Since the advent of the coronavirus pandemic, many government agencies have launched e-delivery services, adding to Bhutan’s cyber security scenario. Despite increased engagement in the development of information and communication technology (ICT), studies indicate that many government leaders come from non-technical backgrounds, which hampers awareness of cybersecurity.
Recognizing the importance of raising awareness of cybersecurity threats and challenges at the executive level, the Department of Information and Telecommunications Technology (DITT) conducted a cybersecurity leadership program targeting senior executives and officials, which began Jan. 6.
As more agencies engage in digital transformation activities, Dechen Chhoden, Team Leader of the Bhutan Computer Incident Response Team (BtCIRT), said it was important for agencies to identify critical computing and information assets through risk management processes and adopt controls to ensure the security of systems and information.
Although most attendees are non-technical and lack basic cybersecurity knowledge, the department expects attendees to better understand their role and be better prepared to manage cyber risks in their organizations.
She said senior management engagement is essential in the governance, risk and compliance aspects of cybersecurity, adding that they must be aware of the cybersecurity threat landscape and be aware of the risks of cyberattacks and the emerging local and global trends.
The training was designed to introduce senior officials to the various aspects of cybersecurity, its trends and risks, the implications of cyberattacks and data breaches, and security management in a public body.
Is Bhutan sufficiently prepared to respond and manage a large-scale cyberattack?
Considering the new trends of cyberattacks across the world and the complexity of such attacks, Dechen Chhoden said Bhutan is not ready to respond and handle a large-scale cyberattack. “Cybersecurity is not just about technology, it includes people and processes, and that is by far the biggest concern.”
She added that Bhutan needs to sensitize all individuals in the country on cyber hygiene, increase cyber security human resources, develop and enforce policies and have a system to respond to various cyber incidents.
DITT is proposing a Security Operations Center (SOC) project to equip the country with trained cybersecurity operators and incident responders. It will also identify and designate Critical Information Infrastructures (CIIs). Critical infrastructure is considered to be the most crucial infrastructure which, if attacked, will hamper the country’s economy, disrupt day-to-day operations and, in the worst-case scenario, could result in loss of life.
The BtCIRT, as the central coordinating agency, encourages organizations and even citizens to report any cybersecurity incidents so that incidents can be addressed and contained as soon as possible to avoid the risk of spreading to other devices in the country.
Dechen Chhoden said the team is working with organizations for government systems to ensure the systems are free of vulnerabilities that could be exploited before reaching the government data center. “BtCIRT promoted cybersecurity awareness programs as part of the digital literacy program, providing relevant security training to ICT professionals.”
BtCIRT has handled 870 incidents since 2016. The most common cyber threat is system vulnerabilities, which are flaws in a system that leave it open to attack. The risk includes systems that are not updated or patched, weak passwords, and virus-infected software. Scams and phishing are also common threats. Phishing, she said, involves calling, texting, emailing or using social media to trick you into clicking on malicious links, downloading malware or sharing sensitive information.
Dechen Chhoden said the threat has evolved from scammers targeting email users and via posts on social media platforms to calling users saying they’ve won the lottery, having them send the lottery amount and forcing people to give out personal information.
According to a DITT press release, the degree of financial loss and reputational damage from a significant cyberattack could be severe and lead to loss of confidence in digital government, an even greater risk to the country.
The program consists of five 2-hour sessions spread over several weeks and attended by 30 senior officials. The program is supported by the Temasek Foundation and organized and implemented by Nanyang Polytechnic International, Singapore.
In addition to providing leaders with knowledge on global trends in cybersecurity threats and challenges, the program includes presenting Singapore’s cybersecurity strategy and sharing their experiences and ideas, issues and best practices.