By Kenneth Choo, Deputy Director, Cyber & Governance, Digital Technology, NTUC LearningHub
Embarking on a learning journey can be one of the most significant life investments that allow us to explore our passions, develop our skills, and shape our future in an introspective and transformative way. In this reflective piece, I will share my personal story and the impact continuous learning has had on both my personal life and career, particularly in the realm of cybersecurity. I hope this can motivate others to seize new opportunities and invest in themselves to grow and succeed.
My journey in the world of technology started with managing Information Technology (IT) infrastructure and operations. Then, I became aware of the significant role technology plays in our lives and the increasing need for robust security measures. Having the privilege to work across various industries from Healthtech, and to now Edtech for nearly 20 years, I witnessed the evolution of cyber threats and the potential risks they posed to organisations. This sparked my growing interest in cybersecurity even further.
I realise that cybersecurity is not just a technical field but a critical aspect for business operations to run seamlessly. By specialising in this field, I play a more direct role in protecting digital systems and data from malicious attacks. I also appreciate the unique community of cybersecurity, where like-minded professionals come together easily to share knowledge and secure the ecosystem as a whole.
THE BEST OF BOTH WORLDS
Throughout my career, various significant milestones shaped my path and propelled me forward in my pursuit of the cybersecurity domain. Having worked in the public and private sectors, I am able to compare the distinct differences, yet equally dynamic and challenging landscapes.
In the private sector, organisations are mainly driven by factors such as sales, profitability, and market competition. As businesses embark on digital transformation and rely on digital platforms to sell their products or provide their services, the need to implement robust cybersecurity measures becomes of paramount importance. However, more often than not, organisations are playing catch-up in this area and face a constant battle against cyber threats such as data breaches and ransomware attacks, especially Small and Medium Enterprises (SMEs). The increased focus on tightened regulation and personal data protection, such as the Personal Data Protection Act (PDPA), further amplifies these challenges. It can be challenging to achieve a good balance in the investment of cyber measures versus other areas of the business as well, and it is always tough to determine if the investment is adequate. To overcome this issue, the cybersecurity trend in recent years is towards a risk-bask approach, where practitioners identify assets of higher risk by value and apply the appropriate controls based on the risk level. This approach helps provide better guidelines and enables organisations to allocate their cybersecurity resources more effectively.
On the other hand, the public sector operates within a unique landscape with different objectives. At the broad level, it focuses on digitalising Singapore towards becoming a Smart Nation and using technology to improve citizens’ life. At the same time, they are also responsible for securing our critical infrastructure (such as power, transport, and healthcare) and protecting our sensitive information from sophisticated attackers. A successful cyberattack on a government system can have far-reaching and adverse repercussions, impacting citizen safety and the nation's reputation.
It was intriguing to witness the growing importance of cybersecurity in different sectors and the critical need for skilled professionals to safeguard vital information and infrastructure. This demand is still growing positively today and there is a need to have a bigger pool of experts in this domain to ensure businesses have the capability to protect themselves from cyberattacks, as more companies continue in their digital transformation journey.
YOU ARE ONLY AS STRONG AS YOUR WEAKEST LINK
In one of my previous roles, I witnessed a cyberattack initiated by a malicious actor planting a harmful thumb drive into an unattended and unsecured workstation. To mitigate the impact of this incident, the team responded by isolating the affected personal computer (PC), connected machines, and network for several hours. The operations team had to resort to manual processes to carry out their daily tasks, causing the support team to handle over a hundred customer complaint emails. Fortunately, the containment measures were implemented promptly, preventing sensitive data exfiltration. However, the organisation still experienced financial and reputational consequences from this incident.
In 2018, we also witnessed the significant impact of a cyberattack in Singapore's local public healthcare sector. This incident brought about a drastic transformation of the entire healthcare landscape, emphasising the critical need for robust cybersecurity measures to safeguard patient and health data. The attack originated by exploiting a vulnerability in a workstation, believed to be through an email phishing attack, and progressed through a series of steps and tools, ultimately resulting in the exfiltration of 1.5 million patient records. The incident had evident operational, financial, and reputational consequences, clearly demonstrating the sophistication of modern attackers and the advanced tools they employ.
Once again, this serves as a good reminder of the importance of securing all potential connections to our corporate network and not overlooking any potential weak link. We must always bear in mind that attackers are continuously targeting the weakest links. A good cybersecurity practitioner should always comprehensively assess the entire attack surface and adopt a mindset similar to that of an attacker. By doing so, we can better identify and understand potential vulnerabilities, weaknesses, and entry points malicious actors may exploit.
With evolving technologies such as Web 3.0, quantum computing, increased adoption of IoT technologies, and even artificial intelligence (AI) chatbots such as ChatGPT, cyber concerns will undoubtedly become more elevated and sophisticated. While ChatGPT can be used by many to improve their work, it is also a double-edged sword. For example, threat actors can easily obtain reconnaissance data, such as Internet Protocol (IP) address ranges, domain names, operating system vulnerabilities, etc. all within a single platform. It is also possible for threat actors to use ChatGPT in their weaponisation, delivery and exploitation stages, hence fast-tracking their attack chain.
FINDING OPPORTUNITIES IN THE PANDEMIC
When the COVID-19 pandemic hit, many companies were forced to adapt and expedite their digitalisation journey for survival. As the reliance on digital platforms and networks grew intensively, the importance of cybersecurity also increased exponentially. During the lockdown period and the transition to remote work arrangement, I realised that a unique opportunity arises. As some people might perceive this time as a setback, I chose to view it as a chance to further invest in my personal growth and learning.
With the reclaimed time from commuting and social engagement, I committed myself to various courses, dedicating weekends, and free hours to further upskill myself and broaden my portfolio. In addition to cybersecurity-related courses, I also explored other areas such as attending mindfulness workshops which helped to improve myself as an individual too. By doing this, I believe that I can position myself to thrive in the new norm and possibly open myself to more opportunities when the pandemic ends.
SEEK OUT THE SILVER LINING AND INVEST IN YOURSELF
My journey in cybersecurity, fuelled by a strong belief in lifelong learning, has been transformative. Besides shaping my skill set and broadening my perspective, it has also empowered me to make a difference in safeguarding digital systems and data.
By embracing opportunities, investing in myself, and prioritising continuous learning, I have grown both personally and professionally. As I reflect upon my journey, I am more convinced of the profound impact continuous learning has on our lives.
I encourage everyone, regardless of the field or industry you come from, to embark on your own journey of growth and transformation. Even during challenging times, it is essential to constantly embrace opportunities and seek out the silver lining behind them. Most importantly, invest in yourself and prioritise continuous learning as a pathway to success, self-fulfilment and making a positive impact in your role.
To my fellow cybersecurity practitioners, I encourage all to foster a collaborative and supportive mindset by sharing our knowledge and experiences whenever possible. Additionally, we should constantly nurture the next generation to ensure a robust pool of cybersecurity experts.
Let us embark on this lifelong learning journey together, where each step propels us closer to unlocking our full potential.