Organisations across the Asia-Pacific (APAC) region are relying on job postings, internships and even candidates from other fields to plug the cyber security talent gap, a study has found.
Those were the key findings of the APAC cybersecurity hiring managers research report by The International Information System Security Certification Consortium, or (ISC)², which polled 787 respondents across Singapore, Hong Kong, Japan and South Korea.
Over half of respondents (58%) in Singapore rely on standard job postings in their search for cyber security talent, while just under half in the city-state have identified or recruited talent through apprenticeship and internship programmes as well as recruitment agencies.
At the regional level, companies have also diversified their recruitment practices when it comes to candidate sourcing, with hiring managers turning to existing employees from non-traditional IT departments such as customer service (43%) and human resources (38%) for entry-level and junior-level staff.
“Our research findings point to the widening cyber security workforce gap, which has been driven by geopolitical tensions, macroeconomic instability, as well as growing physical security challenges,” said Clar Rosso, CEO of (ISC)².
“With APAC registering the second highest year-on-year rise in shortage globally, organisations in the region need to be creative with their cyber security hiring. However, unlike conventional thinking, adopting an innovative approach doesn’t mean organisations have to take on more hiring risks.”
The (ISC)² report noted that adopting a more collaborative hiring approach between HR and cyber security teams, identifying candidates with relevant attributes and skills, as well as investing in their professional development, can help organisations build more resilient and sustainable cyber security teams.
When it comes to skills and experience, 62% of respondents would hire a candidate self-taught in IT or cyber security despite having no work experience, with those in Singapore and Hong Kong most likely to consider such candidates.
Across the region, 64% of hiring managers ranked previous professional experience as one of the most important attributes, followed by technical skills (56%) and certifications (51%).
Data security (34%) and security administration (32%), as well as the ability to work effectively in a team (48%) and independently (33%), emerged as the most highly rated technical and non-technical skills hiring managers expect from candidates.
The vast majority of hiring managers surveyed also indicated that their organisations provide some form of professional development for their entry-level and junior-level staff. This ranges from certification training and courses to the sponsorship of certification exam fees, as well as mentorship programmes.
In-house training courses are considered the most effective method of talent development for entry-level and junior-level practitioners (60%), followed by external training courses (57%), certifications (47%), conferences (35%) and mentoring (35%).
But retaining young talent is just as critical, particularly in markets such as Australia and New Zealand (ANZ). A separate study by Lacework in ANZ found that those with less than a year of experience are more likely to leave (64%) than those with one to two years’ experience (44%).
The Net Promoter Score (NPS) – a measure of customer or employee loyalty – for cyber security was also very low at -9.4, putting the industry on par with or worse than the airline and insurance sectors.
Worryingly, for those in the field for two years or less, the NPS was -32, showing that those new to the industry are having a negative experience and are even less likely to recommend cyber security as a career.
“New, talented individuals are leaving the cyber security industry too fast. To retain crucial talent in a tight market, more needs to be done to reduce the workload and stress on all those in the industry, particularly newcomers. This is especially so given the rapid rate of change in the sector and mounting public pressure from recent high-profile security breaches,” said Richard Davies, area director for ANZ at Lacework.