Will the fresh graduates of cyber bootcamps and mid-career retraining courses really be sufficient to keep the world’s lights on?
Many leaders have been keeping an eye on the massive and widespread layoffs by big-tech firms starting in 2022 and continuing this year.
With cyber risks growing in numbers and global reach, surely the layoffs are going to lead to the larger organizations becoming even more exposed and cyber vulnerable?
Singapore’s Cyber Security Agency has estimated a global cybersecurity job shortage of 3.5m openings, with an approximate shortage of 3,400 jobs within its own shores. Meanwhile, the recently released WEF Future of Jobs Report 2023 has predicted that the global employment of data analysts and scientists, big data specialists, AI machine learning specialists and cybersecurity professionals is expected to grow on average by 30% by 2027.
Such upheavals in demand for cyber talent must bear heavily on leaders of tech startups, such as Benjamin Tan, CEO, Red Alpha. CybersecAsia.net interviewed him to find out his views on the cybersecurity impacts of talent demand-shifts and shortages.
CybersecAsia: While factors such as automation and AI do reduce the need for cyber talent, what mitigating circumstances do you think will keep cybersecurity personnel safe from layoffs, and remain relevant and sought-after in our region?
Benjamin Tan (BT): I would compare cybersecurity to a game of poker, where we have no control over the cards we are dealt with; however, we can change the outcome of the game with how we play our hand.
- Firstly, cybersecurity practitioners are coming up against adversaries that are human, that are constantly innovating and creating new ways of attacking systems, and who are able to use the same AI as defenders.
- Secondly, there will always be unknown and uncertain elements. There exists a fog of war in cybersecurity, where not all factors and possibilities can be accounted for by AI.
Hence a trained cybersecurity practitioner is still necessary and valuable. While automation and AI will be a critical enabler in making cybersecurity practitioners more efficient and alleviate the current talent shortages, practitioners will continue to be relevant and sought-after because AI will not be able to replace the human elements in cybersecurity.
CybersecAsia: How do you see generative AI and AI-ML powered cyber solutions and cloud MSSPs helping to ease the pains of cyber talent shortage? When such solutions really succeed in helping organizations to half the need for IT/Cyber talent now, will the future generations of graduates of such disciplines be rendered redundant?
BT: With increasing awareness of cybersecurity and the shortage of cybersecurity professionals, I feel that more resources will be allocated to train up more cybersecurity professionals in the industry. However, I feel that there will still be a significant shortage of professionals at least in the near future, as the increase in cybersecurity professionals has yet to keep pace with the fast advancement of digitalisation today.
While AI-powered cyber solutions will be a critical enabler and alleviate the cyber talent shortage to some extent, they are unlikely to be effective substitutes for human practitioners who are facing adversaries that are human, and who are capable of innovating and creating new ways of attacking systems (such as through exploiting Zero Day vulnerabilities). There is also a significant fog of war that limits visibility about an attacker’s activities, which limits the ability of AI to replace a well-trained security practitioner.
Cloud MSSPs provide a means for organizations which do not have dedicated cybersecurity resources to strengthen their cybersecurity posture. However, not all firms can leverage cloud MSSPs, due to their infrastructure or the sensitivity of their data — and cloud MSSPs do need to be manned by cybersecurity personnel themselves. Hence, I do not think that cloud MSSPs will significantly ease the cyber talent shortage.
CybersecAsia: To plug some urgent cyber talent gaps, mid-career professionals and short-but-specialized IT courses/boot camps have helped to produce small cohorts of cyber talent. How are graduates of such courses different from those that have undergone years of the traditional training route to gain deep cybersecurity experience and knowledge?
BT: Professionals who go through short/specialized IT courses/boot camps can be as competent as those that have gone through a traditional degree in cybersecurity, despite the “shorter” duration of training.
The reason is that cybersecurity is a skills-based profession that requires one to pick up skills that are relevant in the industry, and constantly keep up with changing requirements. In many cases, there is even a need to un-learn and re-learn certain skills such that they are able to perform their roles. When professionals with the right aptitude go through the right training programs that transfer industry-relevant skillsets to them, they can become as valuable as those who have a degree in cybersecurity.
Mid-careerists also bring with them knowledge and alternative skill sets that are not native to the cybersecurity community. For example:
- A former power engineer will bring with him knowledge about power systems that will enable him to defend industrial control systems (ICS) better.
- A former law associate will be able to contribute significantly to legal and policy developments in the cybersecurity domain, which is currently very nascent.
- A former sales executive would be very valuable as a cybersecurity solutions sales engineer or consultant.
Universities will continue to be a valuable source of cybersecurity manpower, as long as their curricula are reviewed regularly to include skill sets that are in demand in the industry. However, for those that can pursue the traditional route of obtaining a degree, specialized IT courses/boot camps are an equally viable, and more accessible route.
CybersecAsia: Can even well-trained white hat talent (churned out in just a year or two to meet HR numbers) ever hope to team up against unscrupulous, hell-bent state-sponsored threat groups in the ongoing digital cyber warfare and misinformation campaigns?
BT: Well-trained white hat hackers, even those with just one- to two-years of training and experience, are able to defend effectively, even against state-sponsored threat groups.
This is because defenders are guarding against attacks in their own environment, which gives them a fundamental advantage. Even for a motivated state-sponsored threat group, it is not easy to attack a network that is well secured, well instrumented with cybersecurity sensors, and defended in a timely manner by well-trained defenders.
The reason why organizations continue to suffer from cybersecurity breaches and still struggle to keep attackers out of their networks, is because they do not understand enough about their networks, or the attackers.
It is necessary for cyber defenders to understand the attacker mindset, how attackers exploit the attack surface area, and what traces they leave behind. When well-trained cyber defenders understands these issues, they will definitely be able to secure their organizations and networks, and render infrastructures resilient against even sophisticated attackers.