After David Koh: Singapore’s Cybersecurity Transition and What SMEs Must Do

David Koh’s retirement on July 1 marks the end of a defining era for Singapore’s national approach to digital defence. Eleven years at the helm of the Cyber Security Agency of Singapore and 42 years in public service leave a legacy that demands attention, not polite nods. This departure is a pivot point: an opportunity to audit what worked, what did not, and how the next chapter under Gwenda Fong should build on hard-won gains.

Blueprints, laws and real-world tests

Foundations matter. The 2016 Cybersecurity Strategy, the 2018 Cybersecurity Act and the 2021 strategy refresh form a contiguous policy spine that shifted Singapore from a reactive posture to a structured, anticipatory stance. These were not cosmetic moves. The Cybersecurity Act’s requirement for operators of critical information infrastructure to meet standards and report incidents changed incentives overnight. The 2024 amendment extended accountability to key digital services and third-party providers — a recognition that supply-chain risk cannot be outsourced and must be regulated.

Policy paper alone never proves its worth. Crises do. The SingHealth breach in 2018 and the UNC3886 strike on critical infrastructure in 2025 were both brutal tests. Response quality separated rhetoric from competence. Leadership that plans, drills and then delivers when systems are breached is leadership that reshapes norms. Lessons learned from those incidents now live inside playbooks, procurement standards and vendor contracts across the public and private sectors.

Talent, research and the market

Talented people and commercialised research are the engine of resilient defence. Initiatives such as CyberSG Talent, the Innovation and Growth Collaboration Centre, and the CyberSG R&D Programme Office did two things simultaneously: they created career pathways for local talent and gave start-ups a runway. That dual focus — people and market — is what mid-sized firms in Singapore need to emulate. Without local capacity, dependence on external vendors becomes a strategic weakness.

A sharp observation: capability built only in government silos will atrophy fast. Cross-pollination between agencies, academia and small-to-medium enterprises turned abstract policies into deployable tools. That pattern should be accelerated, not reversed, under new stewardship.

Global posture and diplomatic muscle

Under steady guidance, Singapore became a respected voice at international tables. Participation in the UN Group of Governmental Experts on ICT security and chairing the UN Open-Ended Working Group demonstrated that influence can be translated into norms and coalitions. That matters for trade, for trust and for deterrence. Smaller nations that punch above their weight do so precisely because they invest credibility, not just capability.

Transition: what to expect from new leadership

Gwenda Fong arrives with a strong resume: two decades in public service, experience across digital policy, social policy and enforcement, and previous spells at CSA and MDDI. Her track record on digital society strategy and online harms signals an emphasis on the human and social dimensions of technology. That shift is necessary. Security cannot be divorced from digital inclusion, misinformation mitigation and the lived experience of citizens.

Expect continuity on the big-ticket items: regulatory rigor, incident reporting and international engagement. Expect refinement on public-facing programmes and a closer linkage between digital-society outcomes and security frameworks. For enterprises and SMEs, that will translate into clearer expectations around service provision, consumer protections and third-party risk management.

Practical takeaways for Singapore SMEs

  • Stop treating compliance as a checkbox. The Cybersecurity Act and related rules are now baseline expectations. Compliance must be the floor, not the ceiling.
  • Map third-party dependencies. The 2024 expansion to include key digital services and third-party providers makes supply-chain mapping a board-level conversation. Shadow IT and unknown subcontractors are liability time bombs.
  • Invest in people. Apprenticeships, rotations and cross-training pay off. Talent pipelines are how resilience is replicated across the economy.
  • Test often. Tabletop exercises, red-team engagements and incident rehearsals break brittle processes before real attackers do.

Final note: momentum must be maintained

Change at the top can cause ripple effects that slow momentum. That cannot be allowed to happen. The institutional muscles built over the last decade must be exercised, expanded and made more inclusive. A pause for reflection is useful. A pause for complacency will be costly.

This is an emotional moment for many professionals who poured effort into national programmes; pride and unease sit side by side. There is gratitude for what was achieved and fierce determination to ensure that progress accelerates, not stagnates. The new chief executive takes the reins at a moment where continuity and adaptive change must be balanced. The response of public agencies, private firms and civil society will decide whether the next decade builds a more secure, inclusive and innovative Singapore — or settles for maintenance mode.

For those running SMEs here, the path forward is clear: treat resilience as strategy, not cost. Build talent, demand accountability from vendors, and treat regulatory changes as opportunities to differentiate, not obstacles to tolerate. The national architecture exists. Now comes the hard work of embedding it into everyday practice.
