#WorkinginCSA: Developing Technology Standards and De-risking Adoption of Emerging Tech

A Systems Engineer with CSA’s Cybersecurity Engineering Centre (CSEC), Syazwan Suhaimi is part of the Standards & Technology team, where his team works to de-risk the adoption of emerging technologies. He  works with stakeholders to ensure a more seamless adoption process, by anticipating digital risks, driving technology exploration and development, and establishing standards.

1. You’ve been with CSA since 2019, first as an intern, and then joining as a full-time staff in 2020. Can you share what that transition was like, and what has kept you with CSA?

My journey with CSA has been fulfilling and enriching, transiting from a fresh intern to a dedicated full-time staff member. Having graduated from Singapore Institute of Technology (SIT) with a specialisation in Information Security, the transition to a full-time role felt like a natural progression. My internship involved the development of a dashboard that provides an overview of funded cybersecurity R&D projects, earning recognition through the Ministry of Communication and Information's IDEA award in 2020. The dashboard has given me the ability to synthesise disparate information sources and present insights in a manner that is simple to understand. In addition, I also got the experience of going through the process of threat risk assessment and penetration testing for the dashboard that I developed myself.

While in my full-time role, I discovered a passion for DLT (Distributed Ledger Technology) and blockchain security. Continuous growth, support, and encouragement from colleagues and mentors have been key factors keeping me engaged in my CSA journey.

2. Can you explain more about standards and why are they an important part of CSEC’s work?

Standards in technology are guidelines that ensure consistency and compatibility among products and systems, aiming for a common baseline cybersecurity level and interoperability.

As part of the Standards & Technology team in CSEC, we proactively anticipate digital risks arising from emerging technologies, such quantum, autonomous vehicles and blockchain. By developing standards and guidelines on local and international fronts, we seek to de-risk adoption, enhance cybersecurity posture, and improve risk management across the ecosystem. As not all risks can be eliminated, a strong baseline of controls and response measures can improve the ecosystem’s cyber hygiene and response to cyber incidents. If we can drive standards upfront, we can protect our digital way of life, power the digital economy and enhance national security.

Standards also play an important role in the international front by eliminating duplicative testing and facilitating market access. The Standards and Technology team in CSEC leads the development of an international standard, ISO/IEC 27404, a Cybersecurity Labelling Framework for consumer IoT that provides strategic guidance for the development of cybersecurity labelling schemes. By providing cybersecurity requirements based on existing standards as a starting point to facilitate mutual recognition among countries, ISO/IEC 27404 can expedite the mutual recognition process as developing mutual recognition agreements between countries can take significant time and resources for both sides.

3. What has been your favourite project to work on during your time at CSA, and why?

Engaging in initiatives beyond emerging technologies and CSA’s dedication to fostering a safer internet ecosystem further solidified my commitment to the agency. I actively contributed to initiatives like fortifying email security, spearheading proof-of-concept (POC) efforts for DMARC (Domain-based Message Authentication, Reporting, and Conformance) implementation, and devising strategies to safeguard email communication from insidious phishing threats for the Whole-of-Government. Additionally, I have had the privilege to delve into mobile app security and contribute towards the development of CSA’s Safe App Standard by referencing industry standards and best practices.

4. What do you think are some challenges you face in your field of work, and how are you prepared to overcome them?

The cybersecurity threat landscape is rapidly evolving, and we need to close the gap and try to think a few steps ahead of threat actors. As cybersecurity is a team sport and no one has a complete view of what threats will emerge, we consult widely, engaging technical experts in academia, industry and technology research companies on their technology outlook and perspectives. My view is that fostering effective communication and collaboration within the industry is crucial for capability development.

5. Cybersecurity may come across quite technical and inaccessible to those who don’t work in this field. Have you ever had to explain your work to family and friends? How?

Most people think that cybersecurity is all about hacking, but it is more than that. Explaining cybersecurity to family and friends involves highlighting its diverse aspects including cybersecurity defence, secure by design, governance, risk and compliance, international cooperation, manpower, and industry development.

I also highlight the growing need for and importance of cybersecurity in emerging technology and share real-life use cases when explaining cybersecurity to them. For those who are less familiar with IT and cybersecurity, I often employ analogies relating to everyday experiences  to illustrate the significance of cybersecurity.