How AI could help close the cyber security skills gap in Malaysia and beyond

To coincide with the launch of the Hays 2024 Annual Global Cyber Security Report, Beyond traditional cyber talent, we’re interviewing leaders worldwide to get their thoughts on today’s trends and challenges.

Our latest guest on the Cyber in the Spotlight series is Jason Yuen, who has worked in cyber security for 27 years. Specialising in industries including financial services and energy, he returned to EY in 2011, where he currently serves as a Partner for Technology Consulting in Malaysia.

Download our 2024 report here.

Our global report found that 61% of employers don't rate their ability to attract cyber security talent highly. What are your thoughts on this?

"This is aligned to what we see. Regulations mean that the industry is forced to hire, which involves paying skilled professionals large salaries in order to attract them. Then, retaining that talent is potentially a bigger challenge because they can go somewhere else for an even larger amount of money. It’s a vicious cycle.

"Another problem for me is the talent leaving Malaysia. Things are improving, thankfully. But during the pandemic we had one of our highest ever attrition rates as a consulting firm. We can’t compete when organisations abroad, for example in Singapore, are offering three times the salary. I totally understand the results of your survey, it’s a real challenge."

According to our survey, the most popular sources of new talent are graduate pools and internal solutions. In Malaysia, bringing in people from other tech disciplines was also a common response. What have your experiences been of looking further afield?

"As a consulting firm, we hire graduates all the time. Even in my team of 120 cyber security professionals, we always want to have at least 10 interns. If we like the intern and they like us, we’ve found ourselves a new professional.

"The bonus of being a global firm is that we get to tap into some of our wider talent pools. We’ve brought in people from our internal IT team - in fact, one of the directors in my team came from our internal IT. We have people from IT audit and other divisions who express interest in cyber security, too.

"Almost all of our roles are based in Kuala Lumpur, but the pandemic has proven it's possible to work remotely and succeed. Even clients from big industries have accepted it’s a possibility, which is why we've started building a cyber security team in our Penang office.

"We have to be open to multiple talent sources - I think you probably get the hint that we have no choice!"

In terms of training and reskilling for cyber security roles, is there a set development plan for everyone, or does it differ for each recruit?

"There are fundamentals everyone has to adhere to, but our size means we can't just focus on one area. In the last couple of years, we've focused on building and acquiring skills in operational technology, cloud and a few key other areas which are developing and where clients are demanding the skillset."

Hays found that 57% of organisations will have trained their cyber security workforce on AI tools by the end of this year. In Malaysia, this was 44%. Does this surprise you?

"Not really. We're closely monitoring developments in AI and we’ve invested heavily - we have our own models and subscribe to commercial tools. Although we're working with large clients on building AI security frameworks, we're very transparent that this is a new and developing area and that we haven’t been experts at this for 10 years – that would be a total lie.

"AI is very useful for us because, in consulting, quickly collecting and compiling data is so important. Everyone recognises its potential, but integrating it into our business in a meaningful way is still something that's progressing."

One of the other things we explored is how AI will then affect the workforce - 44% of respondents believe that AI won’t impact their headcount. What are your thoughts on this?

"Before I talk about cyber security, I think that, generally, many automated tasks will be handled by AI. In cyber security, though, there is such a shortage of professionals that I don’t think it’ll affect us in the short to medium term. We just don't have enough people in the first place!

"Where I see AI supporting us is speed of analysis. For example, what is it within my infrastructure that needs fixing? Where are my weak points? Where would criminals most likely attack? And I think the speed at which AI can match, for example, the types of attacks versus those my organisation is potentially susceptible to, is really useful. Traditionally, collating this information would either take forever or just not be worth the effort.

"That's also where I see cyber security professionals providing value: being able to ask these questions and direct resources to where the remediation needs to happen in a more efficient way. I don't think we will have a case where our jobs will be taken over. It’s more that we'll be able to do our jobs better."

Finally, what are the key issues for you in 2024?

"Four things come to my mind. Number one: Malaysia will experience many more high-profile incidents. This will lead to greater public awareness, especially as the next version of PDPA will most likely mandate compulsory breach notifications to the population, like in many other countries.

"Secondly, cloud-specific skills and cloud security professionals are going to be in higher demand. Everyone’s been discussing cloud for a long time, but the pandemic has led to accelerated adoption, especially in Malaysia. With that, security skills will be required to manage and understand the risk.

"The third one is application and security development. As every company embraces digital, there are going to be new products. But how do we launch a secure product? The number of professionals in that area just isn’t high enough.

"Lastly, people. We're not worried about AI taking over – we’re still worried about how we can get the right people. Attrition has been slightly below forecast for us over the last year, but we see it picking up. As regulators put pressure on the financial institutions and they need to hire the right people, we’re definitely one of the talent pools that they source from. It goes back to what I said at the start. I don’t blame them though!"

For more insights from our survey, as well as cyber security leaders and Hays consultants, download your copy of our 2024 report here.

00