Frontline
Mr David Koh, Chief Executive, Cyber Security Agency of Singapore (CSA), at GTACS 2018, held on 21st May 2018. Photo Credit: ISACA Singapore Chapter
Governance, technology audits, control and security (GTACS) 2018 Conference
By Jane Lo, ASM Correspondent
Asia Pacific Security Magazine
Giving the Welcome Speech as the Guest-of-Honour at the Governance, Technology Audits, Control and Security (GTACS) 2018 Conference, organised by ISACA Singapore Chapter on 21st May 2018 at MBS Convention Centre Singapore, Mr David Koh, Commissioner of Cybersecurity for Singapore, Chief Executive, Cyber Security Agency of Singapore, Deputy Secretary (Special Projects) and Defence Cyber Chief, Ministry of Defence (Singapore), emphasized that cybersecurity is a C-Suite responsibility. The tone-from-the-top is key to building an effective cyber risk management culture within an organization.

“Cybersecurity is a team sport” was a theme that Mr David Koh highlighted at the ASEAN Ministerial Conference on Cybersecurity, as part of the Singapore International Cyber Week 2016 (SICW), requiring close partnerships among all involved, including governments in the region and industry partners in the private sector. Expanding on this theme at GTACS 2018, he said that it is important for C-Suite leaders to understand cybersecurity issues, so as to make informed decisions on risk management and its trade-offs.

From the perspective that “Cybersecurity is not an IT problem, it is a risk management issue”, tone-from-the-top, where the Board and senior management are highly engaged and understand what comprises information ‘Crown Jewels’, is a foundational building block for effective cyber risk management.

The Singapore Cybersecurity Strategy, launched at the inaugural SICW 2016 by Prime Minister Lee Hsien Loong, mentions the importance of C-Suite engagement, under capacity building (“Larger companies could also define apex cybersecurity positions at the C-Suite level”), and more comprehensive Cybersecurity exercises (which “will enhance the capability of the sectoral cyber response teams and the quality of incident management by the C-Suite decision-makers in the Critical Information Infrastructure operators”).

The responsibility and accountability of CII (Critical Information Infrastructure) operators in the event of a cyberattack are set out in a new 2018 initiative, Singapore’s Cybersecurity Act (2018), which was passed into law by Parliament in February 2018 and received the President’s Assent in March 2018.

Referring to the operational technology (OT) used to manage power stations and water treatment plants, Mr David Koh said “it is true that the cybersecurity solutions and awareness for the OT or industrial control systems is actually less developed than in the IT world.”

To boost the nation's defences, the Act requires operators in 11 CII sectors (Government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media) to secure their infrastructure and report incidents. It has four key objectives:

a. First, to strengthen the protection of CII against cyberattacks. The Act provides a framework for the designation of CII, and provides CII owners with clarity on their obligations to protect CII from cyber-attacks.

b. Second, to authorise CSA to prevent and respond to cybersecurity threats and incidents. The Act empowers the Commissioner of Cybersecurity to investigate cyber threats and incidents to determine their impact and