EXCLUSIVE - Insights into cybersecurity education and challenges in bridging the skills gap
The Association for Information Security Professionals (AiSP) was formed in 2009 with the main objective of becoming the pillar for the information security profession and professionals in Singapore. In 2016, the association rolled out its 5-year strategic transformation plan with 3 simple keywords: Advance, Connect, Excel (ACE).
At the Singapore International Cyber Week (SICW) 2017, which brought together policy makers, thought leaders and experts to exchange discourse on cybersecurity challenges, Deputy Prime Minister, Teo Chee Hean, announced the launch of the Cybersecurity Awards, organised by AiSP. The awards will recognise outstanding cybersecurity professionals, enterprises and students who have made significant contributions to Singapore’s cybersecurity ecosystem. They are supported by the Cyber Security Agency of Singapore (CSA) and seven other professional and industry associations.
OpenGov sat down with Dr. Steven Wong, President of the AiSP, as well as the Programme Director for the Information Security programme at the Singapore Institute of Technology, on the sidelines of SICW, to learn about his thoughts on the cybersecurity ecosystem and the challenges of cybersecurity education in Singapore.
The interview has been edited for length and clarity.
There is increasing demand for cybersecurity professionals by many industries these days and it is often a case of demand exceeding supply. Can you tell us more about the situation?
One question to ask ourselves is that even though there are a lot of training programmes, so many certifications, so many institutions, how come there is still a big supply problem?
The problem is not about having the training, but about having the correct training. It’s not the amount of training but how much of this training is applicable to the industry. I think that’s where the gap is now. We have a lot of certifications, we have a lot of training programmes that claim to train people to become a cybersecurity expert. The fact of the matter is, anybody who is practicing knows that you cannot become a cybersecurity expert by attending a few courses. It doesn’t happen that way.
Often, the experiences that you learn as you go along in cybersecurity build up the essential ability to see beyond what is in the box, which is critical to being a cybersecurity professional. How do you train someone to see beyond the box?
It’s not something you can train them in by giving them a certification or putting them through a theoretical course. So, one reason as to why there is still a significant gap is because experience in this field plays a crucial role. Thus, it is important for the training to have some realistic components to it. It might be good, for example, to do the training in a real work environment.
Moreover, cybersecurity is very wide – you cannot be a generic cybersecurity person and say you have knowledge in everything.
Where is the deep, niche expertise that is required? Security testing, vulnerability assessment, forensics, malware, incident response, each one of these is a deep pillar. We need to get enough deeply and highly skilled professionals.
So, you must already have a pool of people who are broadly technically capable, who are already cybersecurity-aware, to start with. It’s an upstream problem. What leads to that problem? It is the early formative years of their education. So how do we solve this problem? We have to go even lower down. The universities and other IHLs are one part of the pipe. But we have to go even lower down. We have to look at secondary and primary education and include cybersecurity as part of their curriculum.
Most of the primary school kids these days already know how to use the iPhones but are they aware of the cybersecurity aspects of it? They’re not. Are they educated even in the basics of cybersecurity? No.
We’re solving the immediate problem now, trying to bridge the gap, providing training to develop deep skillsets. But we must not lose sight of the gap in the pipeline for talent development. You can either fill in the gap or try to reduce the gap in the pipeline for the people that can be educated and trained to become cybersecurity professionals.
There are degree programmes and diplomas that provide some coverage of cybersecurity training. But the problem here is where’s the upstream flowing into that? People from secondary schools, junior colleges are still going through the traditional path such as the ‘O’ and ‘A’ levels. They form a significant part of the student population. They’re not exposed to cybersecurity. They’re still taking it as a ‘good to have’, not essential to have, but going forward with the amount of IT adoption, cybersecurity literacy is not a ‘good to have’, it’s a ‘need to have’. Without it, you can’t survive. I think that’s something a lot more effort will have to be put into.
You said that cybersecurity expertise needs a combination of in-depth as well as broad areas. Could you elaborate on that?
In cybersecurity, the threat landscape nowadays is always multi-vectored. It doesn’t come from a single vector.
Basic general awareness, fundamental skills and knowledge are essential across the board – that means, in order for you to even start in the domain of cybersecurity, you need to have at least some basic competency in knowledge and skillsets in broad aspects of cybersecurity.
These can include network security, web security, mobile security, forensics, malware, cryptography, policies, etc. – you need to know the whole thing about offence, defence, prevention and governance because as I said, nothing is single-vectored.
From there you get that stream of people who can then say, “this is what I know, now I want to go deep into one particular area.” At the end of the day, even though this is a deep pillar, for example, let’s say digital forensics, the work touches network, operating systems, storage, etc. So, how do you do that if you do not know even what the system looks like, if you do not know how networks work?
In traditional universities or traditional computer science programmes, specialisations are usually just a year. In a year, how much can you cover? So usually people will say, I have a general degree in computer science and have taken an elective which can be mobile security, and then claim to be a mobile security expert. This will not be true as the security flaw sometimes does not just come from the operating system alone or the application alone. It comes from many other places, sometimes it can be from the network layer, sometimes it can be people. So, you need to look across the board.
Same thing about individual certifications. Because I took up a certification in ethical hacking, I’m now a penetration (pen) tester? You can’t be unless you already have a grounding in terms of areas of cybersecurity because again, if you’re looking at pen testing, it’s not purely looking at just the network, it’s about the entire system which includes the operating systems, the policies, the applications and many other aspects as well.
Where I am from, luckily for us, at the Singapore Institute of Technology (SIT), we take all our students from the polytechnics. So, they have already done 3 years there, the university is another 4 years, so it’s a total of 7 years of training. Now, that gives us enough time to train a cybersecurity professional with sufficient breadth and depth required for them to function in the cybersecurity profession.
Cybersecurity should be a booming field right now. The more we connect everything, the greater will be the need for cybersecurity. Why is that not happening?
I think everybody talks about cybersecurity as an accessory but not a sector in its own right. Cybersecurity is very cool in the sense that it is a horizontal across all sectors but by itself, it is also a sector. Cybersecurity has to be brought to the forefront, security-by-design has to be the fundamental thought. It’s usually very difficult to do that. Why?
Because everybody likes to see things that excite them, correct? I mean, you have FinTech, “Wah, I’ve managed to do fund transfer within ‘x’ amount of time”. “I’ve got IoT, I am able to do fanciful automation, data analytics and models.”
Cybersecurity, for many, seems to be a barrier. Before I even do something, you tell me all the risks.
I think the basic understanding of cybersecurity needs to shift – it’s an enabler, not a disabler.
I think that has not been showcased well enough because many times, people “celebrate” cybersecurity lapses or people publicise cybersecurity breaches.
In the areas of specialisation, you mentioned it’s not enough to get the knowledge from books. What can be done to help students and professionals get hands-on experience?
What CSA does with the Cyber Academy is that it brings industry into the mix. But I think we should not forget about bringing IHLs into play as well. You need to expose the students to real life tools and situations – it’s pointless talking about cryptographic algorithms to protect data when they don’t see how that matters at all.
Books and computers are relatively cheap. But to build up infrastructure to get one’s hands dirty is expensive. This is why industry partnerships are important. Industry has all this existing infrastructure. How to leverage off this? It is a win-win situation because in certain ways, it also helps the industry better understand their own systems. This is a potentially big space to explore, the various schemes that are possible that potentially government could look at.
Also, looking at the international stage, what are some of the offshore infrastructure that we might be able to utilise for cybersecurity education? Or if there’s a need to build infrastructure in Singapore? In this case, how can this infrastructure be utilised by people outside our borders as well? These can be used as a platform to encourage cross-border collaboration.
The other aspect is how do you train people here that other countries will recognise? This is the reason why we need to establish a body of knowledge, off which we can all base our curriculums, certifications and training. Other countries in the world, such as the UK, are also developing their own cybersecurity body of knowledge.
For Singapore, it’s very simple. We should also develop a body of knowledge that we can utilise in Singapore for our educational training, and then compare our body of knowledge with our counterparts from the other countries and look at where our similarities and differences are. Leveraging off this knowledge, in the future, we then train professionals who can be mutually recognised and can apply their skills across boundaries.
Are there any international standards right now in cybersecurity education or cross-country knowledge? Singapore is a relatively small nation; so how can Singapore contribute here?
Singapore is a small nation but we’re not lagging behind. For example, let’s say the information security body of knowledge – it’s something we have formulated since 2009, we have a good 8-year head start in front of nearly everybody else.
The good thing about being small is that you can actually move very fast. We are densely populated, which means we are small in physical size but not small in scale. If you look at partnerships within ASEAN, they are very important because if we can help facilitate the collaborations within ASEAN through the body of knowledge, that is a platform on which we can grow the common understanding of cybersecurity within the region. The UK and USA are now building their respective bodies of knowledge – everybody is building theirs. At AiSP, we have just talked to our counterparts in the UK, the IISP, who are also building a body of knowledge, and we are exploring how we can mutually work together on our respective bodies of knowledge so that we can mutually recognise our professionals in the future.
I’m very keen on forging collaborations and partnerships with ASEAN countries, through the body of knowledge because it can start as bilateral agreements between Singapore and whichever other ASEAN country that is interested. Once you have established that, then you can start to create larger groups, so that it becomes an ASEAN network of sorts. We have to start somewhere. Once you have the network of sorts within ASEAN, you could start building partnerships with other regions to grow the cybersecurity profession without borders.
Frankly, we need to do this because the dark side does this much faster than us. They already have networks and collaborations and they are not bound by geographical and political boundaries. They are highly flexible and can evolve and mutate as they go along. So, we need to establish something very quickly and thus cannot wait until all the parties come together and agree on something. That will take forever. Starting with bilateral agreements is a good way to get things going and Singapore should help to foster and encourage more partnerships within the region.
During SICW 2017, DPM Teo Chee Hean announced that the Cyber Security Agency of Singapore (CSA) will establish a new academy to train cybersecurity professionals. For a start, the Academy will provide intermediate to advanced training to cyber defenders in the government, and also invite selected parties in the Critical Information Infrastructure (CII) sectors to join in the training. The training will be focused on targeted niche areas that go beyond what is normally available in the market. This will be expanded later to train cybersecurity professionals for the wider community.