Categories
Resources & Articles

Balancing Between Senior Management & Board’s Expectations And CISOs’ Burnout

On 2 July 2024, ISACA SG Chapter (ISACA SG) and the Chartered Management Institute (CMI) Singapore organised an inaugural round table discussion addressing the key concerns about balancing Chief Information Security Officers’ (CISOs’) state of wellness with discharging Senior Management and Board expectations. The round table was well represented by ISACA SG and CMI invitees comprising CISOs, Technology Auditors, CEOs, Board members, Government Agencies, Risk Professionals and Associations’ Key Representatives, providing a holistic view of the discussion topic. The conclusion is that “Building a Resilient Cybersecurity Culture is A Whole of Company Approach”.

In today’s fast-evolving digital landscape, cybersecurity is not merely the responsibility of the CISO or the technology team; it is a collective responsibility that must be driven from the top by the board. The Tone-at-the-Top principle is crucial to drive the right behaviour of any organisation building a resilient cybersecurity culture.

The role of the CISO is critical, but it is part of a broader strategy that requires the entire organisation to be involved. This article explores the dynamics between boards and technology risk professionals, emphasising the need for a cohesive approach to managing technology risks, fostering resilience, and achieving business objectives.

“A recent survey report¹ released by ThreatReady from HackTheBox indicated that 90% of the CISOs surveyed are concerned about stress, fatigue, or burnout affecting their team’s well-being. Yet only 8% of them are considering quitting their jobs due to overtime, stress, burnout, or mental health challenges within their role in cybersecurity.”

Unrealistic Expectations, Misplaced Blame and Hidden Risks

One common issue is the expectation that technology professionals can solve all cyber security problems, which leads to misplaced blame when cyber-attacks occur. Boards must understand that technology belongs to everyone in the organisation, not just the technology (and risk) team. Accepting that there will be lapses in people, processes and technology is essential, especially in a constantly changing environment. Recent findings from the World Economic Forum indicate that human error accounts for 95% of cybersecurity incidents. Therefore, the Board has to take a whole-of-company approach to build cyber resilience and mitigate the business disruptions caused by cyber-attacks and threats.

If the Board’s attitude does not change, the result is a hidden risk: burnout of the CISO and technology professionals.

Cybersecurity and Business Alignment

The Board and the C Suites face an uncertain and challenging operating environment caused by geopolitical tension, wars, intense competition, supply chain disruptions, capacity and talent constraints, and new and changing laws and regulations. These issues occupy the priority list of most Board agendas. It is telling that cyber security risks are relegated to the Chief Technology Officer (CTO) and CISO, and that most Boards do not have members who are familiar with managing cyber security risks.

The rise in cyber-attacks has disrupted business services, breached confidential and personal data, caused harm to critical systems, and resulted in reputational damage and monetary losses. The Board and C Suites need to reprioritise resources to manage cyber-attacks and build a culture of cyber resilience. Cybersecurity is not just about technology; it involves people and processes. Attackers often target employees, who make soft targets. Therefore, the Board and C Suites must change their mindset and make vigilance against cyber threats everybody’s personal responsibility.

The Board has to include cyber threats as a key risk in the organisation’s enterprise risk management system. In setting the risk appetite and risk tolerance, the Board has to recognise that a zero risk tolerance for cyber threats is not realistic. No matter how robust your cyber defences are, determined attackers can still breach them. Therefore, the Board must work with Management to put in place a business continuity framework that ensures the protection of critical information infrastructure and its recovery from cyber-attacks.

Effective Communications and Building Trust

CISOs and technology professionals need to build trust with Management and Board members through effective communication. A common observation is that they do not consider business objectives and budgetary constraints when requesting capital investment in cyber security infrastructure. Some inject fear or go into technical details that befuddle the decision-makers. Neither approach helps in building trust and obtaining buy-in from Management and the Board.

Accountability and Ownership

When a breach occurs, determining liability can be complex, especially if it stems from user error. Building resilience means not relying solely on external support or government funding. Instead, organisations should focus on identifying and protecting critical information assets and preparing for recovery. Balancing cyber protection with investment cost is vital, and the Board must be aware of the trade-offs involved.

“A Harvard Business Review article² wrote that Boards focus on protection when they need to focus on resilience, and Boards believe cybersecurity is a technical topic. Hence, Boards are having wrong conversations in their board rooms!”

Building a Culture of Resilience

A resilient organisation is one where the senior management, board and CISO work together to address and learn from incidents. Instead of seeking quick fixes, the focus should be on continuous learning and improvement. Security should be integrated into the business culture, with investments justified by their contribution to business benefits. Sudden budget increases are not the solution; a consistent and strategic approach is needed to make security an integral part of the business.

Building a culture of resilience starts with the board, which must shift from a compliance mindset to a growth and performance mindset. The board needs to provide:

  • Purpose and Direction: Clearly defining the organisation’s cybersecurity goals and objectives, including a clear risk appetite for cyber risks. It is not realistic to take a zero tolerance approach to cyber threats.
  • Developing People and Capability: Investing in training and development so that every staff member is vigilant against cyber threats.
  • Building Relationships and Networks: Fostering collaboration across departments and with external partners through effective communication.
  • Leading Change and Innovation: Encouraging innovation in cyber resilience and staying ahead of evolving cyber threats.
  • Managing Resources and Risks: Allocating resources effectively to manage and mitigate cyber risks, and promoting proactive risk management in which risk professionals are consulted early to mitigate cyber risks that could lead to reputational damage and financial loss.
  • Achieving Results with Defined Outcomes: Setting and measuring clear outcomes to ensure the effectiveness of cybersecurity initiatives. Cybersecurity key performance indicators (KPIs) should exclude external factors outside the CISO team’s control, e.g. the number of attack attempts made by attackers.

Communication and Education

“CISOs will not have a seat at the Board table. They are just too technical. Their reporting officer, such as the Chief Information Officer or Chief Digital Officer, may be considered. The Board’s role is to provide strategic direction and risk oversight of an organisation.” – commented by several experienced Board members in and outside of the discussion

Effective communication is key to aligning board expectations with technology realities. Boards, often composed of individuals with backgrounds in accounting, law or business, may lack technical cybersecurity expertise. In addition, Board members with decades of experience may come from the non-digital era, where certain habits, knowledge and skills take time to (re-)develop.

Educating them on the importance of technology risks and using a risk-based approach is crucial. Simplifying technical jargon and focusing on the business impact can help bridge the understanding gap.

The role of the CISO is multifaceted, requiring both technical expertise and business acumen. It involves not just managing technology risks but also influencing organisational culture to foster resilience. CISOs must communicate effectively with the board, using storytelling to convey complex issues and justify investments. They should work closely with the risk, audit and compliance departments to align risk strategies. The story is not the CISO’s to tell alone; it is a combined effort to show that risk investments deliver value.

The Role of Management

Technological landscapes are continuously evolving, and organisations must adopt a risk-based approach to manage these changes effectively. No matter how many controls are in place, there is always a risk of attacks. At the board level, discussions often focus on frameworks without integrating the people, processes, and technology components. Managing tech risk involves creating a resilient system that can detect, respond to, and recover from incidents. Boards must recognise that cybersecurity is not just about managing technology risks but ensuring business resilience.

At the management level, the right support to drive the right direction is very important. Management is often the cushion between the Board and the CISO team. If the Management team leaves the technology risk effort to the CISO team alone, everyone will be disappointed. Management can help to create adequate opportunities for the CISO team to engage with both Senior Management and the Board to share technology risk insights. Cyber security risk should not be the last item on the Board agenda with a five-minute slot allocated to it, nor should it be a box-ticking exercise.

Currently, the CISO is not yet a core member of the C Suite. Most CISOs report to a Chief Information Officer (CIO), the Head of Technology or the CFO. Therefore, cyber security issues continue to be relegated to operational issues rather than strategic ones. The Board should consider elevating the CISO to a regular invitee to the board room before considering making the CISO a core member of the C Suite. Regular attendance at Board room activities helps to develop CISOs’ strategic thinking skills and may be one of the talent development opportunities that prepare CISOs for higher roles and responsibilities.

Conclusion

A CISO’s role includes developing a robust risk management framework and coordinating with risk owners to mitigate cyber risks. They need strong interpersonal communication skills to effectively engage with risk owners responsible for managing cyber risks. Cyber risks must be a mandatory checkpoint for every business process design, incorporating technologies from the start. Many organisations make the mistake of adding cybersecurity as an afterthought, making the CISO’s job arduous and the expectations of the board difficult to meet.

Cybersecurity is not just the responsibility of the CISO; it is a collective effort that requires the involvement and commitment of the entire organisation, driven from the top down by the board. Realistic KPIs and the cyber vigilance of the entire organisation are necessary to mitigate the risk of cyber-attack.

Building a strong, collaborative relationship between boards and technology teams is essential for navigating the complexities of today’s digital world. By fostering a culture of resilience, aligning cybersecurity efforts with business goals, and improving communication and education, organisations can better manage technology risks and achieve sustainable success. A simple test of Management and Board commitment, such as their participation in a cyber or business crisis management simulation, can indicate the maturity of the organisation’s resilience commitment.

Lastly, committing to organisational risk resiliency is a journey. Businesses need to appreciate that good risk performance leads to good business performance.

Co-authors: Jenny Tan (ISACA SG), Hoi Wai Khin (CMI) and Tay Woon Teck (CMI)

1 Reference: https://resources.hackthebox.com/building-a-firewall-against-cybersecurity-burnout?utm_source=linkedin_newsletter&utm_medium=social&utm_campaign=building_a_firewall_against_cybersecurity_burnout_report&trk=article-ssr-frontend-pulse_little-text-block

2 Reference: https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity

Organisers:

  • CMI – Tay Woon Teck, Chairman and Hoi Wai Khin, Education Director, CMI
    About CMI (https://www.managers.org.uk/about-cmi/)
    Turning accidental managers into conscious leaders
  • ISACA SG – Jenny Tan, President and Yap Lip Keong, Vice-President
    About ISACA (https://www.isaca.org/about-us)
    A community of IS/IT professionals in pursuit of digital trust | We are working to build a better digital world

CMI and ISACA SG would like to thank the following persons for contributing their views at the round table leading to this article formulation:

  • Andreas Dannert, Principal Enterprise Security Architect, Standard Chartered Bank
  • Anthony Ong, Vice Chairman, CMI, Senior Advisor, Adera Global
  • Chan Meng Fai, Senior Manager IT IA, Singapore Airlines
  • Chua Chay, Head MCISO, Mindef
  • Hardik Thaker, Executive Director, Tech & Cyber Risk & Cybersecurity, GXS Bank
  • Murari Kalyanaramani, SID Digital Chapter Committee Member, UOB CISO
  • Patrick Tay, COO & GM, Data Connect Technologies (Co Konica Minolta)
  • Phoram Mehta, Senior Director and CISO International Markets, PayPal Pte Ltd
  • Saw Ken Wye, Honorary Chairman, CMI, Director En-Vivo Pte Ltd
  • Siew Yim Cheng, Senior Vice President, Digital Value Chain Solutions, Yara Asia Pte Ltd, Council Member, CMI
  • Stephen Ching, President, IIA
  • Tan Boon Yen, Senior Director Risk Advisory, RSM Singapore
  • Veronica Tan, Director, Cybersecurity Agency of Singapore


2024 SheLeadsTech Conversion Programme (SLTCP) – Training Phase Completion Celebration

31 May 2024 is a very special day indeed! It marks the completion of the FY2024 SLTCP Cohort’s training phase, and the beginning of their three-month internship. ISACA SheLeadsTech (SLT) invited the cohort, SLT ambassadors, SLT mentors and SLTCP key corporate partners to celebrate together at Palms Bistro @ 60 Anson Road.

The event started off with a sumptuous dinner buffet. Jenny Tan (ISACA Singapore Chapter President) gave her opening speech, taking the attendees through the history of SLTCP – a partnership programme between ISACA SG Chapter SLT, Tech Talent Assembly (TTAB) and Employment and Employability Institute (e2i) that began in FY2022. The vision of SLTCP was to demystify technology and ease the conversion, growing a healthy pool of technology risk / audit professionals. One unique feature about our current FY2024 cohort is that it is a mix of both male and female participants. Recognition was also given to SLTCP mentors, trainers and partners. Personally, I was struck by the passion and determination demonstrated in Jenny’s opening. It’s been a privilege to take the mentor role and be a small part of this meaningful programme.


The next segment was a motivational talk, very aptly titled “Designing your life”, by Lance Foo (Group Talent Acquisition Leader, NCS). Lance inspired us with her own career story – from a biotechnology graduate who found her calling in Human Resources and boldly asked for the Managing Director role, not once but twice, and succeeded when she was in her early twenties. She also imparted three wise messages to the attendees:

1. Do not change. Evolve. 

2. Find your true north. 

3. Patience is a virtue.

Next was the highlight of the event. Each FY2024 SLTCP participant was presented by Jenny Tan with their certificate of completion for the training phase and a word cloud of encouragement from their fellow participants. There were lots of smiles and cheers all around!

And when everyone thought that the award ceremony was the finale, Jenny announced a surprise “MOST” award, e.g. Most Serious, Most Caring. Winners were voted for by the cohort themselves.

Last, but not least, the top three scorers of FY2024 were announced, walking away with generous cash prizes.

Overall, it was an enjoyable and heart-warming evening spent with like-minded technology risk professionals. Wishing our FY2024 SLTCP Cohort all the best in their internship!


Author: Cheryl Gan (SLT Ambassador), 11 June 2024

Singapore’s SheLeadsTech conference celebrates 5 years

The fifth annual ISACA Singapore Chapter SheLeadsTech Conference was held in Singapore yesterday, with more than 200 attendees in total for this hybrid event.

Guest-of-Honour Puay Li Phua and Jenny Tan, President of the ISACA Singapore Chapter, shared the forward-looking mission that SheLeadsTech hopes to achieve in the next five years.

In her opening keynote, Puay Li Phua affirmed, “The CSA is committed to promoting inclusivity within the tech industry. For example, the CSA SG cyber women’s initiative was established to attract diverse local talent through partnering with professional associations and nonprofit organizations to encourage girls to pursue tertiary education in cybersecurity and inspire women to take on cybersecurity roles.

So over the past four years, we have supported outreach, engagement and training efforts reaching out to almost 3,000 girls and women. For example, in 2019, various industry associations and community partners jointly organized a series of events, ranging from a capture the flag competition for girls only career sharing relevance to technical workshops.

At the national level, the government has also implemented measures to provide more support to women at their workplace. For example, Minister Josephine Teo, the Minister in Charge of Cybersecurity as well as the Minister in Charge of Communications and Information, recently announced that new legislation will be introduced in the second half of 2024 to provide better protection against gender discrimination and ensure that job seekers have better access to job opportunities. The legislation will also provide better guidelines for employees when it comes to managing flexible work arrangements, given that women tend to still carry more of the caregiving load. This move will better support women by allowing them more flexibility in their schedules for work and family commitments.

So in light of these significant measures and programs being implemented at both the organization and national levels, let us reaffirm our collective commitment and continue to support and uplift a more inclusive cybersecurity and technology industry.”


Puay Li Phua, Senior Director (Policy and Corporate Development) of the Cyber Security Agency of Singapore (CSA)

The conference heard inspiring stories from our fireside chat speakers (Wynthia Goh; Beatriz Silveira, ITIL Leader, CISSP, CISM, CRISC, CCISO; Shamane Tan), as well as from student mentee Candy Tam and SLT Ambassador Adeline Chan, who have benefited from the SheLeadsTech Programme and described how this platform has enabled them to pay it forward too!

Fireside chat with L-R Beatriz Silveira, Wynthia Goh, Shamane Tan and Jenny Tan

The conference was not lost on technical content, with presentations by Joyce, Lee Keng Chua, Lorraine Lee (CIPP/E), Claire Lim, Daiane Faller, Siu Wei Lee and Qiyun Woo (胡绮芸) addressing topics from data privacy and AI governance to AI regulations and ESG.

State of IT risk in Singapore

by Allan Tan — December 6, 2023
The ISACA Singapore and Frost & Sullivan Cyber Security Survey 2023 warned that 86% of companies in Singapore are at risk of cybersecurity incidents. This finding underscores the pressing need for businesses to prioritise cybersecurity measures and protect their digital assets.

Frost & Sullivan director and head of the Asia Pacific Cyber Security Practice, Kenny Yeo, says Singapore faces two broad trends that are impacting the state of digital risk. On the first, 83% of respondents have accelerated cloud adoption over the past 12 months. Further, 87% said they are pursuing a cloud-first strategy or have production projects in the cloud. “Organisations are also going multi-cloud to scale capacity and increase technical capabilities quickly.

But with this push towards cloud, many organisations are still not protecting their cloud adequately,” warned Yeo.

He added that organisations are also facing greater complexity, dealing with digital transformation projects while maintaining business-as-usual (BAU) and legacy systems. He posits that this means new and existing cyber security solutions must work together, with data residing in multiple silos.

“This, unfortunately, leads to more organisations getting hit with cyber incidents. This is not just an enterprise issue, but also a personal individual challenge as well, as you can see from multiple scams hitting the vulnerable and unaware digital users.”

Andrew Lim, managing director for ASEAN at Kyndryl, says Singapore’s strong regulatory environment, advanced infrastructure and skilled workforce set a high standard.

That said, DPM Heng Swee Keat, speaking at the Singapore International Cyber Week 2023, said the key to fully harnessing technology as a force of good lies in forging partnerships across borders and sectors. This is particularly important as other ASEAN nations seek to enhance their tech utilisation.

The ASEAN Cybersecurity Cooperation Strategy holds the potential to unite the region, as it seeks to foster trust, enhance cyber readiness, and facilitate international cooperation for a safer and more prosperous digital environment.

Impact on enterprise security strategies

Asked how the trend is impacting enterprises’ IT and security strategies, Jenny Tan, president of ISACA Singapore Chapter, says that with the high level of cloud adoption, data protection should be a key IT and security strategy.

She conceded that a lack of visibility on this front works against organisations’ efforts to maintain a high degree of cybersecurity readiness.

“In our recent ISACA SG Survey, it was noted that one of the most challenging efforts is to have senior management buy-in as most still think that the security effort is only at the technical pursuit.”

She added that the survey results also showed that most enterprises that adopted cloud solutions think they have transferred their security risks to the cloud service providers.

“With this survey outcome in mind, we can assume that enterprises may not put in much effort to review their existing security strategies to deal with their shift in IT resource management,” she commented.

In a separate study, Lim described an intriguing paradox: 88% of respondents expressed confidence in their organisation’s preparedness for adverse events, while 92% reported experiencing such events in the last two years.

It is this disconnect, notes Lim, that underscores the importance of enterprises prioritising boardroom discussions on IT risk, enabling top-down organisational alignment and supporting necessary changes to ensure cyber-enabled systems can remain operational during adverse events.

“With this strategic shift, enterprises are seeking to minimise system disruptions and their potential impact on a brand’s productivity, reputation, and financial performance,” said Lim.

Persistent cyber vulnerability of SG enterprises

At the C-Engage Convention, CIOs and security professionals participating as guest panellists acknowledged the importance of cybersecurity across organisations, industries and governments. But the journey towards this level of recognition has not been smooth sailing, and it is not over yet.

Market analyst firm Canalys forecasts global cybersecurity spending (including enterprise products and services) to reach US$223.8 billion in 2023, with growth in the delivery of cybersecurity services outpacing product shipments.
Source: Canalys 2023
Canalys says persistent heightened threat levels will keep cybersecurity high on the list of investment priorities for organisations.

“But not all planned projects will be signed off, as pressure mounts on budget holders to scrutinise spending and focus only on the most pressing cybersecurity needs to minimise the risk of breaches.”

Tan posits that organisations’ vulnerability will persist in the years ahead, attributing it to a lack of talent and of talent continuity within organisations, a lack of security prioritisation by the Board and senior management, and the high compliance costs of implementing security strategies.

Where vulnerabilities lie

Source: ISACA Singapore and Frost & Sullivan Cyber Security Survey 2023
Reflecting on the 5th annual ISACA Singapore and Frost & Sullivan enterprise security survey, Yeo says unpatched systems, unrelenting phishing email attacks, third-party supplier compromise and data leakages accounted for many of the attack sources that enterprises, governments and consumers faced in 2023.

“Top hygiene factors like vulnerability management and a systematic patching regime are number one, with the most popular vector of attack being phishing emails,” he elaborated.

Kyndryl’s Lim says talks with IT decision-makers and risk and compliance professionals suggested that the ongoing global IT skills shortage may be a concern, but it doesn’t top the list. The most frequently cited challenge by respondents was the inability to recover systems and data from encrypted, clean backups when dealing with adverse events.

“We encourage them to consider investing in automating and orchestrating recovery processes, assessing and establishing how best to mitigate human error in restoring from backups, and to test incident response plans repeatedly and often.”


Accountability and responsibility should cut both ways

At the national level, there is recognition in Singapore that cybersecurity is a collective responsibility. Yeo acknowledges that any IT solution or cyber security tool has vulnerabilities because imperfect humans are involved in its development.

“Too often technology is the primary focus for organisations in their cyber security protection, but training and enabling people is also crucial, along with coming up with policies and processes anticipating a breach as well.”

“Cyber security is something that everyone in the organisation needs to pay attention to, not simply the technical team, but the board of directors, senior management to line staff too,” said Yeo.

Graduation Gala of the FY2023 SLT Conversion Programme

In a dazzling display of talent, resilience and transformation, the FY2023 SLT Conversion Programme Graduation Ceremony illuminated the path for a group of remarkable individuals – the cohort, the industry partners, the mentors and ISACA leadership. The path to this momentous day began with 3 months of intensive classroom training from March to May, coupled with a further 3 months of hands-on internship from June to August. But this wasn’t your regular “sit, listen, and yawn” kind of course; it was a masterclass in revamping careers, and as Jenny Tan mentioned, the cohort size was deliberately kept small so that each participant received close attention.

With mentors to support them, these six months weren’t just about acquiring technical skills; they were a transformational process that demanded stepping outside comfort zones. For many, it entailed leaving behind their established careers and taking a leap of faith into the world of technology. Their resolve and dedication deserved a round of applause in itself.

The heart of this remarkable initiative lies in its mission to convert individuals without tech skills into adept Tech Governance, Risk, and Compliance (GRC) professionals. Graduates, who had crossed a chasm of uncertainty, stepped up to the microphone to share their heartfelt appreciation and takeaways. 

One of the candidates, Bernard Ong, with a twinkle in his eye, expressed his gratitude for the support he received and the newfound inspiration that propelled him to participate wholeheartedly (unlike how silent he was before). Jenny, his mentors and his whole SLT family are proud of him now.

Sharon Ng, a former HR professional, described how she conquered her apprehensions and fears. A major career change and evening classes were not without their challenges, yet her unwavering determination and humility prevailed as she gained tech knowledge from teachers much younger than herself. Ong Hwee Shan’s journey from internal audit (IA) to cybersecurity underscored the transformative nature of the programme. Yvonne Tay’s account of navigating a younger work environment with grace was a testament to the programme’s ability to foster adaptability alongside a technical skillset.

The cohort started with a fearless eleven, and after a whirlwind of learning, laughing, and cyber and tech knowledge, ten crossed the finish line. Seven got job offers, three got… well, a dose of self-discovery, which is basically a VIP ticket to personal growth, right?

From here, they are not left on their own. Jenny Tan announced the newly launched SLTCP Alumni initiative, which will serve as a beacon of information, ensuring that graduates remain connected, informed and ready to adapt to new trends in tech. She also informed attendees of the upcoming seminars and webinars, furthering the programme’s commitment to knowledge dissemination.

Bernard Tan gave us a good glimpse of ISACA’s leadership, programmes and benefits of being connected to the more than 3300-member strong tech community of ISACA SG! 

As the sun sets on the second successful chapter of the SLT Conversion Programme, the FY2023 Graduation Ceremony was a reminder that innovation, transformation and growth are not just buzzwords; they are the essence of the human spirit. The journey from non-tech to tech, from doubt to self-confidence, from unfamiliarity to embracing change, was a celebration of human potential that left an indelible mark on all in attendance.

Thank you once again ISACA SG, Jenny and all behind the SLT program for this noble work in making the world a better place for all!

Author: Neha Agarwal, August 31 2023


The EU AI Act: Adoption Through a Risk Management Framework

Artificial intelligence (AI) failures have made headlines in recent years. These incidents include Tesla’s car crash due to an issue with the autopilot feature,1 Amazon’s AI recruiting tool showing bias against women2 and Microsoft’s AI chatbot, Tay, being manipulated by users to make sexist and racist remarks.3 These mounting ethical issues related to biases and malicious use have led to the development of the EU Artificial Intelligence Act (AI Act) to establish governance and enforcement to protect human rights and safety with regard to the use of AI. The AI Act is the first AI law established by a major regulator. This law seeks to ensure that AI is used safely and responsibly, with the interests of both people and enterprises in mind.

The AI Act is an important step in the development of an effective and responsible regulatory framework for AI in Europe. It is hoped that this law will create a level playing field for all enterprises while also protecting the rights and interests of people.4

Risk of Generative AI

Generative AI content poses significant risk, perhaps most notably, the spread of misinformation. Generative AI can be used to create fake news and other forms of misinformation that can be spread quickly and widely. This can have serious consequences including damaging individuals’ and organizations’ reputations, political instability and undermining public trust in media.

AI tools such as ChatGPT write with confidence and persuasiveness that can be interpreted as authority. The text may be taken at face value by casual users, which can send incorrect data and ideas throughout the Internet. An example of data inaccuracy from ChatGPT is Stack Overflow, which is a question-and-answer website for programmers. Coders have been filling Stack Overflow’s query boards with AI-generated posts. Due to a high volume of errors, Stack Overflow has taken action to prevent anyone from posting answers generated by ChatGPT.5

Another risk of generative AI content is malicious use. In the wrong hands, generative AI can be a powerful tool for causing harm. For example, generative AI can be used to create fake reviews, scams and other forms of online fraud. It can also automate spam messages and other unwanted communications. In addition, there have been proof-of-concept attacks where AI created mutating malware.6 ChatGPT may also be used to write malware—researchers found a thread named “ChatGPT—Benefits of Malware” on a hacking forum.7

Because AI can only generate content based on what it has learned from data, it may be limited in its ability to provide in-depth investigations of complex subjects or offer new insights and perspectives. This lack of substance and depth in generative AI content can have serious consequences. For example, it can lead to a superficial understanding of key topics and issues and make it difficult for people to make informed decisions.8

Because of the complexity of algorithms used in AI systems, AI presents a challenge to the privacy of individuals and organizations. This means that individuals may not even be aware that their data are being used to make decisions that affect them.9 For example, Clearview AI allows a law enforcement officer to upload a photo of a face and find matches in a database of billions of images it has collected. The Australian Information Commissioner and Privacy Commissioner found that Clearview AI breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.10

AI Act Risk Categories

The AI Act assigns applications of AI to 3 risk categories based on the potential danger these applications pose: unacceptable risk applications, high-risk applications and limited or low-risk applications.

The first category bans applications and systems that create an unacceptable risk. For example, unacceptable uses include real-time biometric identification in public spaces, where AI scans faces and then automatically identifies people.

The second category covers high-risk applications, such as a resume-scanning tool that ranks job applicants based on automated algorithms. This type of application is subject to strict regulations and additional protective measures to ensure that people are not discriminated against based on their gender, ethnicity or other protected characteristics. Higher-risk AI systems are those that may have more serious implications, such as automated decision-making systems that can affect people’s lives. In these cases, it is important that users are made aware of the implications of using such systems and are given the option to opt out if they feel uncomfortable.

The third category is limited-risk AI systems, which are those that have specific transparency obligations of which users must be made aware. This allows users to make informed decisions about whether they wish to continue with the interaction. Examples of low-risk AI systems include AI-enabled video games or spam filters, which can be used freely without adverse effects.

Will a Risk-Based Approach Work?

To address the risk posed by AI, the European Commission undertook an impact assessment focusing on the case for action, the objectives and the impact of different policy options for a European framework for AI, which would address the risk of AI and position Europe to play a leading role globally. The impact assessment is being used to create the European legal framework for AI, which will be part of the proposed AI Act.

Several policy options considered in the impact assessment undertaken by the European Commission were:

  • Option 1: One definition of AI (applicable only voluntarily)—Under this option, an EU legislative instrument would establish an EU voluntary labeling scheme to enable providers of AI applications to certify their AI systems’ compliance with certain requirements for trustworthy AI and obtain an EU-wide label.
  • Option 2: Each sector adopts a definition of AI and determines the riskiness of the AI systems covered—By drafting ad hoc legislation or by reviewing existing legislation on a case-by-case basis, this option would address specific risk related to certain AI applications. There would be no coordinated approach to regulating AI across sectors, nor would there be horizontal requirements or obligations.
  • Option 3a: One horizontally applicable AI definition and methodology of determination of high-risk (risk-based approach)—This option would envisage a horizontal EU legislative instrument applicable to all AI systems placed on the market or used in the EU. This would follow a proportionate risk-based approach. A single definition of AI would be established by the horizontal instrument.
  • Option 3b: One horizontally applicable AI definition and methodology of determination of high-risk (risk-based approach) and industry-led codes of conduct for nonhigh-risk AI—This option would combine mandatory requirements and obligations for high-risk AI applications as under option 3a with voluntary codes of conduct for nonhigh-risk AI.
  • Option 4: One horizontal AI definition but no gradation—Under this option, the same requirements and obligations as those for option 3 would be imposed on providers and users of AI systems, but this would be applicable for all AI systems regardless of the risk they pose (high or low).

The following criteria were used to assess how the options would potentially perform:

  • Effectiveness in achieving the specific objectives of the AI Act
  • Assurance that AI systems placed on the market and used are safe and respect human rights and EU values
  • Legal certainty to facilitate investment and innovation
  • Enhancement of governance and effective enforcement of fundamental rights and safety requirements applicable to AI
  • Development of a single market for lawful, safe and trustworthy AI applications that helps prevent market fragmentation
  • Efficiency in the cost-benefit ratio of each policy option in achieving the specific objectives
  • Alignment with other policy objectives and initiatives
  • Proportionality (i.e., whether the options go beyond what is a necessary intervention at the EU level in achieving the objectives)

Based on these criteria, option 3b yielded the highest scores.11 Using a risk-based approach means that most efforts are focused on assessing and mitigating the high-risk AI applications in contrast to low-risk ones. A risk management framework is a useful road map for providing the required structure and guidance to balance the risk of AI applications without dampening innovation and efficiencies from AI. It also ensures that the AI Act can be implemented and governed and the interests and privacy of people are protected.

Governance Through a Risk Management Framework

To address how the AI Act can be successfully applied, it is necessary to have a risk management framework to support the regulation.

A standard risk management framework encompasses key elements including risk identification, mitigation and monitoring, which sets the foundation for governance. The US National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) is suggested to complement the AI Act and is a feasible approach to the implementation of option 3b as it sets forth dialog, understanding and activities to manage AI risk responsibly.12

Many leading technology organizations such as Amazon, Google and IBM have applauded the efforts of the NIST AI RMF for the responsible development and deployment of AI products, stating that it is:

…an important path forward for the responsible development and deployment of AI products and services. The AI RMF, like the BSA Framework, creates a lifecycle approach for addressing AI risks, identifies characteristics of Trustworthy AI, recognizes the importance of context-based solutions, and acknowledges the importance of impact assessments to identify, document, and mitigate risks. This approach is well-aligned with BSA’s Framework to Build Trust in AI, which emphasizes the need to focus on high-risk uses of AI, highlights the value of impact assessments, and distinguishes between the obligations of those companies that develop AI, and those entities that deploy AI.13

As shown in figure 1, the AI RMF Core is composed of 4 functions: govern, map, measure and manage.

Figure 1: The AI RMF Core (govern, map, measure, manage)

The govern function provides organizations with the opportunity to clarify and define the roles and responsibilities of those who oversee AI system performance. It also creates mechanisms for organizations to make their decision-making processes more explicit to counter systemic biases.

The map function suggests opportunities to define and document processes for operator and practitioner proficiency with AI system performance and trustworthiness concepts. It also suggests opportunities to define relevant technical standards and certifications.

The govern and map functions describe the importance of interdisciplinary and demographically diverse teams while utilizing feedback from potentially impacted individuals and communities. AI actors who are involved in applying their professional expertise and activities in the RMF can assist technical teams by anchoring design and development practices to user intentions and representatives of the broader AI community and societal value. These AI actors are gatekeepers or control points who assist in incorporating context-specific norms and values and evaluating end-user experiences and AI systems.

The measure function analyzes, assesses, benchmarks and monitors AI risk and related impacts using quantitative, qualitative, or mixed-method tools, techniques and methodologies. It uses knowledge relevant to AI risk identified in the map function and informs the manage function. AI systems should be tested before deployment and regularly thereafter. AI risk measurements include documenting systems’ functionality and trustworthiness.

Measurement results are used in the manage function to assist risk monitoring and response efforts. Framework users must continue applying the measure function to AI systems as knowledge, methodologies, risk and impacts evolve.14

Both the European Union and the United States are committed to a risk-based approach to AI to advance trustworthy and responsible AI technologies. Experts from the governing bodies of both are working on “cooperation on AI standards and tools for trustworthy AI and risk management.” They are expected to draft a voluntary code of conduct for AI that can be adopted by like-minded countries.15

Conclusion

By understanding the current limitations of human-AI interactions, organizations can improve their AI risk management. It is important to recognize that many of the data-driven approaches that AI systems use to convert or represent individual and social observation and decision-making practices need to be continuously understood and managed.

The AI Act proposes a risk-based approach to managing AI risk. It requires organizations that are providing AI tools or adopting AI in their processes to undertake an impact assessment to identify the risk of their initiatives and apply an appropriate risk management approach. High-risk profile AI initiatives should be mitigated with effective risk controls, which can be discussed and reviewed with similar industry groups that have common products or risk areas. This results in a positive outcome—development of voluntary industry-led codes of conduct that can support the risk governance of AI. This approach can also help spread the cost of regulation and oversight responsibility. The synergies achieved will benefit and protect users of AI.

With this strategic adoption of AI, efficiencies can be achieved that are not possible with human effort only.

Endnotes

1 McFarland, M.; “Tesla-Induced Pileup Involved Driver-Assist Tech, Government Data Reveals,” CNN, 17 January 2023
2 Dastin, J.; “Amazon Scraps Secret AI Recruiting Tool That Showed Bias Against Women,” Reuters, 10 October 2018
3 Tennery, A.; G. Cherelus; “Microsoft’s AI Twitter Bot Goes Dark After Racist, Sexist Tweets,” Reuters, 24 March 2016
4 The AI Act, “The Artificial Intelligence Act”
5 Vigliarolo, B.; “Stack Overflow Bans ChatGPT as ‘Substantially Harmful’ for Coding Issues,” The Register, 5 December 2022
6 Sharma, S.; “ChatGPT Creates Mutating Malware That Evades Detection by EDR,” CSO, 6 June 2023
7 Rees, K.; “ChatGPT Used By Cybercriminals to Write Malware,” Make Use Of, 9 January 2023
8 O’Neill, S.; “What Are the Dangers of Poor Quality Generative AI Content?” LXA, 12 December 2022
9 Van Rijmenam, M.; “Privacy In the Age of AI: Risks, Challenges and Solutions,” The Digital Speaker, 17 February 2023
10 Office of the Australian Information Commissioner, “Clearview AI Breached Australians’ Privacy,” 3 November 2021
11 European Commission, “Impact Assessment of the Regulation on Artificial Intelligence,” 21 April 2021
12 National Institute of Standards and Technology (NIST), Artificial Intelligence Risk Management Framework (AI RMF 1.0), USA, January 2023
13 National Institute of Standards and Technology (NIST), “Perspectives About the NIST Artificial Intelligence Risk Management Framework,” USA, 6 February 2023
14 Op cit NIST, Artificial Intelligence Risk Management Framework (AI RMF 1.0)
15 Staff, “EU, US to Draft Voluntary AI Code of Conduct,” The Straits Times, 1 June 2023

Adeline Chan

Leads risk management teams in assessing and mitigating risk and enhancing bank risk culture. She has implemented various risk frameworks for the cloud, SC ventures, operations and technology, and cybersecurity. Her focus is on creating business value and aligning risk management with business objectives. Previously, she led teams in business transformation and banking mergers. While managing project and change risk, she coached subject matter experts on organization redesign and achieving cost efficiencies. Her experience spans global and corporate banking, wealth management, insurance and energy. She is a member of the Singapore Fintech Association and the Blockchain Association Singapore where she plays an active role in the digital assets exchange and token subcommittee. Her social responsibility involvement includes volunteering for ISACA® SheLeadsTech (SLT) as a mentor to women in the technology sector and candidates looking to change careers to the GRC sector. She shares her professional insights through writing (https://medium.com/@adelineml.chan) and has contributed articles to ISACA Industry News and the ISACA® Journal.


AI Ethics can be Difficult to Control: ISACA Singapore’s Jenny Tan

Corinium APAC Content Director Vanessa Jalleh sits down with the President of ISACA Singapore, Jenny Tan, to talk about cybersecurity in the era of large language models (LLMs).

One of the biggest recent disrupters in the technology sector has been the emergence of mainstream large language models and the impact they are having globally on day-to-day life.

From universities unsure of how to regulate LLMs for academic writing, to Singapore’s civil servants being permitted to use ChatGPT in certain capacities, and Italy outright banning access to it, there have been numerous and different responses to the technology. From a security standpoint, there are a lot of risks around generative AI and how they will change the security landscape.

ISACA Singapore President Jenny Tan, who will be speaking at CISO Singapore in August, says there are some very clear information security risks involved with generative AI, particularly around deepfakes, data privacy, copyright issues, and cybersecurity problems.

“For example, attackers may abuse the technology to generate new and complex types of malware, phishing schemes, and other cyber dangers that conventional protection measures may not be able to detect and deal with,” she says.

“The challenges include inherent biases that generative AI produces, and a lag in tech understanding in this area to react in a timely manner with security controls to deal with the versatile output that generative AI produces, to cope with the emerging risks outlined above. And policies not adjusted in a timely manner to deal with this matter, especially in the education sector.”

While there are risks, LLMs do also present opportunities, which Tan believes will mainly surround productivity in coding, by serving as references, and perhaps creativity in designing products that generative AI gives rise to.

In terms of the ethical risks inherent in the adoption of new AI models, Tan believes this is a very important area to consider, but quite difficult to identify and control.

“The existing threats about generative AI leading to a higher volume of ransomware, phishing, and so on will peak as the technology matures over time and as human talents cannot catch up. I believe organisations have to revisit their risk appetite and tolerance considerations more regularly to assess their maturity in dealing with such risks,” she says.

Driving Cyber Deeper into Business

One of the strategy areas that cybersecurity leaders can find challenging is embedding more cybersecurity conscientiousness in more of the business.

One of the ways Tan says leaders can approach this is to embrace business language and the business’s way of thinking to drive more successful cybersecurity strategies, adding that there are three areas to consider when doing so.

“Training, to create more awareness of the business opportunity costs that not doing so will lead to,” she says.

“Secondly, security by design, to mandate that every digital or technological project will require security architecture and governance clearance prior to design, development and implementation.

“The third point is continuous monitoring, in order to deploy technology to assist in security monitoring and active incident responses that have a loop back to the business KPIs (essential to manage business behaviour for immature organisations’ control environments).”

Reactive and Proactive Shift

Shifts in culture and practices are always challenging. When asked for her best practice advice on changing from a reactive to a proactive approach in cybersecurity, Tan prefaced her answer by saying this is no easy task.

“First of all, changing the mindset of the board, management and the mass of employees takes time. Training is always the easiest route to create awareness, but the effectiveness is questionable as 90% of the attendees who walk out of any training will not retain or apply the lessons learnt,” Tan says.

“Cybersecurity is considered a compliance cost, and it’s not cheap. If every project has a cybersecurity cost component, like contingency cost, the cost may be passed on to consumers. I always advocate the concept of ‘combined assurance’ such as leveraging line 1 (management and users) and line 2 (risk and security), together with line 3 (audit) to transform the risk landscape.

“If GRC can be part of balanced scorecard and the tone at the top is right, then perhaps we have a chance to truly be proactive in cybersecurity outlook.”

During times of high risk, cybersecurity leaders will be hyper-focused on strengthening the overall security posture of their organisations, and Tan says one critical strategy is to cultivate individuals’ risk responsibility.

“With the acknowledgement of every individual in an organisation appreciating the implication of cyber risks on organisations and individuals, careless mistakes can be avoided. Applying continuous monitoring and posture assessment helps to re-calibrate every organisation’s capabilities to best mitigate such risks,” she says.


Heightened Human-centric Risk Assurance in Digital Era

Jenny Tan is currently leading a global internal audit practice, including IT audit, with a global real estate cum fund management MNC. Outside of work, Jenny volunteers heavily in the technology community space, where she actively promotes technology (including cyber) awareness and adoption to both business and IT professionals and organisations. She is currently the President of ISACA SG Chapter. She is the winner of the 2022 Top Woman in Security (SG & ASEAN), 2022 Women Program of the Year Award (Asia), 2021 Women in IT Outstanding Contribution Award (Asia) and is a 2021 SG 100 Women in Tech recipient. She has also received the Top 20 Cybersecurity Women in Singapore 2020 award.

With the lightning speed of technology and digital development, human-centric risk assurance should take priority in all business aspects. Contrary to what most management teams and organisations think, namely that after technology adoption and/or digitalisation risk management can be replaced by automation, I offer a different opinion on this matter. Granted, technology and automation can greatly complement the risk management effort, but they are not fool-proof. In this article, I hope to share some of my views to help organisations when they consider enhancing their risk management. And the best part is that adopting or adapting some of my recommendations requires zero external costs.

Despite the hot topic of machines and technology replacing human effort, everyone should take a deep breath, keep cool and step back to “truly see” the “digital landscape” holistically. Humans design, develop, implement and use these digital and technological solutions. Hence, there is talk about bias and ethics when rolling out the solutions, and there is negligence when using the solutions. The technology itself is not to be blamed. So, when one performs a risk assessment, regardless of the technology applied and/or deployed, human-centric risk-based controls cannot be ignored. After all, processes are initiated and effected by human resources.

Let us understand the simple human-centric risk assurance components that I’ve conceptualized:

Figure: human-centric risk assurance components (Developers, Testers, Users, Governors)

Regardless of component, the underlying issue across all of them is that everyone other than risk & compliance professionals fails to acknowledge that they are unaware of, or not receptive to, risk management. These groups of people assume that risk management is not their responsibility but that of the risk & compliance professionals. They have also stereotyped risk management as something that slows down their functional delivery. Hence, when each group of people carries out its responsibilities, only functional efficiency and effectiveness are considered. Risks are never incorporated in their discussions and project designs.

Developers – IT (including Vendors) and/or Citizen Developers: Several years back there was a great push for “Controls by Design” and “Security by Design”. These are approaches that developers can adopt to ensure vulnerabilities and risks are mitigated prior to roll-out; it is too costly to perform damage control post implementation. Unfortunately, many developers were never given the opportunity for technology risk training, which becomes evident when auditors talk to them. To make matters worse, the digital tools now available allow organisations to push for citizen developers, both to encourage innovation and to cope with the developer talent crunch. The design and implementation risks of such digital tool roll-outs are heightened because citizen developers are not trained to design, develop and implement solutions properly. Audit has discovered many issues relating to this matter, and of the many issues I’ve observed, the key concern is that the IT department was not aware of such developments in the various business units. The IT department cannot govern projects it does not know exist.

Recommendation 1-2-3: (1) Establish a project governance process across all organisational business units, under which all projects, regardless of whether they are IT- or Business-Unit-driven and whether they cost nothing or more, have to be registered with the Project Office before any project procurement commences. (2) Ensure mandatory targeted project training, including essential targeted ethics & security training, is received by the project design & development team members prior to project commencement. (3) Establish an information security policy that no unapproved freeware can be used for corporate projects.

Testers – IT and/or Business Users: Many audits of testing noted that poor test plans and test cases were used. The test plans and test cases were incomplete and not co-designed by business users, and the testers were not properly trained to perform the tests. If the project is IT-vendor led, most of the time the vendors want to close the project quickly and will push for test cases that may be “favourable” to their products to ensure a “pass”.

Recommendation 1-2-3: (1) Ensure the project plan has a proper testing phase that includes training the testers and the test case design effort. (2) Ensure that the mix of system testing, functional testing, user-designed test cases and vendor-provided test cases is not skewed, e.g. roughly 25% each rather than 90% vendor-provided test cases. (3) Ensure that, regardless of the methodology applied, relevant training is provided and documentation maintained, i.e. a scrum methodology versus a conventional software development life cycle will have different expectations. Tweak the test approach accordingly rather than “skip” it.

Users – Internal vs External: Data protection is key for users of any digital and technology solution. Data and information should be classified, and all internal users educated on their treatment. Internal users need to appreciate that corporate and personal information have to be managed with care and carry different consequences when leaked. The users involved in a leakage (which usually results from their negligence) will have to be held accountable. Who can have access to corporate and personal information has to be scoped out accordingly too.

Recommendation 1-2-3: (1) Establish a data usage and protection policy and ensure awareness of it among all internal users. Ensure vendors and external users have read your policy and acknowledged their adherence and responsibilities accordingly. (2) Conduct crisis management simulations and/or training for internal users using data leakage scenarios, and explicitly outline the sanction policy on such matters. (3) Periodically verify the strength of your external users’ and vendors’ control environments.

Governors – Board/Management: It is not enough to only talk about risks, and whether they are controlled at a reasonably acceptable level, at risk committee meetings. Risk management has to be a strategy that goes hand-in-hand with all other business strategies. When risk management is incorporated in the DNA of an organisation, it is no longer a perceived roadblock; it boosts outcomes. Much research agrees that deploying risk management as a strategy leads to positive business performance. Unfortunately, many Boards and Management Teams do not acknowledge that their risk management knowledge and risk responsibilities are lacking in some areas. The reality is that organisations that have risk and audit teams have much smaller teams compared to business units’ staffing, which is understandable. Hence there is all the more reason for Boards and Management Teams to be pro-risk (beyond a focus on financial risks only) and to incorporate risk management as a culture in all business dealings. In this way, risk and audit professionals can play their business partnering roles better and more effectively.

As outlined above, everything revolves around human resources. Training is key, but much training is not effective because it is not the right fit for the objectives that the trainees expect, or are expected, to fulfil in their tasks. And many trainees do not appreciate the training received and hence never apply the relevant knowledge at work, leading to repeated audit issues being noted. In addition, the recommendations listed above may seem easy to achieve, but in reality it is very challenging to execute them right.

Regardless of whether your organisation is deploying cloud, artificial intelligence or Internet of Things solutions, the above points remain valid. With technology, the impact of breaches can be fast and furious and can escalate into crisis mode in a very short time. To stay resilient, your human resources have to be trained and prepared to act accordingly. Tools cannot make their own decisions. Hence, human-centric risk assurance maturity becomes critical.

And perhaps it is also the right time to make risk management a component of organisations’ balanced scorecards. The scorecard metric should not be the number of audit issues, as this drives negative auditee behaviour. I suggest considering the scorecard from a collaborative effort perspective, e.g. the number of risk-related training hours clocked, the risk team being invited to at least 20% of project discussions, the audit team being invited to perform a readiness review of a key process, etc.

I strongly recommend that any organisation in this digital era (re-)emphasise its human-centric risk assurance effort, especially by starting with hiring right and (re-)starting a Code of Ethics awareness training programme. With employees encouraged to work creatively and flexibly, the grey area has sometimes widened, and this can cause organisational damage in many different ways. I am confident that should this concept and these recommendations of mine be implemented right, fulfilling ESG & Sustainability mandates becomes natural and the incremental effort minimal.


FY2023 SLT Conversion Programme Closure

The highly anticipated SheLeadsTech FY2023 Conversion Programme – Training Phase Graduation took place on 29 May 2023 at CapitaSpring. This momentous event celebrated the successful completion of the program’s second cohort training phase and marked a significant milestone in promoting diversity in the tech industry.

The event commenced with a warm welcome address by Jenny Tan, the ISACA Singapore Chapter President. Jenny introduced the event and provided a recap of the program’s objectives. The primary aims of the SheLeadsTech Conversion Programme (SLTCP) were to encourage more women to venture into the tech space, bridge the talent gap, and support national initiatives.

Over the past 2-3 months, SLTCP trainees underwent intensive training that encompassed a wide range of soft skills and knowledge-based workshops. These workshops were designed to equip them with the essential tools and expertise required to thrive in the tech industry. To assess their understanding of the topics covered, they also underwent tests and completed homework assignments, ensuring a comprehensive grasp of the materials.

The training phase encompassed crucial Tech GRC topics such as IT Audit Methodology and Process, Planning and Execution, Governance and Management of IT, and many others, as well as emerging technologies like AI Governance and Ethics. In addition to technical knowledge, the program emphasized the development of soft skills, including change management and design thinking, among others. This holistic approach prepared the trainees for multifaceted challenges and enabled them to become well-rounded professionals.

A notable aspect of the SheLeadsTech Conversion Programme was the mentorship component. Each trainee was paired with a mentor who also served as a SheLeadsTech ambassador. These mentors provided invaluable guidance, support, and insights. Their dedication to nurturing the trainees’ growth was sincerely acknowledged.

The event also provided an opportunity to express gratitude to the corporate partners who played a pivotal role in making the program a resounding success. Schneider Electric, Deloitte, RSM, CheckPoint Security, Assure IT, Ernst & Young, Ensign InfoSecurity, PulseSecure, and KPMG were thanked for their support.

The training and outreach partners, TTAB, e2i, and CSA Singapore, were also recognised for their contributions to the program’s success.

Heartfelt appreciation was extended to all the volunteers who dedicated their time, skills, and energy to make the SheLeadsTech Conversion Programme possible. Their selfless contributions and commitment to empowering aspiring tech professionals were essential in creating a supportive learning environment.

An inspiring highlight of the event was the motivational talk delivered by Ethan Seow, the CEO of the Centre for Cybersecurity. Ethan shared his remarkable career trajectory, from being a medical student to discovering his passion and purpose in cybersecurity. His talk, titled “Restarting One’s Career: How to manage deep and complete change in one’s career,” emphasized the importance of humility and collaboration in finding meaning and fulfillment in one’s work.

Photo featuring Ethan Seow, CEO of Centre for Cybersecurity. Picture credit: Ho Si Hao

The event continued with the eagerly anticipated announcement of attachment placements. Trainees were geared up for their upcoming three-month internships with corporate partners in the Tech GRC sector. This invaluable opportunity will allow them to apply their newly acquired skills and knowledge in real-world contexts, further enhancing their growth and development.

The trainees were also presented with certificates, symbolizing their successful completion of the training phase. Their fellow trainees offered words of encouragement, fostering a sense of camaraderie and celebration of their collective achievements.

As the event drew to a close, an exciting announcement was made—the recruitment for the FY2024 SheLeadsTech Conversion Programme would commence in October 2023. This announcement sparked anticipation and served as a reminder that the program’s impactful journey to promote diversity and empower future tech leaders would continue.

Author: Clarissa Goenawan, 4 June 2023



Digital Transformation: An Opportunity Or Nightmare To Risk Management

Jenny is currently leading a global internal audit practice, including IT audit, at a global real estate cum fund management MNC. Outside of work, she volunteers heavily in the technology community, where she actively promotes technology (including cyber) awareness and adoption to both business and IT professionals and organisations. She is currently the President of ISACA SG Chapter. She is the winner of the 2022 Top Woman in Security (SG & ASEAN), the 2022 Women Program of the Year Award (Asia), the 2021 Women in IT Outstanding Contribution Award (Asia) and is a 2021 SG 100 Women in Tech recipient. She has also received the Top 20 Cybersecurity Women in Singapore 2020 award.

Digitalisation or Digital Transformation has become the buzzword in the corporate world for keeping up with business evolution, in the hope of gaining a business advantage if the transformation succeeds. There is nothing wrong with embracing transformation. However, there is something wrong when such initiatives are not handled correctly or do not fit the organisation, and are treated as a quick fix rather than approached from a sound strategic perspective.

While more people are starting to understand what digital transformation and digitalisation entail, there is still common misunderstanding of these two terms, and they are often used interchangeably. I often stress to my audience that understanding the definition of any term is very important, as it sets the context for applying the right knowledge treatment and enables clear execution, avoiding unnecessary use of resources (including costs).

Researchers characterise “digital transformation” as a major organisational change driven by or enabled by digital technology, altering how business is conducted, whereas “digitalisation” is about leveraging digital technology to change socio-technical structures (Karen Osmundsen et al, 2018 [1]). If there is no organisational change and no socio-technical structural change, then the initiative is only “digitisation”. Socio-technical structures can be explained in two parts: “socio” refers to the social aspects of the structure (human interactions, relationships, norms, etc.) and “technical” refers to the technology, tasks, routines, etc. (Karen Osmundsen et al, 2018 [1]). Hence, “digitalisation” is a subset of “digital transformation”.

As the definitions above make clear, when an organisation undergoes either digitalisation or digital transformation, structural changes happen. When there are such changes, processes change, and hence existing risks may change and new risks may be introduced. During such times, a pro-governance organisation will treat this as an opportune time to fix its risk management processes and reach a better risk resilience position. Other organisations would ordinarily just let the project teams run on their own, and risk considerations are often the last priority, since business users conventionally treat risk management as an efficiency roadblock.

Personally, I believe that “Digital Transformation” or “Digitalisation” can be the right moment and the right opportunity to enhance an organisation’s risk management processes. The following are some key reasons why I believe so:

  • There is a budget! Yes! It is rare for an organisation to set aside a large budget to implement a project. With a good budget, many considerations can be included, including risk management. There can be a risk pillar in the project in which a risk specialist (in-house or externally engaged) is involved and participates in the end-to-end project.
  • Mindset shift! Surprisingly, people suddenly become very open-minded when embarking on a transformation project. The key stakeholders tend to be willing to accept new ideas to ensure their project is a success, and hence are willing to apply different “lenses” to view risk and risk management. This is a good time for the risk specialist to advocate the changes needed, especially where existing risks have changed form, and to take the opportunity to re-perform a risk assessment exercise, including a business continuity planning (“BCP”) exercise.

Note that a risk assessment exercise measures business risks while the business is operating, whereas a BCP exercise measures business risks when the business is down and undergoing recovery. The two exercises look at risks from different angles, and neither can be underestimated. Covid, as a pandemic BCP risk, has taught many organisations the hard lesson that their recovery processes are inadequate. Most, if not all, of the controls mitigating the identified risks were ineffective, because most risks were not thought through deeply at the point of BCP risk assessment and BCP procedure design. A very typical example of enterprise risk versus BCP risk is the backup control. Enterprise risk identified that a backup control is essential to mitigate the risk of data loss and to support business operations continuity. The backup control follows the backup policy of, say, a weekly backup frequency. In the BCP exercise, the same system owner assessed that the function can only afford to lose up to 3 days of data. But the backup policy and backup control allow for a loss of up to 7 days. So there is a gap here. Many IT and business owners did not realise that they had not considered risk and control design from an integrated risk approach. To be fair, while enterprise risk management and BCP overlap, different skillsets are needed to conduct the two exercises. Hence, the control gap cited in this example is a common finding.

  • Resilience is the new risk focus! Most organisations have experienced Covid and hence will better appreciate the importance of being resilient. Resilience requires an organisation to be self-sufficient and agile, but it also means its supply chain has to be equally strong. With digital transformation or digitalisation, organisations have to be very attentive to their asset (information and physical) protection strategies. Hence, physical and information security (including technology risk management) will gain attention from the Board when they consider their risk responsibilities.
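The backup gap described above (a weekly backup policy against a 3-day tolerable data loss) is one instance of a reconciliation check that can be run across a whole system inventory. The following is an added example, not code from the article or from ISACA; the system names, frequencies and tolerances are constructed, and the rule that worst-case data loss is bounded by the most frequent backup job is an assumption stated in the code.

```python
from dataclasses import dataclass

# Worst-case gap, in hours, between the last successful backup and a failure
# for each backup frequency named in a backup policy (assumed mapping).
FREQUENCY_HOURS = {"hourly": 1, "daily": 24, "weekly": 24 * 7, "monthly": 24 * 30}


@dataclass
class SystemRecord:
    """One system as recorded in two separate registers: the backup policy
    (enterprise risk control) and the BCP assessment (owner's loss tolerance)."""
    name: str
    backup_jobs: list          # frequencies from the backup policy, e.g. ["weekly"]
    max_data_loss_hours: int   # tolerance the system owner stated in the BCP exercise


def delivered_rpo_hours(jobs):
    """Worst-case data loss the schedule can deliver. Assumption: it is bounded
    by the most frequent job, since a daily incremental narrows the gap left
    by a weekly full. No job at all means the loss is unbounded (None)."""
    if not jobs:
        return None
    return min(FREQUENCY_HOURS[j] for j in jobs)


def find_control_gaps(systems):
    """Return {system: (delivered_hours, required_hours)} for every system whose
    backup policy cannot meet the tolerance recorded in the BCP exercise."""
    gaps = {}
    for s in systems:
        delivered = delivered_rpo_hours(s.backup_jobs)
        if delivered is None or delivered > s.max_data_loss_hours:
            gaps[s.name] = (delivered, s.max_data_loss_hours)
    return gaps


# Constructed sample registers (not taken from the article).
SAMPLE_SYSTEMS = [
    SystemRecord("billing", ["weekly"], 3 * 24),        # the article's gap: 7 days vs 3 days
    SystemRecord("crm", ["weekly", "daily"], 3 * 24),   # daily incremental closes the gap
    SystemRecord("hr-portal", [], 7 * 24),              # never backed up: always a gap
]

if __name__ == "__main__":
    for name, (got, need) in find_control_gaps(SAMPLE_SYSTEMS).items():
        print(f"{name}: backup policy delivers {got}h, BCP requires <= {need}h")
```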

On one hand I do believe that the opportunity to enhance risk management is great and is available, but on the other hand, I am also aware that most organisations are not handling “digital transformation” or “digitalisation” right, and hence are making them a nightmare for risk management. The following are some key issues I see that lead to the “nightmares”:

  • Data owners misunderstand their risk responsibilities. Most such projects end with cloud solutions. Data owners think that since they have outsourced their function, processing capability and data storage, they are not responsible for anything that may happen to their data and/or their cloud service providers (“CSPs”). This is often a nightmare because the Information Technology (“IT”) and Information Security (“IS”) departments are neither informed of nor involved in the business project.
  • Data ownership and data governance. In a digital ecosystem, data is mobile and fluid. It may reside in many applications, which may or may not be controllable. The understanding and appreciation of data governance risks is usually immature or inadequate. Hence, data governance is often not part of the project’s consideration and is left as an after-implementation consideration. There are many regulatory, reputational and technology risk implications in digital transformation or digitalisation projects. When no data owner is identified, no one takes responsibility.
  • Cybersecurity risks. You need to leverage technology to achieve your digitalisation goals, and you may deploy emerging technologies too. Hence, new cyber risks are introduced. From my experience, a failure to inventory the projects and their respective components (both hardware and software) is a common gap that hinders the timely and accurate implementation of cybersecurity controls. In addition, the cybersecurity talent gap is large, and hence organisations may not be able to address these risks in a timely manner.

Research by Martens et al, 2022 [2] has also indicated that Digitalisation and Digital Transformation are a double-edged sword for risk management and governance approaches. Studies have indicated that despite the popularity and familiarity of digitalisation and digital transformation projects, many such projects failed. They failed because they did not understand the business problems well, they underestimated the influence of corporate culture, they set the wrong KPIs, they did not cost the project correctly, and they suffered from poor leadership (Ali Alkhafaji, 2021 [3]). All these failure indicators touch on many risks associated with such projects and tilt them more towards risk management nightmares.

In conclusion, I personally feel that we should not be discouraged by the failures. Transformation is a journey. Let the failures be our lessons learnt, and avoid repeating them in your (next) transformation project. Risk professionals should seize the opportunity to capitalise on such projects to promote good risk management practice, and not take a back seat. Everyone should understand that collaboration is important in risk management: regardless of which role you hold now, everyone has risk responsibility, and everyone’s common goal is to ensure the interests of the company are looked after.