457 visa changes will limit Australian companies’ access to overseas security talent

Availability of crucial overseas cybersecurity staff will be restricted by the government’s changes to its visa program for skilled workers, which will limit visas for security specialists to two years maximum and prevent employers from transitioning overseas hires into permanent employees.

Broader information technology-related roles were spared the axe under changes to the government’s visa scheme, which saw the abolition of controversial 457 visas and their replacement with two-year visas for filling jobs on the Short-term Skilled Occupation List (STSOL) and four-year Medium and Long-term Strategic Skills List (MLTSSL).

While job roles such as ICT Business Analyst, Computer Network Systems Engineer and Software Engineer appear on the MLTSSL – a four-year visa under which overseas staff can apply for permanent residency after three years – jobs for ICT Security Specialists are only available on the two-year STSOL.

This is a potential problem for an industry that has been crying out for solutions to the ongoing cybersecurity skills crisis, which has hit Australia and the world as businesses dramatically ramp up their investment in cybersecurity. For example, a Deloitte Access Economics analysis of LinkedIn data last year found that cybersecurity professionals were the sixth most in-demand category of ICT professional in Australia. These dynamics have previously led some industry experts to push harder for importing security skills to Australia, but the recent 457 changes may compromise that approach by deterring applicants who no longer have a pathway to permanent residency here.

Closing the skills gap is a key part of the Cyber Security Sector Competitiveness Plan (SCP) launched today by the Australian Cyber Security Growth Network (ACSGN). This plan outlines a range of proposals for capitalising on Australia’s history of security innovation, with skills development seen as a key element.

Developing the local market and its skills was critical to the way forward, ACSGN CEO Craig Davies recently told CSO Australia. “There’s a lot of money sitting on the table with cybersecurity stuff over the next few years,” he said, noting that overseas markets present significant opportunities for Australian innovators.

“I really think Australia should get a bigger piece of this; we are really good at innovation. And it boils down to really creating a vibrant industry here, and getting more people working in the space. We can’t ignore the importance of growing an industry to create real economic benefit.”

The consignment of ICT security specialists to the STSOL implies that the Turnbull government – which has pushed hard to progress the local cybersecurity industry over the last year as part of the Cyber Security Strategy that it launched exactly a year ago – is favouring local skills development in the long term as opposed to importing and keeping talented overseas cybersecurity specialists.

While 457 visa recipients may be used in the short term to plug gaps in capabilities, executing on this plan long-term will require a concerted effort to promote cybersecurity amongst Australia’s schools and universities.

This requires new thinking about the development of cybersecurity skills, which were addressed in a new Institute for Critical Infrastructure Technology (ICIT) white paper that this month highlighted the need to sow the seeds of cybersecurity talent as early as the primary years of school. “Despite their inexperience, many of these actors manage to launch successful attacks or develop into more sophisticated cyber-criminals and mercenaries,” the ICIT report notes.

“Imagine how the asymmetric threat landscape might shift if these cyber-interested youths could instead be motivated to pursue meaningful careers in Information Security and Information Technology. In a reality where the emergence of automation and artificial intelligence are rendering conventional professions obsolete, motivating younger generations to pursue a field such as cybersecurity, with zero percent unemployment should be obvious.”