Category Archives: Information security strategy

Singapore on StackOverflow


Everyone is buzzing about big data these days.  Without something interesting, I would rather be a reader or an audience. Until now, while I am doing my own website researches, I have noticed something which you may like to know too.

As IT geek coming from Hong Kong and working in Singapore, I can’t remember how many times I was asked “How Singapore is different from Hong Kong?”. There are many similarities between these two ex-British colonies in Asia. People like to compare and contrast both economies on their business readiness, innovations and productivity. In many city indexes, Singapore and Hong Kong are often competing.

After living in Singapore for over 2 years, I usually answered the question more based on my own observations and experience.  For people who is more interested in food, I can talk about the difference in food in the two places.  For someone who cares more in politics, I can talk about the difference in the election systems.  So, in the context of IT industry, “How Singapore is different from Hong Kong?” Which place is having a better competitive edge? Which will better leverage IT advancements to support economic growth?

I have gotten the opportunity to meet with IT professionals from both the public and private sectors in Singapore. Singapore Government dedication and investment on technology is impressive. We see many projects (some experimental) to reinvent this city state. Industry associations like Singapore Computer Society and SITF are working hand in hand to build the competitive edge of Singapore in the IT arena.  However, I am not a PR consultant and should dig deeper. With my IT engineering background, I am trained to be fact-based. So, instead of settling with a conclusion based on what I experienced or how I felt, I would like to finalize my conclusion with hard fact: Data!

So, I turn to, which is a website that tracks Internet usages and ranks websites in each region or country. The ranking of website reveals how netizen surf Internet which tells a lot of their digital life and thus indirectly on digital economy. From there, I looked into the Top 100 websites in Hong Kong and Singapore listed in Alexa website.

First, it stunts me when I see StackOverflow ranked 37th in SG but 57th for HK. This difference tells something about IT industry in two very economies. is the most popular website for programmers globally. Developers and technical professionals share their knowledge via forum-like platform. I myself find it most useful for undocumented features of programming languages & APIs. You don’t spend time on StackOverflow trying to find next hotel deal or sangria receipt. Developers spend time on StackOverflow exchange ideas and share bug-killing joys.

When StackOverflow ranked higher in SG than HK, we may loosely read that the percentage of time SG people collectively spend on developing software is more than HK (i.e. bug killing is more popular in SG). Yet, I believe it is more likely that SG has more developers or SG developers are more hard working!

Absolute ranking in Alexa maybe affected by seasonal or other technical issues, it may not paint the true picture. To avoid such bias, let us use relative ranking, i.e. the distance between Stackoverflow with other popular daily websites (I have chosen online banking and local newspaper). Let us throw in some simple chart here.

Screen Shot 2015-11-29 at 6.12.38 PM

Left hand side  shows SG ranking of Online Banking (DBS.COM.SG), Local Newspaper ( and StackOverflow-SG. Right hand side shows HK (HSBC, and StackOverflow-HK.

A shorter distance between popular websites and StackOverflow reconfirm our observations with absolute ranking. Singapore netizens are more geek! Or, Singapore geeks are more active on the geek-forum! More time are spent on analyzing IT and killing bugs. Just a caveat though: StackOverflow is mainly English, Hong Kong developers may prefer similar forum in Chinese.

Screen Shot 2015-11-29 at 5.28.34 PM

When double check with StackOverflow own 2015 survey, Singapore has 31.7 devs per 1000 people. 6th globally, highest in APAC.

Even with user behavior data, the conclusion may still be too generalized.  However, I do think this gives an encouraging picture to SG policy maker (IDA,ITSC, MDA, LTA etc) and IT practitioners. Singapore have nurtured a culture for people to built and tinker. In the last two years, I met with different communities (like Null Security, iOS Dev Scout, Lean Startup) full of energetic people sharing their experiences and dreams.


CCSP , joint project from CSA and ISC2

(All comments and blog posts are personal opinions. Not related to any organisation.)

I like to share an exciting news about Certified Cloud Security Professional (CCSP℠). This week I received an email from ISC2 on awarding me CCSP designation. The blue color of CCSP (Certified Cloud Security Professional) Logo from ISC2 resembles the sky in a sunny day. Same as the sky here in Singapore.

Risks of running application and services on the cloud has been an impediment  and people (journalist in particular) tends to see the cloudy side! I involved in many discussions on cloud security in my volunteer works in CSA Hong Kong & Macau Chapter. Some of the concerns are valid , in particular the lack of experienced professionals and knowledge framework.

CCSP with the support from CSA and ISC2 is the answer to these concerns. In 2013, visionaries (like Aloysius Cheang from CSA APAC and Hord Tipton from ISC2 ) in both organisations joined together in response to market needs. In the past two years, A few other volunteers from CSA and I worked with ISC2 and their consultant Pearson VUE to develop CCSP CBK and examination questions. It was a rewarding experiences.

The process administrated is very structured and all rounded, with concept mapping, team discussions and psychometric analysis. As a security professional, I am thinking maybe system development life cycle (SDLC) should also make use of similar validation process to ensure each feature implemented is user facing and also balanced!

Developing Cloud Security certification is a challenge due to its extensive scope. The final CBK covers six domains:

  • Architectural Concepts & Design Requirements
  • Cloud Data Security
  • Cloud Platform & Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal & Compliance

Very few people acquired working experiences in all six domains. However, learning cloud technology knowledge and applying security principles in a virtualised environment are both achievable via CCSP CBK. Studying CCSP domains and passing the exam will help security professional to gain knowledge in a structure way, thus able to demonstrate their security skills are not outdated.

With every BCM audit, you should pay attention to this question “Show me the contract?”

While researching on DR best practices, I uncovered a statistic from Bank of Japan 2012 survey on business continuity. When asked how many days can a bank’s power generator runs on fuel ? The answer is surprising low. Look at this chart on page 25.

 stockpiles of generator fuel

stockpiles of generator fuel

I remember in 2003 New York Blackout, I was working for a bank and their New York data centre staff was forced to drive a long distance and wait for hours to buy generator fuel. When over 40% of  from JP banks do not have fuel supply over 1 day, this number is quite worrying. Japan banks and professionals are well aware of large scale of catastrophes and yet their risk assessment/impact analysis arrive in one day fuel stockpiles.

Think deeper, there are some reasons for not able to store extra fuels. First, fire safety issues. Storage of a large amount of fuel permanently will require extra safety measures. Industrial buildings or data centre location may not allow such storage of inflammable substances. Second would be cost. What else? Third is the estimation of recovery time is not directly link to fuel supply. Within 24 hours, most people would believe they can replenish fuel with confidence. However, the 2003 large scale blackout in New York lasts for 2 days. All generators were put into use and thus supply are going to be tight, you should expecting a long queue. The assumption of continuous fuel supply when disaster or large scale blackout happened simply does not hold.

One better approach is to secure priority access to fuel supply when disaster strikes, So in your next data centre audit , you should ask “Show me the contract?” Auditor are paid to ask tough questions.

New ISO TR on Guidance on the audit of the governance of IT

In conjunction with the guidance contained in ISO/IEC 38500, ISO/IEC TR38502 ISO/IEC19011:2011: Guidelines for auditing management systems, there is a new technical report proposed on providing guidance on audits to assess whether an organization’s governance of IT is aligned with the principles for governance of IT in ISO/IEC 38500.

BSI is seeking public comments on this new TR URL:

“The primary audience for the technical report is auditors undertaking audit assessment of an organization’s governance of IT. The outcomes of such assessments will inform members of governing bodies who are responsible for the governance of IT and are accountable for the effective, efficient and acceptable use of IT within the organization; and those responsible for defining and implementing the governance framework for IT.”

IT auditor has a responsibility to help the management board to oversees complex IT environment. A governance framework defines the organisation structure, role and responsibility and accountability is important.

Cyber security info explosion

As a IT security guy, I used to read cyberattack and data breaches news, trying to learn from others missteps. However, in the past few months, it becomes impossible to keep up with those stories! There is a cyber security info explosion in mass media. Blogger, journalist, lawyers, bankers and even comedian started to comment on cyber security.

Just thinking, we may need a course to teach people how to (not to ) write about cyber attacks. Purely rely on fear factor is not helping.