My Cybersecurity Career > Cracking Code

Recently, I was at the Singapore Airshow to showcase what my firm offers in terms of cybersecurity solutions contextualised to the aviation market. Being a trade show, I was privileged to have met many different partners and stakeholders who would otherwise communicate with us typically via teleconference calls.

Being the first huge trade show I attended since the pandemic (the Singapore Airshow in 2022 was a far cry compared to this year’s edition), it definitely made me think about some questions about how bright Singapore’s star is in the aerospace sector. Some of these thoughts are translatable to cybersecurity careers.

Singapore will not, and cannot be a low cost country. Business in Singapore must always be about providing value-add in a product, or service that others cannot identify or execute.

As a country with limited resources, there is a limit to which Singapore-based firms can cut costs in-country. But other countries can do this better than us simply because of better economies-of-scale.

Singapore does not necessarily have a choice in this matter. While there are options, the most appealing and politically sustainable solution is to stand on our two feet to earn our own keep, and show that Singapore has unique selling propositions. While survivalist, only a strong value proposition will enable Singapore to be able to be relevant, stay relevant and “be at the table, and not on the menu”, in the words of the late S. Jayakumar. But what does value entail?

Value is not simply hard technology, but also soft skills like asking questions that showcases our understanding of stakeholders, and illustrating our cultural sensitivities through knowing the language and socio-political situation in the places we do business in.

Often, in the technology sector, people believe that value is largely derived from the technology itself. For instance, years ago, there was a “quantum rush”. Every business somehow had to decide to add the word “quantum” into the products they were selling claiming they were “enabled by quantum technology”. Other buzzwords came up, including “AI”. There will be no exception to the speed of buzzwords being generated to attract eyeballs.

But this approach misses the point. Technology must ultimately serve humans and solve human problems. But humans have subjective views over what they believe their problems are due to their lived experiences, the environments they grew up in, and the extent to which they believe a certain problem is important to tackle. In my own line of business, i.e. cybersecurity, this is evident in how different the maturity level of various organisations are in terms of their cybersecurity journey. Selling them an “AI-powered content scanning solution” would likely fall on deaf ears in a business pitch.

Value is also derived from our soft skills.

I experienced this personally in the Airshow. Given that the Airshow attracts many foreign dignitaries, there are many who will come from different parts of the world. While English is indeed the international language of administration, it is not always the most comfortable language for our counterparts. For the first time in years, I had to switch to Mandarin extensively when speaking to Mandarin-speaking customers (and even add in a few references that I understand some of their concerns). Once I switched to a few words of Mandarin, their eyes lit up. It felt as if a glass barrier between us was broken; I was a part of their world and more of a friend to them, explaining to them how my organisation can help their organisation uplift their cybersecurity posture with the tacit understanding that I understand them and their culture. Language commonality is immensely powerful, and the late Lee Kuan Yew’s views on bilingualism struck me post-Airshow; I heaved a sigh of relief I could still remember some of the Mandarin I learnt even though I did not do well for the exams.

Here, the value proposition is simply the fact that they know I can help translate “Western thinking” to “Eastern thinking” through understanding the language. But let me explain more on value, before moving onto what these mean for Singapore.

Someone will eventually claim that the value we provide in Singapore can be done in a cheaper way. We must know when to provide new value as opposed to flagging a horse simply because said horse was our “comfort zone” for years. We must keep adapting to the speed of global innovation. Bonus points if we can define some part of it.

Times change. Singapore used to emphasise different industries in her formative years. Initially, Singapore focused on industralisation up till the mid-1970s, where Singapore then moved towards higher-value economic activities. In the 1980s, Singapore was the world leader in the manufacture of hard-disk drives1. But this title was taken away in 2005 by Thailand2. In 2009, Seagate shut its manufacturing plant in Singapore3, and in 2022, Western Digital downsized its HDD production capabilities in Singapore, preferring to split it between Singapore and Malaysia4. If you were the Singapore Government in between 2009 to 2022, what would you have done to deal with the layoffs of workers in the hard disk industry?

Just as there were crests and troughs in the hard disk industry, the same will happen in other industries once another country finds a recipe to perform the same task more cheaply. While Singapore has managed to obtain high-value work such as the manufacture of the latest Rolls-Royce Trent XWB engine5, such fruit may not be harvested by us forever once other countries level up in precision manufacturing and assembly capabilities. When such a time comes, we will once again be confronted by the question on whether protectionism reigns, or that we find the next better high-value target to learn, master and execute at scale.

But is Singapore doomed?

Singapore has the right ingredients to provide value. We must build on our mindset. Learn more about ASEAN, perhaps revisit our mother tongue and learn it well, not just from a language perspective but cultural perspective. Know that training also goes beyond hard certifications, but soft skills like being able to read the room, listen to key details and then showing this through maturity of conversation.

Singapore’s survival thus far has been determined by our own tenacity and our willingness to defy the odds of history. To that end, there have been a variety of controversial governmental policies being introduced, such as the bilingualism policy that is now being viewed as the cause of the erosion of the diversity of Chinese culture that was broadcasted through media in dialects. Another controversy was the “6.9 million” population target that suggested a view on how Singapore’s population was likely to evolve over time given a liberal immigration policy.

The political realities are here to stay. It may not even be a certainty that the migrants who used to view Singapore as a highly favourable destination for work continue to think of it as such with the rapid development of other cities in other parts of the world. But years of institution-building in Singapore have led to us having some important ingredients to succeed in delivering both hard value and soft value.

Generally, Singaporeans have better reading, mathematical and scientific skills than contemporaries in the region6, providing a good foundation for further study, especially into complex contemporary subjects such as machine learning. But beyond just mastering the craft, Singapore is also a highly trusted country with regards to our ability to bring regional partners for collaboration.

This is where I felt the bilingualism policy had saved me. A few years ago, I tried to learn Malay with my friend, thinking that a study buddy was all I needed to practice with and learn a language. That did not work out, and my command of said language is still “tidak bagus”. But being forced to learn Mandarin in school made me at least conversant enough to speak to counterparts who all understood Mandarin. Being able to tell them about my little knowledge of Deng Xiaoping’s economic liberalisation policy (as opposed to beginning the conversation about say, the Cultural Revolution), or the existence of “三立台” would at least suggest some understanding of China and Taiwan.

But I confess to still be a poor student of ASEAN. While I have friends in Malaysia, Indonesia, Thailand and Vietnam and have visited these countries at least twice each in my life, I am still humbled each time I learn about new islands in Indonesia, or how the Vietnamese have improved in technical prowess. I know about our other ASEAN members even less beyond reading the biggest piece of news about their territories every now and then.

What do all of these have to do with my own cybersecurity career?

In one paragraph: a cybersecurity career is just like a technology one: we exist to support businesses, who in turn solve a human problem. An effective cybersecurity programme comprises of people, processes and technology. As I continue developing and understanding more about my industry, I have started understanding how there can be so many different ways one can view cybersecurity issues because of their prior experiences. Some of us may be earnest students but still fail to grasp these points. We can help them by levelling them up. But being prescriptive is not the first step.

Trust-building is, and building of trust revolves mainly around soft skills. A simple business saying goes: people must “know you, like you and trust you” before anything can be discussed. This is especially true for an industry as critical as the cybersecurity one, where the risk of an untrustworthy vendor or consultant can be extremely damaging (e.g. data loss in less extreme cases, possibly the closure of a company due to egregiously bad cybersecurity advice). In the technical world, we sometimes lose sight of the broader picture: beyond compliance and regulations, beyond technical know-how, we must first be able to believe the other party can, in fact, be kept to their word not to abuse the high levels of privilege provided to said party to perform tasks such as authorised penetration tests (i.e. legal hacking of systems by white-hats), architecture review requiring comprehensive disclosure of network topology and data security, requiring understanding exactly what is collected, as well as how and where said data is stored.

But I did not write this to believe I know a lot. In fact, I have not managed to write a long blog post on cybersecurity in quite a while. To me, I use writing as an opportunity to think through some of the issues I think about, and share them in the hope to elicit discussion, and perhaps also find learning opportunities through some of the comments that might emerge if you manage to finish reading this long-form article!

  1. ↩︎
  2. ↩︎
  3. ↩︎
  4. ↩︎
  5. ↩︎
  6. ↩︎

Leave a Reply

Your email address will not be published. Required fields are marked *

three + 16 =