#WorkinginCSA: Building Secure Pipelines for Singapore's Digital Infrastructure

1. Tell us more about your team’s work and your role as a Senior Cybersecurity Consultant.

Lunch with my team from Chief Information Officer (CIO) Office.

The Operational Management Suite’s recognition at the 2025 MDDI IDEA Award.

As a Senior Cybersecurity Consultant in the CIO Office, my work sits at the intersection  of cybersecurity and operational agility. My focus spans secure pipeline engineering, process improvement, and enabling teams within CSA to adopt modern practices with confidence.

A core part of my role is designing and implementing secure automation for platform and application deployment and operations, including pipelines and infrastructure-as-code solutions that move software from development to production efficiently and securely. These pipelines embody a shift-left approach to security bycatching code flaws early in the development cycle, rather than after deployment.

On the operational side, my team and I built an Operational Management Suite. A consolidated dashboard that gives our operations team a unified view across project changes, incidents, and vulnerabilities.

My day-to-day toolkit centres on version control and CI/CD platforms, issue and change management systems, and the broader ecosystem of DevSecOps tooling. I stay current through continuous learning and hands-on experimentation, always with an eye on what's practical and what's worth adopting.

2. What inspired you to become interested in cybersecurity/ pursue a career in this field?

My path into cybersecurity was anything but a straight line and honestly, that makes it all the more interesting to tell.

I graduated right as COVID hit, which effectively closed the door on my original plan of becoming an air traffic controller. With airports shutting down and the future uncertain, I found myself at a crossroads. Around the same time, my younger brother was serving his National Service as a cyber NSF, and seeing what he was learning reignited my interest in cybersecurity.

As luck would have it, CSA had just launched a Cybersecurity Development Programme (CSDP). I applied, got in, and that was the beginning of a career I hadn't planned for but couldn't imagine trading away. Sometimes the career you end up in surprises you and I wouldn't have it any other way.

3. What are some projects you’ve worked on in CSA that you found particularly interesting and challenging?

Gartner IT Symposium Expo with the CIOO team.

One project that stands out for me is StackOps, a centralised monitoring solution for CSA's systems. The work involves adapting our existing CI/CD templates for the deployment of Infrastructure as Code on AWS and the real challenge has been making it both modular and secure at the same time.

Getting the IaC to be truly plug-and-play sounds straightforward in theory, but in practice, it required careful thought around how each component fits together without compromising security guardrails. There was a lot of deliberate trial and error, particularly when it came to piping GitLab logs over to AWS CloudWatch. Getting that flow right took several rounds of iteration before it behaved the way we needed it to.

The project is still very much a work in progress, which is part of what makes it exciting. The next step is to extend the log piping to Jira Service Management, bringing even more visibility into a single, consolidated view.

It's the kind of work where the goalposts keep moving, but in the best possible way.

4. Tell us something about your job that not many people know about.

Ask most people what cybersecurity looks like, and they will picture someone in a hoodie, furiously typing away in a dark room trying to break into systems. The reality, at least for me, is quite different. I work on the blue team, which means my focus is on defence, building secure systems, monitoring for threats, and making sure things don't break in the first place.

The funniest misconception is that friends and family assume I can solve every IT problem. More often than not, conversations end with me asking "Have you tried turning it off and on again?" to which they sheepishly admit they haven't. When that works, they conclude that my job must be easy.

If only they knew.

There's a quiet complexity to what we do that rarely gets the Hollywood treatment, and honestly, I’m perfectly fine with that. The best days in cybersecurity are the ones where nothing dramatic happens at all.

5. Outside of work, do you have any hobbies and interests? How do you unwind from work?

Skydiving Trip

Diving Trip

Outside of work, I like to be active. I'm part of a recreational handball club called 'Willows', participating in both local and overseas competitions. There's something about the team dynamic in handball that I genuinely enjoy, the coordination, the communication, the shared push towards a common goal. It's not so different from how good teamwork functions in a professional setting, just with a lot more running involved.

When I'm not on the court, I try to squeeze in a snowboarding trip and a diving trip each year, though I'll be honest, once a year never quite feels like enough. Both are very much on the wishlist to do more of.

In a way, staying active outside of work keeps me grounded. The problem-solving mindset that comes with picking up a physical skill, whether it's reading the slope or managing your buoyancy underwater, translates surprisingly well to navigating the kind of challenges that come up at work.