Cyber Literacy in Hong Kong – a Public Good to Bridge the Talent Gap and Develop a Secure Digital Society

As the global cyber threat landscape continues to evolve, defenders will continue to play catch-up by finding ways to prevent, detect, respond to and recover from cyber-attacks. However, we need to further democratize security and get citizens of all technical backgrounds more involved in order to fight back against the latest threats, which target organizations and individuals alike.

The digital age has given rise to an urgent demand for cybersecurity professionals worldwide. However, this demand has surpassed the available workforce, resulting in a significant talent gap. The (ISC)² Cybersecurity Workforce Study 2022 reveals that despite a workforce of 4.7 million professionals, there are 3.4 million unfilled cybersecurity positions globally. [1] In the Asia Pacific region, where digital transformation is in full swing, the talent gap remains a concern. Nonetheless, there have been positive developments, with a 15.6% growth rate in the cybersecurity workforce. Singapore and South Korea stand out for their efforts in closing the talent gap within their countries. 

In this article, we will explore diverse cybersecurity career paths, examine the factors contributing to the closure of the talent gap in certain regions, and discuss steps Hong Kong can take to address this pressing issue. Understanding the global cybersecurity talent landscape is vital for building a stronger and more secure digital future. 

Understanding the Various Cybersecurity Roles and Responsibilities

In cybersecurity, roles are categorized using the InfoSec color wheel, which highlights the roles and responsibilities of different teams. [2] The primary roles include the Red Team (offensive security), Blue Team (defensive security, remediation and orchestration), and Yellow Team (combining security and development expertise). Collaboration between these teams leads to secondary roles: Purple Team (maximizing Red Team’s results and enhancing Blue Team capabilities), Green Team (improving code-based defense via DevSecOps), and Orange Team (increasing security awareness in software development).

To understand the tasks, competencies, skills, and knowledge associated with these roles, we can refer to frameworks such as the National Initiative for Cybersecurity Education (NICE) Framework [3] or the European Cybersecurity Skills Framework (ECSF). [4] The NICE Framework provides comprehensive insights into cybersecurity roles, including roles like Red Team Operator, Blue Team Analyst, Secure Software Assessor, and Compliance Manager. Meanwhile, the ECSF outlines competencies and knowledge domains, and encompasses roles such as Cybersecurity Engineer, Incident Responder, and Risk Manager. These frameworks serve as valuable references for individuals seeking to understand the specific responsibilities and requirements of various cybersecurity roles.

By embracing the diverse range of cybersecurity roles and promoting collaboration among them, organizations can establish a strong cybersecurity posture. This collaborative approach ensures effective defense against evolving cyber threats and enables a comprehensive security strategy.

Hong Kong’s Progress and Areas for Improvement

In recent years, Hong Kong has made notable advancements in its cybersecurity landscape. The introduction of Hong Kong Monetary Authority’s Cyber Resilience Assessment Framework (C-RAF) [5] and the Professional Development Programme (PDP) [6] has expanded the roles of red and blue teams alongside traditional compliance functions. Additionally, the adoption of public cloud technologies has driven growth in design/architect and develop/build roles, which has helped to boost the capacity and capabilities of the yellow team.

However, Hong Kong still faces challenges, particularly in building a sufficient talent pool for red and blue team roles. While Singapore boasts over 2,000 qualified candidates with credentials like CREST Registered Penetration Tester (CRT) and Offensive Security Certified Professional (OSCP), Hong Kong has fewer than 300 qualified professionals, indicating a significant talent gap. Singapore stands out for its proactive approach to talent development. While individual licensing is not mandatory, companies offering licensable cybersecurity services must seek accreditation. [7] Furthermore, the Monetary Authority of Singapore has invested SGD 400 million in the Financial Sector Development Fund to enhance digital workforce competencies, including cybersecurity expertise. [8]

To strengthen Hong Kong’s cybersecurity workforce, it is crucial to invest in specialized training programs, foster collaborations between academia and industry, and promote recognized certifications and qualifications. Emulating Singapore’s commitment to talent development can help Hong Kong address the evolving cyber threats effectively.

How to Address the Talent Gap?

To tackle the potential problems surrounding the lack of cybersecurity talent in Hong Kong, it is crucial to ensure that the investments made are targeted and effectively utilized. While Hong Kong’s investment in cybersecurity is comparable to, if not higher than, that of other regions [9], it is essential to focus on areas that require more talent, particularly in the primary colors of red and blue teams, rather than the traditional “white” team roles.

The talent gap in red team roles is already significant, with Singapore experiencing a tenfold gap compared to Hong Kong. To stay competitive, it is vital to nurture these talents at an early stage, even as early as secondary or tertiary education. This can only happen if the Hong Kong government recognizes the value of “ethical hacking” as a form of innovative problem-solving and includes it in educational curricula. However, it is concerning that the 2023-24 Budget page does not even mention cybersecurity, and that feels like a “missed opportunity” that should be addressed in future budgets. [10]

While demand generation efforts such as local bug bounty programs like Cyberbay [11] are valuable, they can only be fully effective with a steady supply of skilled and qualified professionals. It is crucial for the government to prioritize cybersecurity in its policies and allocate resources for the development of cybersecurity talent. By recognizing the importance of cultivating cybersecurity skills and incorporating them into educational initiatives, Hong Kong can build a robust talent pool and foster an ecosystem that supports the growth of the cybersecurity industry. This will help Hong Kong keep pace with market demands and maintain its position as a leading cybersecurity hub.

Conclusion

To support the ecosystem, we need an uplift of all talents, but in particular the red and blue teams. Those talents are severely lacking in Hong Kong, as words like “hacking” are frowned upon by parents as well as by the private and public sectors. While demand generation such as bug bounty programs and supply programs such as Cyber Academies can help, this will not change until we either enforce the need for such talent through law or regulation, or have education programs with a sufficiently low barrier to entry, at least from a cost perspective, given our assessment that cybersecurity knowledge is actually a common good.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.