In March, Digital Minister Gobind Singh Deo emphasised to Parliament the need for Malaysia to maintain a high level of expertise in cybersecurity to face future threats.

To enhance the country’s cybersecurity capacity, he said the Digital Ministry is set to introduce several programmes to develop cybersecurity talents and attract experts to the country.

These professionals are expected to bolster Malaysia’s key agencies for national cybersecurity and data protection, namely CyberSecurity Malaysia (CSM), the National Cyber Security Agency (Nacsa), and the Personal Data Protection Department (JPDP), which regulates the processing of personal data.

Furthermore, Communications Minister Fahmi Fadzil reported last October that Malaysia faces a significant deficit of cybersecurity experts, with only 15,000 currently active within the industry.

He estimated that an additional 12,000 experts across various fields are necessary to manage digital threats effectively.

“This is a huge gap when we understand the need for cybersecurity, and companies, especially those in the digital economy, really prioritise cybersecurity and there will be an urgency to set up their own cybersecurity units.

Fahmi reported last October that Malaysia faces a significant deficit of cybersecurity experts, with only 15,000 currently active within the industry. — Unsplash

“Every company, depending on size, might need between 20 and 30 people, and if we look at small and medium enterprises as an example, there really is a need,” he said in a Bernama report.

This shortfall was echoed by Prime Minister Datuk Seri Anwar Ibrahim in late March, who stated that the country requires “25,000 workers in cybersecurity by 2025”.

Worldwide woes

Ahmad Zaidi Said, an incident response specialist with the Global Emergency Response Team at Kaspersky, pointed out that the scarcity of cyber talent is a widespread issue that is not just confined to Malaysia.

He cited a study from the International Information System Security Certification Consortium (ICS2) that indicated a global workforce gap of four million information security (InfoSec) workers in 2022.

Ahmad Zaidi says that Malaysia is not alone in experiencing a global shortage of cyber talent. — AHMAD ZAIDI SAID

Moreover, a separate study by Kaspersky revealed that 41% of companies “described their cybersecurity teams as somewhat or significantly understaffed”.

“Our survey also showed that the government sector reported the highest demand for InfoSec professionals, followed by telecommunications, media, and the retail and wholesale sectors.

“Achieving a goal of 25,000 cybersecurity professionals in Malaysia is an ambitious goal, yet it is really crucial,” he says.

The chief executive of Nacsa, Dr Megat Zuhairy Megat Tajuddin, believes that the demand for cybersecurity professionals will rise, especially as the Cyber Security Bill 2024 was unanimously passed on April 3 by the Dewan Negara.

“The Bill is anticipated to mandate specific security standards and procedures, highlighting the significance of cybersecurity professionals.

“However, its effectiveness will hinge upon the availability of trained personnel capable of properly implementing and enforcing its requirements.

“The demand for cybersecurity talent is expected to surge significantly as compliance with the cybersecurity baseline becomes mandatory for National Critical Information Infrastructure (NCII) entities under the law, necessitating resources within their organisations,” he says.

The CSM 2023 Mid-Year Threat Landscape report revealed that the government sector experienced the highest number of data breaches, accounting for 22% of the total breaches affecting various sectors. — Bloomberg

Datuk Dr Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia, shared that the CSM 2023 Mid-Year Threat Landscape report revealed that the government sector experienced the highest number of data breaches, accounting for 22% of the total breaches affecting various sectors.

The telecommunications sector ranked as the second most impacted, albeit substantially less, at 9%.

“The education and retail sectors are tied at 6% each in terms of Malaysia’s data breach records. Furthermore, the report indicates that in June alone, there were an estimated total of 823,880 breached records, totalling 417.59GB of data, involving six government agencies and 20 private entities,” he says.

Training tomorrow’s talents

As the Bill is set to play a pivotal role in enhancing Malaysia’s cybersecurity framework, Megat Zuhairy stressed that a shift in talent development strategy is needed.

As the Bill is set to play a pivotal role in enhancing Malaysia's cybersecurity framework, Megat Zuhairy stressed that a shift in talent development strategy is needed. — MEGAT ZUHAIRY

“Prior to this, we tended to focus on developing our talents in institutions of higher learning, but it is no longer sufficient.

“I believe that we need to start even earlier – from primary schools and secondary schools, as they are the generation that has been exposed to digital gadgets from the beginning of their lives,” he says.

To promote cybersecurity awareness among school students, Nacsa plans to unveil the MyCyberHero programme and also recommends promoting cybersecurity-related careers to school students.

Moreover, the agency advocates providing opportunities for professionals already in the workforce to transition into the cybersecurity sector by offering supplementary courses and certifications.

Amirudin emphasises that cybersecurity talents are in high demand due to evolving cyber threats and the increasing pressure for faster results.

“If no new personnel are brought into cybersecurity, Malaysia’s digital landscape will slowly deteriorate,” he says, citing the numerous cyber incidents in the country.

Another aspect to consider is the limited resources and expertise available to develop effective training programmes, which may impede efforts to adequately train cybersecurity professionals.

Philip Victor, a partner and managing director at the technology strategic advisory firm Welchman Keen, highlights the significant challenge of funding, which is essential for cybersecurity talent training and retention.

This challenge is particularly notable when trying to attract Malaysian talents currently working overseas and foreign experts to the country.

Philip Victor stresses the need to work with international certification bodies as well as have more local instructors train cybersecurity professionals. — PHILIP VICTOR

“It’s all about the money. You should pay them well. You need that pull factor. Our declining currency is not helping at all. Why would they want to return, or why would foreign experts come?

“The benefits must be great. One suggestion is to offer flexibility and remote work. In the organisation I work with, we are all based in our home countries, and today we can work from anywhere,” he says.

He advises engaging with these individuals to work remotely if that is their preference, adding that good remuneration, development opportunities, and recognition are steps toward making the sector more attractive.

This view is echoed by CSM’s Amirudin, who agrees that offering competitive compensation packages that align with global standards is essential to attract top talent.

“Demand for cybersecurity experts is high globally, making it challenging to attract and retain skilled professionals in Malaysia due to competition from other countries and industries.

According to Amirudin, the demand for cybersecurity experts is high worldwide, which presents challenges in both attracting and retaining skilled professionals within the country. — CSM

“Addressing these challenges requires a multi-faceted approach that involves raising awareness, providing relevant training and education, allocating resources effectively, fostering collaboration among stakeholders, and continuously adapting to the evolving cybersecurity landscape,” he says.

Amirudin adds that measures such as simplifying visa and work permit procedures, along with creating more opportunities for professional development, would make the Malaysian cybersecurity landscape more attractive.

Barriers to entry

According to Philip Victor, collaborative efforts with international certification bodies, special pricing schemes, and increasing the availability of local instructors are pivotal to nurturing cybersecurity professionals.

“Work with international certification bodies for certified professionals. Look at special government pricing schemes for government personnel and scholarships for the public and private sectors.

“Create more local certified instructors for these certifications to lower the cost of international trainers, which will lower the overall cost per head for training our local talents.

“If we can get at least one certified instructor from each university, we can have a larger pool of offerings and thus create more professionals in a shorter period of time,” he says.

During his tenure as the head of training and outreach at CyberSecurity Malaysia from 2002 to 2008, Philip Victor stated that the regulatory body collaborated with ISC2 and the International Council of E-Commerce Consultants (EC-Council) to offer special pricing and scholarships aimed at creating certified professionals.

Megat Zuhairy highlights ongoing collaborations and initiatives aimed at attracting and retaining talent throughout the country.

Amirudin emphasises that cybersecurity talents are in high demand due to evolving cyber threats and the increasing pressure for faster results. — Bloomberg

“Programmes such as the Nacsa collaboration with the EC-Council, providing RM5mil in scholarships for over 2,000 Malaysians to enrol in certified cybersecurity training, exemplify this approach. Initiatives like the newly established BlackBerry Cybersecurity Center of Excellence aim to enhance local talent through international syllabi and trainers,” he says.

Philip Victor recommends offering government subsidies to offset the high costs associated with obtaining international cybersecurity certifications, or alternatively, incorporating such certifications into university courses.

Additionally, he proposes a transition towards a mandatory six-month on-the-job internship to streamline the process of drawing talent to the local industry.

Ahmad Zaidi stresses that successful collaboration between the public and private sectors, as well as the industry at large, is vital.

“Universities can update their curricula by partnering with cybersecurity players and integrating the latest industry knowledge into their training programmes,” he says, adding that Kaspersky and University Malaya have set up such a partnership.

“In addition, community-based non-profit organisations and societies play a crucial role in promoting cybersecurity awareness, skill development, and networking within the Malaysian cybersecurity community.

“These grassroots initiatives provide valuable platforms for knowledge sharing, hands-on training, and collaborative efforts among cybersecurity professionals, enthusiasts and students.

“Community organisations such as the Malaysia Cybersecurity Community (rawSEC) and SherpaSEC are actively engaged in organising various events and activities that contribute to talent development and foster a vibrant cybersecurity ecosystem in the country.

“Moreover, non-profit cybersecurity boot camps like the Malaysia Cybersecurity Camp (MCC) are one of the most effective ways to pique students’ interest in Malaysia,” Ahmad Zaidi says.

He acknowledges that these efforts will not immediately address the current shortage, advising that companies find ways to minimise the impact of the professional shortfall, such as working with managed security services providers in the interim.