There is little doubt that cybersecurity is a vital component of Australia’s future economic success. Prime Minister Turnbull’s launch of the Federal Government’s Cyber Security Strategy shows that the Australian Government is putting its money where its mouth is.
A reasonable investment of $230 million is pledged to directly assist in meeting the five strategic themes of the strategy, whilst additional funding is being channelled into national security through the strategic Defence review – from which we’ll undoubtedly see additional cybersecurity projects. This all means that the future looks bright for Australia’s cybersecurity profession. Well, maybe.
The reality is that there are significant challenges in meeting Mr Turnbull’s strategic objectives. It’s true that the Prime Minister’s harshest critics have still applauded the Cyber Security Strategy as a plan that incorporates practical milestones and achievable targets. However, the vital ingredient that’s missing from the review is the detail of how these outcomes will be achieved.
The five strategic themes are:
- A National Cyber Partnership
- Strong Cyber Defences
- Global Responsibility and Influence
- Growth and Innovation
- A Cyber Smart Nation
Who’s going to do the work?
Furthermore, a single common theme is alluded to throughout the document that must be acknowledged. We simply don’t have enough cybersecurity professionals in Australia to meet demand and there isn’t a full enough pipeline to meet future demand.
“To grow our cyber security capabilities to anticipate and respond to cyber threats, we must address our shortage of cyber security professionals. It is critical that we build our nation’s stock of cyber security skills, which are becoming increasingly essential for life and work in our connected world.”
– Australia’s Cyber Security Strategy –
Even today, without factoring in the anticipated growth that the Cyber Security Strategy compels, Australia is suffering from a national shortage of skilled information security professionals.
Last year’s Global Information Security Workforce Study, undertaken by Frost & Sullivan in conjunction with certification company (ISC)2, projected the global shortfall of information security professionals would rise to be as high as 1.5 million workers by 2020.
The report says “This shortfall is the difference between Frost & Sullivan’s projection of the workforce needed to fully address escalating security staffing needs, and our workforce projection that accounts for workforce supply constraints.” This is saying that an additional 1.5 million cybersecurity workers will be required to enter the industry, over and above the number who are already anticipated to pass into our sector, based on previous trends. This really is a massive, irrefutable issue – one that remains the single biggest threat to our defeating cybercrime any time in the future.
The #1 priority
It’s clear that addressing this problem must be at the top of the national cybersecurity agenda. Building a pipeline of talent should begin down at primary school level, where kids are introduced to the dangers of going online and shown that there are exciting career options out there in the fight against cybercrime.
By engendering a culture of security awareness in our children, we’ll develop a future generation of security-aware workers who make far better choices that most of us do today. These future workers will understand cyber threats better than today’s generation ever can, and they’ll make better risk-balanced decisions when confronted with potential attackers.
A cyber-smart nation
Cybersecurity safety and awareness is one of the most important issues to our nation’s economic wellbeing. Prime Minister Turnbull recognises it as the fifth pillar of his strategy, where he proposes we build a “Cyber Smart Nation.” As security professionals who are already working in the industry, we need to step out of our comfort zone and stop focusing just on the enterprise.
We are required to refocus on educating in every aspect of our digital lives: at home, in our children’s schools, when we interact with friends and family, within our businesses, and even in our social activities – cybersecurity becomes the instrument we play and the song we sing.
By raising this level of awareness in every citizen, we stand to gain an increased pipeline of prospective new entrants coming into the industry. This will lead to a real and sustainable pool of future professionals who have real career opportunities and a future in an industry where they will never become bored. This lifecycle is shown in Figure 1, where the identification of talent starts with our recognising who is interested, training of those workers and helping them get started on the right path.
Nurturing new talent
We can further facilitate the growth of talent by helping new workers progress through targeted work placements, and by mentoring those staff to make sure they get through their apprenticeship unscathed, whilst understanding what career trajectory they are on and how they will achieve success.
Leaders already in the industry need to push their organisations to adopt schemes of professionalisation that will underpin their staff’s careers. We need to develop nationally recognised certifications and job roles to allow us to explain to new prospects how the industry works.
We need to be confident that if a prospective employee says they are a Security Manager, Security Architect or Business Continuity Manager, there is some guarantee of the qualities they will have as an employee in terms of both skills and competencies.
I believe it’s incumbent on every single cybersecurity professional in Australia today, no matter how new to the industry they might be (or long in the tooth), to spread the word of what we do. They need to show as many people as possible how important the work we do is, and to encourage those with promise to take the leap of faith into our domain.