The Australian government needs to be leading the national drive to close the “critical” cyber security talent gap, partnering with industry and funding new programs, the CEO of a leading cyber security organisation said.
A shortage of qualified cyber security professionals has been the subject of much discussion in Australia recently. According to government-funded AustCyber, an estimated 11,000 cyber security workers are required to meet just the challenges of today.
And a report by the Australian Information Security Association (AISA) found that nearly 80 per cent of its members believed there was a cyber security skills shortage.
Matt Loeb, the CEO of US-based global professional association for IT and cyber security ISACA, said this is an issue that countries around the world are facing and action needed to be taken now to ensure the gap doesn’t get any worse.
“Whether you’re going to India, the Middle East, countries in Africa or even the US, it’s global. Without the necessary human resources in place we just can’t achieve the level of resilience that we need in the face of a threat landscape that’s changing every day,” Mr Loeb told InnovationAus.com.
“The bad guys are better resourced than the good guys – that’s where the urgency exists.”
Mr Loeb, who is currently in Australia for a cyber security conference, said the Australian government is on the right track, but a lot more must be done to address the “public safety and national economic security issue”.
“I do a lot of travel around the world and the efforts of the Australian government to take a holistic and coordinated approach to cyber security is actually very good compared to many other parts of the world,” he said.
“I applaud the way in which the country is trying to not distribute all of the responsibility and have a bunch of silos on security.”
“It has to come from the top down, you need an orchestrated and coordinated approach across not just the government, but through partnerships with industry, academia and non-profits.”
The Australian government has already been in active in the space, launching its $230 million Cyber Security Strategy in April last year.
Last month AustCyber launched the first of many cyber security challenges, aiming to bring new people into the industry to fill the talent gap.
But there’s much more to be done too, Mr Loeb said, and it all needs to be coordinated and cooperative across government and the private industry.
“Messages need to come from the top. Governments have limited amounts of financial resources, so they need to look to partner with other stakeholders like industry, non-profits, and academic institutions. I think there is more that government can do there,” he said.
Australia should also be looking to successful programs from around the world that have helped to draw more people into the cyber industry.
Mr Loeb pointed to the Cyber Retraining Academy program in the UK, which saw people without cyber security experience but with technological aptitude take part in a 10-week cyber security boot camp.
After a trial of the program, 27 of the 55 participants are already employed in frontline cyber security roles.
“The government needs to look at sponsoring some of these alternative training programs, similar to what the UK did. They need to at least get it started,” Mr Loeb said.
Governments should also be looking at programs that help the private sector to work out their current cyber resilience and where improvements are required, he said.
“Industry doesn’t want to be over-regulated, but there’s also an opportunity for industry to get better about its own ability to measure a company’s resilience in a way that they can understand where they are on a continuum in relation to others in their industry,” Mr Loeb said.
“The role for government is to encourage that kind of behaviour and modelling how they do that themselves.”
In line with this, ISACA will soon be launching its Cyber Security Capability Maturity Assessment, which aims to help organisations “measure resilience and understand where it is in its capability versus others in industry, and roadmap in how it can improve resilience”.
The private sector also has a pivotal role to play in addressing this crucial issue, Mr Loeb said. In the short term, companies need to be more open to hiring people with less experience but an ability to learn.
“Employers are advertising for roles expecting people that are coming in to have the requirements they’re looking for. There’s simply not enough people with five years’ experience in doing this frontline work, there aren’t enough people in the marketplace,” he said.
“Organisations need to be more open to looking to those that have the technological aptitude and can bring promise in an ability to develop skills,” he said.
In the longer-term, legacy systems that are vulnerable to cyberattack need to be replaced by resilience designs, he said.
“We need the workforce in front of us to protect it and retrofit it, and in the long-run we need investments to be made to improve the qualities of systems,” Mr Loeb said.
“In the future you’d expect that new systems, equipment, devices and software will have security built into it. That won’t eliminate the need for human resources but it will take some of the chaos off the table.”