The Australian IT industry needs to look beyond traditional boundaries to redefine how we find, hire and retain cybersecurity talent.
In a nation that is as highly connected as Australia, and where cybercrime is estimated to cost organisations up to $1 billion, investment in cybersecurity is crucial to the national and economic future. This investment needs to be not only financial, but also in human capital in ways that have previously been unexplored. The federal government recently outlined in its first-year Cyber Security Strategy report that cyber skills development is a key priority.
While there’s no official ‘register’ to count or keep track of the number of cybercriminals we’re facing today, what we do know is that these hackers are growing increasingly sophisticated and are collaborating in forums on the dark web to share tactics and tools. Facing these challenges, the demand for security talent is naturally on the rise.
Unfortunately, what could be a great career opportunity for thousands of individuals is turning into one of the biggest challenges facing the industry — a massive workforce shortage which experts predict will reach 1.8 million unfilled cybersecurity positions globally by 2022.
So why can’t we find enough security professionals to fill these high-paying, in-demand roles? There are a number of contributing factors. Locally, this problem has been heightened with recent changes to 457 visas and with higher education in Australia becoming increasingly costly and, in some cases, unattainable. Quite simply, it is becoming more challenging for individuals to gain these skills through traditional means.
We cannot continue to focus on traditional recruitment methods, education models and old-world hiring practices for IT roles. We need to think about cybersecurity hiring and skills development in new, productive and tailored ways. What’s true is that many of the best and brightest working in security today didn’t come into the field with a four-year technical degree. Yet job advertisements — and hiring managers — continue to seek and define roles based on degrees, rather than on skills, experience and aptitudes.
A ‘new collar’ approach could be the answer. By new collar, I mean filling cybersecurity jobs by taking advantage of the many other ways people can acquire the technical skills needed. These skills can be learned on the job or through other means of hands-on engagement, such as internships, apprenticeships and certification programs, or can even be self-taught or developed alongside peers. Essentially, it means hiring people based on aptitude and potential, not the old-world ways. For the government and industry, this could be the win-win we need, helping boost immediate skills and giving more people the opportunity to work in this dynamic, exciting and business-critical field.
Additionally, with security tools and hacker methods continually changing, aptitude and the ability to learn quickly are really what make or break a security professional’s success.
Take the role of the ‘ethical hacker’ as an example. These security pros are paid to think like the bad guys, attacking corporate systems and servers to find the security holes — before the cybercriminals do. Natural curiosity and an investigative mindset, problem-solving, creativity and determination are often the factors that define success in this role — all skills which can be learned and honed outside of a traditional classroom setting.
The role of cybersecurity more broadly also needs a rethink, recognising that this is a business issue rather than just a technology issue. The variety of roles we need to fill is nearly endless, and the skills needed to fill these roles are broad as well.
Each organisation will have a different approach to how they can build their own new collar security workforce, but some good starting points include such things as:
- supporting security programs through high schools and TAFE;
- emphasising certification programs and embedding them into education programs;
- developing local partnerships and exploring alternative hiring pools;
- driving awareness of security careers to students at an early age, through workshops, clubs, competitions and more;
- establishing apprenticeships, residency programs and internships.
Rapid change is a constant, and transformation is essential to survival, so we need the best and brightest to join us on the ever-changing security battleground. By looking outside of traditional boundaries and redefining how we find, hire and retain this talent, we can start to make that goal a reality.
Glen Gooding is the Business Unit Executive of IBM’s Security Services Division. He has more than 25 years’ experience in the security industry, having previously held the position of director of IBM’s Institute for Advanced Security. He is an IBM Certified Executive IT Specialist and also an Open Group Distinguished IT Specialist.