Cybersecurity is a leading priority for CIOs in Singapore, as businesses grapple with protecting the enterprise while innovating at speed.

But where should security priorities lie? In educating the workforce to reduce risk, or in bolstering defences with the latest technologies?

Toward pervasive and continuous security

Purushothama Shenoy (Puru), CTO of IBM Singapore, believes the greatest security challenges affecting enterprise businesses include the ability to optimise on intelligence, speed and accuracy in relation to prevention, detection and response. This is in part because increasing compliance mandates make cybersecurity even more complex, but also because good security talent is scarce.

He advises C-level executives to establish “pervasive and continuous security” procedures, alongside leveraging artificial intelligence to improve detection and response capabilities and simplifying the user experience to enhance security controls.

“Security leaders must consider cognitive technologies to augment the skills and resource availability issues,” said Puru. “Now is the time to move towards frictionless and password-less authentication technologies to simplify user experience, as well as managing data and encryption consistently through hybrid cloud transformation.”

Weak spots

In assessing the security posture of an enterprise organisation, Chin Kiat Chim (CK), global CISO of Dyson, notes that traditionally the focus of network security has been on prevention, through the deployment of firewalls and anti-virus software, for example.

“The process was similar to setting up a frontier with the aim of stopping bad guys outside of the perimeter infiltrating the internal network and stealing the crown jewels,” says CK, who joined Dyson in July 2019. “Most of these technologies are designed to prevent cyber threats based on known patterns and signatures.”

However, unlike most physical targets, which are stationary, digital targets are “wily and dynamic,” CK says. They stealthily take advantage of poor cyber hygiene and human errors to infiltrate a whole network, infect computers and even steal confidential data.

As malware becomes more sophisticated and distributed across the world, traditional security approaches deployed by enterprise organisations are becoming less effective, CK says.

Matthias Yeo, president of the ISC2 Singapore Chapter, argues that employee negligence is not always the factor that leads to weak spots in enterprise security.

“Many sophisticated attacks do not necessarily link to a human mistake, such as phishing,” he cautioned. “The main weak spot in my opinion is the ability to understand what has gone wrong, or what is needed to be fixed. That means visibility into an enterprise network.”

“Technology should not fail in this day and age. While we talk a lot about business continuity plans that focus on fall-backs in case of a technology failure, it should remain as a last resort.”

Evolving cyber threats

Evan Dumas, regional director of Southeast Asia at Check Point Software, thinks that today the market is experiencing a “fifth generation” of cyber attacks — attacks that are proving more “evasive, targeted and dangerous” for Singaporean organisations.

“Security deployed by businesses is at a very concerning inflection point because most infrastructures are only at the second or third generation of security,” he says. “Simply put, business security is lagging behind and ill-equipped to protect against the level of attacks being launched today. This is an alarming problem that must first be recognised and then resolved.”

These attacks are multi-dimensional, multi-vector and polymorphic, and Dumas says that IT operations today require an innovative and holistic approach to assessing and designing their security, toward an integrated and unified security infrastructure that prevents attacks in real time.

This approach renders irrelevant the traditional check-box method of building a security infrastructure, where a specific security technology is deployed to defend against a specific type of attack or to protect a specific type of application.

Multi-layered approach

CK explains that enterprise security depends on multiple layers of defence to ensure adequate protection. These layers consist of identifying, preventing, detecting, responding and recovering.

CK advises organisations to avoid spending too much money or effort on any single layer and instead to spread the focus into detection and response, so that attacks can be dealt with quickly and the damage minimised.

“It’s also important to not forget business continuity management, which is crucial in ensuring that during the worst-case situation, mission-critical business processes are still up and running even when the organisation is in the middle of a cyber attack,” he says.

Echoing CK’s observations, Yeo notes that the security posture of an organisation continues to be “constantly challenged” on a daily basis, due to the emergence of new technologies and new business models.

Organisations can quickly become overwhelmed by the deployment of multiple security solutions. In order to be effective, Yeo says, security tools must align with the organisation’s behaviour and culture.

Speaking as a global security leader, CK acknowledges that the industry today is “crammed with too many security vendors and products,” with most failing to address organisations' pain points.

“There are too many overlaps in terms of solutions and features,” he says. “Buying individual products from these vendors without knowing how to integrate them effectively does not help an organisation enhance cyber defence capabilities.”

CK also warns that an increase in technology investment “does not always guarantee” increased protection. Frequently, organisations will buy individual solutions to tick the regulatory compliance box, but without a strategy to optimise their use.

“Cyber security is not just about compliance, but more importantly, the ‘defence’ capability to secure an organisation from a cyber attack. Technology investment alone is not enough; the process and people also play a key part in bolstering the overall security posture of a business.”

Easy targets

In switching the cyber conversation to users, Viktor Pozgay, former CISO of financial software company Avaloq, cautions that “it is easy to blame” humans as the weakest link or least secure aspect of an enterprise, but that is not always the correct assumption to make.

“Leaders in charge of information security have to realise that a) humans are never going to be perfect and that people will make mistakes; and b) the human aspect is much wider than a person clicking on a malicious link,” he says.

Pozgay thinks that good leaders manage risks by achieving a balance between people, processes, technology and investments.

Specific to the human element of security, the former CISO said best practice extends to the skills required to implement and manage technology and processes, as well as the culture of the organisation and its ability to “push through” objectives related to security. CISOs can have the best security strategies and plans, but those will go nowhere if they are not able to persuade stakeholders and business leaders.

Pozgay believes that security awareness and education must be “tailored, more interactive and practiced” at all levels of the company.

“You need a mix of senior leader briefings, team- and context-specific security awareness and practicing through interactive and realistic scenarios – from phishing to an incident response exercise,” he says. “Most importantly, security awareness requires leadership across the board — senior managers and leaders in the company need to step up and help communicate the importance of security and risk awareness.”

Culture change at the core

Despite accepting that both technology and human elements have flaws, Carolyn Chin-Parry (who was recently named Woman of the Year at the Women in IT Asia Awards) argues that humans are more challenging to manage and control from a security perspective.

This is partly because employees have different levels of maturity when it comes to security. Protecting the organisation shouldn’t be just the IT department’s job but a common effort from all employees, yet Chin-Parry acknowledges that mindsets and attitudes are “sometimes difficult to change.”

“Training programmes may increase awareness, but it needs to lead to improved behaviours and workplace practices,” she says. “Cultural change needs to occur where cyber risk is regularly considered, and employees feel ‘safe’ to check in with IT whenever something looks potentially dangerous.”

To achieve this, Chin-Parry says that organisations need to set up processes and praise those employees who take steps to protect the business, without the fear of being chastised if it turns out to be a false alarm.

Steven Sim, vice president of ISACA, an international professional association focused on IT governance, says that despite arguments on both sides, the human element continues to be the least secure and least controlled aspect of enterprise security.

“If we look at most of the breaches out there, they almost always begin with a phishing attack for the very reason that humans are the weakest link in the entire cyber kill chain,” he says. “The majority of cloud hosting breaches were also due to misconfigurations which could have been easily prevented if due care was exercised. Shadow IT is also a sticky problem because you cannot control what you don't know.”

Back-door access

Attackers are increasingly targeting individual users to gain access to the network. Pozgay notes that a great number of incidents start with a user visiting a malicious website or opening an infected attachment.

“What we see in terms of trends is that the sophistication and targeting of specific users is increasing – think phishing emails that are more tailored to a specific person or function, more relevant to the context of the targeted user,” Pozgay says.

But Pozgay says there is “no silver bullet answer” for how much security control a business can exert without compromising user privacy.

The level of control will depend on the laws and regulations under which the company operates, as well as the nature of the business – and those controls should be aimed at protecting and safeguarding the employees.

As guiding principles, he adds, controls should be commensurate with the risks or exposures that a company faces and, in general, they should come with disclosure to employees.

Within the boundaries of employment, Sim says a company's acceptable use policies could include having employees' activities monitored. Furthermore, behavioural analytics can be used to detect anomalies without revealing sensitive private details.

Ultimately, as the threat landscape becomes more sophisticated, more emphasis will need to be put on the detection, response and recovery phases, Sim says, since it is not a matter of if an incident will occur but when.