AISA 2017 – Dealing with the security skills shortage

At this year’s AISA Annual Conference, a panel with Australia Post’s CISO Kristin Lyons , Professor Jill Slay from the Australian Computer Society, Marco Figueroa the CISO from the NSW Department of Finance, Services and Innovation, and Tracy Hughes from Q1 discussed the issue of the skills shortage facing the cybersecurity industry. Faced by mega-trends of IoT, digitisation, connectedness and mobility, changing regulatory obligations and the pervasiveness of technology means security is a big deal. And while technical solutions go some of the way to combatting the threats and risks, people are an important part of the solution.

Those people work in everything from strategy to detailed implementation. And the conversations they are engaged in about cybersecurity have moved from back rooms to the boardroom.

Lyons says part of the issue is how we approach the issue. She said that rather than a skills shortage, we are perhaps facing a skills deployment issue. We can think more broadly about the skills we need and where we can find them within our businesses.

“We’re going to have a skills shortage forever. There will never be enough people. We have to keep training people,” said Lyons.

The kinds of approaches people are taken are quite varied.

Hughes says companies are now looking at moving people from other career areas into cybersecurity. Mentoring programs, especially for women, are popular. And specific product specialists, when a new tool or application is deployed, are being used to train existing staff.

There are also relationships with learning institutions such as Box Hill TAFE and La Trobe Univeristy that are bringing new people into businesses with up to date skills.

Figueroa says NSW wants to be the “state of choice” for people to start businesses and has building a technically strong environment. With new businesses and people, he says skills to bring new systems online need to be developed but, more importantly, they need to be retained.

He noted that many people are starting careers here, gaining skills but then moving to Silicon Valley and other technology centres where they can garner much higher salaries.

One of the areas government can do better, where there is “great potential” he said, is in making the most of human capital. While governments are good at managing infrastructure, they are less effective at managing human capital.

Slay, through her long academic career, has had the opportunity to work and train many aspiring cybersecurity professionals. Working with the ACSC, the ACS and other bodies she worked to define what a cybersecurity professional actual is. She noted that the ACS is now the body that now certifies degree courses as being ratified qualifications for cybersecurity professionals.

Her research says the industry needs about 10,000 more people over the coming years – and these are people that are not currently in any existing education pipeline.

One of the challenges facing Australian businesses is getting the right skills into smaller businesses. While large companies are resourced to employ cybersecurity professionals, getting these new people into SMBs is challenging.

Hughes said some institutions, such as Box Hill TAFE, have certificate courses and internships that facilitate the entry of trainees into businesses of all sizes. This works by using an intermediary that manages the process of matching interns with employers.

Those internships run for three months, with students moving between organisations as they hone different skills. For example, they might spend time with one employer working on identity management and then another stint on security operations.

Lyons said the best answer for SMBs might not be to place staff directly in those businesses. But rather, that security becomes embedded in other other disciplines. And that diversity of background and experience brings benefits to businesses.