Chalee Vorakulpipat is currently the head of the Cybersecurity Laboratory at the National Electronics and Computer Technology Center (NECTEC), Thailand. He has been involved in several projects in information security (including ThaiCERT), mobile device management, social networking sites, ubiquitous computing, context-aware computing, e-health, and mobile application development.
In this interview with Connect Intelligence, he reflects on Thailand’s current cybersecurity initiatives and how the country surpassed the world’s leading economies including China, Germany and India.
1. In your role at the NECTEC, what challenges have you come across that are unique to Thailand’s business and socio-political landscape?
In Thailand, one of the big challenges is cybersecurity awareness. Many people are not well educated in cybersecurity. This results in a low level of cybersecurity readiness and inappropriate investment in IT and cybersecurity. Moreover, IT adoption is sometimes implemented in an improper way, so it cannot solve existing problems and improve business productivity.
2. Thailand recently ranked 20th in the Global Cybersecurity Index, ahead of some of the world’s leading economies including China, Germany and India. In your view, what’s been the secret behind this success?
It is probably that all public sectors in Thailand today are encouraged to develop their own cybersecurity policy and guideline. It is stated in the national law. Importantly, in the policy, the CEO must be assigned as the ultimately responsible person for any cybersecurity risk. That is why Thailand is ranked highly. However, this is not an indicator to measure success.
3. What initiatives are you hoping to undertake to further improve this ranking?
Creating a cybersecurity policy and guideline is the first thing that must be done. Despite a good number of organizations which have their own policy, we still need to encourage the rest to do so in order to increase this number. Cybersecurity implementation should be done bottom-up; therefore, the lack of a policy can lead to implementation in the wrong way. The next step is to review the policy and audit the organizations.
4. A major aspect of better cybersecurity is awareness. How have you worked towards increasing business awareness of cybercrime?
What we can do is to include the awareness program in the policy and annual budget. It is a long-term plan, not a short-term one. Formal training is one of the most suitable methods to improve awareness, but each course must be exclusively designed for people in different roles, such as new employees, technicians, functional managers, and executives. Moreover, an appropriate evaluation method should also be conducted. For example, an IT department spreads phishing emails which ask for username and password, and evaluates from the number of respondents.
5. What can businesses do internally to reduce vulnerability?
We conduct an internal audit every year or twice a year. Any systems planned to be used will be penetration-tested before moving to the production environment. This can be done internally or by a third party. All of these are stated in the policy.
6. Thailand recently hosted a seminar on cybersecurity in the ASEAN member nations. Do you think greater international collaboration is needed to overcome cybercrime?
International collaboration is definitely necessary. However, it is important that the collaboration be done in all dimensions, such as the government level, R&D collaboration, joint cybersecurity drills, joint training, or financial support.
To hear more of Chalee’s insights, register for the CIO Forum 2018.