Present cybersecurity as a competitive advantage fostering customer trust, advises BDO’s Cecil Su

From transforming cybersecurity into a business enabler to sharing recent research findings shaping the industry's future, Cecil Su provides a comprehensive perspective.

In the dynamic realm of technology, excellence isn't merely a benchmark—it's an ongoing pursuit that shapes the future. As businesses navigate the intricate landscape of cybersecurity, the role of technology becomes increasingly pivotal. To glean insights into the evolving facets of technology excellence, we turn to a seasoned professional, Cecil Su, Cybersecurity Director at BDO LLP.

Leading the Cyber Security & DFIR unit for BDO Advisory, Su is at the forefront of safeguarding critical information assets. With a focus on cybersecurity research and security testing, Su's expertise extends across diverse advisory roles, adversarial security testing, and threat intelligence projects. His commitment to elevating cybersecurity standards is reflected in his contributions to organisations like the Association of Information Security Professionals (AiSP) and his role as a Subject Matter Expert for WorldSkills Singapore for Cybersecurity.

Su's impact is not confined to the national stage; he has left an indelible mark as a contributor to the OWASP Testing Guides and co-lead of the OWASP Singapore Chapter. His multifaceted approach to cybersecurity positions him as a trusted advisor, propelling clients beyond compliance and corporate initiatives towards a robust cyber protection framework.

In this interview, Su shares his valuable perspectives on the technological landscape, encapsulating the challenges, opportunities, and ethical considerations that define the future of cybersecurity. From the essential skills future cybersecurity professionals should cultivate to the common vulnerabilities organisations must address, Su delves deep into the intricacies of the field.

What do you believe are the key skills and knowledge areas that future cybersecurity professionals should focus on, given the evolving threat landscape?

Personally, I believe that future cybersecurity professionals should prioritise skills in cloud security, understanding that data and applications are increasingly being migrated to cloud environments. They should be proficient in threat intelligence and incident response to quickly identify and mitigate breaches. Knowledge of regulatory environments and compliance standards is critical, as businesses must adhere to various data protection laws.

Familiarity with artificial intelligence (AI) and machine learning (ML) is equally essential, as these technologies are being used to both enhance security postures and develop sophisticated attack vectors. Cybersecurity professionals must also focus on developing strong analytical skills to continuously assess and improve security frameworks.

Finally, soft skills like communication and collaboration are invaluable, as cybersecurity is a cross-functional domain that requires interaction with various departments within an organisation.

What are some of the most common vulnerabilities or weaknesses you encounter during assessments? How can organisations proactively address these vulnerabilities to enhance their overall security posture?

Some of the most common vulnerabilities encountered during some field assessments include weak authentication mechanisms, such as the use of default or simple passwords, and insufficient network segmentation (which are low-hanging fruits if you think about it), which can allow lateral movement if a system is compromised. Outdated software and missing patches are also prevalent issues, leaving systems exposed to known exploits. Additionally, inadequate encryption practices, especially for data in transit and at rest, pose significant risks.

On the other end of the application security spectrum, deserialisation issues occur when user input is not properly sanitised or validated before being processed. Other field observations encountered are RCE (remote code execution) attacks, which are a type of security vulnerability that allows attackers to run arbitrary code on a target host.

Organisations can proactively address these vulnerabilities by implementing robust password policies and multi-factor authentication, ensuring regular updates and patch management processes are in place, and segmenting networks to restrict access to sensitive systems. They should also enforce encryption standards for sensitive data and conduct regular security training for employees to recognise and mitigate social engineering attacks. Regular vulnerability assessments and penetration testing can help identify and remediate weaknesses before they can be exploited.

Cybersecurity is often seen as a cost centre within organisations. How can cybersecurity leaders change this perception and make cybersecurity an enabler for business growth and digital transformation?

Cybersecurity leaders can change the perception of cybersecurity from a cost centre to a business enabler by framing it as a competitive advantage that can drive customer trust and facilitate safe digital transformation. They should communicate how robust cybersecurity measures enable organisations to confidently innovate and leverage new technologies. Demonstrating compliance with security standards can open doors to new markets and customer segments that prioritise data protection.

Additionally, leaders can highlight case studies where strong cybersecurity frameworks have accelerated mergers and acquisitions as well as third-party risk by ensuring due diligence. They can also showcase the potential cost savings from avoiding breaches, which often far exceed the investment in cybersecurity. Integrating cybersecurity strategies with business goals, such as enabling secure cloud adoption or IoT integration, can directly contribute to business agility and growth, further solidifying its role as a fundamental aspect of modern business operations.

With the growing adoption of AI and machine learning in cybersecurity, what ethical considerations and challenges do you foresee, and how should organisations navigate these issues whilst leveraging these technologies?

With the growing adoption of AI and machine learning in cybersecurity, ethical considerations and challenges centre around data privacy, bias, and accountability. Ensuring that AI systems are trained on diverse, unbiased data sets is critical to preventing the perpetuation of existing biases. Additionally, respecting user privacy when utilising large datasets for machine learning models is paramount.

Organisations must also address the potential for over-reliance on AI, maintaining human oversight to ensure accountability, particularly in the event of failures or breaches. Transparency in AI operations and decisions is essential to building trust amongst stakeholders.

Finally, there should be clear guidelines and frameworks in place for ethical AI use in cybersecurity, and organisations must stay informed about evolving regulations and ethical standards in this dynamic field. Navigating these issues requires a balanced approach that maximises the benefits of AI technologies whilst minimising potential risks and ethical concerns.

You mentioned your involvement in cybersecurity research. What are some key insights or findings from your recent research that have the potential to shape the future of cybersecurity practices or technologies?

As a cybersecurity enthusiast researching in the areas of cyber threat intelligence, key insights from recent research indicate that a multi-layered security approach is increasingly vital. Findings suggest that threats are becoming more sophisticated, utilising AI and machine learning to bypass traditional security measures. Research emphasises the importance of proactive threat hunting and the integration of behavioural analytics to detect anomalies that signify potential breaches.

Additionally, some of the studies highlight the growing need for collaboration between the private and public sectors to share threat intelligence. There is also a push towards developing quantum-resistant encryption methods, as quantum computing poses a future risk to current cryptography standards. These insights point towards a future where cybersecurity is adaptive, intelligence-driven, and collaborative, with an increased focus on emerging technologies to secure digital assets against evolving threats.

As a judge at the SBR Technology Excellence Awards, what criteria do you consider when assessing the excellence of technology projects?

When assessing the excellence of technology projects for an awards programme like the Singapore Business Review (SBR) Technology Excellence Awards, the criteria would typically include:

• Innovation: Evaluating how the technology project introduces new or significantly improved processes, products, or ideas.
• Impact: Considering the measurable benefits the technology has delivered, such as performance improvements, cost reductions, or revenue growth.
• Scalability: Assessing whether the technology can be effectively expanded or adapted to meet growing or changing demands.
• User Experience: Looking at how the technology enhances the user experience, including ease of use, design, and accessibility.
• Security: Examining the robustness of the technology's security measures and how it protects against potential threats.
  Sustainability: Considering the technology's environmental impact and how it promotes sustainable practices within the industry.

With these, I hope the criteria help determine not only the technological achievements of the project but also its broader contributions to business and society.