Curious as to what employers in the cyberspace of today are looking out for when hiring? Hear straight from our COO at Red Alpha, Emil Tan, as he condenses his advice for aspiring professionals in the field and how Red Alpha works in solving the global cybersecurity talent crunch.
Do you have any interesting observations about the new generation of cybersecurity professionals as compared to the past generations?
This is a very interesting question. Before we talk about the new generation, I have to touch a little bit on the history of cybersecurity in Singapore. As we all know, cybersecurity is a very new industry. The discipline has been around for a long time – probably since the 70s, 80s – but the cybersecurity industry itself has been around for just about 30 years, to be honest.
From my general observation, there are about three generations of cybersecurity professionals in this industry. The first generation birthed out of necessity in around the 90s and early 2000s, which was when IT infrastructure, systems and services first started to get attacked more often. Organisations like governments, the military, big banks, pharmaceutical companies, and so on had to step up and protect their systems. That was when IT personnel were tasked to take up Information Security roles. These people made up the first generation.
Then comes the second generation – which I proudly belong to – which started in around the mid-2000s. We are cybersecurity-trained from the get-go by gathering experience from the past generation of security folks, even though there was still a lot of experimenting involved since we still didn’t really know what cybersecurity really entails. We experimented with all sorts of technology, to try and grasp the essence of cybersecurity. We compete in CTF. We attend conferences. We participate in hackathons. We look for resources everywhere and see what we can learn from them, and build upon our current knowledge. This is the second generation.
Now, we go back to your main question. In this generation, cybersecurity is a lot more established and job functions are a lot more defined. People enter the industry knowing what to expect. When you bring up things like Red Team, Blue Team, Pen-Test, Incident Response, Forensics, SOC, GRC, people know what you're talking about, as compared to the first two generations, where we were still figuring things out. This generation has an abundance of opportunities and plenty of resources – access to mentorship, a choice of what CTF to participate in, what conferences to attend. With all these resources widely available online, the current generation gets to have a strong and early start into the professional side of the industry. They make up the third generation of cybersecurity folks, and they are very important to the industry since these roles are crucial to defending our cyberspace.
I agree with you there. Sometimes I’m a little jealous that the new generation has the luxury of a structured education. But there is also the issue of losing the creativity fostered through out-of-the-box thinking, which the first two generations of professionals tapped into. What do you think we can do to foster that? Is that a skill or is that a trait, or are there things that we can do to foster that kind of out-of-the-box thinking in this new generation?
Of course, the structured programmes offered in education facilities have their merits. They provide a good foundation for people who want to pursue cybersecurity as a profession. But, the bricks and mortar of this structure is not enough. At the end of the day, the important part of becoming a professional is to really understand what cybersecurity really is about.
Students need to ride on top of the program structure, they need to explore beyond it. They mustn’t remain content with whatever they learnt from schools, or their skill sets will remain stagnant and outdated. They need to experiment more with what they have, and gain more experience.
Go for internships, understand the industry – what is it like, how do they apply their skill set to the current climate? Work on projects, not just school assignments, but real projects. Work on open-source projects beyond the school curriculum. Learn how to work as a team. It's really important here in cybersecurity.
Compete in CTF. Get a mentor, learn from war stories and that's how we all learn. Students definitely have to continue to do that. They cannot just purely depend on the school curriculum. They need to be resourceful in order to succeed in this industry.
Those are really great points. On to the next question: what do you think about skills versus certifications and credentials? What do you think is the balance between putting emphasis on certifications on a CV as opposed to projects and accomplishment?
I think it really depends on the context. To me, a certification is proof of the skills and knowledge you have, which is essential for securing your first job. It’s a tool to secure your place in the company, to persuade them to hire you.
But of course, the weight of certifications ultimately fall short if you don’t know how to apply it in real-world situations. If you have not embarked on any projects before, you have no experience to show for yourself, and the certification becomes unimpressive.
Personally, I focus more on the projects a candidate has embarked on. What cause have they contributed to? What contributions can they bring to the table for my company? Looking at their past projects can give insights into other attributes they possess, and not just technical skills. Singaporeans are exam-smart, so certifications may not mean as much. But if you deliver well at your projects, it tells a different tale on your competency. That’s what I look for when screening through applications.
I definitely agree with you there. If you had to pick five attributes or skills that are the top five most crucial to face the cybersecurity world of tomorrow, what would you say they were?
I love this question. If you asked me this question five years ago, I would, without a doubt, have said passion.
“You need to have passion. Passion for the field. Passion for cybersecurity.”
But now, things have changed. For the last three years or so, I found “passion” to be such an empty word. I've met so many people in the field who claim that they have passion, but when I ask them more about it, they can't elaborate further. They can't demonstrate or explain their passion for cybersecurity to me when I ask them about it. And for those who can articulate this passion – and you will be able to tell – they’re the ones who possess the other underlying attributes that we are really looking for. And one of the first things I look out for is playfulness – knowing how to play.
Playfulness
This attribute was imparted to me by my supervisor when I was working in the Defence Science Organisation (DSO). Under his supervision, rather than telling me to work on something, he always tells me, “Hey, go and play. Play with this tool, play with that method, explore and experiment, just play with it.”
That is how I've been approaching a lot of things since – seeing everything as a fun activity – and it makes me eager to explore, understand, and get down to the underlying science of things. That’s very important in cybersecurity when the breadth of things is endless, and there's just so many things out there that you'll never ever be an expert in everything.
So when we're playful, the world's your oyster. Your thirst for knowledge and your thirst for understanding is going to be there.
Excellence
The second attribute would be excellence. In cybersecurity, it's not about how well you know about a tool. It's not about collecting certifications. Instead, what I look out for are people who strive for excellence in the things they do. Those who really understand the underlying matter at hand. They strive for the level of being able to tap into the depth and breadth of their knowledge in order to fulfil their mission and task effectively and efficiently.
Grit and gumption
I'll combine the third and fourth attributes. I will say grit and gumption. I kind of touched on them earlier that you need to be able to push yourself and never rest on your laurels. You need to have the grit to always push yourself beyond your limits and reach for new heights, and you need to be gumptious in order to survive.
Success
And last but not least, success. How do you bring success to the people around you? How do you find success for yourself? Success for your peers or your community? Success for your organisation, and overall, to the cyber world or the world? This is important.
Tell us a little bit about Red Alpha, what you guys do, what you guys are about, and the problems that you guys are looking to solve. How do you guys do it?
Red Alpha is a talent development company. In a nutshell, we sit in between a training institute and a recruitment agency. We're kind of like a hybrid of both but at the same time, we are neither. I know it's getting confusing, but let me explain.
We are not just a training institute because although we provide training, we do not sell training. We show the industry that our training works. So what we do is we recruit people with high aptitude and people with the talent to excel in cybersecurity. We train them up for free. They even get an allowance during the training period and then we place them with our partners – people who need cybersecurity talents. Our partners will only pay us for the training that we have provided to these trainees after recruitment, so there is no transaction involved until we have proven that we have provided quality training to the trainees and the company wants them to be part of the team.
We are not just a recruitment agency because we don't just place existing professionals. We introduce new talented cybersecurity professionals trained by us into the industry. This is the only way that we see that can solve the current global cybersecurity talent crunch. Aspiring cybersecurity professionals no longer have to be troubled by their own training investment, wondering what the right path to get into the cybersecurity industry is. Other agencies provide training courses at close to $10,000, and students may not even get a job after completing these courses. It’s just a horrible advertisement for the industry, in my opinion.
People must be climbing over each other to join your programme! How many applicants do you usually get per cohort?
Each cohort usually has an average of about 1,500 applicants. We accept around 12 people for each cohort. We look for trainees with the highest aptitude, mainly because we only have four months to train them. Within these four months, we need to get them from inexperienced candidates – some came in with none – to someone whom companies would want to hire.
What’s your placement record looking like so far?
We had 11 trainees for our last cohort and all of them were placed in a company. So it’s a 100% placement rate!
If anyone who's listening to this had one thing to take away, what would you like to leave them with?
Ah, that’s a tough one. At the end of the day, it’s really about continuing to grow as a hacker each and every day. Learning is not just about books and papers. It's about diving deep into your creativity, trying to understand everything around you, being curious all the time. Learning is not about going through chapters. It’s all about applications, and how we can bring benefits to people around you.
Thank you to the team behind Horangi Cyber Security and Ask A CISO for inviting us over!