In 2019, Singapore became the first country in the world to require cybersecurity professionals to undergo a licensing and certification process. The trend has been slow to catch on. However, this year, Ghana and Malaysia joined Singapore in creating certification requirements for licensing these professionals.
With managed service providers (MSPs) having to wage a constant battle in cyberspace to keep their clients safe, will there soon be another hoop they must manage? Possibly. Other countries have expressed interest in implementing similar provisions. Currently, only a handful of nations require cybersecurity practitioners to be licensed, but these trends have a way of multiplying. So, before licensing requirements become widespread, now is a good time to see what this means for countries currently adopting cybersecurity requirements.
Examples from countries across the globe
Malaysia
Malaysia’s new cybersecurity bill of 2024 outlines the licensing procedure:
“Any person providing or advertising (or holding himself out) as a provider of a cybersecurity service shall obtain a license (“Cybersecurity Service Provider License”).”
The bill does not define the meaning or scope of a “cybersecurity service”; that is left to the regulating government department to determine.
The bill further explains, among other things, the conditions of the license, qualification for application of license, requirements to maintain records, and the renewal, revocation, and suspension of a license.
Singapore
Singapore’s licensing mechanism has been in effect since 2018, and their government cybersecurity center’s website describes its goals:
CSA adopts a light-touch approach to license only two types of service providers currently, namely penetration testing and managed security operations center (SOC) monitoring. These two services are prioritized because providers of such services have access to sensitive information from their clients. They are also relatively mainstream in our market and hence have a significant impact on the overall security landscape. The licensing framework seeks to strike a balance between security needs and the development of a vibrant cybersecurity ecosystem.
Ghana
Ghana’s licensing law went into effect earlier this year. The government barred cybersecurity service providers, establishments, and professionals without a license or accreditation from operating in the country. This includes MSPs that provide cybersecurity services.
The text of Ghana’s law dealing specifically with MSPs defines an MSP that provides security as:
“Managed cybersecurity services entail the provision of security services, including threat monitoring, detection, prevention, mitigation, response, and security advisory. Computer Emergency Response Teams (CERT) and security operations center (SOC) are considered Managed Security Services.”
Individuals who provide cybersecurity services without a license may face penalties. These could equal the cost of any damage caused and the value of any financial gain made.
According to local news sources, as of February 2024, over 1,137 cybersecurity professionals (CPS), 194 cybersecurity service providers (CSPS), and 52 cybersecurity establishments (CES) had registered to become licensed. However, by summer, Ghana had licensed only 51 entities to provide cybersecurity services, a mix of individuals and institutions.
Experts weigh in
Wes Kussmaul of The Authenticity Institute, a Nigeria-based business incubator, said in an interview with SmarterMSP.com that licensing cybersecurity professionals raises more questions than anything else right now.
“This begs the question: Licensed by whom?” Kussmaul asks. In Ghana, Singapore, and Malaysia, the government does the licensing, but even that raises questions. “If every cybersecurity professional is licensed by their country, will they require a license by another country if they were to work there?”
The current licensing systems are so new that the answer to that question isn’t clear yet.
Kussmaul points out that “work there” doesn’t typically mean physically moving to a new jurisdiction. He goes on to explain that “work there” is a daily reality for millions of MSP folks. This includes pen testers and security product developers who work online, for employers and clients thousands of miles away.
“Will there be accountability of licenses by the government of those countries?” Kussmaul wonders. He adds that if licensing is going to be a standard practice, there are two components it should possess. “The first is an attestation of competence, established through testing and other methods. However, the more critical part of professional licensing is accepting liability,” he says.
Still, Kussmaul explains that even if that is established satisfactorily, jurisdictional questions will remain. “We come back to the subject of jurisdiction,” he says. “What authority representing what jurisdiction issues the professional license and polices its use?”
Ian Paterson, CEO of Canada-based Plurilock Security, says that the licensing won’t strengthen cybersecurity services. “Licensing may help in tracking the industry but will do little to increase overall security. Governments may be better served in focusing on upskilling their economies overall in cyber hygiene, best practices, and talent development at the K-12 level to build more resilient societies, rather than imposing speed bumps on solution providers.”
So MSPs, if you have clients in Malaysia, Singapore, or Ghana, you should monitor these developments extra closely.