SINGAPORE (12/05/2007) - Defence Science and Technology Agency's (DSTA) CIO, Chau Chee Chiang, one of the purveyors of solutions to the Singapore Armed Forces, talks about IT security in the military.

The DSTA is responsible for implementing technology plans, managing research and development, acquiring defense materials (including weapons systems), and developing infrastructure for Singapore's Ministry of Defence (MINDEF).

In his concurrent appointment as Assistant Director (Systems Management), Chau is also responsible for managing the operations and support of IT systems in MINDEF and the Singapore Armed Forces.

Describe your role in DSTA with regard to IT security.

As the CIO of DSTA, I work very closely with the Chief IT Security Officer (CISO) and Head, Security. The CIO is responsible for equipping DSTA with the necessary defenses against IT security threats, and for IT security incident management. The CISO ensures that processes needed to manage IT security are in place and that DSTA has the capacity to respond to security incidents when they happen. Head, Security focuses on the overall state of security in DSTA, of which IT security is an integral part.

What are some IT security threats that DSTA faces and how do you deal with them?

As part of DSTA's IT-enabled transformation, we connected our office IT environment to the Internet several years ago. Since then, we have stepped up our emphasis and continuous efforts in IT security to counter external and internal threats. Information leakage has been, and will continue to be, a key threat in our area of work. Therefore, protecting and securing information stored and transmitted remains at the top of our IT security agenda. We have employed solutions such as authentication, access control and audit, as well as various encryption tools against this threat.

DSTA is also fine-tuning its e-mail filtering policy, stepping up user education and enhancing our tools to manage the significant increase in spam e-mails.

What key technologies do you employ to ensure access/policy control over sensitive information?

In DSTA, we employ a range of technology solutions to control access to sensitive information. These solutions, such as data encryption, storage encryption, directory service, public key infrastructure and digital rights management, were implemented progressively over time.

However, I have to stress that technology alone will not meet our objectives in IT security. Areas such as policy, people and process are equally important.

How should a CIO be involved in IT security?

I think the CIO should be involved in two very important aspects of IT security. Firstly, to ensure management's commitment and get their buy-in for IT security initiatives. Secondly, to achieve a balance between IT security requirements and business needs, and make trade-offs when necessary.

What is DSTA's overall IT security strategy?

Our holistic approach in managing our IT security strategy balances security with business needs. Technology implementation takes the form of multi-year masterplanning to ensure coherent architecture and up-to-date solutions. We need to constantly review and strike a good balance between connectivity and security, because it is critical for us to establish and oversee the robustness and security of our IT infrastructure. Hence, we seek to have progressive and sustainable investment in IT security every year.

As part of risk management, we review and update policies and processes on a regular basis. Plans are also reviewed regularly as new threat scenarios evolve.

We believe our people play a critical role in IT security. Therefore, we place great emphasis on education, training and updating them regularly on best practices and new threats.
