Southeast Asia
and the sixth top retail brand in Asia Pacific in 2014.
Mr Seah is also a Member of Parliament. First elected in May 2006, he was
re-elected in May 2011, and again in September 2015.
Mr Seah did his undergraduate studies in Australia under the Colombo
Plan Scholarship. He is a Fellow of the Chartered Institute of Marketing
and a Fellow of the Singapore Institute of Directors. He is the Chairman
of the Harvard Business School Club of Singapore. Prior to joining NTUC
FairPrice, he worked in both the public and private sectors.
Mr Seah sits on various boards, including The Consumer Goods Forum,
a global industry network that brings together the CEOs and senior man-
agement of some 400 retailers, manufacturers, and service providers across
70 countries.

 57 ■
NAVIGATING THE DIGITAL AGE

Nanyang Technological University

PROFESSOR LAM KWOK YAN
Professor of Computer Science, School of Computer Science and Engineering,
College of Engineering

Professor Lam is a professor at Nanyang Technological University

(NTU), Singapore. He has been a professor at Tsinghua University, PR
China (2002-2010), and a faculty member of the National University of
Singapore and the University of London since 1990. He was a visiting
scientist at the Isaac Newton Institute of Cambridge University and a
visiting professor at the European Institute for Systems Security. In 1997,
he founded PrivyLink International Ltd, a spin-off company of the Na-
tional University of Singapore, specialising in e-security technologies for
homeland security and financial systems. In 2012, he co-founded Soda
Pte Ltd, which won the Most Innovative Start Up Award at the RSA 2015
Conference. In 1998, he received the Singapore Foundation Award from
the Japanese Chamber of Commerce and Industry in recognition of his
R&D achievement in information security in Singapore. Professor Lam
received his B.Sc. (First Class Honours) from the University of London
in 1987 and his Ph.D. from the University of Cambridge in 1990. His re-
search interests include distributed systems, IoT security infrastructure,
distributed authentication, biometric cryptography, homeland security,
and cybersecurity.

■ 58 
CONTRIBUTORS
• Dr. Yaacob Ibrahim
Minister for Communications & Information
and the Minister-in-charge of Cyber Security
• Bruce H. Rogers
Chief Insights Officer, Forbes
• Sean Duca
Vice President, Regional Chief Security
Officer, Palo Alto Networks
• David Koh
Chief Executive, Cyber Security Agency
of Singapore
• Richard A. Clarke
Chairman, Good Harbor Security Risk
Management; former White House Advisor
on Cybersecurity & Counterterrorism
• Bill Chang
Chief Executive Officer,
Group Enterprise, Singtel
SecurityRoundtable.org
• Khoo Boon Hui
Former Interpol President; retired
Singapore Police Commissioner
• Professor Yu Chien Siang
Chief Innovation Officer, Quann
• Huang Shao Fei
Director, IT Security, Governance & Risk
Management, Land Transport Authority
• Baey Chin Cheng
Chief Information Security Officer, Singtel
• Seah Kian Peng
Chief Executive Officer, NTUC FairPrice
• Professor Lam Kwok Yan
Professor of Computer Science, School of
Computer Science & Engineering, College of
Engineering, Nanyang Technological University