Please tell us more about yourself.
Name: Mohamed Noordin Yusuff
Age: 39
Current Job/Company:
Head, Cybersecurity & Infrastructure (CISO) – NTUC Link
Head, Group Cybersecurity Centre of Excellence – NTUC Enterprise
Duration in industry: Over 16 years (started in Dec 2001)
What do you do at work on a daily basis?
I head up the Cybersecurity & Infrastructure in NTUC Link and have 20 direct reports. I have the Cybersecurity, Technology Infrastructure, DevOps, IT Service Delivery Management and IT Service Management teams reporting up to me. At the same time, I am also leading the Cybersecurity Centre of Excellence which is a group-level initiative at NTUC Enterprise to provide cybersecurity oversight across the social enterprises such as NTUC Fairprice, NTUC Income, NTUC LearningHub, NTUC First Campus, Mercatus, NTUC Health as well as NTUC Link.
No one day is the same for me. Everyday is a new challenge. As the CISO, I am accountable for cybersecurity and ensure our cybersecurity programme gets implemented. On a daily basis, I oversee day-to-day activities, cybersecurity and infrastructure projects and initiatives we currently run in NTUC Link and across the group. At my level, I typically handle the people aspects of the work and ensure our projects are on track, meet deadlines and achieve the overall objectives.
What drives you in doing what you are doing?
Passion.
I have been in Cybersecurity since 2001, even before it was called Cybersecurity. It used to be called Data Security, then IT Security, progressed into Information Security and in the past few years, Cybersecurity.
Even before I formally worked in Cybersecurity, I delved in security; tinkering with hacking tools and programming. I started to gain interest in programming since the age of 12 when I started with Turbo Pascal, C, C++, Java and much, much more. I am familiar with hacking websites and can even get into a company’s network via the e-kiosk within minutes. “Pasar Malam” was rampant during those days with pirated software, and I used to buy all hacking tools and spent hours learning how they work.
So, as a CISO, I am familiar with both sides of the fence as a black hat (hackers who violate computer security for personal gain) and white hat (hackers who use their abilities for good, ethical, and legal purposes). I rarely go into the details nowadays as I’m handling like a million things at once, but whenever I have the time, I love going through in detail the penetration test and source code review work my team does, and I can just read code for hours.
What are some of the challenges that you face being in the industry that you are in?
Talent shortage. This is a real problem. I know people in general tend to think that we are not looking hard enough. But truth is, a lot of my cybersecurity peers tend to be highly technical with coding, pen-test work, malware analysis, etc. and less on understanding how the network really works, server configurations, implementing policies and governance-type work.
I would love to be able to find talent with that balance and the kind of skillset that will make a good CISO one day. I’m lucky to have the best of both worlds due to my past careers.
What is your advice to youths who are at a crossroad, unsure of which career path to take?
Find your strengths and work on it. Know the kind of careers suited for your strengths. Pen those careers down and find out what you need to do in order to achieve those careers.
When I started my career in the IT Security section within the Police Technology Department of the Singapore Police Force, I was one of the most junior staffs. But that didn’t stop me to plan out which three careers I would want to have after the Singapore Police Force. I researched on the qualifications required for those careers and went on to attained them. I networked with professionals in the similar industry even though I was very new at that time. I attended Toastmasters to enhance my public speaking skills so that I have the confidence to talk to senior colleagues in the industry.
Remember this: if you don’t believe you can do it, you are probably right. Look at the mirror. The only person that is stopping you from doing what you want to do is that person looking back at you.
What does it take to survive in the Singapore job market today?
Relentless determination, persistence and hard work.
I am an active speaker in the cybersecurity community and I have spoken at closed-door events where there was no Malay Muslim representation and I was the only Malay speaker. I remembered asking them what they thought about the Malay community. Almost everyone gave me a grin. I asked them whether they thought Malays were not hardworking enough and would just sit around strumming their guitar. They smiled and laughed at each other and nodded their heads in agreement. I then told them I was one of those Malay boys who sit in the vicinity of my block strumming my guitar, but I had my Java programming book in front of me.
You need to work harder than everyone else. We have 24 hours in a day. How you make good use of that time is entirely up to you. Time is a precious commodity. Nothing comes for free in this world. If other people are working hard, make sure you work even harder. Know what you want in life and get your objectives right. You can reach for the stars by all means, but be practical.
What is your call-to-action/advice to those who want to pursue the industry that you are in?
Learn the latest programming languages. You are lucky there are a lot of resources out there. Know how a hacker thinks; learn penetration testing, malware analysis and technical security concepts. Understand the infrastructure, networks, servers, operating systems. Go to cybersecurity conferences and attend the talks and learn about the latest security technologies. Go for courses to start learning basic security concepts – there are a lot out there. Network with security professionals in the industry and learn from them. Most are willing to share their knowledge and experiences.
Go out there right now. The cybersecurity market is just going to get more competitive day by day.
Describe the path you took to arrive at the job that you are in right now.
I started to have my first 486 PC at the age of 12, gained the interest in programming and started with Turbo Pascal, C, C++, Java, etc. We could not connect to the Internet back then and we used to tap on the Bulletin Board Service (BBS) and that was where I learned to uncover security tools.
Then, when we were able to connect to the Internet, I became hooked with hacking tools and even tinkered with most of them which I bought from “Pasar Malam”. I was very familiar with hacking and even wrote my own virus program by reverse engineering. I remembered accessing the company’s network via the e-kiosk within minutes and I can even do it now just with the keyboard and without using any tools. Of course, that depends on how strong the security is in protecting the kiosk.
I was fortunate enough when I started my career with the Singapore Police Force (SPF) in which I wore multiple hats; a Police Officer (Staff Sergeant), Principal Investigator/Coordinator for the Computer Security Incident Response Team and an IT Security officer.
Whilst in the Singapore Police Force, I took part time classes for my Specialist Diploma in Infocomms Security. After which, I took part-time Masters in Internet Security Management and I graduated top of my cohort with distinction. I also took several security certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).
After SPF, I joined Ernst & Young Singapore as a Senior IT Auditor where I led multiple teams providing IT/Operations audit, compliance and IT security consultancy services. I joined Barclays Internal Audit as a Manager thereafter where I was assigned with regional and global audit and compliance responsibilities to plan and review IT, security and operational processes, policies and procedures for the front and back office systems. I took up a role shortly after as an expatriate with an oil and gas conglomerate in the Middle East where I was involved in Internal IT Audit, Special Investigations and Compliance.
After five years in the Middle East, I came back to Singapore as an Associate Director with KPMG’s Cybersecurity team where I was the privacy service line lead and led the cybersecurity services for the government sector. I also headed the internal IT Security team as Deputy CISO/DPO in KPMG Singapore and its regional offices.
At the start of 2018, I took up a role to head Cybersecurity and Infrastructure in NTUC Link, and I now concurrently lead the Cybersecurity Centre of Excellence (CoE) initiative across NTUC Enterprise group.
I am also a Co-Founder of Phishnow, Singapore’s First-Founded Phishing Simulation Company, with its own SaaS-based application. I am an active speaker in the Cybersecurity community and speaks at various Cybersecurity conferences and closed-door events and I am also a published co-author for the book titled “FLOW – How Entrepreneurs Make An Impact By Being A Part Of Something Much Bigger Than Themselves”.
What are some of the perks or benefits of your job?
It is exciting times in NTUC Link where we have now evolved to have a data-driven loyalty programme utilising innovation technology which makes cyber security a key component in their digital transformation. I love people management, and I’m fortunate to be able to lead a great team with a variety of skillsets. Apart from getting a comfortable salary with good benefits, I get to do what I love every single day. I love my job and don’t dread waking up to go to work. I am contented with what I have, though I strive to be even better and do more every single day.
What are some of the qualities that you believe employers keep a look out for, in potential employees who aspire to work in the industry you are in?
You need to have the relevant skillsets first and foremost. Cybersecurity is not rocket science, but you still need to know what you need to do. Curiosity; having the ability to question, is one important quality. In cybersecurity, you will need to talk to your stakeholders so know your area of expertise well.
