Mohammed Noordin Yusuff Marican was a typical young boy in Singapore in the 1980s. He was always out playing football and hanging out with his friends. “I was never home.”
But when he received his first computer at age 12 – a 486 – he embarked on a path that would eventually be his life’s work. Eagerly he absorbed what there was to learn about DOS and programming languages: Turbo Pascal, C, C++, Java.
There was no Internet yet at the time, but there was BBS – bulletin board service. “I found a lot of security tools there. That’s what got me interested.” When the Internet came, he looked at security websites and learned about hacking tools.
Such curiosity led Noordin, now the CISO of NTUC Link – the consumer loyalty program under the National Trades Union Congress umbrella of social enterprises – to pursue a career in security.
“The funny bit is that during my time, no one wanted to hear about security. Now everyone wants to hear about it.”
Eyes on the goal
Noordin’s first job was with the Singapore Police Force, where he was assigned to the IT Security Department. “I was the principal coordinator for the computer security incident response team. That was a lot of groundwork, hands-on work, basically trying to understand the system.”
While serving in the police force Noordin took up various certifications – he became a certified information systems auditor, was certified in information security management, and earned his master’s degree in security management.
“At that point I was very junior in my career. I had my career goals that I wanted to achieve.”
After five years, he left the Police and started working with Ernst and Young, where as an external consultant he did work for many clients in different industries. “I got to understand the various businesses pertaining to how the various IT functions in different industries actually work, and security controls pertaining to each of the business environments. Because these environments work differently.”
External consulting allowed Noordin to observe diverse business environments, but in his subsequent role at Barclays, he crossed over to an internal role. “I had local and regional responsibility pertaining to IT audit and security across the various offices.”
Thus he was able to appreciate how security worked both from outside and inside organizations. He brought this knowledge to Qatar, where he worked for five years and where his biggest challenge was working with colleagues of 37 different nationalities.
“The work is the same, but the culture is different. You had to adapt.” When he got the hang of the diversity, work became fun. “It was a good environment to be in. I had supportive colleagues, bosses, the management was fantastic.”
He returned to Singapore, however, because his kids were growing up. He took a job at KPMG. Here he was able to apply his unique external-internal perspective in security work. These days at NTUC Link, Noordin enjoys a similarly dual role – in cybersecurity and in infrastructure. He heads a team of 15.
“I chose to join NTUC Link which prides itself on being an organization that values security in order to maintain the trust that its members and merchants place in it,” he says.
A holistic, strategic view
A good CISO needs to understand the business, first and foremost. He or she must know the operating environment, including the technicalities, and how security helps in the business. “Security has to be aligned to business objectives,” Noordin says.
And then, the CISO should be able to communicate effectively with the various stakeholders on how security should be embedded in the process.
“Security shouldn’t be working in silos. Security should be working with the business. At the end of the day I believe that security helps the business maneuver various obstacles and to achieve its organizational goals.”
What will the future look like in cybersecurity? Noordin anticipates several trends. Foremost, phishing attacks will become even more prevalent, and organizations will have to realize that the human element is the “number one key weakness in cybersecurity.”
Second, malware is going to get even more advanced. Organizations will be at greater risk if they do not implement complementary security measures. “There needs to be a prevention-detection-response-recovery mechanism in place within the organization. These have to be working together, and cannot be working in silos.”
Third, the targets of DDoS attacks will increasingly be organizations which are national icons. “Attackers may want to try their luck here because if they are able to bring down these organizations, that will have a national impact. That is something they can put in their credentials.”
Finally, there will be more attacks exploiting vulnerabilities in IoT devices.
What can be done? The answer could be simple and basic. “Patching is basic security hygiene. But it is still not being done religiously.”
Not all organizations have deep pockets to implement security controls. “There needs to be a form of prioritization,” Noordin says. That prioritization comes down to business risk.
Again holistic thinking comes into play. “At the end of the day the operating environments are all different. Businesses work differently, and the abilities and skill sets of various personnel are different. The prevention-detection-response-recovery measures have to be complementary.”
Finding a home
Noordin has been in cybersecurity for 17 years, but he does not feel the years: “There is always something new, there are always opportunities.” It is not difficult to imagine him sticking to his career path. “This is what I do, what I am comfortable in.”
At 40, he tries to keep fit by going to the gym and playing soccer with his friends. He rides his motorcycle. “I’m pretty adventurous,” he says.
Cybersecurity does take up a lot of his time, but unlike in his younger days when he was never home, now Noordin tries not to work long hours so he can enjoy the company of his wife and two children.
“It’s a bit of a happy kind of stress.”