LADIES TALK CYBER SERIES - March SERIES
Introducing women with a deep interest in cybersecurity
I am the Ministry Chief Information Security Officer (MCISO) in the Ministry of Sustainability and the Environment (MSE). My role involves providing cybersecurity leadership to the Agency CISO in MSE HQ and the agencies in the MSE family (namely PUB, NEA and SFA) in charting the development of cyber and data security goals, strategies and action plans.
What brought you to the cybersecurity industry?
I started out in IT development and Project Management. After years of rushing out systems and code deployments, it suddenly struck me during a quiet moment, to question whether our common practice of leveraging open source codes and libraries would pose robustness and security issues for the systems we had developed. This aha moment piqued my interest to read up more on computer security and the rest was history.
What were your defining moments in this industry, and factors or guidance that helped you achieve them?
While IT Security had been around for decades with an established industrial capability and workforce, Industrial Control Systems (ICS) Security was a relatively new and niche area. A few classic ICS security incidents include Stuxnet in 2010, where malicious code targeted the Supervisory Control and Data Acquisition Systems (SCADA) and Programmable Logic Controllers (PLC) in the ICS, causing severe explosion and damage to Iran’s Natanz nuclear facility; the Black Energy attack in 2016 leading to the catastrophic shut down of the Ukraine power grid; and the Triton attack of a Saudi Arabian petrochemical plant in 2017.
A few years before the Cybersecurity Act was passed, we started to concentrate our focus on the cybersecurity resilience of our Critical Information Infrastructures (CII) and ICS. MSE was one of the ministries charged with overseeing the CII and ICS in its agencies, where my prior humble knowledge in ICS Security was put to good use. That ICS Security foundation had allowed me to subsequently further my ICS Security know-how and establish good relationships and trust with my stakeholders in the MSE family and CSA. My bosses and fellow MCISOs in GovTech’s Cyber Security Group also played a large part in inspiring me to strengthen my competency in other Cybersecurity areas.
What is it that you love most about your role?
I would attribute my work motivation to my job role as well as the people who I worked with.
The work responsibilities provide good opportunities for me to pick up new skills in the evolving realm of IT, ICS and data security, and in both breadth and depth. In particular, there are numerous cross sharing at the Whole of Government (WoG) level by both CSA and GovTech where I get to learn from cyber incidents and defensive measures beyond MSE. Such a continuous stream of learnings makes me feel confident and grounded in my work.
Colleagues often approach me for cybersecurity advice, even for non-work-related cyber hygiene. My bosses in MSE and GovTech have also been very supportive of my recommendations and action plans. Such gestures demonstrate the trust they have in me and create that positive reinforcement on why I love my work.
Prominent Cybersecurity trends:
What are some of the trends you have seen in the market lately, and what do you think will emerge in the future?
Software Supply Chain is going to pose a difficult cybersecurity challenge moving forward. We have already encountered the episodes of Node.js, SolarWinds and very recently, the Apache log4j vulnerability that have rocked the world’s IT industry and almost every enterprise that owns an IT system.
Modern IT systems run predominantly on software that comprises mainly external codes from open sources or Commercial-Off-The-Shelf (COTS) products. Typically, only a small fraction of the codes is bespoke and developed in-house, especially when code share, code reuse and development efficiency have always been a virtue of software development. This makes it lucrative for malicious actors to compromise popular open-source code repositories or hijack software updates in widely-used commercial products, to create high impact and large-scale system vulnerabilities. Development teams will therefore have to leverage on Software Composition Analysis (SCA) tools to continuously identify, mitigate and monitor the system and software risks associated with the embedded external codes.
Females in Cyber Security
What can we do to encourage more women to join the cybersecurity sector?
There are many disciplines within cybersecurity to fit different interests and numerous avenues to sample or explore an interesting career in cybersecurity. Take a cybersecurity elective in your school or university curriculum; attend cybersecurity workshops, programs, activities and forums organised by SCS and AiSP; join a cybersecurity interest group, reach out and talk to professionals and female mentors in the cybersecurity industry; or participate in SSG’s SkillsFuture training and WSG’s Career Transition Program for mid-careerists.
Final thoughts
How can you debunk the myth that cybersecurity is only for men? Is there any indication this stereotyping is changing?
Cybersecurity is not a “high wall”, but it is a “long run”. It requires passion, regardless of gender, to continue the journey as technology changes quickly and cyber threats are always evolving. It is not a job in which muscular strength has its advantage. What it needs is mental grit and resilience.