Keeping Singapore’s critical systems secure

As a senior consultant at the Cyber Security Agency of Singapore (CSA), Tracy Thng is part of a team that has been tasked to shore up the cyber security posture of the nation’s critical information infrastructure (CII) sectors.

Formerly from the military, Thng’s interest in cyber security was piqued by her fascination with the field, one which is increasingly multi-dimensional. While her learning curve was steep, her problem-solving and analytical skills, as well as her political science training, have enabled her to offer a different perspective to cyber security.

In an interview with Computer Weekly, Thng shares more about her career journey in cyber security, including what it takes to enter the field, the challenges in the job and her “3P” approach towards her career.

How did your career in cyber security begin?

Tracy Thng: I started my career in the military and slowly developed an interest in cyber security and emerging technological trends. It was fascinating to me how cyber security is intertwined with other fields such as geopolitics. My interest was further piqued as I read more on the topic and took up online courses and certifications.

Additionally, there are new challenges every day with global events like ransomware and supply chain attacks, such as the SolarWinds breach, that make the environment dynamic and exciting for anyone who wants to pick up new areas of learning.

Cyber security is a domain with many specialisations such as cloud security, software testing, penetration testing, digital forensics, risk management and governance, and anyone can find something they are interested in. At CSA, I enjoy the exposure to different aspects of cyber security, and in my daily life, I also help my family strengthen their device security.

What exactly is your job like on a typical 24-hour day – is it deskbound, or on shifts, who might you be with, where might you be and what might you be doing?

Thng: My team at CSA’s CII division oversees the strengthening of the cyber resilience of 11 essential service sectors. CIIs are computer systems that ensure the delivery of key services such as transport, banking and healthcare. The work requires me to be involved in cyber security through all aspects – governance, legislative framework, supervision and confidence-building engagements with industry players.

A typical workday involves engaging CII stakeholders, reviewing and monitoring key organisations to ensure compliance with the Cybersecurity Act and Cybersecurity Code of Practice, and also developing and communicating CSA initiatives to CII stakeholders.

Beyond the main job scope, I was given the opportunity to work on national-level projects like the CII Supply Chain Programme, a national programme to enhance the visibility and management of cyber supply chain risks and create structures for stakeholders in the ecosystem to improve cyber supply chain resilience of Singapore’s essential services collectively.

“Having the purpose and clarity of why you want to work in cyber security and knowing what you are doing has positive impact on society helps you to focus on overcoming new challenges”

Tracy Thng, CSA

I was also involved in work related to operational technology (OT), where I researched on OT topics related to cyber security domains across operations, engineering and governance for the Operational Technology Cyber Expert Panel (OTCEP) Forum, an annual event organised by CSA where notable OT experts join us in sharing their expertise to address cyber security challenges for Singapore’s OT ecosystem. The next OTCEP Forum will be held on 12 and 13 July 2022.

How do you recommend people outside cyber security to transit into the industry? Are there specific roles best suited for individuals in the transition process?

Thng: My first bit of advice from my own experience is to believe in life-long learning. The technology landscape is fast moving, and new technologies, tactics and techniques emerge every day. The best part of it is that even without an IT background, you can still accomplish a lot with self-directed learning and guided training. Continuous training and upskilling are not only useful for entry into the cyber security sector, but can also equip you with the relevant cyber security competencies to contribute at work and in your daily life.

The learning curve was steep for me as I did not come from a technical background, but there were transferable skills that have helped me in my transition from the military to cyber security. My background in the military has honed my problem-solving skills, shaped my analytical mindset and trained me to be an effective communicator. Leveraging the writing, research and analysis skills from my academic qualifications in political science have also enabled me to offer a different perspective to cyber security.

An option is to consider self-training with the wide range of free and affordable courses available on learning platforms like Udemy, Cybrary and Coursera, and also sharpening technical skills by getting hands-on practice through online platforms like Proving Grounds or HacktheBox.

As for certifications, basic professional certifications like the CompTIA Security+ and the Cisco Certified Network Associate certification will help candidates achieve proficiency in the basics of information security and network infrastructure, respectively. These certifications could help you to go on to the next level such as (ISC)², ISACA, Offensive Security and Sans Institute courses as you begin your journey in cyber security.

If you’ve always been curious about getting started in cyber security, start by figuring out what specialty interests you the most. Cyber security can come across initially as a very technical field, but it is actually a lot more diverse and requires skills from both technical and nontechnical disciplines.

It also helps if you read up, listen to webinars and learn from people in the field about their specialty. For example, by joining a local society like the Singapore Computer Society, you can start to build a foundation and learn the basic IT and information security skills.

Are certifications important in advancing one’s career in cyber security? Why and why not? If so, what sorts of certifications should one pursue?

Thng: There are many career pathways for cyber security professionals. One can choose to move into management or focused on specialised areas like penetration testing and digital forensics. There are also opportunities to make lateral moves to industries like finance as well as information and communications which make use of similar technical skills applied to those areas.

Beyond pursuing the relevant certifications mentioned above, being successful in cyber security requires a multi-disciplinary approach and thus knowing soft skills like project management and other IT-related certifications like agile methodology and Kanban definitely makes the transition easier.

In the longer term, the certifications need to be backed up with experience, and the most important advice is to go for the basic certifications and start your journey in cyber security today.

What does it take to succeed in your field of cyber security?

Thng: I always live by the three Ps: purpose, passion and people.

Cyber security is important work that makes a difference. Having the purpose and clarity of why you want to work in cyber security and knowing what you are doing has positive impact on society helps you to focus on overcoming new challenges. It is like a compass that guides the direction of cyber security work amid the risks, uncertainties and threats.

Passion in the field of cyber security is the fuel to keep going when the journey gets tough. Because the field is so varied and cyber threats are ever-evolving, there are always new knowledge and skills to learn and keep up with, and so it is crucial to ensure the passion and momentum is sustainable in the long term.

Cyber security is also a team sport. Cyber security professionals need to be able to work closely with all departments from IT to HR, as well as learn from each other’s experiences and perspectives in order to manage the trilemma between security, cost and usability. The people aspect is that as teams and organisations work better together, the easier it is to respond to evolving threats.

So far, what has been the biggest challenge you have ever faced in your job?

Thng: The biggest challenge is in developing and communicating national-level initiatives across 11 CII sectors with holistic coverage across policy, operational, technology and resource practices. The other challenge is to ensure that the initiatives are also proactive, consistent and flexible for the CII owners.

As cyber attacks evolve and present systemic risks to the delivery of essential services, cyber security risk management is one of the many cross-cutting issues that CII owners have to contend with. These include increased operational costs, delays in supply chains, insufficient resources, challenges in ensuring critical systems (business, IT and security) work together and more.

At CSA, communicating our initiatives to CII stakeholders requires empathy, understanding their concerns and knowing when and how to lean forward to help them to strengthen their cyber risk management in an evolving threat landscape. These threats are a race against time to beat malicious actors before they can act. Cyber security is thus becoming a critical function that individuals and organisations cannot afford to ignore.