One of the things that I like about our hyperconnected world is how easy it is to virtually attend just about any tech conference. Most conferences today have streamed or recorded sessions that are well indexed and of high enough quality. Today’s post is about a session at the RSA Singapore conference in July. Before I talk about that, let me discuss why I think Singapore is so important for IT security professionals.
I have been interested in the island nation since I gave a talk there more than 20 years ago. Back then I saw the beginnings of where the country could go with playing a key role in IT. My audience had folks who spoke more than a dozen different languages and who came from almost as many nearby countries. Since then, Singapore has invested big-time in its IT development, particularly with respect to smart city technologies: this is its fifth year of a series of major investments that include improving commutes, digital payments and secure identities. This year, the country will spend more than an additional US$1B in new smart city enhancements.
Part of these expenditures is in how the country has taken a page from the Israeli playbook. The nation has created various cybersecurity programs that are coming from a number of directions. For example, this summer it launched its third bug bounty program to improve its various digital services. And the government has helped to encourage startups with the incubator Innovation Cybersecurity Ecosystem@Block71, a partnership between the government, private investors and its National University. These government initiatives have encouraged others: in the past year, both BT and Cisco have opened up offices there to conduct research and support their southeast Asian customers.
Let’s turn to the RSA conference session that was led by President Rohit Ghai and covered issues on smart cities, privacy, and digital transformation with three panelists:
- Vishal Salvi, the CISO for InfoSys, a private cybersecurity consultancy based in India,
- Aswami Ariffin, Sr. Vice President of the Malaysian Cybersecurity Responsive Services Division, and
- Andrew Woodward, the Executive Dean at the School of Science at Edith Cowan University in Perth, Australia.
This panel is typical of the role that Singapore plays in that part of the world. It shows the diversity of nationalities and stakeholders that have to be assembled for successful cybersecurity solutions. If you watch the recorded video, you will first hear this panel express their concern about the cybersecurity toll that companies doing business in smart cities will have to deal with. Aswami Ariffin thinks that “we are opening the cyber floodgates with smart city implementations. We have to better understand the risks involved and make sure we have the right solutions.” He suggests that businesses look to partner and work collaboratively with government and communicate with the right stakeholders. Vishal Salvi pointed out that different industries have different cybersecurity implications when it comes to smart cities, both in terms of data risk and operations. “This could change conversations for their boards of directors, both in terms of basic cyber hygiene and infrastructure protection.”
When it comes to dealing with digital disruption, Andrew Woodward was concerned that many companies are still conducting business as it was done decades ago. “For many, their approach is still with a pre-digital mindset when it comes to risk management, with the justification that we have always done it a certain way.” Salvi mentioned that cybersecurity has always been behind IT innovation, particularly in the financial sector. “Now we have the sharing economy and connected cars where change happens in weeks, not months. This rate of change is putting pressure on CISOs and business owners to embed security while and where this change is happening. We have to provide agile solutions to support that transformation.” Ariffin gave his perspective for the appropriate role of government: “We don’t want to force businesses to create any white elephant projects. Our goal is to try to help private businesses over security hurdles and to educate them about other risks besides cybersecurity, such as with their operations and following regulations.” The Malaysian government has its Intelligence, Incidence and Investigation program as one of these activities.
Salvi mentions that cybersecurity should be front and center and set the foundation for any future digital transformation activities. But the price of doing nothing is also an issue. “Failing to do any digital transformation is the largest risk. You are looking at rapidly changing the foundations of your business models. We have to embed security in everything.”
Part of this challenge is when we empower users to take control over their data, it creates issues for security managers to protect this data and control appropriate access. “There is a tension between security and privacy, at some point we need a better balance,” said Salvi. “Eventually, the world will adopt better rights management and more common encryption methods.” Woodward said that this creates an “interesting tension with the drive to increase cybersecurity through regulation but we also want users to take control and be custodians of their own data.” This complicates how breach laws will be enacted and enforced, for example.
Given the dearth of qualified cybersecurity professionals worldwide, academia is rising to meet these challenges by changing the way they are educating future cybersecurity workers. “The key is to be able to work together with industry and government to address the right problems,” said Woodward. They have also reworked their curriculum and have created more online classes, even at the master’s level. “It isn’t one job for life anymore. We call them ‘conversion classes’ and they are designed for workers to become cybersecurity professionals in mid-career. Nowadays, students want on-demand classes with content-rich media and don’t want to attend lectures. It is all about reskilling and upskilling. We want our students to have hands-on experience when they graduate, so they are ready to join the workforce.” His reach goes beyond the traditional four-year degree too. “We have programs for elementary school students to get them to think about cybersecurity as a career.”
This panel could have taken place just about anywhere on the planet: cybersecurity challenges and solutions are truly universal.