Reflections with Steven Sim

By Vivien Kwai and Sonia Teo

Steven Sim is the Head of Group Cybersecurity at PSA International Pte Ltd undertaking CISO role. He is also the President of the ISACA Singapore Chapter. With over 20 years of experience, Steven has made numerous contributions to the cybersecurity field. In this article, Steven reflects on his experience in the industry and shares advice on how to enter the field, the future of cybersecurity and how we can adapt to the industry’s developments.

When people think of a job in cybersecurity, they think of it as very technical. Because of movies, they think of a nerd staring at the computer, typing away and in a zone of their own. In fact, not only is the persona of technical cybersecurity folks often misunderstood, cybersecurity also includes many domains such as governance, stakeholder management and managing education programs that raises awareness about the perils of cyberspace and responsibilities to keep the business safe. 

In the digital era of today, cyber attacks are rampant. It is crucial for companies to prevent cyber incidents from escalating and creating a serious impact on the business. Hence, our focus is on layered defences and disrupting the attacker before he or she can reach the digital crown jewels.

In the IT world, we have monitoring systems in place, just like CCTVs in the real world. Just like wrongdoers trying to circumvent CCTVs by wearing masks, in the digital world, their attacks may masquerade as legitimate traffic. Thus, we have a lot of monitoring, not just on the IT network but also at other areas including your endpoints such as your laptops.

Though you may have an antivirus program, it is not adequate as it is based on signatures. You need more advanced tools like endpoint detection and response (EDR). It is based on Artificial Intelligence (AI) and Machine Learning (ML), which generates telemetry information for behavioural analytics in order to look at anomalous behaviour and patterns. 

In cybersecurity, we talk about having a defence-in-depth. We have many layers of defence: protecting data on the network, endpoint, and your accesses when you are surfing the internet out through the web proxy, and securing your USBs, etc. Technology alone is inadequate and needs to be supplemented by people and processes. For instance, when you copy a sensitive file to the cloud, you need to encrypt it to prevent data leakage to the wrong parties. 

Having said that, defenses are not fool-proof. When an attack enters an endpoint, the attack gets detected and evaluated. If it is successful, it is tagged as a cyber incident, the endpoint is contained and the cybersecurity incident response team is activated to investigate the incident. 

There are typically five phases in incident response. Firstly, we identify and confirm the incident because we do not want to cry wolf. After an attack has been confirmed, we escalate to relevant stakeholders for the various tasks associated with each phase of incident response, such as containment or eradication. And this is where stakeholder management comes into play because you have to escalate to the relevant parties to manage the incident.

My typical workday starts off with a good breakfast, attending to any urgent needs and evaluating the latest cyber attack trends for any newly published attack methods before attending meetings and starting on the tasks for the day. Typically, such meetings and tasks help me get oversight into the various cybersecurity functions. This allows me to manage the cybersecurity team’s performance in elevating our cybersecurity governance, incident response and cybersecurity masterplan program management in order to meet PSA’s business objectives and risk appetite. 

On top of these meetings, I support our colleagues in regional and local cybersecurity functions across the globe to upkeep PSA’s global cybersecurity posture in tandem with my team. We also work closely with other functional departments as cybersecurity is increasingly integrated into every aspect of our work. 

One of our goals is to achieve resilience by design. This is an ongoing pursuit that entails not only the cybersecurity team’s involvement in the system development life cycle but also the ability to be resilient to the inevitability of cyber breaches. 

Apart from elevating our technical capabilities, we need to continually elevate our competencies through training and tabletop exercises during peace-time in order to strengthen our incident response to cybersecurity incidents. Together with my team, we actively promote knowledge, experience and tool sharing across our business units. We also cross-pollinate our experience with our partners and participate in community-based information sharing analysis centres (ISACs) to learn from and share with one another.

My experience has been both exciting and challenging. There has never been a boring day. I often learn new things and even have new revelations. This sector has really evolved rapidly over these two decades and the work has always been interesting. For example, in my earlier years, I developed solutions to auto-quarantine unknown malware. I also performed penetration testing and discovered zero-day vulnerabilities with both cybersecurity products as well as operational technology products. 

It is getting even more exciting with the fourth industrial revolution and emerging technology in the likes of blockchain, the Internet of Things (IoT) and 5G. It is also both challenging and exciting considering the approaches required to manage digital risk in both the much anticipated metaverse and the post-quantum era. 

What motivates me to go to work every morning is the sense of purpose for the business and the opportunity to leave a legacy behind that would benefit future generations. Cybersecurity is not just a business enabler but more importantly a business differentiator. So being able to protect our business or critical infrastructure to acceptable levels is rewarding. 

Recently, PSA was named among the recipients of IDG’s CSO 50 awards this year, which globally recognises 50 cybersecurity projects and initiatives around the world for their outstanding business values and thought leadership. The ability to elevate our cybersecurity standards really gives me a lot of satisfaction. 

What has made me continue staying is also the opportunity to be involved in the closely-knit cyber community. I have been a volunteer in ISACA Singapore Chapter for the past eight years and almost two years as the President. The work I am involved in allows me to actively contribute to the upskilling, cross-skilling and reskilling of professionals in our ecosystem, to cross-pollinate ideas and knowledge with the global community, and also help the underprivileged.

First and foremost, you must be passionate about what you do. Passion and purpose are really the fuel that can sustain us in this profession for the long run. 

To make an impact in the cybersecurity industry, one needs to be courageous, and supported by reasonableness and a good basis for doing what is best for the enterprise. This is often easier said than done because it has to be strategic courage and not just mindless bravado. 

Technical appreciation is a foundational must. A computing-related degree is definitely preferred. However, as we move into industrial revolution 4.0, cybersecurity is required in every aspect of our lives. Therefore, having multidisciplinary domain knowledge is a plus. For example, having knowledge in computing and law does not just help in legal technology, but also in making policies that are legally sound, yet not detached from pragmatic approaches. 

As we enter this new age, we need to be cognizant and comfortable with emerging technology, as well as the inevitable IT and OT (operational technology) convergence. For instance, a cybersecurity professional will need to know how to govern AI. They must know if someone has modified AI in malicious ways. Similarly, an auditor needs to know how to audit AI as well. 

A risk-based mindset is also important so that your work is aligned with business needs. Cybersecurity is both a science and an art. The science is with the technologies, and the art is with optimising risk and convincing stakeholders how much investment is sufficient to help the enterprise to meet its risk appetite. We need to continuously innovate and consider many perspectives before determining the best approach for work. 

All that being said, I feel that the most important attribute in this field is integrity. You need to be a trusted voice in your company.

Yes. For instance, some people are self-taught white-hat hackers. They have not attended any courses, but watched YouTube videos, downloaded software and tried and experimented the various hacking methods themselves. When they win hacking competitions, they get noticed by companies as they have proved themselves. 

That being said, there are courses that can help. As an example, ISACA provides courses in cybersecurity fundamentals (CSX) and IT Certified Associate (ITCA) courses to bridge the gap for fresh graduates and people considering having a mid-career switch, or even just picking up a new skill. The local Singapore chapter also offers mid-career conversion programs.

There are also online courses on Udemy, Coursera and LinkedIn, where you can get some “appetisers” before you dive deeper into any specific subject matter. Working professionals have many different routes as well – Harvard Business School and such have online or distance learning. Those who can afford it may fly over to take up those courses and training to get diplomas. Some polytechnics and IHLs have post-grad diplomas in cybersecurity as well.

It is often not a zero-sum game in cybersecurity. We need to think deeper into the art of stakeholder management and the ability to link business outcomes to what we are doing in the cybersecurity field. All too often, cybersecurity professionals are blinded to the fact that their purpose is not to build the most secure system out there when they are just starting out in their career. Instead, it is to assist the business in optimising its business risk. After all, as with any business, a business has to take some calculated risks. As mentioned, it is not practical to have fool-proof security. Therefore, knowing how to find the right balance of security controls and taking a risk-based mindset earlier on in one’s career will bring one closer and faster up the business value chain. 

As such, interested readers can grow these soft skills by joining communities and participating in student chapters (ISACA Singapore chapter, for instance, has student chapters across most of our institutes of higher learning) to meet with people in the industry and to learn from their experiences. 

Try to join a mentoring programme as well. Through learning and sharing your knowledge, you get more exposure and learn how to manage stakeholders better. And while there are courses and training available online, nothing beats practice as you get to put theories into practice. 

Taking up leadership positions will also help in managing stakeholders. As you run projects, you will be able to fine-tune your skillsets. This is in terms of managing stakeholders at different levels, both your peers, subordinates and even your bosses.

In general, people leave when there is a lack of vision and purpose in a company, and when there are weak leaders in that company. 

In PSA, because of our strong vision and great culture –embodied in our Fish! philosophy – we have staff who have stayed with PSA for decades. However staff turnover can still happen. 

There is also a highly competitive market out there for tech related talents and we can appreciate how staff recruitment and retention can be challenging, especially for SMEs who are up against bigger players.

Well, it used to be male-dominated but this has progressively improved over the years through initiatives from the government, enterprises, trade associations and private-public partnerships to embrace diversity. However, much still needs to be done. 

For instance, at the ISACA Singapore Chapter, we have a SheLeadsTech initiative which is one of our key diversity pillars. We created programmes and initiatives for passionate learners and mid-career women who want to switch to a cybersecurity career, even housewives who have decided to re-join the corporate world. Cybersecurity does not just cover technology; areas like cyber risk governance, management and assurance are all important areas where diverse mindsets and approaches help alleviate these cybersecurity domains.

One trend I have observed in the cybersecurity sector is Industrial Revolution 4.0. As we are increasingly connected globally, we are rapidly moving into Supply Chain 4.0 because we depend on very integrated supply chains nowadays. For instance, when you buy something from online platforms, it requires very strong supply chain connections for the goods to arrive on time. Therefore, critical information infrastructures such as utilities and transport are increasingly impacted digitally. 

At the same time, hackers are getting increasingly sophisticated and so is emerging technology. Hackers are also a very organised community. They are not just criminal gangs, but also nation-states with huge amounts of resources and intellect. We often note that attacks are asymmetric in nature. As a physical illustration of this point, let’s say we must secure an entire physical perimeter, such as a school compound. We have to fence up the entire perimeter. However, hackers just need to find a single hole to be able to penetrate and cause a successful breach. 

To make things worse, it is now not just a matter of securing our perimeters but our suppliers’ perimeters as well, with supply chain 4.0. Hackers are targeting suppliers with not only business email compromises but via sophisticated watering hole attacks. When you consider the ever-rising premiums in cyber insurance and the difficulty in setting limits by insurers, it is also a reflection of how complex and difficult cyber security is. 

However, as defenders, we can flip this asymmetry by working more closely, collaborating and sharing more information. This is where collective defence is important. Hackers take time to develop new attack methods – what we call an exploit. When we promptly share with others our detection of an exploit from our monitoring and analyses, we can render this exploit useless by developing a solution and disseminating it to others. 

The sector will be more fast-paced, and both companies and professionals will need to move more agilely to address cybersecurity issues and concerns. Coming up in a few years’ time, we will face a post-quantum era and may need to re-encrypt all our storage and back them up to ensure that they are secure. There is also the metaverse, which needs a whole new regulatory framework to protect against cyber attacks and cyberbullying. 

However, I think come what may, we will step up the game just like we have come a long way from horse carts to cars. Against today’s dynamic cyber landscape, we should embrace the new cybersecurity normal and hold our grit together as we continue on this evolving journey with our best foot forward.