Talent shortage for cybersecurity roles to continue for next few years

The recent hacking of government websites in Singapore has put cybersecurity at front of mind for many organisations. As a result, lots of investment has gone into beefing up cybersecurity within both the public and private sector. Last year, the Singapore government passed the Cybersecurity Act, which highlights Critical Information Infrastructure sectors that will need to meet minimum security requirements. This includes infocomm, energy, transport (land, maritime and aviation), healthcare, banking and finance, water, media, security and emergency services sectors.

“Cybersecurity hiring has grown tremendously in the last year and will continue to do so for the next few years,’’ says Grant Torrens, Regional Director at Hays Singapore. But while cybersecurity is a hot topic across all industries, the bulk of its job roles still stem from government and banking and finance sectors. Generally, the more secure the online process required, the higher the need for cybersecurity talent.

Demand Across the Board

The Cybersecurity roles currently in high demand are Security Operation Centre Analysts, which require 1-3 years of experience monitoring and respond to alerts and threats in a security operations centre. Another skillset in demand is that of penetration testers (often shortened to ‘pentesters’), who are essentially ethical hackers that proactively try to attack an organisation to unearth security vulnerabilities and gaps.

“Pentesters have a very unique talent,” says Sheralynn Tjioe, Cyber Security Consultant at Hays Singapore. “They have to think like a hacker would and work across a wide spectrum of threats, triggering phishing emails and understanding where loopholes might be.’’ This is very different to roles in security centre operations that are more reactive in nature and require responding to incidents and then trying to stop them from recurring.

The Cybersecurity Act also triggered demand for a Chief Information Security Officer. All organisations covered by the act need to appoint one, along with all the agencies that work under government ministries. Candidates eligible for these senior roles generally come from technical backgrounds but may have moved up the ranks to take on more strategic or policy-related roles. They are required to know the policies in Singapore well, work with senior stakeholders and engage with a wider audience.

Employee Retainment in Focus

There is currently not enough supply to match this demand for such a wide range of cybersecurity staff. Consequently, the market is now very “fluid’’ with candidates moving around every one to two years. This talent shortage has also led to an increase in salaries as organisations need to remain competitive in terms of remuneration. Last year, salaries increased by around 10%-15%, and are predicted to rise by 20%-25% this year.

The talent shortage is also putting pressure on employers to find ways to retain their key staff. A lot of firms have resorted to using cybersecurity certification allowances and relevant cybersecurity training bonds to retain employees. “There are not many initiatives to retain candidates apart from bonding employees with training subsidies. Organisations need to think more about providing promotions and long-term career paths,’’ says Tijoe.

Cybersecurity: a new career path?

Hays receives a high number of applications from candidates looking for cybersecurity roles, particularly from overseas talent looking to relocate to Singapore. In fact, overseas applicants make up two-thirds of the candidate pool but the challenge of foreign worker quotas makes it hard to recruit them. An interesting observation is that around 30% of applicants are seeking a career change. “Usually, they are in the first three years of their career or already have a background in IT. It can be harder for those with more experience looking to change careers as they are already earning more than a junior cybersecurity employee would.’’

Tjioe has plenty of tips for those looking to break into cybersecurity roles. “If you do not have the experience, it’s hard to justify getting a role in cybersecurity. it would help to equip yourself with some basic exams, like the Certified Ethical Hacker (CEH). This will also show a potential employer that you are committed to a career in cybersecurity.” Candidates can also try to move internally within their organisation, which is easier if they have a good track record. “It should be easier to network and switch internally than if you are an external candidate,” she says,

While technical skills and qualifications are important, so is having the right mindset. “You need to be innovative and think like a hacker. Sometimes an unconventional achievement could get you a job. You could self-learn and present a seminar at a conference or forum to get noticed’’.

Incremental Growth

Even though cybersecurity is currently very hot in the market, it is still a very niche skillset; this means the talent short market in Singapore is likely to remain for the short to mid-term. ‘’It will still take a few years for the market to mature and so the talent shortage will continue. While the government is doing a lot to pipeline cybersecurity talent, it’s still relatively early days,’’ says Grant.