Former FBI negotiator Chris Voss has said that every negotiation is a no-lose situation – you have to save all the hostages or you fail. Cybersecurity is the same. Every byte of data and every node in the network has to be secured, with zero room left for attackers.
The world needs more cyber talent to protect its data and networks. What can educational institutions do to raise the global cyber defence wall?
Singapore Institute of Technology (SIT) believes partnering with industry is essential. Cybersecurity training has to keep up with the growing pace and breadth of cyber threats. Here is how SIT is preparing the next generation of cyber professionals.
Cyber skills shortage
Tammie Tham, Chief Executive Officer, Ensign InfoSecurity Pte Ltd
There is a global shortage of cybersecurity talent. In Singapore, “the demand for cybersecurity talent continues to outpace the supply,” says Tammie Tham, CEO of cybersecurity firm Ensign InfoSecurity. “It is especially challenging to find individuals that have both the technical background and the required experience.”
The skills gap leaves industries and nations vulnerable to cyber attacks. This is a particularly pressing concern for Singapore, given its smart nation vision. “We won’t be a smart nation without cybersecurity,” she says.
But training cybersecurity professionals is not that straightforward. “There is no one-stop cybersecurity textbook as the cyber threat landscape is very vast,” says Associate Professor Steven Wong, Programme Director of Information and Communication Technology (Information Security) at SIT.
Cybersecurity professionals need to have both knowledge and practical skills, he notes. A recent study by the Enterprise Strategy Group and the Information Systems Security Association recommended that cybersecurity education tie in with businesses to plug the skills gap.
The other side of the house
Associate Professor Steven Wong, Programme Director, Information and Communication Technology (Information Security), SIT
SIT is stepping up to the plate to train future cyber professionals. A key part of its curriculum is to teach real-world cyber skills – by getting students to role-play as hackers.
In one project, professors gave students permission to break into a smart locker on campus. The locker is a new addition to the campus, meant to reduce manpower requirements and make submitting homework easier. “If I’m going to open it up to any adversary, it might as well be my own students,” Wong remarked.
Such exercises help students think from the perspective of an attacker so they can defend better, he explains. “In the real world, attackers don’t follow a textbook.”
Students also take turns to attack and defend part of SIT’s network during lessons. The school runs an isolated network that’s only used for training, so students can simulate cyber attacks and defence in a real system. “We want them to really get their hands dirty,” says Wong.
Solving real-world problems
Industry projects are a big part of coursework at SIT. Students partner with companies to work on a problem they have identified. Theory can bridge some tech knowledge gaps, but “nothing beats getting hands-on experience in cyber,” Tham says.
Students might, for instance, have to conduct vulnerability testing for a company’s networks. They would be graded on the impact they made on the company’s cyber defences. This helps students “understand that industry requirements are not as aesthetic as lab-based university assignments”, Wong says.
SIT is keen to partner with industry in its education. Its upcoming Punggol campus will include a Living Lab, a testbed for companies to trial innovations. Students get to work on these projects and look for solutions alongside companies. “Not all learning has to be timetabled,” he notes.
SIT is currently inviting companies to be a part of the Living Lab. It could be especially useful for SMEs, since they may not have resources to build testbeds, he says.
Bespoke staff training
SIT also supports upskilling in the workplace by conducting training for cybersecurity professionals. It works with each company to understand their gaps and designs bespoke bite-sized courses to meet their needs. A company might need more support on ethical hacking, while another might want to strengthen its forensic abilities.
This allows companies to bring their staff up to speed in the shortest time possible. “Companies cannot release employees for classes full-time. Time is of the essence to them,” Wong explains. “These customised courses are a lot more effective because they are immediately applicable to the workplace.”
It’s also important for cyber professionals to be well-versed in a wide range of cyber competencies, in addition to their area of expertise. “Such professionals are more adept at effective collaboration, which is key to cyber-resiliency as cyberthreats become increasingly complex,” explains Tham. Ensign encourages employees to explore other areas of cybersecurity, so they can build versatility and broaden their cybersecurity experience.
“Unless you have the ability to learn, unlearn and relearn, you’ll always be held by strings by the adversary,” Wong says. With strong industry partnerships and a firm focus on real-world experience, SIT will work to equip the next generation of cyber defence experts.