Should cybersecurity professionals be licensed?

by Black Hat Middle East and Africa

There are numerous certifications that cybersecurity professionals can acquire if they want to validate their expertise and build trust with customers. But in spite of the availability of certifications, many professionals operate based on their experience in the field, rather than on training and qualifications. And while many governments do regulate cybersecurity businesses and their eligibility to operate, they don’t regulate individual service providers in the same way. 

Until recently, that is. 

Countries including Ghana, Malaysia, and Singapore are changing this – by introducing mandatory certification and licences, without which cybersecurity professionals are not legally allowed to bill clients. 

What are the requirements?

In Ghana, to obtain a cybersecurity licence, providers have to meet several requirements as detailed by the nation’s Cybersecurity Authority:

  • Completion of an online application form
  • Provision of a description of services and the technical processes involved in offering those services
  • Validation of accreditation status of all cybersecurity professionals employed by a business to provide a service

These sit alongside administrative requirements, including business registration, tax registration, and insurance, and other requirements that depend on the type of business or professional and the services offered.

Malaysia’s new Cybersecurity Bill (tabled for first reading in Malaysian Parliament in March 2024, and passed in April 2024) mandates that any person who provides or advertises cybersecurity services must obtain a licence.

And in Singapore, all cybersecurity providers must now meet certain standards in order to operate legally under Section 5 of the Cybersecurity Act. The licence has two tiers of cost: S$500 for individuals and S$1000 for businesses. And individuals can be refused a licence based on a wide range of conditions, including previous convictions for fraud; judgements against them in civil proceedings relating to fraud or dishonesty; the diagnosis (current or in the past) of a mental disorder; and more.

A mixed response from the cybersecurity sector 

Serene Kan (Partner in the IP & Technology Practice at Wong & Partners) told Dark Reading:

“We most certainly think that having a bare minimum standard will engender more confidence across the ecosystem as there will be assurance that — among others — penetration testing, security audits, and incident response services to be provided are on par with industry expectations and evolving technologies.”

But licence requirements for individual cybersecurity professionals haven’t been warmly welcomed by everyone in the sector, with concerns raised about a lack of protections for free speech, excessive control over digital services, and a lack of accountability for governments when it comes to the control they’re exercising.

For organisations hiring cybersecurity professionals, licensing could reduce the level of risk involved in appointing someone who isn’t capable of managing the threats that organisation faces. And this is becoming more important as the attack surface grows, and cyberattacks become increasingly frequent and costly. Another layer of assurance that the professional you’re hiring understands the work they’re promising to do may improve cyber resilience. 

That being said, if a licence is granted based on certain certifications, there’s still no guarantee that a professional will have the capabilities to address the specific problems faced by a particular organisation. There is always nuance in cybersecurity – and the most effective professionals are adept at understanding the complexities of human psychology and communication, as well as technical skills. 

What do you think? 

We want your perspective. Is licensing a positive step for the cybersecurity space, and should more countries embrace this approach – or will it restrict the flow of talented cybersecurity professionals into the organisations that need them? Let us know your thoughts and leave a comment below.
