Recruit and reinforce: Solving Malaysia’s cybersecurity shortfall
By CHRISTOPHER FAM
Cybersecurity
Monday, 29 Apr 2024


In March, Digital Minister Gobind Singh Deo emphasised to Parliament the need for Malaysia to maintain a high level of expertise in cybersecurity to face future threats.

To enhance the country’s cybersecurity capacity, he said the Digital Ministry is set to introduce several programmes to develop cybersecurity talents and attract experts to the country.

These professionals are expected to bolster Malaysia’s key agencies for national cybersecurity and data protection, namely CyberSecurity Malaysia (CSM), the National Cyber Security Agency (Nacsa), and the Personal Data Protection Department (JPDP), which regulates the processing of personal data.

Furthermore, Communications Minister Fahmi Fadzil reported last October that Malaysia faces a significant deficit of cybersecurity experts, with only 15,000 currently active within the industry.

He estimated that an additional 12,000 experts across various fields are necessary to manage digital threats effectively.

“This is a huge gap when we understand the need for cybersecurity, and companies, especially those in the digital economy, really prioritise cybersecurity and there will be an urgency to set up their own cybersecurity units.

“Every company, depending on size, might need between 20 and 30 people, and if we look at small and medium enterprises as an example, there really is a need,” he said in a Bernama report.

This shortfall was echoed by Prime Minister Datuk Seri Anwar Ibrahim in late March, who stated that the country requires “25,000 workers in cybersecurity by 2025”.

Worldwide woes

Ahmad Zaidi Said, an incident response specialist with the Global Emergency Response Team at Kaspersky, pointed out that the scarcity of cyber talent is a widespread issue that is not just confined to Malaysia.

He cited a study from the International Information System Security Certification Consortium (ICS2) that indicated a global workforce gap of four million information security (InfoSec) workers in 2022.

Moreover, a separate study by Kaspersky revealed that 41% of companies “described their cybersecurity teams as somewhat or significantly understaffed”.

“Our survey also showed that the government sector reported the highest demand for InfoSec professionals, followed by telecommunications, media, and the retail and wholesale sectors.

“Achieving a goal of 25,000 cybersecurity professionals in Malaysia is an ambitious goal, yet it is really crucial,” he says.

The chief executive of Nacsa, Dr Megat Zuhairy Megat Tajuddin, believes that the demand for cybersecurity professionals will rise, especially as the Cyber Security Bill 2024 was unanimously passed on April 3 by the Dewan Negara.

“The Bill is anticipated to mandate specific security standards and procedures, highlighting the significance of cybersecurity professionals.

“However, its effectiveness will hinge upon the availability of trained personnel capable of properly implementing and enforcing its requirements.

“The demand for cybersecurity talent is expected to surge significantly as compliance with the cybersecurity baseline becomes mandatory for National Critical Information Infrastructure (NCII) entities under the law, necessitating resources within their organisations,” he says.

Datuk Dr Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia, shared that the CSM 2023 Mid-Year Threat Landscape report revealed that the government sector experienced the highest number of data breaches, accounting for 22% of the total breaches affecting various sectors.

The telecommunications sector ranked as the second most impacted, albeit substantially less, at 9%.

“The education and retail sectors are tied at 6% each in terms of Malaysia’s data breach records. Furthermore, the report indicates that in June alone, there were an estimated total of 823,880 breached records, totalling 417.59GB of data, involving six government agencies and 20 private entities,” he says.

Training tomorrow’s talents

As the Bill is set to play a pivotal role in enhancing Malaysia’s cybersecurity framework, Megat Zuhairy stressed that a shift in talent development strategy is needed.

“Prior to this, we tended to focus on developing our talents in institutions of higher learning, but it is no longer sufficient.

“I believe that we need to start even earlier – from primary schools and secondary schools, as they are the generation that has been exposed to digital gadgets from the beginning of their lives,” he says.

To promote cybersecurity awareness among school students, Nacsa plans to unveil the MyCyberHero programme and also recommends promoting cybersecurity-related careers to school students.

Moreover, the agency advocates providing opportunities for professionals already in the workforce to transition into the cybersecurity sector by offering supplementary courses and certifications.

Amirudin emphasises that cybersecurity talents are in high demand due to evolving cyber threats and the increasing pressure for faster results.

“If no new personnel are brought into cybersecurity, Malaysia’s digital landscape will slowly deteriorate,” he says, citing the numerous cyber incidents in the country.

Another aspect to consider is the limited resources and expertise available to develop effective training programmes, which may impede efforts to adequately train cybersecurity professionals.

Philip Victor, a partner and managing director at the technology strategic advisory firm Welchman Keen, highlights the significant challenge of funding, which is essential for cybersecurity talent training and retention.

This challenge is particularly notable when trying to attract Malaysian talents currently working overseas and foreign experts to the country.

“It’s all about the money. You should pay them well. You need that pull factor. Our declining currency is not helping at all. Why would they want to return, or why would foreign experts come?

“The benefits must be great. One suggestion is to offer flexibility and remote work. In the organisation I work with, we are all based in our home countries, and today we can work from anywhere,” he says.

He advises engaging with these individuals to work remotely if that is their preference, adding that good remuneration, development opportunities, and recognition are steps toward making the sector more attractive.

This view is echoed by CSM’s Amirudin, who agrees that offering competitive compensation packages that align with global standards is essential to attract top talent.

“Demand for cybersecurity experts is high globally, making it challenging to attract and retain skilled professionals in Malaysia due to competition from other countries and industries.

“Addressing these challenges requires a multi-faceted approach that involves raising awareness, providing relevant training and education, allocating resources effectively, fostering collaboration among stakeholders, and continuously adapting to the evolving cybersecurity landscape,” he says.

Amirudin adds that measures such as simplifying visa and work permit procedures, along with creating more opportunities for professional development, would make the Malaysian cybersecurity landscape more attractive.

Barriers to entry

According to Philip Victor, collaborative efforts with international certification bodies, special pricing schemes, and increasing the availability of local instructors are pivotal to nurturing cybersecurity professionals.

“Work with international certification bodies for certified professionals. Look at special government pricing schemes for government personnel and scholarships for the public and private sectors.

“Create more local certified instructors for these certifications to lower the cost of international trainers, which will lower the overall cost per head for training our local talents.

“If we can get at least one certified instructor from each university, we can have a larger pool of offerings and thus create more professionals in a shorter period of time,” he says.

During his tenure as the head of training and outreach at CyberSecurity Malaysia from 2002 to 2008, Philip Victor stated that the regulatory body collaborated with ISC2 and the International Council of E-Commerce Consultants (EC-Council) to offer special pricing and scholarships aimed at creating certified professionals.

Megat Zuhairy highlights ongoing collaborations and initiatives aimed at attracting and retaining talent throughout the country.

“Programmes such as the Nacsa collaboration with the EC-Council, providing RM5mil in scholarships for over 2,000 Malaysians to enrol in certified cybersecurity training, exemplify this approach. Initiatives like the newly established BlackBerry Cybersecurity Center of Excellence aim to enhance local talent through international syllabi and trainers,” he says.

Philip Victor recommends offering government subsidies to offset the high costs associated with obtaining international cybersecurity certifications, or alternatively, incorporating such certifications into university courses.

Additionally, he proposes a transition towards a mandatory six-month on-the-job internship to streamline the process of drawing talent to the local industry.

Ahmad Zaidi stresses that successful collaboration between the public and private sectors, as well as the industry at large, is vital.

“Universities can update their curricula by partnering with cybersecurity players and integrating the latest industry knowledge into their training programmes,” he says, adding that Kaspersky and University Malaya have set up such a partnership.

“In addition, community-based non-profit organisations and societies play a crucial role in promoting cybersecurity awareness, skill development, and networking within the Malaysian cybersecurity community.

“These grassroots initiatives provide valuable platforms for knowledge sharing, hands-on training, and collaborative efforts among cybersecurity professionals, enthusiasts and students.

“Community organisations such as the Malaysia Cybersecurity Community (rawSEC) and SherpaSEC are actively engaged in organising various events and activities that contribute to talent development and foster a vibrant cybersecurity ecosystem in the country.

“Moreover, non-profit cybersecurity boot camps like the Malaysia Cybersecurity Camp (MCC) are one of the most effective ways to pique students’ interest in Malaysia,” Ahmad Zaidi says.

He acknowledges that these efforts will not immediately address the current shortage, advising that companies find ways to minimise the impact of the professional shortfall, such as working with managed security services providers in the interim.

Source: https://www.thestar.com.my/tech/tech-news/2...urity-shortfall

Cybersecurity reality check: How prepared are M’sian companies at warding off attacks?
Cybersecurity
Monday, 29 Apr 2024

A Kaspersky report shows the significant cyberthreats faced by Malaysia, with the cybersecurity firm claiming that it blocked over 22 million local threats last year.

Kaspersky’s security network infrastructure data indicates that offline media such as USB drives are a common attack vector, with worms and file viruses making up the majority of these local threats.

Commenting on the decrease in attacks – from over 35 million in 2021 to over 22 million in 2022 and last year – Yeo Siang Tiong, Kaspersky’s general manager for South-East Asia, highlights a shift in strategy by cybercriminals.

“It’s also important to remember that, in recent years, cybercriminals have already seen the value of targeted attacks over mass attempts.

“We should not be complacent just because we see this slight drop in local threats. Vigilance remains necessary,” he said in the press release.

Furthermore, the 2024 Cisco Cybersecurity Readiness Index rated only 2% of Malaysian companies at a “Mature” level of readiness, the highest attainable rating, to counter cybersecurity risks.

The majority of Malaysian enterprises fall into the two lowest-scoring categories – Beginner or Formative (66%) – which are below Progressive.

The index, which includes data from 8,136 private-sector companies across 30 markets, including Malaysia, reveals a pressing situation: 73% of surveyed companies experienced a cybersecurity incident in the past year, with 44% of those incidents costing them at least US$300,000 (RM1.4mil).

In Malaysia, the gap between supply and demand for cybersecurity talent is significant, with 91% of firms deeming it problematic and 44% reporting more than 10 vacant cyber- security roles.

Cisco’s index also discovered that 77% of companies believe a cybersecurity incident could disrupt their business operations in the next two years.

Despite the lack of readiness, 85% of companies remain confident in their ability to confront cyberthreats – a sentiment Cisco’s executive vice president and general manager of security and collaboration, Jeetu Patel, characterises as overconfidence.

“We cannot underestimate the threat posed by our own overconfidence.

“Today’s organisations need to prioritise investments in integrated platforms and lean into AI in order to operate at machine scale and finally tip the scales in the favour of defenders,” he said.

Source: https://www.thestar.com.my/tech/tech-news/2...ing-off-attacks

we don't face a significant deficit of cybersecurity experts

we face a shortage of paying customer only

Brpa celery in this field?

tldr ..

inb4 membaca jembatan ilmu

Pay peanut, expecting big name to take up the job.

kesian all cyber experts dont want to work for MY companies

A lot of Russian IT folks youngsters running away from Russia few months after Ukraine war, some stuck in Georgia and elsewhere, go recruit them before Putin got them and converted into conscript reserves.