At a recent CXOCIETY C-Engage roundtable among ASEAN CIOs and CISOs, the discussion revealed the extent to which leadership is aware of the challenges their organisations face in securing the enterprise.
Earlier, FutureCIO spoke to two security practitioners in Singapore on the cybersecurity landscape in Singapore in 2020: Steven Sim, vice president of ISACA’s Singapore Chapter, and Kenny Yeo, associate director and head of Asia Pacific Cyber Security Practice, ICT, Frost & Sullivan.
The PodChat was in relation to the second annual survey conducted among ISACA members in Singapore.
Survey findings:
The survey revealed that enterprises in Singapore are enhancing digital transformation programs because of the pandemic, with 59% of respondents specifically pushing this to enhance their customer engagement.
The survey also revealed that Singapore enterprises are accelerating towards the cloud with 82% mentioning that they have production projects on cloud, or are cloud-first.
The human factor was identified as a risk in 2019 and remains a threat in 2020.
Human factor related threats, such as unintentional human error, phishing, business email compromise or malicious employee actions, are the most worrisome among Singapore enterprises.
The shortage of cyber security expertise is getting more serious, with the top three HR challenges faced today being:
- Lack of a trained cyber security workforce
- Difficulty hiring new experienced security professionals due to the lack of talent
- Stretched budget to hire new resources
In terms of losses, even though board and management are typically most concerned about monetary impact, non-monetary losses have the most impact on enterprises. These types of losses include reputational, productivity and business data loss.
But the good news is that the perception of cyber security among SG enterprises is improving! 67% of SG enterprises say that the perception of cyber security has improved, and the senior management is more aware of cyber risk issues. This is primarily due to more effort from risk teams to conduct regular briefings on cyber risk. This has also led to 62% of enterprises increasing their IT security spending in the next 12 months.
Podchat for FutureCIO
Click on the podchat player to listen to Sim and Yeo share their views on the following:
- In the joint ISACA-Frost survey of organisations in Singapore, you indicate the supply chain as the new threat. This should not be a surprise – given that we are in a connected economy and businesses establish connections first and foremost to grow revenue. Everything else (including security) is an afterthought. What needs to happen (a) internally; (b) externally (perhaps third-party legislation or government intervention like in banks)?
- Also, the human factor stood out as the undisputed weak point when it comes to cybersecurity. Are all the efforts by CISOs and the infosecurity team going to waste if employees do not practice cyber security policies?
- One of the action items of becoming a digital enterprise is the drive towards becoming data-driven. How does an enterprise become data-driven while ensuring that this data remains protected throughout its lifecycle?
- Given that more organisations are outsourcing some parts of their processes, including IT and security, is it advisable to add “data-protection” clauses into these engagements? Who should take charge of this?
- The ISACA-Frost study identified a lack of trained cyber security staff as an HR challenge. What is the minimum internal staffing complement to make sure that someone within is policing adherence to cybersecurity issues and guidelines?
- The ISACA-Frost report cited “reputational loss” as the highest risk to a company. But with humans the constant source of cyber insecurity, how do you introduce change throughout the organisation that would minimise risk failings when it comes to cyber security (and any other security issue)?
Recommendations
Enterprises need to protect their most important assets, the people working for their organization. They need to actively manage the human factor.
Information security needs to be handled holistically, not just in the IT and cyber security teams, but also among the management and board.
Enterprises must grasp that cybersecurity is a business issue and that cyber losses are often not direct financial losses. These indirect losses still critically impact the business, and thus cyber risk needs to be actively managed.