In the rapidly evolving landscape of digital transformation, the importance of cybersecurity cannot be overstated. As organizations embrace digital technologies to enhance their operations, innovate, and connect with customers in new and dynamic ways, they simultaneously become more vulnerable to cyber threats.
This talk will discuss the importance of having a well-thought-through approach to dealing with cybersecurity, in the form of a strategy that lays out the various programmes and initiatives that will underpin a secure and resilient digital transformation journey. Not surprisingly, having a pool of well-trained cybersecurity personnel is one of the key ingredients in a cyber strategy, as exemplified in Singapore's own national cybersecurity strategy.
2. Copyright National University of Singapore 2
Overview of Cyber Threat Landscape for Asia (2022-2023)
Target for Cybercriminals
Asia has a rapidly evolving digital economy and technology which also makes it a target for cybercriminal activities
Most Attacked Region
APAC was the most attacked region in 2022: it accounted for 31% of attacks globally.
Victims
Most frequent victims of cyberattacks were government agencies (22% of total attacks on organizations), industrial companies (9%), IT companies (8%), and financial institutions (7%).
Major Threat
Ransomware poses a major threat to businesses in the region. Its main victims were industrial companies, which accounted for 34% of successful attacks.
Source: Cybersecurity threatscape of Asia: 2022–2023 (ptsecurity.com)
The Need for Stepped-Up Attention on Cybersecurity
Source: Cybersecurity threatscape of Asia: 2022–2023 (ptsecurity.com)
What is Cybersecurity? Why Bother?
• Encompasses many aspects that are needed to protect the underlying fabric of the digital transformation journey
• Digital transformation will result in the generation, processing and storage of sensitive data, e.g. customer’s Personally Identifiable Information (PII), financial information and so forth.
• Data confidentiality, integrity and availability are the key tenets for cybersecurity
Cloud Security
Data Security
Samples of Cybersecurity Considerations for Digital Transformation (1)
C-Suite & Board Involvement
Cybersecurity is a top-down priority with involvement from the executive leadership and board of directors to set the tone and provide resources
Risk Assessment & Strategy Development
Comprehensive risk assessment. Develop a cybersecurity strategy that aligns with the organization's overall goals and objectives
Data Protection & Privacy
Implement strong data protection measures to safeguard sensitive data. Ensure compliance with relevant regulations
Samples of Cybersecurity Considerations for Digital Transformation (2)
Vendor and 3rd Party Risk Management
Assess the security practices of third-party vendors and partners
Incident Response and Recovery
Develop a comprehensive incident response plan and test it regularly
Continuous Monitoring & Testing
To detect and respond to security threats in real time. Regular VAPT to identify weaknesses
What is a Cybersecurity Strategy?
Cybersecurity Strategy
• A plan of actions designed to improve the security and resilience of an organization's infrastructures and services to support digital transformation
• Technology agnostic and covers a time horizon of 3 to 5 years.
• Review annually as cyberthreat landscape changes rapidly and the strategy needs to adapt and pivot where necessary
• Position as a key decision item for the Board for endorsement and to provide the requisite budget
• A high-level top-down approach to cybersecurity that establishes a range of organizational cybersecurity strategic outcomes
Hierarchy for Cybersecurity
Strategy
“What” & “Why” - Aligned with the organization’s business goals and priorities and endorsed by management
Architecture
“How” – secure design of systems, networks and applications, governance instruments such as policies, standards and best practices (e.g. open source frameworks)
Programs
“Who”, “When”, “How Much” – implementation of specific initiatives, technologies, products with timelines, roles and responsibilities
Example of Cyber Strategy Mission/Vision
(Defining the Desired Outcomes in support of business goals)
1 Achieve best-in-breed cybersecurity programs in support of business outcomes
2 Protect the organization’s assets from cyberattacks
3 Mitigate cyber risks to desired levels in accordance with the company risk appetite and tolerance
4 Provide exceptional cybersecurity protection to our clients and business partners
5 Align cybersecurity strategies across the enterprise
Examples of Cybersecurity Strategic Objectives
(Supporting the cyber mission/vision)
1 Adopt a risk-based asset protection regime
2 Architect multi-layered security protection
3 Integrate “security by design” into the operational & development process
4 Increase cybersecurity awareness across the organisation
5 Determine future initiatives based on risk, threats, gaps, and performance
Protect the organization’s assets from cyberattacks
Examples of Cyber Strategy Principles
(Used in the design of the architecture & development of programmes)
CIA Triad
Confidentiality, Integrity, and Availability
Rapid Adaptability
To address emerging threats, new technologies, and business models
Defense in Depth
Implement multilayered security mechanisms
Diversity
Use different products in the defensive layers
Source: www.securereading.com
Linking Strategy to Programme and Initiative (Example)
1 Strategic Outcome
Ability to monitor and be forewarned of impending attacks
2 Programme
Implement a “Detection & Monitoring” program covering critical systems, networks and applications
3 Initiative
3a Deploy a SOC
Set up a 24x7 Security Operations Centre (SOC)
3b Perform Threat Analysis & Hunting
Using the logs from the various security controls and end points that are sent to the SOC
NIST Cyber Security Framework
• A well-regarded and commonly referenced framework that addresses cybersecurity concerns. Well suited as a valuable resource in the development of a cybersecurity strategy
5 cores, 23 categories, 108 sub-categories
Version 2.0 is planned for release in early 2024. Will add “Governance” as a core capability amongst other improvements
Programmes
Source: https://csf.tools/reference/nist-cybersecurity-framework/v1-1/
General Risk Management Process (1)
01 Identify Threats
Potential to cause harm, disrupt operations, or negatively impact the organization.
02 Gather Information
Open source info, commercial threat intel, expert opinions. Construct risk scenarios
03 Evaluate and Analyse Risks
Evaluate the likelihood (probability) and severity of the potential consequences/impact of each identified risk
04 Risk Prioritisation
Rank the risks based on their impact and likelihood
05 Risk Response
Determine how to address the risks i.e. which ones to accept, avoid, transfer or mitigate by comparing with organization’s risk appetite and tolerance
General Risk Management Process (2)
06 Develop Mitigation Strategies
Include preventive, detective controls, risk transfer through insurance etc.
07 Implement Mitigation Strategies
Making operational changes, updating procedures, investing in safety equipment, or training personnel.
08 Monitor and Review
Data collection, tracking incidents; comparing the actual outcomes with the predicted outcomes from the risk assessment.
09 Update and Improve
Continuously review and update your risk assessment as new information becomes available or as conditions change.
10 Communicate and Document
Share the results of your risk assessment with relevant stakeholders. Proper documentation (using a risk register) is essential for transparency, accountability, and regulatory compliance.
Addressing cyber risks through a Cybersecurity Strategy
Examples of Relevant Risks at Different Stages of Digital Transformation
Initiation Phase
01 Financial Risk
Budget Constraints: Inadequate funding can hinder the planning and initial stages.
02 Strategic Risk
Lack of Clear Strategy: Not having a well-defined digital transformation strategy can lead to directionless initiatives.
03 Organisation Risk
Resistance to Change: Employees and stakeholders may resist changes, impacting adoption.
Implementation Phase
01 Cybersecurity Risk
Data Security: As more data is digitized, the risk of data breaches and cyberattacks increases.
02 Technology Risk
Technology Integration: Challenges in integrating new technologies with existing systems can disrupt operations
03 Project Risk
Project Delays: Implementation delays can result from technical issues or unforeseen complexities.
04 Capability Risk
Skills Gap: Insufficient staff expertise can hinder successful implementation.
Cybersecurity Risk - other than Data Security, other cybersecurity risks to consider include systems, networks and applications. All of the cyber risks need to be addressed in the cybersecurity strategy
Steady State Phase
Technology Risk
Changing Technology Landscape: Rapid technological advancements can render current solutions obsolete.
Scalability Risk
Scalability Issues: As the organization grows, the digital infrastructure may struggle to scale effectively.
Adoption Risk
User Adoption: Sustaining user enthusiasm and adoption of new digital tools can be challenging.
Maintenance Risk
Maintenance and Upkeep: Keeping newly implemented systems up to date and secure requires ongoing effort.
National Level Cyber Strategy
Singapore’s Cybersecurity Strategy: Launched in 2016, updated in 2021
Strategic Pillar 1: Build Resilient Infrastructure
Strategic Pillar 2: Enable a Safer Cyberspace
Strategic Pillar 3: Enhance International Cyber Cooperation
Foundational Enabler 1: Develop a Vibrant Cybersecurity Ecosystem
Foundational Enabler 2: Grow a Robust Cyber Talent Pipeline
Source: The Singapore Cybersecurity Strategy 2021 (csa.gov.sg)
USA’s Cybersecurity Strategy: Launched in Mar 2023
Pillar 1: Defend critical infrastructure
Pillar 2: Disrupt and dismantle threat actors
Pillar 3: Shape market forces to drive security and resilience
Pillar 4: Invest in a resilient future
Pillar 5: Forge international partnerships
Source: National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov)
The Urgent Need for Cyber Security Professionals
• The US and Singapore governments in their respective national cybersecurity strategies have rightly identified the need to boost the pool of cybersecurity trained personnel
• NUS-ISS, as a premier training institution, working with our partners, fully supports the government’s drive to uplift the cybersecurity workforce of Singapore through the various cybersecurity courses and certifications that we have on offer.
Extract from Singapore’s Cybersecurity Strategy
Extract from USA’s Cybersecurity Strategy
SG Initiative: Talent Devt Fund (NUS-CSA) build pipeline of cybersecurity talent
Rounding Up…
The symbiotic relationship between cybersecurity and digital transformation is a paramount factor in shaping the future of our digital organizations.
Cybersecurity is not merely a safeguard; it is an enabler of innovation, a protector of trust, and a guarantor of continuity. To implement cybersecurity effectively entails the implementation of a cybersecurity strategy to address risks
Potential benefits of digital transformation are vast, but they come with an inherent set of risks that demand our constant attention, and cybersecurity provides the oversight to address cyber risks