Cybersecurity Leaders – Shao Fei Huang
As Chief Information Security Officer at Singapore’s Land Transport Authority (LTA), Shao Fei spearheads the cybersecurity programme across land transport. He is also concurrently Director for Cybersecurity and Director for Data Science at LTA. Prior to joining LTA, Shao Fei had served in various roles at Singapore’s Ministry of Home Affairs, Ministry of Defence, Defence Science Organisation National Laboratories, Centre for Strategic Infocomm Technology and the InfoComm Development Authority.
Shao Fei received his Bachelor's degree in Mechanical Engineering from The University of Tokyo under the support of the Singapore Public Service Commission and Japan Monbusho scholarships. He also holds a Master of Business Administration from the University of Leicester, as well as CITPM and CISSP-ISSMP certifications. He currently serves as the President of the Infocomm Security (IS) Chapter of the Singapore Computer Society, and co-chairs the Cybersecurity Working Group at the International Association of Public Transport (UITP).
The job of CISO is never going to be an easy one, no matter what you do. The bad guys only have to be right once. How do you deal with that when it seems like an impossible challenge?
As the saying goes, “there are only two types of companies: those that have been hacked, and those that don’t know they have been hacked.” As a CISO, I adopt an “assume breached” principle when it comes to implementing cybersecurity. Correspondingly, I think that traditional endpoint protection and multi-layered defences that are now commonplace in most organisations are irrelevant if we do not get cyber detection, response and recovery right.
What should corporate boards know about conducting information security?
First and foremost, that there is no such thing as 100% security. Information (or cyber) security risks will always be present, whether large or small, major or minor. It is therefore important for corporate boards to know what their cyber risk exposures are, and the consequences of cyber breaches, which could be quite different depending on the industries they reside in.
Second and more importantly, that cybersecurity is not an IT issue, and they should seriously consider appointing a CISO in the C-Suite to oversee cybersecurity, as well as including cybersecurity in the Board agenda. On the latter, many organisations have realised that cybersecurity risks need to be addressed at the Board as they need to be steered at the strategic level and not just left to IT departments.
How can CISOs better understand a business’ needs?
Many CISOs I know were appointed to their roles by virtue of their IT skills and expertise, and more often than not, they lack training in traditional business soft skills. To better understand a business’ needs, CISOs need to get out of their comfort zone, “unlearn” tendencies to use IT or technical terms, and acquire critical business soft skills in order to navigate the Board and C-Suite effectively. Among other things, two critical soft-skills for CISOs are to “think win-win” and “seek first to understand, then to be understood”, from Stephen Covey’s ‘7 Habits of Highly Effective People’ which I have found hugely useful in my personal career.
Threats are everywhere and always changing. How can we address this difficult reality?
Often organisations and even CISOs suffer from a misconception that compliance and technology hold the key to addressing cybersecurity challenges. I hold a different view. Building an underlying fabric of cyber-resilience in the business is far more important, such that should cyber breaches occur, the business can quickly recover and regain customer confidence. Secondly, CISOs must recognise that they will never be “one step ahead of the hackers” by buying the latest and greatest technology, regardless of what vendors tell them. Instead, CISOs should actively join and participate in professional communities, such as the Singapore Computer Society in Singapore. Through such communities, they will be able to identify and network with CISOs from similar industries and step up their game against the evolving cyber threats.
Why do some CISOs use technology for its ‘cool’ factor instead of for securing or enabling the business?
Many CISOs were appointed into their roles not because they are experts in penetration testing systems or in reverse-engineering malware, but because they have done well in their IT careers. Inevitably, they would be excited about the latest and greatest technology, as their passion is in IT more than cybersecurity. Additionally, many CISOs are not involved in executive and board-level conversations outside of those related to cybersecurity. This makes it challenging for CISOs to align cybersecurity with the lines of business.
How has industry cooperation made an impact on cybersecurity?
According to (ISC)2, the shortage of cybersecurity professionals is close to three million globally. Asia Pacific (APAC) is experiencing the highest shortage, at around 2.15 million. It is unrealistic to expect that the shortage will be reduced dramatically anytime soon, but this is where industry cooperation has the potential to make, and indeed to some extent has made, a positive impact on cybersecurity.
In fact, the Singapore Computer Society’s Cybersecurity Career Mentoring Programme, supported by Singapore’s Cyber Security Agency (CSA) and in its 3rd year running, is one great example of industry cooperation between private, public and not-for-profit organisations. In this programme organised by a not-for-profit organisation, cybersecurity professionals from various industries, including the Government and private sector, are regularly invited to share their professional journeys and mentor both tertiary students and mid-career IT professionals who are interested in cybersecurity as a career.
The modern CISO is now more than just a technical leader. As C-level executives, CISOs must not only possess strong technical knowledge of cybersecurity, but also develop a business mindset, effective communication skills, and strong management and leadership qualities.