The Straits Times – S’pore studying standards for cyber-security professionals, updating trust marks

Published Nov 14, 2024, 05:59 PM

Updated Nov 20, 2024, 11:58 AM

SINGAPORE – The Cyber Security Agency of Singapore (CSA) is starting a study aimed at raising the productivity and professionalism of cyber-security workers.

It may result in an outline of the competencies required of chief information security officers, or Cisos, and their teams of security executives who are in high demand, given their key role amid surging cyber attacks.

Ms Veronica Tan, director of CSA’s safer cyberspace division, told The Straits Times: “For organisations, clarity in standards and desired skills for various roles will mean greater improvements in workforce competency and productivity.”

The study will involve industry players, training institutions and certification bodies, she added.

CSA’s plan comes as companies warm to the idea of designated cyber-security personnel, but sometimes find themselves hindered by limited budgets and a shortage of skilled talent.

Mr Nyan Tun Zaw, the first Ciso at Singapore cyber-security advisory firm Athena Dynamics, said: “The industry turnover rate for Cisos is unfortunately pretty high because it is a highly challenging and stressful job.”

The title of Ciso, which arose in the 1990s after Citibank appointed one following a cyber attack, has risen in prominence in recent years as some countries made mandatory disclosures of material cyber breaches or attacks.

There have also been high-profile cases of criminal charges taken against such officers, such as at Uber and SolarWinds.

Mr Zaw took on the job at Athena Dynamics just over a year ago, after his team had expanded beyond just providing information technology infrastructure and support services.

His background spans a string of roles in areas ranging from engineering, cyber security and programming to business development and sales in the firm, since it was set up in 2014.

He added to his expertise by becoming a Certified Information Systems Security Professional, a title granted by the International Information System Security Certification Consortium, also known as ISC2.

He said: “We felt that there was a need to have a dedicated Ciso since we are also part of a listed company.”

Cisos spend their time securing their companies’ assets, learning about new threats and technologies, and working with cross-functional teams, he said.

“Ciso is a management position, so it is important for a Ciso to be knowledgeable in various aspects of cyber, ranging from governance, risk and compliance to network security architectures.”

In the 12 months leading up to September, job portal Indeed recorded that 48 per cent of its postings in Singapore sought communication skills in cyber-security leaders, compared with 38 per cent specifying expertise in IT, and 16 per cent in information security.

Around the same time, the number of postings for such roles on the portal dropped 36 per cent, suggesting that firms might be filling positions through internal promotions or team restructuring, said Indeed’s career expert Saumitra Chand.

“This decline may be due to the demanding nature of leadership positions like Cisos, which require high levels of expertise and specialisation,” he said.

To help small and medium-sized enterprises (SMEs) or non-profit organisations that cannot afford designated security personnel, CSA launched its Ciso-as-a-Service (CISOaaS) scheme in February 2023.

It has received about 200 applications so far.

Organisations tapping the scheme can use CSA’s panel of 19 vendors to audit their cyber health and guide them to attain CSA’s Cyber Essentials and Cyber Trust marks, with up to 70 per cent subsidies. CSA is planning updates to the two marks to reflect new risks in cloud, operational technology and artificial intelligence (AI), said Ms Tan.

Digital agency Digipixel, which has used CISOaaS, said achieving both trust marks helped it gain trust from customers.

Its director, Mr Leon Tan, said: “Pooled services can sometimes lack industry-specific context, but our collaboration with CSA has been a productive exchange.”

Mr Dave Gurbani, chief executive at CyberSafe, an appointed vendor, said: “We start by conducting a cyber-security health plan, like a doctor’s check-up.”

The firm then helps its mostly SME clients work through their internal controls, configurations, policies and training to pass the audits for CSA’s marks.

“Many SMEs still think of cyber security in terms of antivirus tools or maybe a firewall. To put it simply, that’s like thinking you’re ready for the day just because you have your socks and shoes on,” Mr Gurbani said.

Gaps that frequently show up include outdated systems, misconfigurations from third-party vendors, and weak access controls like shared passwords and a lack of multi-factor authentication.

“Without guidance, these vulnerabilities can be hard to recognise and fix,” Mr Gurbani added.

Another vendor, Momentum Z, takes firms calling on CISOaaS through a three-pronged assessment of employees’ cyber-security basics, company processes and policies, and cyber-security infrastructure such as firewall, antivirus, backup data use and end-point security.

CEO Shane Chiang said he has had clients that have not changed passwords for six years, or who had been granting external vendors remote access to their network with no inkling. “Clients are often surprised to learn the vulnerabilities in their systems, which reinforces the importance of having a Ciso to bring structure and foresight into cyber security.”

CSA’s 2023 cyber-security health survey released in March noted that only one in three organisations has fully implemented at least three of CSA’s five categories of recommended measures.

More organisations need help with knowing what data they have, where the data is stored and how to secure the data, CSA’s Ms Tan said. Businesses are also weak at safeguarding their systems and networks against malicious software, and guarding access to data and services.

She urged more organisations to tap CSA’s tools to raise their game, adding: “Unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks, especially as they accelerate digitalisation and adopt fast-evolving technologies such as AI. Partial adoption of measures is inadequate.”
