“Making Cyber Resilience the New Boardroom Priority”
Ladies and gentlemen,
1. Welcome to the CXO Plenary 2019.
2. The CXO Plenary is an exclusive platform where C-Suite level executives are brought together to network, share, and exchange views on the key strategic developments in cybersecurity.
3. The theme that we have chosen this year - “Cyber Resilience: The New Boardroom Priority” - is especially pertinent to corporate leaders like yourselves, who play a critical role in guiding your respective organisations in adopting a strong and holistic cybersecurity posture. This is an important journey that requires key decisions and trade-offs to be made at the highest level of your organisations.
The Destructive Impact of Cyber Attacks
4. The Fourth Industrial Revolution (or Industry 4.0) is set to bring about significant transformation to the way we live, work and play. Industry 4.0 is a convergence of advances in a number of technological areas – such as artificial intelligence and machine learning, the Internet of Things (IoT), robotics, 3D printing, and quantum computing, to name a few. This has sometimes given rise to a blurring of boundaries between the physical, digital and biological worlds. We have already started to experience the transformative impact of Industry 4.0, but the pace of change is set to accelerate even further with the advent of 5G – which promises to connect everything from autonomous vehicles to rice cookers. But what does this mean for cybersecurity?
5. As business operations become increasingly reliant on networked systems, the attack surface area for cyber criminals, and frequency of cybersecurity incidents will also increase. Today, we already see real world consequences of cyber-attacks. Just slightly over two months ago, parts of Johannesburg were plunged into darkness after the city-owned utilities company - City Power - was hit by an unknown ransomware variant. The cyber-attack encrypted City Power’s network, databases, and applications, leaving some of Johannesburg’s residents and businesses without power.
6. As we enter the Industry 4.0 era of hyper-connected devices, cybersecurity incidents will likely have increasingly severe physical consequences – consider a world where autonomous vehicles, medical IoT devices, and industrial IoT systems are the norm. I am sure you can appreciate how these cyber-physical systems, if compromised, can possibly lead to real-world consequences or even loss of lives.
7. Even today, the economic case for cybersecurity is compelling. The NotPetya ransomware attack in 2017 caused more than US$10 billion in corporate losses. The combined losses at Merck, Maersk and FedEx alone exceeded US$1 billion. Disruption caused by ransomware can also have indirect costs beyond mere dollars and cents. The reputation of your company, consumer confidence, or the brand value of your business can also be affected. All these are very good reasons for us to take cybersecurity very seriously.
The Singapore Context
8. Singapore is currently on its journey to become a Smart Nation. To complement our Smart Nation initiatives, cybersecurity needs to be recognised as a key enabler that is fundamental to fostering trust in the digital technologies that we adopt.
9. Against this backdrop, the Cyber Security Agency (or CSA) was established four and a half years ago with the objective of strengthening our national cybersecurity capabilities. With the passing of the Cybersecurity Act last year, owners of Critical Information Infrastructure (CII) are now legally obliged to put in place mandatory cybersecurity measures and to conduct regular risk assessments and security audits on their critical systems.
10. However, cybersecurity is not, and cannot be, solely the responsibility of governments and a small number of CII owners. I would like to suggest that there needs to be a new corporate culture – one that recognises the need for cyber risks to be treated as an essential corporate duty, akin to how companies today have a responsibility to identify and mitigate potential harm from the use of their products and services. I would like to spend the rest of my speech outlining some ways that you, as business leaders, can drive this mindset change within the respective organisations you lead.
Cybersecurity as a C-Suite Responsibility
11. First and foremost, cybersecurity needs to be recognised as a Boardroom and C-suite responsibility. It is not merely a technical issue that can be relegated to the IT team to deal with in the back room. Rather, it is a strategic business risk that requires careful deliberation in the Boardroom, where decisions on the trade-offs between business operations, cost, and security are made. Board members, CEOs, and CISOs thus have the individual and collective responsibility to safeguard public trust and confidence in the digital technologies that their organisations adopt.
12. According to a Microsoft Asia and Frost & Sullivan Security Study, the financial loss due to cybersecurity incidents in the Asia Pacific region alone was estimated to be as high as US$1.7 trillion in 2017. This is more than 7% of the region’s GDP. In a separate survey conducted by Deloitte last year, it was found that financial institutions typically spend between 6 and 14% of their IT budget on cybersecurity. This translates to a range of around 0.2 to 0.9% of the company revenue.
13. It might be useful to ask yourselves: how much of your organisation’s revenue, or how much of your total IT budget, are you spending on cybersecurity to stave off this risk? There isn’t a single figure that is the “correct” level of cybersecurity spending for all businesses, as your organisation’s exposure to cyber threats would largely depend on the nature of your business. But in my view, it is worth asking how much your organisation is spending on cybersecurity vis-à-vis the risk profile of your business.
14. As corporate leaders, some of you may be grappling with the issue of engaging your Board effectively in the area of cybersecurity. This is not a new issue, but nonetheless one that deserves more attention. In fact, in some countries, lawmakers have been considering making it mandatory for cybersecurity experts to be on the Boards of publicly listed companies. While there is no consensus on whether this needs to be mandated by law, it is nonetheless important for Board members to be informed and involved in the management of cyber risks.
15. According to a 2018 Public Company Governance Survey conducted by the United States’ National Association of Corporate Directors (NACD), only slightly more than half of the Board Directors interviewed were confident that they understand cyber risks sufficiently to provide effective cyber-risk oversight. To address this, organisations could start by providing your Board members with a fuller understanding of the nature and legal implications of cyber risks faced by your organisation, which could help in facilitating a Board discussion on the issue. Boards could also be provided with sufficient access to cybersecurity expertise both internally and externally, such as access to cybersecurity briefings from independent third-party experts.
16. Lastly, discussions about cyber-risk management should be allocated adequate focus and time during board meetings, with relevant key metrics provided to the Board. These broad principles would help the Board to make better decisions about the organisation’s alignment of business and security objectives, overall risk management (including cyber risks), and response to cyber incidents.
Building Cyber Resiliency
17. The second step towards transforming your corporate culture into one that treats cyber risks as an essential corporate duty is to recognise that there is no such thing as absolute, or “100% cybersecurity”. As cyber-attacks become more prevalent and complex to defend against, it is a matter of when, not if, our systems are breached. The SingHealth cyber-attack that took place last year is a stark reminder of the skilled and sophisticated cyber attackers out there: attackers who are well-resourced, persistent, stealthy, and cunning. To prepare for this, organisations need to go beyond the traditional concept of cyber protection, to placing more emphasis on cyber resiliency, which focuses on detecting cyber-attacks early, and responding to and recovering from them quickly.
18. Cyber resilience represents a more sustainable, adaptive, and holistic approach to cybersecurity. To be effective, this effort must be focused on three areas: technology, processes and people.
19. First, technology. CSA advocates that organisations adopt a “defence-in-depth” approach. This is a strategy that utilises a combination of technologies and security tools to protect critical data and block threats before they can reach their end goal. Organisations should implement the appropriate technology to not only prevent, but also detect and respond to cyber-attacks. These include stronger encryption for data; heightened monitoring of database activity; and an integrated system to rapidly isolate and contain infected systems. Privileged access to your organisation’s “crown jewels” should be restricted to a tightly-controlled group of people, with additional safeguards in place to trigger alarms when abnormal activities are attempted.
20. Second, processes. As mentioned earlier, cybersecurity is not just a technical issue, but a risk management issue that requires balancing between operations, cost, and security. It is an issue that requires deliberation at the right level of the organisation’s hierarchy – by leaders who have a good grasp of the operational and business imperatives, as well as the accountability to make executive decisions involving these trade-offs.
21. To set a proactive and top-down culture of cybersecurity, organisations could start by reviewing their organisational and reporting structures, to ensure that cybersecurity issues are flagged to the appropriate level within the leadership team. Organisations should also review whether their high-level cybersecurity policies and resource-allocation decisions are surfaced to the Board, to ensure that cybersecurity functions are executed with sufficient oversight.
22. Besides structural changes, organisations should also ensure that the right procedures are in place in the event of a cyber-attack, such as incident response, crisis communication, and business continuity plans. These plans must delineate clear roles, responsibilities and actions; and should be exercised regularly to test their effectiveness.
23. Third, and perhaps most importantly, is people. Front-end users are often the weakest link in cybersecurity. Even with the most advanced technologies, human error and complacency, combined with increasingly sophisticated social engineering techniques, are key reasons why many cyber-attacks are successful. Corporate leaders should therefore seek to develop a culture of good cyber hygiene throughout the organisation. Simple measures, such as using strong passwords, patching software regularly, and learning to spot signs of phishing, will greatly improve the level of cybersecurity in an organisation. Employees need to be equipped with a basic awareness of cyber threats, and empowered to be the first line of defence against cyber adversaries.
Ensuring a Robust Manpower Pipeline
24. To support our businesses in the journey to enhance the cybersecurity of their computer systems and networks, CSA remains committed to working with our industry partners to build a professional cyber workforce with deep competencies. To this end, we launched the “Cyber Security Associates and Technologist Programme” in 2015 to up-skill fresh ICT graduates and mid-career technologists by equipping them with practical, in-demand cyber skills. In addition, to make sure that we will have a robust cyber talent pipeline, CSA has also launched initiatives such as the “Youth Cyber Exploration Programme” (or YCEP), which is designed to attract youths to consider cybersecurity as a career option from an early age. I am happy to share that the level of interest in this programme from our students has been highly encouraging.
25. In closing, the increasingly digitalised and hyper-connected world presents governments, businesses and individuals with vast opportunities. But that also means that cybersecurity will become increasingly important; without it, our Smart Nation and digitalisation efforts would be impacted. I would therefore urge all the corporate leaders gathered here to embrace a new corporate culture that appreciates and treats cyber risk as an essential corporate duty. To drive this shift in mindset, organisations should recognise cybersecurity as a Boardroom and C-Suite responsibility. Organisations should also recognise the inevitability of cyber-attacks, and take a more holistic approach towards cybersecurity by adopting the concept of cyber resiliency.
26. I hope that these points will serve as a useful backdrop for a fruitful panel discussion later.
27. Thank you.