BDO Advisory’s Cecil Su talks about cybersecurity amidst the rise of e-commerce and fintech

Cecil Su shares his advice to firms on strengthening their cybersecurity as attacks become more sophisticated.

Cecil Su is the Director for Cyber Security at BDO Advisory, focusing on IT Security research and security testing, Advisory, IT Assurance and Digital Forensics. He also leads the firm’s DFIR unit. 

His specialisation in IT Security merits his involvement in security assurance services for clients across different industries. Cecil’s services have helped clients go beyond compliance, government regulations and corporate initiatives, resulting in the better cyber protection of their critical information assets. His current projects include leading engagement teams on diversified advisory, security testing and incident response projects across vertical industries. 

As a trusted IT advisor, Cecil has successfully managed wide-ranging initiatives in both the government and commercial sectors. Some of his affiliations include an ExCo membership for the Association of Information Security Professionals (AiSP), a Subject Matter Expert for WorldSkills Singapore for Cybersecurity, a contributor to the OWASP Testing Guides v3 and v4, and advisor for the Singapore Honeynet Chapter.

With an extensive career in IT, Cecil Su got himself a seat at the judges’ table in this year’s SBR Technology Excellence Awards, Cecil sat down with Singapore Business Review to talk about the evolving cybersecurity landscape and how organisations can better protect their digital assets.

Tell us a bit about your career path. What is your role as the Cyber Security & DFIR unit for BDO Advisory?

In the early part of my career, I started off in support and development roles in the hospitality industry. During then I spent a period of time in the front desk and back office helping to develop interfaces and integrating data for the hotel and F&B industry before I joined a firm that focused on middleware solutions for the financial services industry. This was where my interest in IT Security (now commonly known as Cybersecurity) came about and thereafter looked at how to build security controls and resilience into middleware solutions for the clients. 

From then on, I joined a local MSSP organisation that pioneered digital assets security monitoring and surveillance for both commercial and government-wide agencies. This was where I gradually built my information security skillsets, learned from my peers and started the information security certification tracks. From then on, I had been with different organisations from mid-tier, Big4 and specialist security firms. The journey had me involved in diverse information security projects from security testing, information assurance and governance as well as digital forensic and incident response all along assigned to different teams servicing vertical sectors of the industry and government entities. 

At BDO Cybersecurity, my primary role is to build the team in terms of technical capabilities as well as expand the portfolio of services throughout the years as we scale and increase our footprint and presence in the market. It is not easy for a mid-tier firm to do that but we are gradually getting there.  

Having achieved your accomplishments, what other goals do you have in your career?

The field of cybersecurity is ever-evolving and does not remain constant for long. With that, it is my passion and goal to see how I can contribute to the next generation of passionate cyber enthusiasts and entrepreneurs and those transiting into this domain. It would be nice to help in some small way to mentor and coach others who are willing to join the field and help them grow and achieve their dreams of getting into the profession and promoting the profession to those seeking to embark on more diverse cybersecurity skillsets. The general idea is to get the participants to “breaking bad” and “building safer and more secure systems”.

Two of the initiatives that I have been involved in in the past are being a judge in the annual Cybersecurity Awards organised by CSA and AiSP, and being an SME and judge for the WorldSkills Singapore Cybersecurity.

With the rise of fintech, e-commerce, and digital transformations, how can organisations implement tighter security measures to protect key information assets of businesses and consumers?

It is inevitable that with the rise of digital transformation and the increasing significance of fintech and e-commerce, the attack surface and the number of vulnerabilities continue to increase. The threat actors have become more sophisticated, advanced and even agile in their modus operandi. With that, it is imperative that organisations have the appropriate situational awareness of what is happening to their respective organisations as well as to the industry and global threat landscape as a whole. In order to do that, they would have to take stock and be able to baseline what digital assets and exposure the organisations encounter. From there, they would first need to work out that they have identified the existing gaps, allocated adequate security controls, if not alternative mitigation measures and have appropriate monitoring and surveillance in place (be this on their digital assets or organisation as a whole), 

The organisation also needs to understand that security needs continuous validation and this does not mean that today is secure, tomorrow may still be secure. It is not one-size-fits-all and each situation needs to be addressed in its own context, Threat actors are continually probing and finding ways to get into organisations. This is also probably why making sure that all basic cyber hygiene needs to be addressed upfront before well investing in greater security toolsets for the organisation.

What IT security trends in Asia Pacific, particularly in Singapore, do you foresee as emerging?

There are a number of IT security trends that are debated every year. Some of these trends do remain as trends and some may pick up whereas some may just wean off after a while. There have been a lot of buzzes and talk in the areas of AI/ML, 5G, robotics, and even quantum security. We may see more of these areas in the near future in such that many products may embed such technologies but at the same time maybe a two-pronged approach in that AI can be used for both good and evil in cybersecurity. Therefore it is imperative that AI and ethics play a part in the whole ecosystem in trying to address some of these issues and risks at hand.

Other more notable areas are in Zero Trust architecture and design, as well as more DevOps or DevSecOps shifting left. The zero trust model will likely address the persistent strict identity verification of the security aspects for assessment, control and recovery operations. For "shifting left" in security, this would mean the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle instead of just having security as only an afterthought when the application is already fully developed.

What skills can you recommend for the next generation of IT security professionals in Singapore? How can they be at par with the world’s best professionals?

Basic, foundational skills are still core necessities. This would mean domains like TCP/IP, networking, operating systems, and increasingly be able to develop at least in a scripting language (like Python Rust, Go) if not in actual development platforms like C/C#/C++.

Thereafter, in a nutshell (although not entirely exhaustive), everything else from here will consist of different specialities in the ADR approach. Essentially this means that the candidate can focus on either Attack(A), Detect (D) or Respond (R) or a combination of these three focus areas.

To protect today's enterprise, we need a broad understanding of attacker techniques and specialisation in modern technology stacks. An example could be the use of cyber ranges. Instead of "leading the witness" to the right answer with traditional exams or gamified training, a cyber range reflects the real-world approach to understanding preparedness. You have to know the particulars of the technologies, understand how the system works together, look for clues in error messages, make interlinking decisions, etc. As a result, you can accurately identify security stars but more importantly, baseline and reduce staff risk.

In short, in order to set up a candidate that may be able to be on par with many of the creme-de-la-creme, he or she must have the passion, curiosity, ethics, strategic thinking mentality, critical thinking skills and very importantly appropriate technical chops/skills.

As a judge in the SBR Technology Excellence Awards, what projects or innovations are you expecting to find amongst the entries? What are your criteria for judging?

Personally, I would like to see how the project sponsor differentiates business, market and technology that translates into winning value propositions. From there I would like to look at how the business model will provide defensible and scalable profit sources.

Also, I may think that it is important to note if the project candidate is able to develop and launch innovations quickly and effectively, and thus to win by creating and capitalising on external networks.

Finally, it would also be nice to know if the employees of the organisation are motivated, rewarded and organised to innovate repeatedly.