#WorkinginCSA: Shaping Cloud Security Policies to Safeguard Singapore’s Digital Future

Outside of work, he enjoys traveling, air pistol shooting, and building up his home automation system.

1. Tell us more about your team’s work and your role as a Senior Assistant Director in CSA’s Cloud Cybersecurity Programme Office (CCPO).

Cloud Cybersecurity Programme Office (CCPO) serves as the central subject matter expert within the Cyber Security Agency of Singapore (CSA) for all matters related to cloud security governance, consultation and technologies. Our core mission is to secure Singapore's cloud-enabled digital economy. We do this by demystifying complex cloud security issues on public and private cloud platforms, promoting clear guidelines to manage security risks, engaging with industry experts to address emerging threats, and securing the deployment of critical national projects in the cloud.

My role is to help shape and evangelise the adoption of cloud security policies and industry best practices. This enables the Singapore Government, our Critical Information Infrastructure (CII), and the wider ecosystem to harness the power of the cloud securely, resiliently and confidently. A typical day is dynamic and involves a mix of strategic policy work, technical consultation and industry engagement. This could mean developing and refining national cloud security guidelines - such as the Cloud Security Companion Guides, which we co-developed with partners like major cloud providers and cloud security solution vendors, or providing security consultation for critical government systems and CIIs migrating to the cloud. It also involves collaborating with industry partners through forums and speaking engagements to understand emerging threats and share best practices.

My technical expertise is currently focused on translating policy into practical and scalable implementation for organisations moving into the cloud. My approach is pragmatic and risk-based – organisations should first get a feel of the cloud and understand how to secure it before taking bigger steps ahead, especially for highly sensitive systems.

2. What inspired you to become interested in Cloud Cybersecurity and pursue a career in this field?

My journey into cybersecurity evolved naturally from my background as a solution architect and my experience building one of Singapore's most critical pieces of digital infrastructure.

A key, formative period for me was my time at GovTech, where I was one of the architects for the National Digital Identity (NDI) platform - a strategic national project at the heart of Singapore's ‘Smart Nation’ ambition. Working on a mission-critical, cloud-native system like NDI gave me a profound, firsthand understanding of the immense responsibility involved in securing digital services at a national scale. We were leveraging a modern, cloud-native tech stack and an Infrastructure-as-Code (IaC) approach to build a resilient and secure platform from the ground up.

This experience at the forefront of the government's cloud migration was the primary catalyst for my shift into a dedicated cybersecurity role. I saw directly that the cloud is a double-edged sword. On one hand, it was a ‘vital backbone for government digital services’, enabling rapid improvements and new capabilities that were essential during the COVID-19 period. On the other hand, I saw the persistent and complex security challenges that came with it - the difficulties in maintaining full visibility of assets, the nuances of the shared responsibility model, and the trade-offs between speed and security.

It became clear to me that for Singapore's digital transformation to succeed, we needed more than just innovative services; we needed a robust, practical, and automatable security framework to underpin the entire effort. This motivated my transition from a ‘builder’ role at GovTech to a ‘guardian’ role at the CSA. I wanted to apply the practical lessons I had learned in the trenches - about what works and what doesn't when building secure systems at scale - to help shape the national policies that protect our entire digital ecosystem and enable all organisations to navigate their own cloud journeys safely.

3. What are some projects you’ve worked on in CSA that you found particularly interesting and/or challenging? What made them interesting, and how did you navigate the challenges?  

A significant and ongoing project that I find particularly interesting is our work with industry partners and government agencies to review and shape the next revision of Singapore's Multi-Tier Cloud Security (MTCS) standard. This isn't just a routine update; it's a critical initiative to ensure our national cloud security benchmark remains robust and relevant. MTCS is a tiered-based cloud security standard and is voluntary for any cloud service provider (CSP) in Singapore, making it a cornerstone of our private and public sector's digital foundation.

The core challenge is keeping a national standard ahead of the curve. To navigate this, the process is deeply collaborative but also evidence-based, and this is where our CSA Cloud Lab becomes a critical asset. The lab allows us to move beyond theoretical discussions by providing a secure, scalable platform to validate new security controls and simulate emerging threats in a controlled ‘sandbox’ environment.

Another project which I find very rewarding is helping organisations adopt the Cybersecurity Code of Practice (CCoP 2.0) under the Cybersecurity Act in Singapore. To provide clear, actionable guidance for cloud environments, my team have co-developed with GovTech the CCoP for Cloud, which defines the specific technical, security, and operational controls required on top of the existing CCoP 2.0. The challenge is always bridging the gap between regulatory requirements and the day-to-day reality for engineering teams. To address this, we are actively working with the major cloud service providers to co-develop the CCoP (Cloud) Companion Guide. 

This is where we champion the use of ‘Policy as Code’ (PaC) by moving it from theory to practice. We are currently co-prototyping the use of PaC to continuously monitor CII) systems for compliance with the CCoP in cloud

4. Tell us something about your job that not many people know about.

People often assume my role involves set policies in isolation, far removed from real-world implementation challenges. My approach to cloud security policy is deeply rooted in hands-on experience. As a former Senior Solution Architect at GovTech, I helped design and build the cloud-native infrastructure for the NDI platform - a strategic national project. This experience continues to shape how I approach my current role at CSA.

People often assume my work revolves around policy writing. In fact, I transform policies into actionable, scalable technical solutions. When I speak to the tech community, I help teams meet the requirements of national standards without slowing down innovation. It’s about making security an enabler, not a roadblock.

Here's another misconception – that we work alone. In reality, we constantly collaborate with industry partners and other government agencies. This isn't about ticking boxes; it's about a continuous, strategic effort to ensure our national standards evolve to address new threats and technologies, keeping Singapore's entire digital ecosystem secure and resilient.

5. Outside of work, do you have any hobbies and interests? How do you unwind from work?

Beyond work, I pursue diverse interests: international travel, competitive air pistol shooting, and home automation projects. These hobbies not only help me unwind but also enhance skills relevant to my cybersecurity career.

Air pistol shooting teaches precision and control - skills crucial in cybersecurity where a single oversight can compromise an entire system. Similarly, my home automation project serves as a personal sandbox, keeping me hands-on with emerging technologies and providing practical insight into the challenges organisations and engineers face.

International travel challenges me to navigate unfamiliar environments and plan for contingencies - much like in cybersecurity. Plus, these breaks help me return to work refreshed and focused.