Depending on who you ask, there’s a growing gap between the number of cyber threats in Australia and the number of security specialists necessary to fight them. And while experts quibble over the exact size of the gulf, no-one doubts that it’s there.
You want the numbers? Job site Indeed now estimates we’ve got about seven per cent of the cyber expertise we need (based on the discrepancy between cyber job postings and job searches). The Australian Cyber Security Growth Network (AKA AustCyber) has put the price of that shortfall at $400 million in lost revenue and wages. Their 2018 report claims that Australia needs an additional 17,600 cyber professionals by 2026. To put that in perspective, the headcount of Australia’s entire cyber workforce currently sits around 19,500. That’s some significant growth.
“Australia’s cybersecurity sector has a strong reputation internationally,” says Sean Duca, Vice President at Palo Alto Networks. “The Global Open Data Index also ranks Australia second in the world for policies that support cybersecurity and allow government data to be openly available to the public. But there is a huge opportunity for graduates looking for a career in cybersecurity. If you have an interest in the field, now’s the perfect time to grab it.”
So what’s causing this skills gap? And what is industry doing to fix the problem?
More threats, more jobs
One thing driving the jobs boom (and accompanying skills gap) is a spike in the number of domestic cyber threats. A Financial Review investigation last year found a surge in cyber crime from several prominent foreign sources, and the government’s own Criminal Intelligence Commission estimates that cyber crime costs the Australian economy around $1 billion each year (and that figure doesn’t even factor in loss of business revenue). In the wake of high-profile attacks like Stuxnet, Ashley Madison and (lately) WhatsApp, IT departments are quickly scaling up their cyber teams, inflating a market that’s expected to top $120 billion in global revenue next year. Job openings have hockey-sticked, but graduate numbers haven’t matched demand. Basically, there are a lot more cyber crimes than cyber cops.
Who’s joining the fight?
Part of the problem is down to growth channels. At the moment, most of Australia’s cyber talent pool comes from workers inside a company, usually transitioning from other departments, like IT. Very few are graduates from tertiary institutions, or skilled migrants from overseas. This has stalled cyber headcount at around 7 per cent growth year-on-year – well short of the numbers needed. Filling these roles is tricky: it often takes 20 to 30 per cent longer to fill an InfoSec role, compared to a similar IT position, and that’s despite a $12,000 wage premium on cyber jobs, according to AustCyber.
Universities to the rescue
As part of their Future Skills portfolio, RMIT Online has just launched a new cyber security short course, in partnership with industry, in an effort to plug the skills gap. This will help with long-term employment targets, but AustCyber warns there may still be a short-term problem, if companies and recruiters don’t get more creative. “Current recruiting practices still place strong emphasis on technical skills,” they say in their 2018 report. “This is despite the well-acknowledged need to improve the ‘soft skills’ and diversity of workers in the sector. There is also a lack of public understanding of the range of different career paths spanning technical and non-technical cyber security roles.”
The robots are coming
There is one small asterisk when it comes to cyber job security, and that’s the rise of AI and machine learning in the InfoSec space. Almost one third of CIOs have adopted some form of AI-based cyber defence, and pretty much everyone expects that number to grow. But most cyber professionals are more circumspect about humanity’s chances. “It’s important to separate the hype from reality,” says Palo Alto’s Sean Duca. “Relying on a single technology is a risk that can lead to damaging consequences, especially if a cybercriminal finds a way around the ML algorithm. A safer approach to enterprise cybersecurity is to deploy a multi-layered solution that can leverage the power and potential of AI/ML, but backs it up with other detection and prevention technologies, ultimately supervised by human capabilities.”