In his speech launching Singapore’s national cybersecurity strategy earlier this week, Prime Minister Lee Hsien Loong warned of cyberattacks and threats “becoming more frequent and sophisticated, with more severe consequences”.
He pointed to how a cyberattack on the power grid in Ukraine last December left many Ukrainians without electricity for hours, and how hackers used malware to withdraw more than US$2 million (S$2.77 million) from ATMs in Taiwan in July this year. Closer to home, he said that there have been attacks on government networks and on the financial sector.
According to a 2014 report from Center for Strategic and International Studies, cybercrime costs Singapore an estimated S$1.25 billion annually.
Yet there is a decidedly acute shortage of IT security specialists that can be engaged to help fend off such online threats.
According to Communications and Information Minister Yaacob Ibrahim, there were 15,000 vacancies in the information and communications technology (ICT) sector last year, unchanged from 2014. More than two-thirds of these vacancies, he said, were for professionals, managers, executives and technicians (PMETs) or technical specialists in areas such as development, network and infrastructure, cybersecurity and data analytics.
Additionally, 2012 data from the Economic Development Board (EDB) showed that just 0.8 per cent of Singapore’s 144,300 ICT workers were IT security specialists, with a particularly acute shortfall in the middle and senior tiers.
MANPOWER GAP HINDERING CYBERCRIME FIGHT
This is why for vendors like Quann, which hires more than 300 certified security professionals in the region, a global shortage of cybersecurity manpower means fighting cybercrime is proving to be an uphill battle.
“There is a distinct (manpower and skills) gap, and the gap has widened. The proxy for that is the wage growth that we’ve seen in this sector. Wages have gone up quite substantially in the last two to three years. Based on some reports by third-party consultancies, wages are estimated to have gone up by 20 per cent per year, over the last couple of years,” said Quann’s managing director Foo Siang-tse.
According to Mr Foo, increasing digitisation of customer and business records and the proliferation of interconnected devices have resulted in greater avenues for cybercriminals, but “until recently”, educational institutions have not expanded capacity quickly enough to keep pace with demand in the sector.
To address this, part of the national cybersecurity strategy is to boost the cybersecurity profession in a number of ways. This includes instituting clear career pathways, promoting certification, and working with the industry and institutes of higher learning to attract new graduates and convert existing professionals from related fields.
WHAT ARE THE SKILLS NEEDED?
One of these organisations is ISACA, the international professional body formerly known as the Information Systems Audit and Control Association. Its Singapore Chapter says the Government is working with industry groups like theirs to offer training and certification programmes.
“Skills that are lacking now are in the areas of intrusion detection, security architecture and analysis, security incident management, secure software development, incident response and recovery,” said Mr John Lee, President of ISACA Singapore Chapter.
“Singapore is a global financial hub with high-end manufacturing and developed service industry. The need to safeguard against a major cyber breach is paramount to prevent erosion of trust by external stakeholders.”
Among the IHLs, the Singapore University of Technology (SUTD) only opened its doors four years ago. Professor Aditya Mathur, who oversees the university’s Information Systems Technology and Design pillar, said he has seen a rise in student enrollments and a growing number of students picking security classes.
“SUTD is not only offering courses in cybersecurity at the undergraduate level but also conducting outreach programmes aimed at raising cybersecurity awareness among secondary school students,” Prof Aditya added.
TAPPING ON EXISTING TALENT POOL
But it will be some time before these students join the workforce and contribute to the core of local cybersecurity talent. In the meanwhile, Mr Foo says Quann is doing its best to meet the manpower challenge through on-the-job training, or through converting existing IT professionals with adjacent skillsets.
The local company is one of four participating in the Cyber Security Associates and Technologists (CSAT) programme, which equips ICT professionals with three years’ working experience to pick up the requisite skills to switch sectors. The other training partners are Singtel, ST Electronics and Accel Systems and Technologies.
While Quann partners tertiary institutions like the National University of Singapore, the Singapore Management University, and Ngee Ann Polytechnic to get access to talent, others, like British multinational BAE Systems, aim to build up the cybersecurity ecosystem through collaborating with researchers and helping to incubate startup ideas.
One outcome of its partnership with Nanyang Technological University is a threat operating model designed by postgraduate students, built using BAE System’s tools and techniques.
“You need to create the interest in the industry. You do that by running research programmes, and you do that by bringing niche technology to startup companies to help close the gaps that customers face,” said Mr Boye Vanell, Regional Director of Asia at BAE Systems.
Microsoft Singapore’s Managing Director Jessica Tan, who oversaw the company’s opening of a new Transparency Center and Cybersecurity Center in Singapore this month, told Channel NewsAsia that apart from technical skills, other important attributes for cybersecurity professionals include “a growth mindset, curiosity, learning and resilience”.
She said: “What is critical is building an ICT foundation in every student, which they can then extend and apply to every field they pursue, regardless of whether it is in biomedicine, behavioural economics or digital manufacturing, to name a few. ICT will touch every facet of the industry and government.”
According to Ms Tan, given that more citizens’ lives are touched by technology – at home, in schools and in the workplace – the talent pipeline of cybersecurity professionals is “both an economic and security imperative for Singapore”. This implies the difficulty in relying too heavily on foreign cybersecurity professionals to plug the gaps.
The unique nature of the industry also means it is relatively labour-intensive, and there are limits to plugging the gaps with technology like big data analytics.
“At the end of the day, the person at the other end of the kill chain – the perpetrator – is still a human being. Notwithstanding that fact that we have our own R&D labs, we’re looking at tapping on big data and threat intelligence – if the adversary is human, we need humans on our side,” said Mr Foo.