The Singapore Government’s 2016 Cybersecurity Strategy states “Cybersecurity is a team effort, everyone has a part to play, and everyone has to play their part.” Whilst the Government is spearheading a host of cybersecurity initiatives, another important organisation contributing to the overall strategy is the Singapore infocomm Technology Federation (SiTF). To learn more, I spoke with Tammie Tham, Cyber Security Chapter Chairman at SiTF, to discover the role SiTF plays and its approach to enhancing cybersecurity in Singapore.
Richard Pain: What is SiTF’s role?
SiTF does several things, one is to be the voice of the industry. Our membership is based on companies, not individuals. Within my chapter there are slightly more than 100 security companies. These are large multinationals, government linked companies, start-ups and small tech vendors, all who are operating in Singapore’s cybersecurity industry. If there is any national initiative that impacts the industry, we bring our members together, collate everyone’s views and submit them to the authorities, so they're not just hearing the views of one company but from the whole cyber industry.
For instance, last year the Ministry of Communications and Information announced that we are going to have a standalone cybersecurity bill that will be debated in parliament towards the end of this year. We immediately organised a dialogue with the authorities to learn what to expect from the bill and how it will impact our industry. We then passed this information onto our members and gathered their feedback and comments. Our view is that when a bill like that is going to impact every one of our businesses, we need to make sure that we're very involved in at least influencing the bill at the drafting or crafting stage.
Richard Pain: The lack of cyber talent is a major challenge when it comes to cybersecurity. Do you think this issue is fixable in the short-term?
We all agree it's a global problem, but in Singapore I think it's slightly different because we have our authorities behind a lot of initiatives and really throwing money into them. The authorities are offering funding to SMEs who are willing to hire people who are not security trained and give them a chance to take on a security role. This is the Cyber Security Associates and Technologists (CSAT) Programme and it covers 50% of that staff member’s salary, which is great for SMEs.
Training and talent retention is also a challenge for companies. Sometimes the money in a particular role might be good, but unless you offer training and development then they will not stay. As a result, we tell our companies to invest in frequent training for the cybersecurity talent. Fortunately the CSAT programme can offer up to 50 – 75% of training expenses. SiTF also encourages SMEs to trial interns who are in the final year of their studies. In doing so, we also ensure that companies who accept interns actually assign them relevant jobs, not just photocopying. So if an intern is taken on as a security tester then they must really be testing software and applications. This benefits the interns, the schools and the companies themselves.
Richard Pain: Raising cybersecurity awareness is another issue that’s perpetually spoken about, but it feels like it’s never ending. Are there any strategies that would help make significant progress in this area?
It's a tall challenge to get the man on the street to understand the importance of cyber safety. It's also true that everyone has tried everything before, from roadshows to conferences to workshops and so on. These activities have not changed much over the years, but they remain important and need to continue.
One approach that I find works with SMBs is emphasising that good cybersecurity can help differentiate them from their competitors. When SMBs partner with larger companies, there’s a risk that if they are not adequately protected, they can be used as conduits to attack their partners. So whilst SMBs want to sell to those larger companies, it’s important for them to use the right tools and keep their backyard clean, so as to increase the chance of winning business.
Richard Pain: So if cybersecurity could be linked with business opportunities, rather than just security for security’s sake, then do you think we would see progress?
That’s right. We are taking a two-pronged approach targeting the sellers and the buyers to make sure that each one of them does their part in keeping the cyberspace safe. When larger companies are buying things and creating contracts, we want there to be certain terms and conditions that require the provider to meet the basic hygiene standards. This way, it's no longer a matter of looking at security as a cost business, but as a driver to get more business.
Outside my role at SiTF I run a cybersecurity company and increasingly we are seeing tender specifications that require us to be compliant with the Personal Data Protection Act (PDPA). However, this is mostly from the larger companies; I haven't seen a medium-sized firm having similar clauses in their contracts yet.
Richard Pain: Do you expect there to be more cybersecurity requirements in business contracts in the near future?
Definitely. In one of our discussions with the Personal Data Protection Commission (PDPC) they said there is going to be an amendment to the PDPA. The original act was passed in 2012 so it's been a good four years already, so the time is up for it to be revised. In the new revision we expect to see more enforcement controls and there will be a clearer articulation of what will happen if companies do not comply. I think it will really shake up the industry and companies will get more serious about cybersecurity and compliance. Give it another one or two years, then I think we will be in a much better position than we are today.
Richard Pain: Are there any other upcoming initiatives that SiTF is working on?
Yes. We have constant visits from foreign trade associations and we always promote Singapore’s vibrant cybersecurity ecosystem to them. One common question they ask is how vibrant is our ecosystem and whether we can quantify this? Unfortunately we cannot at the moment, so to help with this question, SiTF is preparing a special publication about Singapore’s cybersecurity and data protection ecosystem.
Inside, we will list down all the service providers that offer cybersecurity services, it doesn't matter whether they are SiTF members or not. We are also going to reach out to the government stakeholders including CSA, PDPC, IMDA and ask them to provide a view of the landscape from the government's standpoint. There will also be a section about end users, companies that really train their people and adopt best practices.
We want to be able to give this to the schools to educate graduates about a career in cybersecurity. We also want to make it easier for SMEs, who need a lot of help in getting themselves cyber ready. We will also share this with foreign companies, who want to use Singapore as a launchpad to sell their products across the region. I hope that this publication will give them an idea of how many providers we already have and how mature our cyber ecosystem is.
So the next time someone says, "Hey, you said your industry is vibrant, quantify it!" I want to be able to tell them, "I have so many suppliers in so many different areas." Then by tracking it on a yearly basis, I’ll also be able to show whether the industry has grown or shrunk and other related information. This will be an annual publication launching this year; we aim to have it out by the end of July.
Featured on: 8 June 2017