Once the sole domain of highly technical geeks poring over security logs to look for signs of hackers lurking in their networks, cyber security has become more multi-dimensional and varied across specialisations, organisations and industries.
Today, cyber security teams comprise not only threat hunters, security operations centre analysts and digital forensics specialists, but also technology risk managers and even economists who understand the economic and political motivations behind cyber attacks.
In the Asia-Pacific (APAC) region, the growing diversity of cyber security has drawn more people to the booming sector, thanks to the growing pace of digitalisation and adoption of public cloud, the internet of things (IoT) and remote work that have enlarged the attack surface of organisations.
According to a cyber security workforce study by the International Information System Security Certification Consortium, or (ISC)², there were nearly 4.2 million cyber security professionals worldwide in 2021, an increase of more than 700,000 compared to 2020.
In APAC, the number of cyber security professionals grew by about 19% to 743,075 last year, with Singapore recording the highest increase of 61%, followed by Australia (23.6%) and Japan (22.2%).
Despite the healthy growth in the region’s cyber security workforce, the talent gap still exists – even as the same study found that APAC’s talent gap is shrinking in comparison to other regions such as North America and Europe.
Freddy Tan, a fellow at Singapore’s Association of Information Security Professionals (AiSP), noted that the shortage is most acute in areas like cloud security, where the uptake of the Certified Cloud Security Professional certification has surged over the past year.
Other areas where talent is scarce include threat hunters and data scientists, two emerging and deeply technical roles which Ensign Infosecurity, a Singapore-based cyber security firm, has been trying to fill.
“Cyber threat hunters are tasked with hunting advanced threats that are designed to evade traditional cyber security solutions,” said Stacy Ng, Ensign’s lead for access and identity. “Threat hunters scour the network and digital environment to find anomalies and suspicious activities to outmanoeuvre their cyber adversaries and stop their attacks.”
“Data scientists are responsible for outwitting cyber criminals by developing cyber security solutions to detect and stop new cyber threats with the help of advanced technologies such as artificial intelligence and machine learning,” she added.
In Australia, talent shortages are present in many cyber security roles, including security researchers, ethical hackers, analysts and consultants, said Adrian Covich, senior director at Proofpoint Asia-Pacific and Japan.
“Experienced cyber security consultants who can advise on threats and implement appropriate mitigation strategies are in high demand as more organisations face the realities of the changing cyber landscape,” Covich said.
“Organisations are also seeking cyber professionals in senior leadership roles like chief information security officers [CISOs] who can provide strategic advice and counsel to c-suite leaders to help organisations better protect their critical assets,” he added.
Given the significant surge in demand for cyber security products and services, especially over the past few years, it is unsurprising to see people in similar but also unrelated fields shifting careers into cyber security.
“People are coming from all different areas whether that’s finance, law, teaching, human intelligence or business roles,” Covich said. “A lot of the skills required to be successful in the cyber security industry are transferable and don’t always require a technical or scientific background, depending on what kind of cyber roles professionals from other IT domains are seeking to move into.”
Covich said CISOs, for example, should prioritise business acumen over technical expertise unless the organisation they are working for is exceedingly small and requires a hands-on practitioner.
“A lot of the work in cyber security is about solving complex and interesting problems, understanding how things work or piecing information together,” he added. “This doesn’t require an undergraduate or postgraduate degree or specific qualifications. What is perhaps the most important is having a passion for the industry and the right attitude.”
AiSP’s Tan noted that the ability to adapt is also critical for one to succeed in the field: “You have to learn and sometimes you have to be able to forget some of the things you’ve learned and learn new things.
“The dynamics behind an aircraft have not changed for many years, and so what you’ve learned about designing an aeroplane will still be relevant in 10 or 20 years,” he said. “That’s not necessarily so in cyber security, because the threat landscape changes as the medium we use to store information and communicate changes over time.”
To ensure its cyber security workforce is familiar with emerging threats, Ensign encourages its staff to attend courses and training every year so that they are well equipped to tackle new threats and improve the security of its clients. In 2021, Ensign staff collectively spent about 22,250 hours learning from an online on-demand platform.
On the importance of certifications, Ng noted that as cyber security is a deeply technical field, certifications will ensure professionals have the latest up-to-date knowledge of the evolving cyber landscape, web vulnerabilities, as well as the latest industry standards, compliance regulations, and emerging cyber threats.
But Tan noted that cyber security certifications are not just about certifying a person’s knowledge, but also their ability to make the right decisions, which can be very contextual to an organisation.
“That is why, to me, certifications would apply to management rather than entry-level positions. For positions like directors and above, certifications would be important because in our industry, there is no licensing, unlike the legal and medical professions,” he said.
“The cyber security industry is still young, and licensing may come in future, but meanwhile certifications will ensure a person is sound not only in their knowledge, but also in applying that knowledge to make decisions.”
With people consistently the number one target through which cyber criminals carry out attacks, improving an organisation’s quality of defence requires putting people at the centre, said Covich.
“Effective security programmes need human interface through training and education, which is why having strong interpersonal skills has become so critical,” he added.
“In addition, being able to communicate complex threats whether that’s to employees, other business leaders or the board, and implement sophisticated risk mitigation strategies requires not just the technical knowledge but the ability to communicate effectively.
“Technical competence has its place, but it is not the be all and end all – security is much more than that.”
Cyber security professionals have a wide variety of career pathways to choose from today, as new roles continue to be created in line with an evolving cyber landscape, said Ensign’s Ng.
Apart from cyber security analysts, she said aspiring cyber security professionals can also train to become malware researchers, big data engineers, cloud architects and developers, cyber threat hunters and data scientists, among others.
“Given the wide variety of cyber security roles and the different skillsets needed in the cyber security industry, there are no typical or fixed career pathways for cyber security professionals today,” she added.
Tan said those new to the industry should start from the trenches in a user environment, whether it’s at a bank or the government, to learn how to protect IT assets from cyber attacks: “In those environments, you’ll learn the right things and you learn things very quickly.”
Covich noted that cyber security is one of the few industries where one “has the chance to be one of the good guys and on the right side who helps to protect individuals and organisations from cyber criminals and adversaries”.
“That’s what makes it a very rewarding career. There is a sense of purpose and no matter what route or role you choose, working in cyber security allows you to make a real difference in people’s lives,” he said.