The 2021 ISACA-Frost & Sullivan survey, The Singapore Cybersecurity Landscape, revealed that 63% of respondent organisations were adopting the cloud more during the pandemic than in prior years. The same study noted that, despite a general perception that cybersecurity had improved, senior management is more concerned with cyber risk issues.
How have things changed twelve months on?
Following from last year’s dialogue with Steven Sim, president of ISACA Singapore Chapter and Kenny Yeo, director of global security advisory and head of Asia Pacific cybersecurity practice for Frost and Sullivan, Richard Wong, senior vice president, global head of security advisory at Frost and Sullivan, joins Sim to discuss the findings of this year’s survey.
Click on the PodChat player for a more in-depth discussion on the results of the 2022 survey and what our security practitioners recommend for 2023.
Give us a background of the collaboration between ISACA Singapore and Frost & Sullivan.
Steven Sim: I was invited by Frost & Sullivan to be on the judging panel for their awards back in 2017/2018, and that is when we first discussed the idea of having a Singapore-based ISACA membership-wide cybersecurity landscape research.
Now in its fourth year running, members have benefitted from it, with many using it as a reference to determine their work plan and budget. Plus, it caught the attention of our counterparts in the ISACA Malaysia chapter. I believe they have recently released their inaugural Malaysia-centric ISACA chapter research as well.
Richard, from your perspective, what are the specifications of the survey and the type of respondents that Steven alluded to?
Richard Wong: The profile is relatively like last year’s responses. This year, we had about 134 respondents from many of the larger enterprises in Singapore with cybersecurity and audit backgrounds, and all are our ISACA members.
The majority of these respondents are key decision makers, more at a senior and experienced level. They really know what the trends, issues and challenges within the cybersecurity space are.
What would you say are the top trends today as Singapore moves post-pandemic?
Steven Sim: The trends in terms of the key challenges are reflected in the ISACA global surveys, the digital trust survey as well as the Singapore survey.
There is an increase in the software supply chain risk that is still impacting digital trust. It has become a focal point for many organisations to tweak their phishing simulation exercises.
Are Singapore enterprises more at risk this year compared to previous years? Is Singapore on par with the rest of the world when it comes to the risks that organisations face around cybersecurity?
Richard Wong: We (Singapore) are not on par (with other markets). When you look at it globally, the risk is inherently tied to how digitalised you are. From an infrastructure perspective, less developed countries have a very rudimentary infrastructure.
It does not mean that they cannot be hacked but that they may not necessarily have all their critical assets or data, digital assets online.
If you look at Singapore as compared to the previous years, we are definitely more at risk. Enterprises have expanded significantly over time; more and more devices get connected and that is where the risk increases.
All connected devices could potentially be attacked or hacked. From our survey, the percentage of enterprises who are at risk increased by 2% over the previous year, over the 2021 results.
Some do not even realise they have been breached because they do not have security testing assessments or monitoring systems in place.
What would you say are your top recommendations to go past the risk that you and Richard mentioned, and how do we deal with one of the areas that you particularly alluded to: supply chain attacks?
Steven Sim: Putting in place a strong risk governance framework. Not just applying compliance-based culture but really the risk governance aspect of it. It is about maximising and realising business benefits while optimising risk and resources.
Identifying potential concentration risks during threat modelling and adopting a resilient-by-design approach is important. This includes MTTD (mean time to detect) compromises in the environment, and the MTTR, the mean time to respond to incidents, and recovery.
Any final recommendations for our readers around this?
Richard Wong: At the end of the day, it is really about a very holistic and continuous process. Humans are prone to making mistakes, hence educating your end users and, more importantly, the senior executives is very critical for the right intelligence and information.
So wherever possible, protect and monitor every device at the enterprise level. You need a roadmap to identify your gaps and to plug them over time.
Steven Sim: Risk communication is key. We are truly only as strong as our ecosystem. We need to share intelligence and best practices, and cross-pollinate ideas and top leadership, to stand against the hackers.
Joining communities like ISACA and ISAC information-sharing centres can help foster best practices and risk governance. Enterprises with trained intelligence can detect early, respond, contain, and recover fast if there is ever a breach.