The already hot market for cybersecurity skills is likely to get super-heated in coming months – especially for board-level executives with tech and change management expertise – as a direct result of the new mandatory data breach notification laws.
The passage of the legislation through the parliament this week will turn a huge spotlight from boards of directors onto cyber issues.
It is simply no longer possible for corporate boards to leave responsibility for cyber issues to IT departments or even senior operations executives.
The mandatory data breach notification laws will almost certainly lead to a rethinking of board skills and drive demand for senior cyber literacy. This renewed focus on cyber skills may yet be the biggest impact of the data breach laws.
“Overall [the passage of the laws] means that it raises the profile of cybersecurity out of IT, and out of operations and brings it all the way up the board,” according to Verizon Enterprise Solutions regional managing director Rob Le Busque.
“It was starting to get there before the legislation, but this is going to now provide a specific focus for the discussion on cyber security and data security at the board level for the enterprises that are impacted by it,” he said.
The laws will also lift the transparency that consumers have over their own information and those they share it with.
“Ultimately it means data security is having a big light shone on it in the Australian context, and it improves transparency for consumers.”
The new provisions will take a year to take effect, giving organisations a year to get their houses in order. The entities that need to comply are businesses with a turnover of more than $3 million, any business (even a small one) that handles sensitive information, and most government agencies.
The already high demand – and short supply – of cyber talent is likely to increase as businesses look for ways to mitigate risk.
Organisations' acceptance of the need to go out and acquire the right technical and strategic capability and expertise will grow, especially in relation to building aspects of cyber security into the broader business strategy.
Mr Le Busque said cyber skills, as well as the business process and change management skills associated with the integration of new cyber-aware policies and processes, would grow in demand.
“Those kind of skills were already hard to come by and so you will probably see a tightening of that labour market even further,” he said.
There are a couple of other likely impacts across organisations from the passage of the data breach disclosure laws, Mr Le Busque said.
The first is that the new regime is likely to raise the level of PCI-DSS compliance in Australia (PCI-DSS is the credit card industry compliance standard). Mr Le Busque said regardless of whether you’re holding credit card data or personal information of a different kind, the PCI-DSS is considered a very good framework.
And secondly, there is likely to be an increase in the number of organisations that take out insurance against the risk of a breach. In Australia, somewhere between 3 per cent and 14 per cent of organisations have bought insurance, whereas in the US, where data breach legislation has been in place for some time, that number is 25 per cent to 30 per cent.
Macquarie Telecom Group CEO David Tudehope said the mandatory notification of serious breaches would provide a foundation for better national cyber security practices.
Making greater transparency a legal obligation means all boards and management teams know that trying to sweep problems under the carpet is no longer an option, he said.
“Consumers need to know promptly when their data may have been lost in a serious breach so they can take their own remedial action.
“The new regime also helps other businesses and organisations to become aware of possible vulnerabilities in their own networks,” Mr Tudehope said.