EXCLUSIVE – How ISACA is helping Singapore bridge the cybersecurity skills gap


Above photo: ISACA and Cyber Security Agency of Singapore at the MOU signing ceremony held during Singapore International Cyber Week 2017 (Photo from Singapore International Cyber Week). Front row (starting from 3rd left): Mr. Leonard Ong, ISACA Board Director; Mr. Matt Loeb, ISACA CEO and Board Director; Ms. Theresa Grafenstine, ISACA Board Chair; Mr. David Koh, Chief Executive, CSA. Credit: ISACA

On September 19, during the Singapore International Cyber Week (SICW) 2017, the Cyber Security Agency of Singapore (CSA) signed a Memorandum of Understanding (MoU) with ISACA to facilitate collaboration on cybersecurity capability and workforce development.

ISACA is a leading body for information governance, control, security and audit professionals, with around 130,000 members in 215 chapters across 188 countries. ISACA’s IS (Information Systems) auditing and IS control standards are followed by practitioners worldwide.

OpenGov spoke to Ms. Theresa Grafenstine, ISACA Board Chair and former Inspector General of the U.S. House of Representatives, and Mr. Leonard Ong, ISACA Board Director, to learn more about the MOU and ISACA’s plans for Singapore.

Can you tell us about the MOU between CSA and ISACA?

Mr. Ong: As you know, Singapore released the Cybersecurity Strategy last year by the Prime Minister. And recently Singapore was ranked no. 1 on the Cybersecurity Index. We also know that Singapore is a financial hub, a regional data hub and a regional healthcare hub – they all deal with data.

You can’t successfully manage data or implement Smart Nation, if you can’t secure it. Because of that, we’re partnering with CSA to be able to develop the existing workforce in the cybersecurity area.

That would mean training people who are not in the cybersecurity area to work in cybersecurity. We will continue to upskill those people who are already working in the cybersecurity area, so that they can do more and stay up-to-date with the latest topics like IoT (Internet of Things) and other different kinds of emerging technologies.

Will ISACA be looking to upskill people who already have some experience in the area of ICT or will you also look at people with no experience in the field?

Mr. Ong: We realised that the demand for cybersecurity professionals is just way too much. You can’t just take someone from IT and put them in cybersecurity. That way you will create a shortage of IT professionals. So, we have to cast the net wide. We want to enable people who are moving from being trained in general IT to cybersecurity and we also want to remove the barriers for people who are not from IT to go straight to cybersecurity. We will also look at the polytechnic graduates, diploma holders, bachelor degree holders.

ISACA has knowledge services suited for individuals with no experience to existing professionals. We want to make sure that our knowledge services are accessible to everyone.

What will ISACA contribute to the training and development programmes?

Mr. Ong: We’re the owner of the content. So, we allow people to learn about governance, risk management and cybersecurity. We provide the assessment so the people can learn and be accredited for it. We certify people and we also provide the professional continued education for existing professionals.

Ms. Grafenstine: With ISACA, one of the ways we can step in and be able to help with the skills gap is through the Cybersecurity Nexus (CSX). What’s so wonderful about CSX is that traditionally for training, you go into a class, you receive information and then you leave. Or you go for a high-level conference and then you leave. The problem with those things is that the risk landscape changes so significantly from day to day. You need people to have deep experience. They can’t just have learnt it by reading a book. You need to actually understand what to do.

The CSX training platform allows you to actually go in and log into a virtual server. First you have the PowerPoint slides, so that you can read and understand the theory. And then it has a lab where you actually take that theory and implement it.

It’s fantastic because it goes way beyond textbook knowledge and provides hands-on experience. And what we’re doing is that we have things all the way from introductory to advanced. As you get to the more advanced levels, you would have to run network scans, understand the difference between false and actual positives, how to tackle issues and do all this in real time.

Can you tell us about the development of the next generation Capability Maturity Model Integration (CMMI)?

Ms. Grafenstine: ISACA acquired CMMI about one and a half years ago. Their capability maturity model has been widely used globally for years.

So, with ISACA’s acquisition of CMMI, we are actually taking the best of what ISACA has and what CMMI has, to come up with a cybersecurity maturity model. Once it’s finished, we will put it out for public comment. The goal is to be able to go in and assess organisations and use the same language across different industries, so that you would understand where your organisation sits in terms of cybersecurity. We’re looking to transform the industry by having this measurement tool. That doesn’t currently exist.

Will this measurement tool be used in Singapore also?

Mr. Ong: The model itself is universal and we definitely would like to see the CMMI model being widely adopted and used in Singapore.

In the recently proposed Cybersecurity Bill, one of the main focus areas is the Critical Information Infrastructure which includes power and water. Does this current partnership also encompass the cybersecurity aspects of those things and how is it doing it?

Ms. Grafenstine: SCADA (Supervisory control and data acquisition) systems weren’t designed for security. They’re designed to be functional and usable, so they’re wide open. I think in the past, one of the biggest challenges, universally, is when you’re dealing with applications such as water purification using SCADA systems, they didn’t really see why they would have any cybersecurity problems. The situation has changed. Now they definitely understand that being part of the critical infrastructure makes them a huge target.

Again, just like awareness helps you to prevent people from clicking links, awareness about the security risks of SCADA systems and industrial controls, the fact that they’re becoming more aware that they are targets, I think is a big part of moving towards becoming more successful in tackling the problem.

Mr. Ong: If you think about it, the concept of risk management and security is the same and ISACA is trying to make sure that people are equipped. We publish research papers to make sure our auditors and risk professionals understand what is SCADA, how do you audit SCADA systems. We do equip existing professionals who may not have touched ICS before, may not have audited ICS (Industrial control systems) before, to go and audit ICS systems.

Ms. Grafenstine: Another part that ISACA brings to the table is the people and networking and all the relationships. I’ve been an ISACA member for almost 20 years but the relationships, I can call on somebody I know from ISACA and I trust them. We may be in different industries but we’re facing the same problems. It’s really helpful to reach out to a colleague that you trust and say, “How’re you doing this and what are the problems you’re facing? How do you think I can tackle it?”

As we move towards a digital economy, are small companies equipped to deal with the proliferating cyber threats as they digitalise?

Ms. Grafenstine: A lot of times, people think that cybersecurity has to be very expensive – in fact, a lot of it comes down to awareness and training. If you look at statistics in hacks and malware, it comes down to people – if people didn’t click the link, it wouldn’t have let the malware in, in the first place.

So that’s not just an IT thing, that’s an ‘all of us’ thing. Everyone needs to have a basic cyber awareness. I think ISACA is positioned well to help in ensuring that.

Mr. Ong: I fully agree. If you think about the basic concept, there are three parts: people, process and technology. Technology is out there in the market, there are a lot of tools, software and hardware that can help us with the security problems.

Also, you can create a lot of processes, standards and frameworks. The biggest challenge is always the people, whether the people know what they should be doing, what they can do, what they cannot do and so on.

We have been doing a study called ‘The State of Cybersecurity’ for the past 3 years. The 2017 Study found that for over a quarter of enterprises, the time to fill cyber security and information security positions is one-half year.

It’s a global problem whereby it’s hard to hire cybersecurity professionals not only in Singapore but everywhere in the world. The greatest bottleneck is people. We are all trying to find qualified candidates from the same limited resource pool. That’s why we’re very proud of the Singapore government having several initiatives to subsidise the training costs so that more people can be trained and certified.

Singapore has the right mix between legislation, people and the ecosystem. I think we’re moving in the right direction but we can’t be complacent.
