
Eye 2 Eye

Finding the right balance

Posted date: 18 August 2010
Mr Hord Tipton, Executive Director of (ISC)², presenting the honoree award to Ms Christina Gan

Ms Christina Gan of IDA shares her experiences in infocomm security.

(ISC)², a global leader in educating and certifying information security professionals with nearly 70,000 certified members worldwide, announced the honorees of its fourth annual Asia-Pacific Information Security Leadership Achievements Programme in July. Among them was Ms Christina Gan, Senior Director (Infocomm Security & Assurance Division), Infocomm Development Authority of Singapore (IDA).

Ms Gan took up the security portfolio at IDA seven years ago, after a tour of duty that included postings with the Attorney General’s Chambers, Ministry of Foreign Affairs, Subordinate Courts, Commercial Affairs Department, Ministry of Law and the Ministry of Home Affairs. At IDA, she was involved in formulation of Singapore’s first Infocomm Security Masterplan and other initiatives such as the Cyber Security Awareness Alliance. She talks to IN.SG about these experiences.

Describe the function of IDA’s Infocomm Security & Assurance Division.
As the security team of IDA, we are very much focused on ensuring infocomm security for the government but at the same time, we also have to look beyond this at national level initiatives. This includes deploying infocomm security infrastructure projects and working with the industry to promote infocomm security awareness.

How did the team go about formulating Singapore’s first Infocomm Security Masterplan?
First, we did our research. We looked around the world to see if there was something that could be modelled after. We found only one that was close – the Americans had a strategy which stated their broad intent in the area of infocomm security. However, for Singapore, we wanted something more concrete.

We went about developing the masterplan in a very systematic way and asked ourselves questions like: What security measures do we have today? What are we trying to deal with? What are the threats? We wanted to link what was out there with where we were at, at that point in time, and look at what was relevant to Singapore. Then we started to connect the dots.

We tried to involve as many people as we could and had roundtable discussions with the industry and focus group meetings which involved other government agencies. We also had the strong support of the IDA management and the National Infocomm Security Committee (NISC) which is chaired by the Head of Civil Service Mr Peter Ho. They gave us their perspectives and helped confirm the high-priority areas that should be addressed. In all, the process took about a year and the masterplan was launched in 2005.

The masterplan is a living document that is constantly refreshed and made relevant. Even today, we continue to enhance it and constantly ask ourselves - what are the demands, where are the threats, what more must we do to better secure our government and our critical infocomm systems. That is still very high on my list of priorities.

Another initiative that you are involved in is the Cyber Security Awareness Alliance. Tell us about the Alliance and its objectives.
The Cyber Security Awareness Alliance consolidates efforts to reach out to different communities in order to bring about greater awareness of infocomm security. It is about bringing different parties together. It could be the infocomm industry, for example, a company selling a product. It could be a trade association reaching out to a community, for example, the small and medium enterprises or the banking community. It could be the various government agencies. We want to bring about greater awareness to the respective communities, so that they understand the dangers of going online and that they practise and do the right things.

We are going out there collectively as an alliance and collaborating to bring the message to the market. The Alliance’s new tagline, “Go Safe Online”, serves as the guide. It denotes the action-oriented approach that we intend to bring to all our engagements with our audiences.

What are some of the challenges that you encountered in this effort?
Due to the varying composition of members of the alliance, it takes time to bring people onto the same page. We have had to generalise the message and make it simple before bringing it to the audience.

How were these overcome?
It had to be a win-win arrangement. We sat down in smaller groups to find out what was important to each stakeholder. This required a lot of understanding: What will make this successful for you? What will make it successful from our perspective?

We then tried to make the connections and bring in other relevant parties, and grouped people with similar interests. Once we had that, somehow things just started to click. We had their support and we began fine-tuning each idea. But it involved a lot of discussion way up front.

What would you say were the key success factors behind these infocomm security initiatives that you have been involved with?
In all that we have achieved, the support from senior management has been tremendous, from the support of the Chairman of NISC to all our IDA CEOs, without whom we would not have been able to get to where we are today.

The other people who played a pivotal role are my team members. We started with about 20 people and we are now 50-strong. Everyone has been there with me, getting us to where we are today.

What keeps you interested in infocomm security in general?
What’s keeping me going is the fact that I am still enjoying my work. Contrary to the belief that infocomm security is a specialised, niche area, in actual fact it really needs a wide variety of skill sets. Yes, you need to know what the threats are and understand the technology to deal with these threats, so you need an appreciation of the technical aspects of infocomm security. But to address these, it’s not just about technical solutions. It’s also about making sure that the stakeholders understand what is at risk, knowing how prepared they are to put in place the necessary security measures, and then knowing what controls you can then propose as a consultant.

We need to find the balance between being secure enough and allowing the business to continue functioning smoothly, and to do this in a cost-effective manner. What keeps me going is trying to find this balance. You have to be able to look at things from both the technical and non-technical perspective, and present them from the perspective of the senior management.

Just like the Infocomm Security Masterplan is a living document, so is our work in security. You know what you know today, and you do what you deem is best. There is no standard answer – it is about finding that balance at the point in time. But things change and you have to constantly re-examine the infocomm security landscape and ensure that it is just as secure down the road.