Hi Emilie, what do you do and what brought you to Singapore?
Hi the French Tech community! I am responsible for all internal cyber security matters for PwC in Singapore and Myanmar. Our team’s job is to secure and protect our company from external and insider cyber threats. I joined the cyber security field directly after graduation and started as a VIE within Societe Generale in London.
We decided to move to Singapore from London a few months after our son was born. Asia is very appealing with its fast growing economy. Moreover we have family living in Singapore and they told us about the outstanding the quality of life here. This personal decision was made during my maternity leave. First, I was first uncomfortable requesting it to my manager. But he happened to be very supportive and even offered me an opportunity with more responsibilities in Singapore.
When I joined PwC, it was more for this manager than the company itself. I think this is crucial to follow a great leader at the beginning of our career. Sadly moving to Singapore meant leaving his team. Now it’s my turn to develop opportunities for my team here. Few months after our arrival in Singapore, my husband joined a London based startup, working remotely from our neighborhood coffee shop! Moving abroad can bring opportunities to our partner to change industries.
As head of Information Security, what are your responsibilities and challenges?
My role is to focus on ensuring confidentiality, integrity and availability of our data, known as CIA triad for our clients data and internal data. Regardless of where our collaborators are working from, we need to maintain these standards. So I supervise tools implementation consistency, policies consistency across Singapore and Myanmar despite differences in local regulations can sometimes be a challenge which we overcome by tailoring specific configurations, hosting and access controls among other components.
First objective when I joined PwC Singapore was to set up a new internal cyber security team. Currently, my main priority is to provide a better visibility for our leaders and increase engagement with our business. Main initiatives are :
Discuss cyber security strategy with the executive management and set up a cyber security committee involving various key stakeholders such as CIO, CRO, legal, Cyber partner and DPO
Create KPI/KRI for management to understand monthly information security postures and make data driven decisions on cyber risk.
Set up cyber attack simulation sessions for the management team focusing on what could be the upcoming challenges and possible outcomes
Increase understanding on how security risks can impact our business using layman’s terms to make it more accessible.
Create a continuous learning framework for all the employees through Cyber Booth, classroom training, posters, videos through the office, interactive e-learns, phishing exercises, goodies, etc..
What I like is that each day brings its variety of challenges. For example in a day I could be working on responding to address security incidents, train our managers and staff on how to recognize and react to cyber threats, as well as working with our practice to help review the security of a new solution they want to use. One major objective is to ensure cyber security is part of the company culture from juniors to senior staffs.
Here are the fundamentals yet simple awareness messages we continuously spread and repeat: – Patching: Ensure to update your mobile applications and OS as soon as a new version is available as well as any software update required by the company. Earlier this year, vulnerabilities were found in Facetime (access to your phone audio) and WhatsApp (access to all messages) ! – Phishing: Always check the sender email address for suspicious emails with links, attachments or requesting urgent actions. More complex attacks exist but numerous phishing emails will be using tricky emails such as email@example.com. Also get the reflex to hover your mouse over the web link to check where the link is redirecting you. Finally suspicions emails need to be transferred to the security team for further analysis. Be also cautious of the increase number of SMS phishing. – Social Engineering: criminals are often good social engineers, meaning they do pre-work before sending out a phishing emails, always be wary when you are sharing information (public space, public wifi)!There are great pretenders out there using Vishing attack (Voice + Phishing). Confidential information should not be shared during unexpected calls. Caller claiming to be from our company should be called back using their official number from our address book.
My next short term focus is to upskill the cyber team on emerging technologies such as Artificial Intelligence, Robotic Process Automation, blockchain… Understanding those new technologies is key in our constant need for relevant and valuable security requirements. Moreover this allows us to embrace new technologies in a more secure manner.
We are often hearing there is a lack of cybersecurity professional. Do you share the same view and what skillsets are you looking for when hiring ?
Skill gap is a significant challenge in this industry, from a recent ISACA study, there are 58% of unfilled cybersecurity positions. Demand is booming, cyber threats is becoming a priority for CEOs, and we can see worldwide, a wave of cybersecurity legislation enforcement being issued by regulators. But there is a shortage of cybersecurity skills worldwide even with the recent increase of industry and academic program – the first cybersecurity master in France only appears in recent years.
When hiring, skillset requirement will depend on each role but while technical skills are important, the right mindset is fundamental. We need excellent team players, curious to constantly learn new skills, result oriented and positive! Our team is made of people with diverse backgrounds from economics to philosophy. I think our job needs this diversity to be able to fully address data protection from multiple angles.
People commonly associate cyber security with IT but this field covers numerous other activities which does not requires technical knowledge, more oriented business and risk. Here is a good overview of cyber security scope.
Is your cyber security team viewed as the police or doom managers by your colleagues?
While our main objective is to be seen as a business enabler, I have to admit that when some security controls prevent our staff from using our corporate network like their personal one, this does not indeed contribute to our popularity! Today technology allows us to work from anywhere at anytime, and there are many grey zones between professional and personal usage. That being said, user experience is a strong consideration within our company and any UX impacting decisions will be reviewed with the management in order to find a balance between security and business need.
Sometimes we can be badly perceived if we are involved too late in the discussion. In this case, security could really become a showstopper for business deliverables. This is applicable for any company. It is fundamental to have the security team involved in projects as soon as possible in order to enable a fast and secured project deployment. The latest the security team is being reached out to, the more complicated this becomes to ensure project delivery in a timely manner.
A top-down and regular management communication is crucial to engage staff support. Data security needs to be part of the company’s DNA and be perceived as a business facilitator rather than the the policeman. In PwC Singapore, we work closely with our staff and partners thanks to management drive, continuous communication and cyber awareness workshops.
How dare you to be women in cyber security?
How dare you asking me the question? 🙂 It is a challenging sector, I love being surrounded by passionate people like geeky ethical hackers, VCs who will know new products available on the market, or business partners eager to leverage some of our solutions to answer our clients needs. “Is there enough women in Cyber?”, definitely not. In my department we are closed to gender parity knowing that my only recruitment criteria remains competency and behaviour. This is unfortunately not the case everywhere. Last month (ISC)2 study revealed that women only represent 24% of the global cybersecurity workforce. Personally, from engineering school to being in the cybersec industry, I am used to work mainly with guys. I have so far been surrounded by great people and I don’t really feel a difference of being a woman when interacting with my colleagues or peers. That being said, when you realise that you are the only woman in the room in a meeting or at an event, then you start thinking about the lack of women in this industry. From my experience, there were much less girls interested in studying IT (studying infosec was not even an option). So I think education and woman experience feedback should be promoted at highschool level. Apart from the different perspectives women can bring, it would just be nicer for everyone to have more gender diversity in the room!
What do you do to bring more diversity ?
We never do enough to bring more diversity into this “Tech” world. Culture wise, my team is quite diverse with four different nationalities and coming from different backgrounds from studying actuarial at LSE to one of the first infosec staff of Starhub ! Also, I have recently joined several cyber security initiatives in Singapore: ISACA, Women in Security led by Magda Chelly and recently the French Tech Cyber Chapter,also led by two women! Joining those infosec groups is a way to encourage more women to join this fun cyber world.
Otherwise I invite anyone, men or women to join the Lean In community, which is led by Sheryl Sandberg (Facebook COO) and to read her book “Lean In” as it gives practical advice on how to cope in your professional and personal life. One point she is raising is that women actually tend to have the “Queen B” syndrome, meaning once they succeed to reach a certain professional level and are often the only woman in the group, some will not be enthusiastic to lose this “only woman” status and might be less supportive and welcoming than the rest of the team. We need to help each other much more to reach better gender balance in our industries.