Anthony Lim is a pioneer of cyber-security and governance in Singapore and the Asia Pacific region, with over 25 years’ professional experience, as a business leader, consultant, advocate, instructor and auditor. He has held inaugural senior regional business executive appointments at Check Point, IBM and CA (now Broadcom), and was also client CISO at Fortinet and NCS. He co-authored an acclaimed international cloud security professional certification.
Anthony is also an adjunct faculty at some universities and professional institutions. He has presented at many government, business, industry and academic seminars, committees, executive roundtables, workshops, trainings and media (print, broadcast, internet) in Asia and America.
Recently, in an exclusive interview with Digital First Magazine, Mr. Lim shared his insights on how cybersecurity has evolved as a discipline, his career trajectory, current roles and responsibilities as Fellow, Cybersecurity, Governance & Fintech at Singapore University of Social Sciences, and much more. The following excerpts are taken from the interview.
From your perspective, how has cybersecurity come to be defined as a field and a discipline?
Cybersecurity (formerly known as information security, information technology security, information & communications security, computer security, etc.) is surely by itself a field and discipline because of its vertical and specialty focus. Not only does it require knowledge of specific matters, but it also involves very much a certain perspective and thinking, whether it be at the “top layer” of governance and policy, or at the “lower layer”, troubleshooting, penetration testing and for that matter, (ethical, “white hat”) hacking.
(Note: Top or lower does not denote better or less, both are needed and to be hand in hand, just different parts of a “stack” – think OSI 7-layer architecture of the IT network – and even so it is now effectively 10 layers.)
10.Governance ) my take
9. Cloud )
8.Web application )
7.Application ) Original OSI Model
It is a special field of its own because one cannot just go and attend a course (certified, academic or otherwise) and become a cyber professional or specialist, even if one is good at studying, memorizing and/or passing paper exams. He/she needs physical onsite experience as a network engineer, system administrator, software developer or an IT vendor customer support or product development engineer.
Only then can one appreciate how cyber security works and plays out. Of course, on top of this, one has to have that interest, the curious mind and eye, and diligence – as it can sometimes get technical and dry – hence it’s often being disdained or sidelined by the uninitiated.
How do you see the interplay between government policies, technological innovations, economic forces, and social dynamics playing out in the near future in terms of cybersecurity, and how will that impact education and employment in the field?
The first thing I see is that over time, currently or recent-past or future, these are all converging or at least getting connected or associated, collaborating and/or one becoming a function of another.
For example, technological innovations like AI (generative or otherwise), and for that matter, cryptocurrencies (as an offshoot of blockchain, and along the way Web3 and Metaverse) are all inter-connected with economic forces and social dynamics, and are starting to get the attention of authorities, although in the short run not amounting to policies as yet.
Nonetheless, the proliferation of OT (Operational Technology) & ICS (Industrial Control Systems) getting connected to the internet and associated communications media such as WLAN, LTE/4G/5G and Bluetooth, to IT (information technology) and IP networks, and being remotely manageable by mobile-device apps, in the past decade or 2, all in the name of digital transformation and smart building/ cities / nation, end up with evil hackers (state-sponsored or otherwise) wreaking havoc by attacking these national critical infrastructure entities, causing possible danger, destruction, disruption, harm and even death, to citizenry, economy and life in general.
This calls for tough sweeping national policies to ensure the cyber safety, cyber sanity & thus cyber sanctity of these critical entities. For example, the Singapore Government recently issued a guideline for cyber audit for critical infrastructure.
This is important too because (a) such cyber oversight in this area has never been done before (because OT & ICS traditionally had never connected to the internet, IP and IT, and was not originally built to do so). And (b) this issue continues to proliferate with IoT (Internet of Things) and Smart Cities / Smart Nations / Smart Homes / Smart Buildings etc. – all thing smart were never there before and thus lack a policy or standard or framework for cyber security and governance. Meantime economic forces and social dynamics dominate the run of things in these domains.
Anthony, how did you first get started as a cyber security consultant, and where do you get your information on what is going on in the IT security industry?
For close to 20 years, I was a pioneering Asia Pacific business leader for cyber security solutions (it wasn’t called cyber yet, back then), introducing key solutions, starting and building business operations, marketing and channel partnerships in the region, for Check Point (firewall), CA (identity, access and asset management) and IBM (application security and cloud security) when the internet was starting to take off and take a life of its own.
Then when I crossed 50 years of age (in the 2010s), I woke up one morning and wondered for how long more I wanted to chase vendor revenue numbers, So, I felt I should leave this chasing to the younger ones, while I see how to ‘give back’ to the industry the wealth of knowledge and experience in this space which I had accumulated over the past 20 years, of which I, together with a “band of brothers” effectively started the Asia Pacific cyber security business community in the mid-late 1990s.
While I was trying to decide this, friends started contacting me (unprompted) with teaching, consulting, assessment, mentorship (including “shark-tank”) opportunities, so I decided why not … and realized I could do this and seemed well-regard in this area.
Along the way, I was on a team which built an internationally acclaimed cloud security professional certification, became an ISO-27001 Lead Auditor and also specialized in teaching & being a consultant for cyber-security & governance to business line managers, non cyber IT managers, board of directors and management executives. I presented at seminars in Washington DC, for NATO, at Stanford University, ITU, TsingHua University and Guangzhou Knowledge City. I was also into smart cities and operational technology cyber security by then.
Until today still, I am consulting and teaching for financial institutions, government organisations, telco’s, listed conglomerates, energy companies et al in Singapore and the region. I also appear often on media (print, internet, broadcast) like national TV news. Between 2015 and 2019, I was also managing a few national-level IT network infrastructure cyber readiness assessment projects for a telco, a listed conglomerate and a government body, to name a few.
What surprised you the most in your journey so far and what did you learn from it?
I get invited from time to time by some universities to do some sharing with final-year and graduating students about some ideas to keep in mind when going into the professional world. The first thing I tell them is that while it is good to have some career plans and goals in mind, for the first five years, don’t’ stick too hard to the plans – rather, go with the flow as opportunities and circumstances unfold, be daring to take these on; who knows where they will lead or what doors they will open. Be ready to learn new things – take on challenges, break paradigms … my life mantra is “we never know”.
What surprised me most so far is that we never really know what happens round the next corner. My mom wanted me to be a doctor, but I never made through med school and went to study economics – then came the recession when I graduated; I needed a job and ended up with an IT one. In early 1990s, I worked for an American company selling IT network equipment to the military and this of course involved authentication, encryption, access control etc so voilà! I am in cybersecurity sector.
Tell us about your role as Fellow, Cybersecurity, Governance & Fintech at Singapore University of Social Sciences. What’s the most challenging part about your role?
I am a cybersecurity and governance instructor, academic researcher, industry advocate, training module content developer, mentor, consultant and auditor (not necessarily in this order).
2 challenges come to mind here in this question – viz –
1. A key challenge of the job as a cybersecurity & governance consultant, advocate & auditor is empathising with the (end user) client (usually the CISO or IT security leader) who has to juggle, juxtapose, balance or align (however you put it) between cybersecurity needs, processes and best practices on one side, and on the other side, demands of business activities and also cost pressures.
If he (usually he) is strict on cybersecurity implementations, the business people will say “hey, you’re slowing down my process, you’re giving me hoops to jump through”, or “you’re a show-stopper – I need to close the deal and fast, man, I need to meet my business client’s requirements”, etc.
Then if the CISO bows to business or cost pressure, and a breach occurs (even if it’s not his fault), the boss or business people will be quick to ask him “Hey, what happened, man? Why like this?” And “CISO” becomes “Career Is Soon Over”.
So, we work hard to try to help him find the most optimal balance between security and productivity, to help him prioritise security according to his organisation’s business function and strategy (we have to pick our fights, we can’t have it all and surely not the best of both worlds) and find solutions that can do as best as it gets.
3. I help advise and consult for some FinTech startups, some of which the university curates – these kids are focused on the software applications and technology, and the Ferraris they are going to buy with the millions they rake in. Cyber security, governance, regulatory compliance, data protection are a zero (despite their tech prowess) and very far from their minds.
But they know they need it as they will need a government financial trading license; they will need cybersecurity framework certification, an information security policy and certified adherence to national personal data protection laws etc. Still, irrespective of financial ability or perceived value, they try to do the minimum, as with many other companies.
What do you think are the biggest threats for companies at the moment, and what are common weaknesses in IT security strategies?
It’s hard to exactly say what are the biggest threats, and I don’t want to suggest complacency by inadvertently suggesting that other threats are a lesser concern. We never know what vulnerability the bad guys will find to exploit, and we never know what new innovative exploit they may come up with. Similarly, we never know which department in our organization has signed up for which cloud service or deployed which application, without complete or adequate due diligence with regard to the cyber risks vis-à-vis the business process and data handling therein.
We cannot just throw it to the service provider to take care of our cyber security and governance requirements. There are many domains in cybersecurity to be taking into consideration at the same time, and their respective cyber risks taken therein – network & infrastructure, cloud services, application development, data protection, third-party / supplier / business-partner-ecosystem, BYOD (“Bring your own device”), smart building / IoT (Internet of Things) / OT (Operational Technology), mobile applications … and so on.
Anyway, if I really need to point to one biggest threat today to be concerned about, its Phishing – which has become the top social engineering attack … and in a variety of ways – email, phone messages (mishing or whishing), voice calls (vishing), … and many fraud & scam cases have come out of these.
Unfortunately, with AI and ChatGPT, phishing emails are getting better and harder to dismiss with a laugh and the giveaway bad grammar are now a thing of the past. Hence, it comes back to vigilance, diligence, education and a common dedication to want to be safe. Technology can help only to some extent, with Spam filters more often than not filtering out legit email from your colleague, boss or client. Staff (and all individual users) need to be skeptical, not in a hurry, not be greedy, or be intimidated (as phishing often tries to threaten or otherwise encourage or coerce someone take some unwitting action or give information in a hurry).
Staff must be adequately empowered and encouraged to escalate suspicious IT occurrences to their supervisor or appropriate technical resources for assistance or counsel.
Where would you like to be in the next 5 years?
Hard to say – as I get older, I guess I will continue to be a consultant, auditor, mentor, university instructor and researcher.
What advice would you offer others looking to build their career in cybersecurity?
First and foremost, most importantly, one must have or must undergo the physical experience of working in the IT network infrastructure environment (as a network engineer, systems engineer, software developer, systems administrator, or a pre-sales engineer at an IT vendor, or similar such roles).
As mentioned earlier, you cannot just go to attend a course and get a certificate to turn you into a cybersecurity professional or practitioner without they physical IT network experience. It’s hard to be a cybersecurity professional or practitioner if one can’t tell CSA from PPT, or TCPIP from DHCP, or port 443 from port 67, or PKI from GRC
One must also have a keen interest in discovery and taking alternate views of something (hence “hacking”); one must also have the sense of mission “to help make our cyber world a safer place for all” – it’s not about just being technically competent or having a job, irrespective of salary.
No less, one must be continuously diligent in learning and – new issues, technologies, processes, solutions etc. in the cybersecurity foray – soldiering on, as new things unfold over time – every year, in IT and digital transformation, we have new systems, new services, new applications, new devices and technologies.
Hackers are always trying to hack something new, or trying new ways to attack incumbent assets or technologies. We the good guys cannot be tardy or be behind, we need to keep moving and at least keep up, if not be one step ahead.