For example, when organisations place too much confidence in perimeter defences like firewalls, important precautions like encrypting private or sensitive data risk being viewed as unnecessary. "Although the tools are cheap and readily available, people have this mistaken notion that when you encrypt information, you can lose it, like if somebody forgets a password or leaves the organisation. But there are many ways in which encryption keys can be safeguarded and recovered, especially in a large enterprise, yet many organisations remain fearful of implementing encryption."
Then there is the issue of costs and resourcing, both of which are key challenges for CIOs and IT security decision makers. "It has been proven that when security is an after-thought, the costs of security increase," explains Tan. "Alternatively, if security is part of the design, deployment and development stages, the costs are substantially less." Whilst this sounds positive, the problem is that even if IT security decision makers are already aware of this, making this change requires buy-in from other senior business leaders, who are unlikely to be aware of the importance of this new approach.
It is worth noting that whilst cybersecurity regulations are gradually being introduced, the current level of cybersecurity risk demands that organisations rethink their approach to cybersecurity now rather than later. So to help drive change and encourage a new approach to cybersecurity, in April 2016, Singtel launched the Cyber Security Institute (CSI). This educational institute runs a wide variety of skills development and education programmes tailored to the varying needs of company boards, C-suite management, technology and operational staff. For example, when working with board level executives, the programme helps them understand security threats, ask the right questions and, crucially, offer the right support to their IT security department.
One example of best practice can be seen in the Singapore government, which has already taken steps to ring-fence a percentage of their IT budget for cybersecurity, an approach that South Korea and Israel both follow as well and one that Tan commends. "This is important because when you are putting together a project, even at the planning stage, having the budget ring-fenced sends a clear message that security has to be considered. This means that people have to get involved early on and the IT architecture must be planned with security in mind."