Almost every day, the media covers another massive data breach or cybersecurity incident. The reality is that cybercrime is now a $400 billion industry and it is in hyper growth. Cyberattacks are becoming ever more sophisticated, yet we still see sites being compromised because their owners did not have even the basic security controls in place. Is this because of a lack of understanding, a shortage of experienced cybersecurity professionals, a lack of training or a lack of funding?
This article explores each of these interconnected issues, suggesting some means to tackle the problem nationally and internationally.
There are clear connections at play here. The need for increased security means that security specialists are more in demand, which in turn results in a skills shortage that directly impacts those organisations with the least ability to recruit and retain expensive professionals.
The issues involved are complex. We need to ensure that all of the stakeholders in the Australian economy (industry, government and education) take appropriate security measures and contribute to the development of the information-security profession. Furthermore, we need to make sure that Australia has appropriate cyber defences, supported by a sufficiently experienced cyber workforce with the appropriate skills.
The shortage of skilled and experienced cybersecurity professionals has been raised as a concern both internationally and within Australia. It is an issue that has been identified by the Australian government's new Cybersecurity Strategy and raised independently by a number of the key organisations in Australia. According to the Australian Department of Prime Minister and Cabinet, demand is expected to grow by 21% nationally by 2020, totalling around 9,100 cybersecurity jobs across the country.
The reality is that the cybersecurity industry has been aware of the shortage of security professionals for many years, but nothing has been done to fully quantify and address the problem.
To remedy this, the Australian Information Security Association (AISA) has initiated a research project to better understand the extent of the problem in Australia and determine if it's related more to knowledge or to experience.
We've tasked the research team to investigate whether there is a broad skills shortage or whether the focus should be on a particular demographic of the security community, such as senior management or risk specialists. Do all of Australia's states and territories have the same cybersecurity skills problems? We already know that some of these problems make the cybersecurity-skills issue hard to quantify and, hence, difficult to address.
A key finding of one of last year's studies related to the lack of widely understood job roles within the cybersecurity workforce. As an example, analysis of the job-seeking website seek.com.au showed six jobs advertised under six different titles, yet each of the hiring organisations was after the same skillset: a penetration tester.
The lack of consistency in job role definitions makes it difficult for employers to express clearly what they need applicants to be able to do, especially in terms of aligning skill sets and experience to what their organisation needs.
The upshot is that employers continually complain about the number of job applications they receive for positions where the applicant doesn't have the necessary qualifications, skills or experience required to take up the role.
Another consequence of this confusion is the lack of clear career paths for existing cybersecurity professionals. The security workforce doesn't have a clear guide of how to progress from one level to another in their career, nor what their next role might be nor the skills required for that position.
One of the first steps in solving these issues is to begin with defining the cybersecurity career landscape appropriate for Australia. Not all cybersecurity professionals want to be a Chief Information Security Officer (CISO), nor is CISO the only executive position; there are those who are considered peers, at the same level, with the titles of Chief Scientist or Chief Security Architect. The important thing is that the career map fits the individual and it recognises them as a senior member of the cybersecurity team.
Another way to help improve clarity around career paths in cybersecurity is for us to develop a professionalisation programme for the industry. This is an area that has been identified as vital in solving the cybersecurity skills shortage and is key to the success of Australia's new Cybersecurity Strategy. It is critical to establish educational and support programmes as the basis for the national cybersecurity profession and to ensure solutions are provided for real problems that are fully understood.
More often than not, hiring managers hold off for the perfect candidate. That perfect candidate is almost always a pipe dream and the position goes unfilled. As in most professions, there are superstars who are the leaders in their field, commanding superstar salaries and often spending their professional life on the conference circuit and in the media.
The cybersecurity profession needs to ensure that we identify, nurture and grow our superstars, offering our people challenging problems to solve in rewarding environments. Cybersecurity should be seen as an attractive career option for school leavers and college graduates so that it will be considered as 'cool' as (or cooler than) engineering, architecture or the arts.
Rather than building a home-grown capability, many organisations poach from others. This creates a shuffling of the deck chairs across organisations without attracting new people.
So the question remains: how can we be more innovative in meeting the growing demand for cybersecurity jobs? Why are we not adopting systems such as mentoring and job introduction that have worked in other industries for decades?
For example, if you want to become a medical specialist, you need to complete an internship, working alongside qualified professionals after you leave university, before you can practise on your own.1 Cybersecurity should follow the same principle. Several organisations have strong graduate programmes, but they are the exception rather than the rule.
Salaries are another area with a marked divergence between the expectations of employers and those of cybersecurity professionals.
With many in the security field aiming for the top 1% of professional roles—and the highest salaries in cybersecurity—AISA members have said they are not seeing attractive compensation packages from employers consistently across the market. Neither have we seen recruitment agencies head-hunting from overseas to fill Australian cybersecurity roles.
Cybersecurity is still not on the list for skilled migrants.2 Given that Australia sits on the doorstep of Asia, which has a large supply of cybersecurity-skilled workers, this seems illogical.
In recent years, Australia has lost cybersecurity experts to other countries, mainly the United States, where cybersecurity superstars can earn stratospheric salaries. If Australia wants to become the digital economy of Asia, we need to change tack. We need to make it attractive for our home-grown superstars to stay here, with effective incentives to attract overseas professionals to migrate to Australia, as well as incentivise the lower ranks of professionals to remain in the game and strive for greatness.
If we accept that there is a cybersecurity skills shortage in at least some demographics in Australia, we need to know what the country's future requirement looks like before we can address the issues and devise a plan to solve them.
Developing people with the knowledge, skills and experience required to address the shortfall takes time and investment—possibly over five years. This is one of the reasons the country is currently suffering a shortfall.
We currently don't know how many cybersecurity professionals we might need or what skills will be most important for the Australian economy by 2020. There are many global estimates but none has been focused on the Australian market. We believe that further research in this area will help set realistic goals for policy makers to better understand recruitment requirements.
A recent UK study, the Security Breaches Survey6, showed that 87% of businesses experienced a cybersecurity breach in the past year, a rise of 10% from the previous year. One of the main issues is that small- to medium-sized businesses (SMBs) don't see cybersecurity as their problem. There is a disparity between the perception and the reality of security preparedness: many SMBs believe that their security processes are optimised and their security tools are effective, and that only their preparations for managing incidents are likely to need improvement.
Mandating basic cybersecurity hygiene is essential to the success and longevity of these companies and to ensuring they can help drive an effective and efficient digital economy for everyone. For basic cybersecurity hygiene, we refer to initiatives like the Cyber Essentials Scheme, which was developed by the UK Government and industry to fulfil two functions:
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and build upon. Initiating similar measures in Australia could significantly reduce an organisation's vulnerability.
However, it does not offer a silver bullet to remove all cybersecurity risk, i.e. it is not designed to address more advanced, targeted attacks. Organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does is define a focused set of controls that provide cost-effective, basic cybersecurity for organisations of all sizes.
AISA understands that implementing even basic security controls can be a major challenge for SMBs. We believe that the top end of the market will take on a significant portion of these trained workers. However, the majority should be deployed at SMBs with one clear objective: make Australia a Cyber Smart Nation. Australia's 200,000 small and medium enterprises4 are the engine of the economy. We need to get them on board.
Organisations that provide cybersecurity services (consulting, security testing and design) understand the importance of taking on cybersecurity trainees and mentoring them for several years to transform them into well-rounded cyber professionals. They all understand that cybersecurity capability needs to be built from the ground up. But many businesses are all too aware of the costs and risks of losing their well-trained cybersecurity professionals once they have learned the tricks of the trade.
The phenomenon of lateral hiring is still prevalent and makes smaller organisations wary of the time and effort they are willing to invest in a trainee. This is a big threat to developing a stronger trainee pipeline. If SMBs don't hire these workers to improve their cybersecurity capability, efforts to grow these trainees are doomed to fail.
We strongly believe that we can't start early enough with educating children in cybersecurity. This will not only make them more aware of the Internet's security risks, but they will also consider career opportunities in cybersecurity the norm at a very early age. As an industry, we will jointly have to develop material that speaks a language that both parents and children understand.
Without consensus and collaboration, the onslaught of breaches against corporations and threats to critical infrastructure will continue to escalate. If current trends continue, it is likely we won't have the right sort of cybersecurity professionals by 2020. The cybersecurity skills shortage will become more visible and more problematic than many seem to realise. To keep pace, we need to mature the cybersecurity profession into a proactive, not reactive, model.
For AISA, it is very clear that this challenge cannot be solved by one single entity. It must be an industry-wide collaboration. AISA believes that bringing together key stakeholders from the public and private sectors around Australia is imperative to finding a common solution for this shared problem.
We encourage people in our industry to start seeing the whole skills-shortage discussion as a more complex issue than it initially appears.
AISA is Australia's primary information security professional body, representing a member base of over 3500 cybersecurity professionals from a diverse set of business, government and academic markets.
4. In June 2015, 61% of actively trading businesses in Australia had no employees, 28% had 1-4, 9% had 5-19, 2% had 20-199, and less than 1% had 200 or more. In June 2015, the number of actively trading businesses in the market sector was 2,121,235.
Driving collaboration across business, industry and tertiary education.
Copyright © 2001- Business/Higher Education Round Table (BHERT). All rights reserved. ABN 80 050 207 942.