The not-so-obvious skill that cyber security professionals must learn or else


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The not-so-obvious skill that cyber security professionals must learn or else

  1. 1. Cyber Security The not-so-obvious skill all professionals must learn orelse… Darwin Jayson Mariano Dealing with cyber security in the government sector is a high stakes game, especially if the attack could affect thousands, if not millions of individuals, being served by a particular government agency or department. To combat cyber-attacks most effectively, cyber security professionals can no longer just be equipped with IT security skills, according to Naeem Musa, Chief Information Security Officer for Federal Energy Regulatory Commission, US Government. They also need to learn a skill many IT professionals don’t even consider. Q A How would you characterize the current level of cyber-attacks in the USA? What strategies do you employ to address these? Naeem Musa: Not only has there been an increased level of attack, we’ve also noticed an increase in the level of sophistication of these attacks. Whether it’s state sponsored or triggered by criminals looking to achieve financial gain, we need to stay vigilant. In the United States, we depend on IT systems in almost every aspect of our lives so we have to make sure that we have the means to keep our IT systems safe and secure. For more information about 4th Annual Cybersecurity for Government Asia, visit, email or call +65 6722 938
  2. 2. My role obviously involves protecting our infrastructure to ensure that our data remains confidential. However, lately, we see a heightened level of attacks on our financial institutions, mostly driven by organised crime whose objective is to commit financial fraud and identity theft. There are state sponsored attacks that our government is also obviously addressing but that is not something I’m directly involved in. In addressing these issues, one of the most effective strategies is to educate the user community. But in dealing with the larger issue of cyber security, it is important to be aware of this “three-legged stool” strategy, which is: 1) technology, 2) process and 3) people. You really have to focus on each of those areas. You have to have a streamlined process and procedures in place to respond to an incident. You have to have the right level of technology in terms of the right firewalls and Trojan infection mechanisms. However, all of that would be futile if you’re not educating your user community. In our case, we’re doing a lot of education to the user level to ensure that when those people are targeted by phishing attacks, whether by unscrupulous individuals targeting them or them visiting different websites, potentially getting infected, they know how to respond and act in a way that will not compromise our IT security. We’re also trying to create mechanisms to prevent people from going to the wrong sites so the chance of getting infected is minimised. We have this whitelisting and blacklisting of sites, we deploy all kinds of technologies to prevent unauthorised executables on the entire network. At the same time, we monitor and scan our network regularly to see if there is any anomaly and then we try to detect, analyse and figure out if those anomalies can pose a threat or if they are within the tolerance level. So, really, a combination of the three: focus on the technology, focus on the processes and creating awareness in the user community. Q A From your perspective, how can governments in Asia, given the relative uniqueness of this region, address issues related to cyber security? Q A Given the nature of these attacks, should special emphasis be put on public sector as opposed to private sector? Naeem Musa: I think the cyber world is borderless. Organised crime does not discriminate and will always go after the gain. They could launch targeted attacks in Malaysia, Southeast Asia, Canada, Australia or the USA. As long as there’s a gain to be had, they’re going to go after it. So in that regard, everybody is facing the same set of challenges, especially from organised crime and state-sponsored espionage. We’ve also heard in the news how specific countries are even targeting telecommunications companies within the European continent. Bottom line is: the same potential for attacks exists for everybody regardless of the region and physical geography. Naeem Musa: Yes, certainly. Because the public sector is engaged in services to citizens, any time there are attacks or disruptions; it impacts the level of services you give to the public. In addition, you need to deal with whether it’s critical infrastructure that is at risk or national security information that is at stake, which could potentially harm the country. So you definitely have to have more focus on the public sector to ensure that the information’s confidentiality, integrity and availability are protected. For more information about 4th Annual Cybersecurity for Government Asia, visit, email or call +65 6722 938
  3. 3. Q A What are the best practices that you use to implement a robust cyber security program for government agencies? Naeem Musa: I think every security professional has to understand that security is a journey, not a destination. That means you could never do enough as the level of sophistication of attacks increases at a very rapid pace. The bad guys are always one step ahead. So the best strategy is to understand that it’s a continuous process, a journey. You have to continuously implement measures and put mitigating procedures in place. You need to emphasise awareness among your employees and staff and get them the right training. You have to practise incident response and be able to understand where your data is in order to protect and assess the damage in case that data is compromised. I think data leak prevention technology is maturing with time and if put in place, it will help aid security professionals discover attacks. In the end, it all boils down to combination of people, process and technology. The other important thing that you need to ensure is buy-in from management. Educate your management, don’t scare them. Educating and convincing your management to be on your side is a lot better than using fear tactics. Cyber security professionals are no longer just IT professionals, they are politicians. You have got to be smart, be able to sell your ideas, lobby and be able to get support for what you’re trying to implement. It is important to be able to get the funding that you need for your programs because just like anybody else, you need budget. And it’s not going to come easy unless you have the sophistication to lobby and sell your ideas to the CFO or the agency that will fund you. Naeem Musa, Chief Information Security Officer, Federal Energy Regulatory Commission, USA , will be speaking about “Preventing Government Data Leaks in an Increasingly Connected World” at the 4th Annual Cybersecurity for Government Asia happening on 5-6 March 2014 in Malaysia. For more information, visit For more information about 4th Annual Cybersecurity for Government Asia, visit, email or call +65 6722 938