The cybersecurity field is still in critical need of more professionals, so much so that industry analysts and researchers call it a crisis. (Photo: iStock/Thapana Onphalai)
Despite a clear increase in cyber threats, the tech sector finds itself short of cybersecurity professionals. Some reasons include uncompetitive salaries for entry-level roles and legacy hiring criteria, says cybersecurity firm F5’s Adam Judd.
The cybersecurity field is still in critical need of more professionals, so much so that industry analysts and researchers call it a crisis. (Photo: iStock/Thapana Onphalai)
SINGAPORE: Facebook parent Meta did a final round of layoffs on May 24, the latest in a spate of cuts rippling through the tech sector. But amid retrenchments and hiring freezes, there is one sector with just the opposite problem.
The cybersecurity field is still in critical need of more professionals, so much so that industry analysts and researchers call it a crisis.
According to the 2022 Cybersecurity Workforce Study by non-profit ISC2, the global shortage of cybersecurity workers widened by 26.2 per cent to 3.42 million, with the Asia-Pacific region alone chalking up a gap of 2.16 million cybersecurity workers.
The study estimated that there were 77,425 cybersecurity workers in Singapore, with a workforce gap of 6,071.
The detrimental effects of this talent shortage are profound.
Ransomware has now emerged as the new public enemy number one for businesses, governments, and consumers; and attacks on entities of all sizes have been on the rise. The Cyber Security Agency of Singapore reported 137 ransomware cases in 2021, a 54 per cent jump from the 89 reported in 2020.
There have also been new forms of scams, such as tricking F&B businesses into paying fake suppliers through fake reservations and orders. Scammers have also tricked victims into filling in Google forms with the Singapore Police Force insignia to access the victims’ internet banking accounts or into downloading a malware-infected fake ScamShield app.
We increasingly rely on cloud services for everything from remote working to digital banking.
But this convenience is a double-edged sword, creating a broader attack surface area for cybercriminals to exploit.
They also have more advanced tools at their disposal: Generative artificial intelligence can allow bad actors to create malware easily, conduct phishing attacks and crack passwords, while deepfakes in the form of videos, images or audio can be designed to deceive victims and purloin data.
Despite a clear increase in cyber threats and growing government concerns about the scale of the problem, the tech sector finds itself short of the very specialists needed to head off the bad guys.
In a 2022 KPMG study, 58 per cent of Singapore companies surveyed also admitted their organisation was not proactive enough in its cybersecurity collaborations, such as with professional bodies and the government.
There are a number of reasons for this. For one, compensation is sometimes at below-market rates for security roles and there can be mismatched expectations on the part of fresh graduates.
The tech industry is also often restricted by legacy hiring criteria such as degrees, certifications, and years of experience.
For example, a cybersecurity analyst job may require professional certification, such as the Certified Information Systems Security Professional (CISSP), which requires a minimum of five years of professional experience or direct full-time professional security work experience.
A recent graduate in cybersecurity, computer science, or an adjacent field might be considered unsuitable for the role.
Resolving these issues will ease the shortage. It may include conducting a thorough review of job descriptions to ensure they realistically reflect the position's requirements.
Companies could also consider a performance-based recruitment approach, using practical assessments to allow candidates to demonstrate their skills and abilities.
For example, the DBS Hack2Hire initiative aims to fill positions across developer and engineering roles through a hackathon programme that will test the candidates’ abilities.
There is potential, too, in reskilling. Workers who are already in a technical role - but not specifically cybersecurity - should have more ways to acquire cybersecurity-related skills in their current roles.
It’s something already on the radar of the Infocomm Media Development Authority (IMDA), which has announced that it will appoint training partners to scale up reskilling in the near future.
Tech workers with infocomm, engineering or information systems backgrounds can improve their prospects by acquiring skills in cybersecurity forensics, network security or threat intelligence among others.
Businesses should also not isolate their security operations - in fact, they should align them with their business objectives. Cybersecurity is not just the IT department’s job - cyber hygiene is part of every employee’s responsibility.
In addition, businesses should also develop a cybersecurity training programme, incorporate cybersecurity into job roles and conduct regular awareness training.
This also involves developing policies and procedures to ensure employees follow best practices to protect the company's information assets. Only then can businesses reduce their risks and enhance their overall cybersecurity posture.
Despite recent dark clouds over the tech industry, there are opportunities aplenty in cybersecurity. Companies not traditionally seen as tech firms - such as banks, healthcare, energy, and utilities - are seeking to deepen their digital capabilities.
Recently laid-off tech professionals or tech workers concerned about job security amid an uncertain economic outlook could consider a change.
Adam Judd is Senior Vice President of Sales for Asia Pacific, China & Japan, F5 Inc, based in Singapore.