Soaring cybersecurity pressures are exacerbating an Australian training conundrum

Experts warn Australian businesses need to make systemic changes to meet staff requirements.

Sourcing and keeping appropriate staff may be critical to improving cybersecurity capabilities, but as economic uncertainty and difficult labour markets buffet businesses this year, experts warn that businesses must make “systemic changes” to meet their staffing requirements.

The economic uncertainty was highlighted by a recent Australian Information Industry Association (AIIA) member survey that found 47% of businesses expressed confidence in the economy this year, compared with 69% last year.

One third of respondents said they would be adding cybersecurity staff this year — the area of most demand apart from application development — but around 35% said they would be looking overseas to complement Australian workforces that have been stretched to their limits.

“Concerns with Australia’s specialist tech talent are significant and are holding back the sector from greater growth. Innovative businesses and products are being held back, or worse still, sold overseas, because Australia doesn’t have the talent available to meet the demand. This is talent and capability that Australia could and should be delivering,” AIIA CEO Ron Gauci said.

Even as industry groups and government bodies wrestle with the right policy settings to build the cybersecurity workforce, however, there are signs that many Australian tech workers aren’t ready to wait for the issue to resolve itself.

Australian cybersecurity professionals are understaffed and overstressed

Fully 84% of Australian workers had taken on up to six new tasks outside of their job descriptions because their colleagues have jumped ship, a recent UiPath survey found, with 56% saying they don’t even know what their job responsibilities are anymore and 60% admitting they are interested in looking for a new job in the next six months.

Even as Australian workers pick up new responsibilities, the added strain is pushing many to the limit. Splunk’s 2022 State of Security report recently noted that 22% of Australian cybersecurity workers said they were considering leaving their jobs due to the stress stemming from staff and skill shortages.

“I’ve never experienced a trend like we’ve seen over the past 6 to 12 months with respect to attrition and people moving through the industry. The world has had to move very, very quickly — and while digital transformation has accelerated, it has also expanded the number of areas that an organisation has to monitor and be aware of around security,” Splunk group vice president for ANZ Mark Troselj told CSO Australia.

The weight of those pressures was evident in Proofpoint’s recent 2022 Voice of the CISO report, which surveyed 1,400 CISOs in 14 countries and found Australian CISOs are among the most likely to be expecting a “material cyberattack” over the next 12 months.

Fully 68% of respondents — well above the global average of 48% — said such an attack was likely, while 77% — the highest of any country studied — said their organisation would be unprepared to cope with a targeted cyberattack this year.

Australian CISOs were also more likely than those in any country except Canada to agree that expectations on their role are excessive — 63% agreed, up from 44% a year ago — corroborating the UiPath findings that workers are feeling the weight of being pushed to do more than ever before, with fewer resources than ever.

“Our research shows Australian CISOs feel the least prepared globally to deal with the consequences of a cyberattack. With rising geopolitical tensions, ongoing conflict in Ukraine and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged to weather an increasingly volatile threat landscape,” Proofpoint resident CISO for APJ Yvette Lejins said.

Yet plugging those gaps remains a challenge for both business and government bodies, which have invested heavily in training but are also responding to growing employee discontent by actively poaching qualified cybersecurity and other staff from rivals.

Fully 60% of respondents to ISACA’s recent State of Cybersecurity 2022 report said they were having trouble retaining qualified cybersecurity professionals — up 7% over 2021 — and 59% said cybersecurity professionals were leaving their jobs because they had been recruited to other companies.

That meant poaching was causing even more attrition than high work stress levels, which were cited by 45% of respondents.

Be flexible when searching for candidates

With large numbers of employees seemingly prepared to walk, ISACA director of professional practices and innovation Jonathan Brandt said recent increased turnover “is compounding the long-standing hiring and retention challenges the cybersecurity community has been facing for years, and systemic changes are critical.”

“Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training and flexible schedules that attract and retain qualified talent, organisations can move the needle in strengthening their teams and closing skills gaps,” Brandt said.

And while the previous government’s proposed budget includes a range of measures to improve companies’ business and cybersecurity capability — including a 120% tax deduction on investments in skills and training through the Skills and Training Boost — analysts were warning that the industry needed to respond to increased demand in a measured and transparent way.

A lack of consistent standards around cybersecurity training could risk a repeat of the ‘pink batts’ fiasco, in which opportunistic contractors failed to implement adequate oversight as they raced to take advantage of government incentive programs.

“Mature SMEs looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations,” forensic expert with BDO Stan Gallo said.

“Many people that have laboured over the years and built up a successful business, particularly in traditionally non-technology-driven areas, still need assistance to understand technology investment and how it can add value to their business operations,” Gallo said, warning that “there is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers”.

Copyright © 2022 IDG Communications, Inc.
