#WorkinginCSA: Managing Risk and Governance in Cutting-Edge Tech

Published on 28 Mar 2024

Tan Yourong is a Senior Consultant in CSA’s Chief Information Officer (CIO) Office. He is part of the Governance, Risk & Compliance team, which establishes and maintains policies and processes for decision-making, accountability, and control throughout the organisation. Outside of work, he is a busy dad of a newborn and strives to balance work and family commitments.

1. Tell us more about your team’s work and your role as a Senior Consultant in the Chief Information Officer (CIO) Office.  

We’re a dynamic team managing various tasks, like guiding digital transformation, optimising IT budgets and ensuring tight ICT security. As a part of the Governance, Risk & Compliance team, we provide guidance and advice to the different CSA divisions in areas such as ICT risks and governance. 

My work involves looking at risk assessments for CSA projects and providing recommendations on mitigating controls to lower or negate risks. For new projects, I provide inputs on technical specifications – this ensures the projects include solutions that will aid in complying with government standards. My work also involves advising my team on critical tech decisions like sourcing for technical solutions to help achieve organisational compliance. 

No two days are ever the same – they could range from diving deep into data to understand our internal systems’ behaviour so we can make better security recommendations, to engaging with ICT auditors. The thrill lies in finding creative solutions that bridge the gap between cutting-edge tech and real-world business impact.

At the CIO Office, we oversee multiple projects, some of which require consultation with or approval from a higher authority. As such, we try to see if we can run things in parallel, with each team member overseeing one track to speed things up – this makes us a well-coordinated team, as we have to work closely together. 

2. What inspired you to become interested in this field? 

I wanted to make a positive impact in the organisation that I am part of. I saw Governance, Risk & Compliance teams as the invisible foundation beneath thriving organisations, ensuring they operate with integrity and resilience. 

Moreover, the ever-evolving nature of the cybersecurity field, as well as the need to constantly adapt to new cyber threats, promised a career steeped in continuous learning and had the potential for me to make a real difference in safeguarding people and data. 

Because of this, I chose to deepen my understanding of cloud security as well as defensible security architecture. I’ve also had the opportunity during my time at CSA to pursue and obtain certifications such as the GIAC Public Cloud Security and GIAC Defensible Security Architecture.

3. What are some projects you’ve worked on in CSA that you found particularly interesting and/or challenging? What made them interesting, and how did you navigate the challenges? 

The biggest challenge when assessing the security posture of a system often lies in the complex interconnected nature of cloud servers and on-premises environments, where you need to untangle shared responsibility models, assess the security posture across diverse providers, as well as keep up with the evolving technology that the different service providers use.

Utilising our risk management framework and leveraging available tools to map dependencies and identify vulnerabilities becomes a thrilling chess match against potential security gaps. Ultimately, the reward comes in crafting a clear roadmap for CSA, helping us to achieve security compliance.

4. Have you had a mentor whose guidance helped shape your professional journey in CSA? Tell us more about it. 

I guess I am one of those lucky enough to have had good supervisors throughout my cybersecurity career. They guide me to think holistically and foster my habit of constant learning, and I am thankful for them.

5. Are you involved in any tech or cyber communities outside of work?  

I used to have an air gap network in my house to set up lab exercises for cybersecurity-related studies. Now they are in storage to make time for my newborn daughter, and I hope to deploy them again later, when she has grown up a bit more.