So great is the shortage of cybersecurity skills in Australia that organisations have no hope of recruiting the people they need and must instead resort to casting a wider net and training suitable candidates with the skills needed to combat the growing threats they now face.
That’s the view of Professor Richard Buckland, professor in cybercrime, cyberwar and cyberterror at the School of Computer Science and Engineering at the University of New South Wales (UNSW) and director of SECedu, the Australian Cybersecurity Education Network.
In Scaling Cyber Skills, an episode of the Bridging the Cyber Divide video series produced as a partnership between InnovationAus and CyberArk, Prof Buckland said there were 600 students undertaking cybersecurity training at UNSW – a twelvefold increase in five years – and all already had jobs to go to.
“I get people all the time saying, ‘Can you give me your best students, I’ve got buckets of money,’ and I have to say, ‘I can’t even give you my worst students – they’re already gobbled up even before they graduate’,” he said.
A report published last month by RMIT and Deloitte Access Economics estimated that 87 per cent of jobs in Australia required digital skills, and the country needed 156,000 new technology workers to keep pace with the rapid transformation of businesses.
An even greater shortage was identified by AlphaBeta in a study commissioned by AWS. It estimated Australia would need an additional 6.5 million newly skilled and reskilled digital workers by 2025, a 79 per cent increase.
A more precise measure of the shortage of cybersecurity skills, by both skill and location, is provided by CyberSeek, a tool created by cybersecurity company CyberCX and the Australian Cyber Security Growth Network, AustCyber. It has developed a heatmap that shows cybersecurity job openings in Australia by location and specialisation.
It says from October 2019 to September 2020 there were 4,500 openings for IT security specialists, but only 4,100 workers currently employed in those positions, “an annual talent shortfall of 400 workers for cybersecurity’s largest job”, and that there were “11,700 additional openings requesting cybersecurity-related skills, and employers struggling to find workers who possess them”.
Train up to fill cyber positions
Prof Buckland recommended employers should seek to meet their cybersecurity skill needs by training up suitable employees. He said graduates from cybersecurity courses were not necessarily ideal cybersecurity employees: “There is a lot we can teach them theoretically, but cybersecurity is a discipline, a profession. There is no better way of becoming finished than being trained by someone who is an expert in the field under a sort of apprenticeship model.”
Bruce Nixon, partner manager lead, Australia and New Zealand with privileged access management company CyberArk, agreed. He said organisations had to resort to identifying and training suitable candidates, and technology could enable those people to become effective more quickly.
“You have to think outside the square in terms of how you’re going to actually establish the skill set,” he said.
“You need to incorporate a training mentality – you might not necessarily find that perfect person in the industry – and we can provide enablement tools that will make it easier to find someone with domain expertise and evolve them into having those very specialist skills.”
Subsidy for cyber training proposed
However, Mr Nixon acknowledged that this approach would not work for smaller enterprises that did not have the domain expertise, the budget, or the need for full-time IT people. He canvassed the idea of the government “providing cybersecurity training free-of-charge to the mid-market and to small enterprises to allow them to consume high-quality training”.
He is not alone. The Australian Government recently announced the Cyber Security Skills Partnership Innovation Fund, with grants of between A$250,000 and $3 million, “to improve the quality and availability of cyber security professionals through training”.
This prompted a call for a program that would subsidise training for SMEs, which would raise the general level of cybersecurity understanding among the wider workforce.
Prof Buckland said digital technology was now so pervasive that everyone needed some level of competence in cybersecurity, and UNSW had several initiatives towards this goal.
“We’re teaching our law students cyber, and lawyers are teaching some of our cyber students about cyber law,” he said. “We’ve created our courses so that everyone can take them, and insert them into their degrees within UNSW. We also run free courses in basic cyber literacy.”
The speed with which the cyber security landscape is changing has put constant pressure on the availability of skilled cyber professionals. With borders now closed to skilled migration and any boost to the pool of experienced employees unlikely to come from overseas in the next 12 months at least, how does Australia find the skills required for the future of work and address the current shortage of skills?
The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.