Beyond ‘blind compliance’: Strategic competencies are expected of government CISOs

It is important not to pursue cybersecurity in isolation, but apply it in context to strengthen integration between operations, policies and technologies, rather than achieve blind compliance, says Tham Mei Leng, Ministry CISO, GovTech Singapore, at GovWare 2023.

Leadership acumen and the ability to effectively engage with stakeholders are some of the key competencies expected of government chief information security officers (CISOs), shared GovTech Singapore’s speakers at GovWare 2023 as part of the Singapore International Cyber Week.

“CISOs need to be effective cyber security managers, ensuring that security functions and operations are well run end-to-end in their organisations.  

“But more importantly, they need to be trusted leaders within their organisations, building relationships with senior stakeholders, and communicating well on risks to secure buy-in for necessary security investments as part of overall business priorities,” said Soh Zhi Qi, Assistant Director with GovTech Singapore, in his presentation titled “Exploring CISO Challenges and the Government CISO Ecosystem” at GovWare 2023.  

To achieve this, GovTech has established competency frameworks to develop a broad range of cybersecurity competencies among its CISOs.  

Some of these non-technical competencies range from design thinking, risk assessment, to incident response, upon GovInsider’s browsing of its curriculum, offered by GovTech’s Digital Academy, the training arm of GovTech Singapore.

The shift of CISO’s role away from technology implementation was seconded by The CISO Report by cybersecurity software company, Splunk, where CISOs in almost all industries agree or strongly agree their role had transitioned from implementation and controls to security strategist.
 

‘Never trust, always verify’: The work of ministry CISOs  

This was echoed in a presentation titled “Cybersecurity in the Digital Era,” where Tham Mei Leng, CISO for the Ministry of Sustainability and the Environment (MSE), shared how she leads MSE in tackling its unique cybersecurity challenges while embracing digitalisation.  

On a day-to-day basis, this means ensuring cyber resilience across water, food, and environmental systems. 

“It is important not to pursue cybersecurity in isolation, but apply it in context to strengthen integration between operations, policies and technologies,” she shared.  

Rather than pursue strict regulations, MSE takes a risk-based approach to balance business requirements, operational efficiency, and cybersecurity, she shared.  

Some of the cybersecurity risks that MSE is currently monitoring include cloud vulnerabilities, the emerging use of artificial intelligence by malicious actors to improve attacks, and vulnerabilities within third party services. 

Tham has introduced a three-pronged approach to manage these, termed the “100 Plus” approach: establishing a security culture, enhancing cybersecurity resilience across people, processes, and technologies, and investing in Security Orchestration, Automation, and Response (SOAR) technologies to streamline cybersecurity. 

Beyond these fundamentals, MSE taps on the Singapore Government Tech Stack, a set of common digital services that government developers can use to build new applications securely from the get-go, she said. 

Tham also emphasised the importance of implementing zero-trust through network segmentation and role-based access controls, which ensures users can only access exactly what they need.
 

Centralising to build deep expertise: GovTech Singapore’s role 

The need to consolidate government’s cybersecurity capabilities is exacerbated by skills shortage in cybersecurity amid the accelerated rate of digitalisation across society.  

“Almost every large organisation is now a digital organisation. There is greater burden for CISOs to ensure the security of their technologies and digital assets that are increasingly critical to business operations,” Soh said. 

To put limited resources to better use, GovTech Singapore's Cyber Security Group (CSG) centralises its cybersecurity capabilities and drive a whole-of-government approach in tackling cyber threats, supporting government CISOs in their work. 

“CSG enables us to build a critical mass to consolidate and develop deep expertise across different domains, ranging from threat and risk assessment to zero-trust architecture, as part of a security-by-design approach. Some of these central capabilities can then be deployed across government agencies,” Soh explained.  

CSG also regularly brings together government CISOs across various agencies and ministries to enable knowledge sharing, collaboration, and peer support, he added.
 

Where industry partnerships support government cybersecurity capabilities  

Aside from centralising in-house capabilities, GovTech also supports the outsourcing process for government agencies. 

“[In-house capabilities are] still not sufficient for the volume of security activities required, especially with accelerating digital transformation. 

“We also support our CISOs in maintaining consistent standards and competency requirements in the service quality of cybersecurity services procured for their agencies,” said Soh. 

Another stakeholder engagement initiative rolled out by GovTech Singapore is a range of crowdsourced vulnerability disclosure programs inviting researchers and members of the public to both scrutinise and report vulnerabilities for government systems, including critical information infrastructures, as to supplement GovTech’s cybersecurity capabilities. 

The programmes are benchmarked against global technology firms, such as Google and Microsoft, according to a prior GovTech press release. 

Soh said that more than 2000 stakeholders have participated in the programmes. 

Singapore’s Smart Nation and Digital Government Group (SNDGG), which include GovTech Singapore, also earlier partnered with Amazon Web Services (AWS) to help set its “Dedicated Local Zones.” 

These dedicated local zones allow the government to host more sensitive systems within a dedicated cloud environment with more stringent and customised cybersecurity protocols.