#WorkinginCSA: Building Cyber Resilience Across Singapore's Critical Infrastructure

1. Tell us more about your team’s work and your role as a Deputy Director.

CII Division’s last working day at MND Building Annex A.

One of many team lunches.

CSA Anniversary Dinner 2025.

A key pillar of Singapore’s Cybersecurity Strategy is “Building Resilient Infrastructure.” My department, Critical Information Infrastructure (CII) Division works on executing this. As Deputy Director, I lead a specialised team of Governance, Risk and Compliance officers responsible for enhancing and overseeing cybersecurity resilience across Singapore's CII sectors.

My role encompasses both strategic oversight and operational coordination to ensure our CII remains robust against evolving cyber threats. One thing I've learnt is that we can't just impose regulations and walk away. Each sector has its own operational realities and constraints, so we collaborate closely with them to find solutions that make sense for their specific context.

Most of my time is spent in meetings with CII owners, discussing where they have compliance gaps and how we can help them build better capabilities. These aren't just tick-the-box exercises. We're usually problem-solving together on challenges they're facing. I spend quite a bit of time reviewing and updating our guidance documents too. The threat landscape changes constantly, so our frameworks need to evolve with it. Recently, I've been collaborating with stakeholders on digitalising our oversight processes and exploring how AI might help us do better supervision and monitoring.

2. What inspired you to become interested in cybersecurity/ pursue a career in this field?

What sparked my interest in pursuing a career in cybersecurity was the opportunity from my previous workplace in switching to a Governance, Risk and Compliance Role where I saw firsthand how security policies translate into real-world operations.

Working in those critical sectors also showed me how much we all depend on these systems running smoothly. When I was in the transport sector, any system downtime could affect thousands of commuters. In energy, the stakes were even higher, where our systems meant whether we could keep “the lights on”. I started thinking more about the bigger picture, not just building systems but protecting them so they can keep serving people reliably.

The move to CSA felt like a natural next step, bringing what I'd learned on the operational side to help strengthen Singapore's overall cyber resilience.

3. What are some projects you’ve worked on in CSA that you found particularly interesting and/or challenging?

Industry partnerships are key to a healthy CII ecosystem

SICW 2019 VIP Invitations Team after a successful Ministerial Lunch

Two projects stand out as particularly ineresting and challenging during my time at CSA:

Cybersecurity Code of Practice for Critical Information Infrastructure (First Edition)

This project was especially meaningful as we were developing Singapore's inaugural cybersecurity code of practice for CII from scratch in 2017, with no local precedent to reference, we were charting entirely new regulatory territory. The complexity lay in coordinating with multiple stakeholders across different sectors. Sectoral partners with unique operational requirements, private sector organisations who would implement these practices, and government policy stakeholders, each bringing different perspectives and technical requirements. We navigated this through structured consultation sessions and a phased approach that allowed for iterative feedback, ensuring the final framework.

VIP Invitations Officer-in-Charge (OIC) for Singapore International Cyber Week 2019

Serving as the OIC for VIP invitations at SICW 2019 was a different but equally engaging challenge. This role required meticulous coordination of both overseas and local VIP invitations, as well as organising the ministerial lunch component of the event. What made this particularly interesting was the diplomatic sensitivity involved in managing high-level stakeholders from various countries and organisations, each with specific protocol requirements and expectations. The challenge was ensuring the high standards expected for such a prestigious international event. To manage this, I developed tracking systems for invitation responses, established clear VIP liaison protocols, and worked closely with protocol officers to ensure all diplomatic courtesies were observed.

Both experiences enhanced my ability to work effectively with diverse stakeholders and manage projects with significant national importance and visibility.

4. Tell us something about your job that not many people know about.

Most people think Governance, Risk and Compliance (GRC) work is just paperwork, but it requires technical skills. When people hear about GRC, they picture someone writing policies all day. In reality, effective cybersecurity policies can't be developed without understanding how the technology works.

When a new vulnerability emerges, GRC professionals need to quickly assess what it means, which organisations are at risk, and what actions to recommend which requires reading technical reports and understanding how systems connect. The core challenge is translation. Taking something like multi-factor authentication, for instance, it's not enough to simply mandate "implement MFA." The role requires understanding different MFA types, how they integrate with existing systems, and the trade-offs involved — then communicating that clearly to business leaders who need plain English to make decisions.

People are often surprised to learn that GRC professionals can explain how cyberattacks work or discuss system architectures. The expectation is that compliance work involves only rules and regulations, but it's quite technical. The role involves translating technical risks into practical guidance that organisations can implement.

5. How do you unwind from work?

Outside of work, I enjoy tinkering with rapid application prototypes using AI coding tools, experimenting with low-code platforms, and setting up agentic AI automation for everyday tasks like managing emails or summarising content.

This hobby work feeds back into my day job. When I'm wrestling with getting a prototype to behave properly or figuring out why an AI agent isn't doing what I want, I'm experiencing the same frustrations and breakthroughs that our stakeholders go through in ensuring their systems function properly. It keeps my technical skills current, but more importantly, it gives me genuine empathy for how people think about and interact with technology.