Avoiding mistakes for cyber preparedness

Industries that are regulated and operating critical infrastructures are expected to be more prepared against cyber-attacks, says KPMG Singapore’s Lee Ser Yen.

Lee Ser Yen’s 25+ years of experience in various leadership roles has seen him become an established industry figure when it comes to information security, with focuses spanning risk and compliance, security architecture design, product development, and solution implementation. Along with this, Lee has oversaw the development of information security products and solutions that successfully met stringent government and defence requirements for data protection and secure communication with his extensive operational experience in project management and product marketing.

Currently, Lee serves as a partner for cyber advisory in KPMG in Singapore. With his expertise in technology advisory, cyber security, data security and privacy, cryptography, identity and access management, and GRC technology, he leads the Cyber Transformation services team at KPMG in Singapore.

As an upcoming judge in the Singapore Business Review (SBR) Technology Excellence Awards 2022, SBR sat down with Lee to trade insights on what he believes is the way forward to a more robust approach in cybersecurity and his expectations for the future of the industry,

Please tell us more about your role as the Partner, Cyber, Advisory in KPMG Singapore.

As the cyber transformation services lead at KPMG in Singapore, I believe technology is a key enabler and force multiplier in tackling cyber threats and risks. My role involves advising clients to find effective approaches to secure their businesses by bringing people, process, and technology together. This area of work has been the mainstay for most of my career, where I’ve been involved in designing and delivering information security solutions for clients. 

My team assists clients to design, deploy and improve their data protection, identity and access management (IAM), security monitoring and governance, risk & compliance (GRC) functions. In addition, I also provide consultancy to assist in strengthening enterprises’ data protection regime, with regular briefings on the latest trends and changes in the data protection, privacy, and regulatory landscape. 

In your experience, what mistakes do organisations often commit in their cybersecurity strategies and how can these mistakes be corrected?

Most companies today must be prepared to deal with a major cyber incident. Hence, aside from detecting a breach, an organisation needs to act fast enough to limit damage. 

A common mistake by companies is to assume that they are not valuable targets for cyber criminals and hence not seeing a need to build rigour into their cyber security strategies. Cyber security professionals and chief information security officers (CISOs) should pay equal attention to likelihood reduction (reducing the chances of cyber incidents occurring) versus consequence management (responding adequately and swiftly when an incident does occur). 

It is thus important to have a holistic cyber security plan in place and test the plan to ensure responses to different scenarios cover the depth and breadth of potential cyber incidents. Organisations should also seek regular opportunities to rethink their cyber security defences and strengthen their recovery strategies. 

Increasingly, organisations should also learn to anticipate their exposure to cyber threats. With rising expectations on accountability, boards and management expect cybersecurity leaders to have greater visibility over their cyber postures mand manage cyber risk proactively. Hence, besides understanding the overall risk landscape, organisations should evaluate the effectiveness of their controls, whilst identifying when their organisation is operating outside of its risk tolerance. These are critical insights that can drive more informed, data-driven decisions on cybersecurity resources and spending. 

From the Singapore government perspective, what measures or laws need to be created to curtail cyber threats such as data or identity theft, hacking, etc?

As cyber-attacks become more sophisticated, targeted and frequent, some companies may feel that they are constantly playing catch-up to bolster their security. Whilst there are no silver bullets against cyber threats, everyone has a part to play. 

With the acceleration towards a permanent hybrid nature of work, a greater use of cloud services and digitalisation, organisations will inevitably be exposed to more vulnerabilities. Certainly, governments can play a critical role in supporting companies to boost their capabilities in coping with these evolving threats. These can come in the form of additional grants to adapt current software and procedures for this new environment or funding to adopt newer cyber security solutions. Governments can also promote the adoption of cybersecurity standards and trust marks which will assist both companies and individuals to make more informed choices when selecting cybersecurity products and services.

Governments should also consider how various legislations on cyber-crime and data protection may need to be reviewed alongside possible new scenarios and incidents that may emerge. Ultimately, policy decisions should encourage companies to take proactive steps towards curtailing cyber threats but at the same time, come down hard on those that suffer serious breaches due to their complacency. 

What cyber security trends or technologies can we expect in the short, medium or long term in Asia Pacific, particularly in Singapore?

According to KPMG’s 2021 CEO Outlook Survey, cyber security risk was ranked as the top organisational threat amongst CEOs in Singapore. As digital risks proliferate, 24 per cent of CEOs identified this as the greatest threat to their organisation’s growth in the next three years. In comparison, 12 per cent of global and 16 per cent of ASPAC peers felt the same. Against this landscape, data security has taken priority over all other technology investments in recent years. This will likely continue for the short- to medium-term in Singapore and in many parts of the world. 

As organisation continue to grapple with cyber risks and data security, there are few key trends and themes that we are likely to see. Firstly, attracting and retaining cyber security talent will remain one of the top challenges around the world. Globally, the ‘Great Resignation’ has hit hard for tech-related roles, exacerbating the already tight cyber security resource shortage. Whilst the loosening of travel restrictions in the coming months may provide some relief, organisations will still be looking for options such as offshoring, managed services and automation to keep their cyber security functions running.

Secondly, COVID-19 has highlighted and even accelerated the heavy reliance many organisations place on third parties and their supply chain. Organisations need to ensure that their inventory of third-party risks is updated, including checking if the cybersecurity controls of these third parties are in line with the ever-changing risk environment and meeting the organisation’s own cyber security standards.

Thirdly, ransomware attacks continue to be rampant across the world. These attacks may not be overly sophisticated in their tactics (e.g. phishing), but they can be effective in inflicting serious damage to organisations. This is a problem that will likely persist as long as there are companies willing to pay the ransom.

Lastly, with more companies moving towards cloud adoption, cloud security is also a key risk that will need to be addressed. Organisation should have access to cloud security skills and resources to ensure that there are no gaps in their security posture. On the contractual front, companies need to be fully aware of the shared responsibility agreements they are entering into and ensure that there are no misunderstandings between them and their cloud providers.

In your opinion, what industries are leading the way in cybersecurity? In contrast, what industries are lagging in cybersecurity and what can they do to catch up or protect their organisations better?

Cyber security spending has been largely driven by regulatory compliance, responses to recent incidents and breaches, and concerns over reputation damages. As such, sectors that have long been key targets for cyber-attacks, including defence, government, and financial services, have generally invested more towards building up their cyber security defences and capabilities. Industries that are more regulated and those identified as critical infrastructure are being increasingly scrutinised for their preparedness against cyber-attacks. They will thus also be more incentivised to spend on cyber security. 

However, with increasing digitalisation, every business is now a digital business with heavy inter-dependency on its supply-chain and third parties. Hence it is crucial for all organisations, regardless of the industry or sector they are in, to do more to manage cyber risks. For a start, business leaders will need to assess their companies’ cyber hygiene and ensure they get the basics right. These may include instilling admin account management processes and updating company software in a timely manner. 

What certifications, degrees or courses are essential for an IT security professional? Also what personal character traits are most valued to be a good IT security professional?

Cyber security professionals today are expected to have strong knowledge and understand of the IT technologies and landscape. These fundamental skills these allow a cyber security professional to effectively identify and manage cyber risks within an organisation.  

However, whilst IT security started out mainly as a computer-based topic, the scope of work and its impact on organisations and individuals have evolved in recent years. It is now practically an interdisciplinary field, encompassing not just the technical skills but also other non-technical aspects, including business and legal concerns. 

Beyond having the relevant skills, cyber security professionals today will also need to be good problem solvers and effective communicators. This is because cyber security professionals will have to manage both internal and external stakeholders, whilst acting as a bridge the align every employee with the organisation’s cyber security strategy. As the landscape continues to evolve rapidly, they should also remain curious and be ready to keep themselves updated with new knowledge and skills.