#WorkinginCSA: Designing Cyber Exercises to Enhance Critical Information Infrastructure’s Readiness

08 Apr 2022


Meet Leon Teo, an officer with CSA's Joint Operations Readiness Division (JORD), as he shares more on his transition from a non-technical background to working in the cybersecurity industry, as well as on his work in designing, developing and executing cyber exercises.

1. What sparked your interest in cybersecurity?

My first experience with cybersecurity began back in the late 2000s as a teenager when my family’s computer was infected with a virus, which prevented me from playing computer games on it. Slowly searching through system files to delete malicious .dlls was an arduous task, but it introduced me to the damage that could be wrought on computers by malware. Shortly after, I began reading up about the first generation of malware, and this led to a gradual interest in the domain of cybersecurity. 

Though this interest was not pursued in later formal education, it remained an area of interest for me, one which re-emerged around the time I was graduating with a bachelor’s degree in Political Science. This also coincided with a period when cybersecurity issues were becoming increasingly prominent in a digitalising world. Re-encountering cybersecurity in a university module I took also helped with connecting me back to the domain and assisting my entry into the industry.

2. What do you do at work? Can you share more on your involvement in Exercise Cyber Star?

Most would be familiar with the fire drills that schools conduct on a yearly basis, where a fire is simulated at some part of the building, and students are led by teachers in accordance with the fire evacuation route. Doing such drills on a regular basis helps familiarise all with procedures to be followed and gives them a baseline level of training. This also allows for identification of potential hazards to be removed, such as structures which could hamper a timely evacuation, before they are encountered during an actual emergency.

Cyber exercises are similar in nature and purpose: we simulate situations in which people and systems are put under stress, observe how participants respond, and suggest areas for improvement afterwards. My work is thus focused on the design, development, and execution of such exercises, with a focus on raising the cybersecurity readiness of Critical Information Infrastructure (CII) sectors in Singapore.

In these exercises, CSA invites participants from both public and private sectors and conducts the exercise at both sectoral and national levels. Realistic and relevant scenarios are developed through closely working with our stakeholders, and these scenarios are then responded to by the exercise participants. Through this, participants’ response plans are validated, and they are better able to understand their capabilities to mount effective strategies against cyber-attacks.

For the recently concluded Exercise Cyber Star, I was involved as a “full-cycle planner”, from the exercise’s conceptualisation to its conduct and reporting. Planning and designing began in late 2020, and development took place up till the exercise was conducted in late 2021 and early 2022. Coordinating with multiple stakeholders from the sectors, aligning the exercise scenarios to a broader overarching narrative, and participating in the operational component’s conduct was an eye-opening experience, but one which was a privilege to experience first-hand.

A typical day at work for me involves managing and working on projects of different timescales. Between planning how limited resources can be put towards achieving different goals, I also spend time actively working to bring these projects to fruition. Two examples of the tasks involved are as follows:

Keeping up to date with cyber incidents. It is difficult to plan high-quality cyber exercises without understanding recent cyber incidents and upcoming trends. Some time is thus spent updating myself on such topics in order to ensure the realism of the scenarios and exercises.

Participant management. Through taking time to understand the present and expected capabilities of the participants of a cyber exercise, I am able to better frame their exercise and ensure its utility for these participants. This process frequently involves close communication with potential and confirmed participants over an extended period of time, and yields rich results if handled properly. In turn, this also helps the participants understand their responsibilities before, during, and after the exercise, such as making an effort to remedy identified areas for improvement after the exercise has concluded.

3. Tell us something interesting about your job that not many people know about.

Exercise planning on such a macro scale allows us to raise awareness of potential issues to senior management, on a multi-organisational or even national level, before they occur. A skilled cyber defender can identify areas for improvement in their tactical or operational work processes, while an experienced Chief Information Security Officer (CISO) may be able to influence cyber practices for the entire organisation. However, it is through exercises conducted across multiple organisations that cross-cutting issues on a national scale can be identified. These issues or areas of improvement can then be raised to senior management for their consideration and potential remedy, thereby allowing changes to be enacted before a crisis occurs.

4. What advice do you have for those with a non-STEM or non-cybersecurity background but are interested in this industry?

In most cases, skill or expertise can be taught, but not interest. This role is among several in the industry where being conversant in cybersecurity knowledge is helpful, but not as important as the non-technical skills. Some examples include juggling differing interests by various stakeholders, or being able to weave competing visions of what an exercise should be focused on into a coherent and compelling narrative.

Having come from a non-STEM and non-cybersecurity background, I recommend that others looking to enter this industry come with an open mind and good attitude for learning. In cultivating this interest and inquisitive spirit of learning, you may find yourselves pleasantly surprised at what you can achieve with a self-directed mindset and taking charge of your own learning goals and development.  

The learning curve can be steep at the beginning as one would need to go for cybersecurity courses in order to develop a basic working knowledge of the domain. Some work also goes into keeping up with these courses on a yearly basis, in order to ensure one’s knowledge is up to date. 

Remembering the original interest which drew you into this industry will help when the going gets tough, such as when you have to juggle working during the day with studying at night. Good time management and forward planning to balance work with studies were personally invaluable in my experience. Studying skills developed during university would also be helpful as one applies these familiar skills to a new domain of knowledge. 

Fortunately, these courses are only seasonal in nature, and as one becomes more familiar with the cybersecurity domain over time, more parts will fall into place. Your colleagues can also be helpful, as many come from different backgrounds within the industry (such as incident response, threat monitoring, auditing, and so on), and are usually more than happy to share their experiences. Beyond benefitting one’s knowledge of the domain, learning from them may prove to be fascinating.

With the accumulated knowledge and experience, it will become a little easier to do your work, and eventually, you would have successfully entered the industry despite the lack of a STEM or cybersecurity background.

5. What are three qualities that are important for someone in your role to have?

Patience would be the most important, as even the best laid plans can (and probably will) change over time due to unexpected circumstances. Being patient and understanding with yourself, your superiors and your colleagues will be of great aid when inevitable changes happen. By keeping in mind that these large initiatives are rarely designed and developed alone, you can also develop a better understanding of what teamwork means, both within your own division and with other divisions as well.

Perseverance is also an important quality to have for two reasons. The first reason is persevering in one’s mission and goal despite dynamic circumstances causing unexpected changes to one’s exercise planning. The second reason is related to the initial steep learning curve mentioned earlier, as there will be periods when work and studying for work-related courses coincide, and perseverance will be critical to making it through.

The final quality important for this role would be attention to detail, as many aspects of exercise planning present innumerable levels of detail which need to be worked out and communicated. As some details are more important than others, the lack of attention to these details would result in the diminishing or degrading of the quality of the exercise, thereby reducing its effectiveness and value for participants. Knowing what should be prioritised when (based on one’s personal experience, that of their colleagues, or the institution as a whole) will thus help in allocating the necessary resources to the appropriate goal.

All in all, a systematic mindset and a consciousness of what should be developed at which stage of planning and execution would be beneficial. Coupled with a flexible attitude capable of adapting to fluid and dynamic circumstances, one would be able to thrive in this role. Of course, this is not easy to achieve, but through working closely with your team and integrating what is learned over time, it can be developed and will serve you excellently in this role and the next.