


Samira Sarraf
Regional Editor for Australia and New Zealand

How the skills shortage puts Australia at risk of cyberattacks

News Analysis
Oct 31, 2021
6 mins
IT Skills

The skills shortage in cybersecurity means professionals in the area have less time to spend on configuring systems properly, increasing the chances of cybersecurity incidents. Here’s what can be done.


A shortage of cybersecurity professionals in Australia means an increased risk of incidents, according to a recent study by global security standards and certifications organisation ISC2. The survey found that skills shortages meant a 32% increase in misconfigured systems.

And this was not the only problem the report identified.

The ISC2 Cybersecurity Workforce Study found the lack of professionals also means there is not enough time for proper risk assessment and management. Other concerning issues include slowness to patch critical systems, oversights in process and procedures, inability to remain aware of all active threats against a network, and rushed deployments.

ISC2 spoke to 143 cybersecurity professionals in Australia. The 2021 survey marked the first time it asked participants to share the negative effects of staff shortages. The study found that the list of issues cybersecurity professionals say can be prevented with enough people covers many root causes of reported data breaches and ransomware attacks.

What is being done to solve the cybersecurity skills shortage

A lot is being done to reduce the skills shortage, with federal and state governments announcing various training programs to upskill the workforce in general digital skills.

According to ISC2, there are 134,690 cybersecurity professionals in Australia and an estimated shortage of 25,000 cybersecurity professionals.

In late 2019, AustCyber’s Australia’s Cyber Security Sector Competitiveness Plan reported that Australia could need up to 17,000 additional cybersecurity professionals by 2026 and that the domestic cybersecurity sector is estimated to have forfeited as much as $405 million in revenue in 2017.

The fear of losing an employee after training them in a specific area seems to be easing, with more organisations now looking to reskill or upskill their employees in specific areas such as cybersecurity. This has changed dramatically due to the coronavirus pandemic, which resulted in the closure of Australia’s borders. The fear has also eased because businesses have reported plans to increase the salaries of their existing tech employees.

Another piece of good news is that the minister for home affairs, Karen Andrews, said, “We anticipate welcoming fully vaccinated skilled workers and international students” by 2022. But how far can this help? According to ISC2 CEO Clar Rosso, the cybersecurity workforce gap is global, and Australia is one country among many competing for a limited global supply of talent.

“The options for these professionals are many. While the gap in the region has decreased, at least for now, it’s still the largest anywhere in the world. As such we are competing intraregionally for talent as well. Hoping for a quick influx of skilled professionals from outside Australia should not be our focus,” Rosso told CSO Australia.

Things to look at, Rosso recommended, include identifying the skills the organisation truly needs, rethinking hiring approaches, putting people before technology, embracing remote work policies, and working to build diversity, equity, and inclusion into the culture to broaden the appeal of the business to potential cybersecurity candidates.

Andrews, the home affairs minister, also announced $60 million in grant funding for the second round of the Cyber Security Skills Partnership Innovation Fund, which will provide grants of between $250,000 and $3 million.

The grants will support projects that boost Australia’s cybersecurity workforce by enhancing partnerships among industry, education providers, and governments. The federal government will look for projects that improve diversity, including those focused on increasing the participation of women, Aboriginal and Torres Strait Islander peoples, people based in regional and remote areas, and people with neurodiversity.

Helping students move into training and career pathways, building the capability of job-ready professionals through industry traineeships, and work experience programs are all eligible for this funding round.

Where cybersecurity professionals are and where they want to be

IT services is, unsurprisingly, the sector that employs most cybersecurity professionals (27%) across Australia, followed by telecommunications (9%), consulting (8%), manufacturing (6%), and education (6%).

The study listed five sectors where certifications in cybersecurity are beneficial for validating expertise and confidence. Financial services is top of the list with 63%, followed by consulting and government, both with 50%, education at 38%, and IT services at 18%.

According to ISC2’s Rosso, cybersecurity roles are increasingly being advertised with certification requirements. “Most prospective employers view these certified individuals as a ‘safe pair of hands’ because of the governance and ethical requirements that must be maintained. However, there are dozens of different roles within cybersecurity teams, and not all require technical skills to fulfil,” she said.

“Our study’s data shows a growing number of younger workers coming from nontraditional, non-IT backgrounds. While there will always be a demand for those with technical skills, nontechnical candidates can also be trained and developed to attain them, and that trend will need to continue if we’re to overcome the cybersecurity skills shortage,” Rosso said.

When it comes to skills development, the Australian respondents are focusing on artificial intelligence and machine learning (32%) followed closely by cloud computing security (31%). Global data from the study showed that Baby Boomers are more likely to focus on cloud security as they have developed their skills while securing and provisioning traditional data centres.

Australian cybersecurity professionals are also looking to improve their skills in governance, risk management and compliance (28%); development, security, and operations (25%); and operational technology security (25%).

The study also found some of the nontechnical skills that organisations are prioritising when hiring include strong problem-solving abilities, curiosity and eagerness to learn, and strong communications skills.

The study also covered diversity, estimating that 29% of cybersecurity professionals in Australia are women. Out of the 143 professionals who answered the study, 68% were men and 29% were women. The respondents suggested the following as ways to improve diversity in cybersecurity:

  • Provide mentorship and support at all job levels.
  • Provide more flexible working conditions.
  • Diversify management and hiring team practices.
  • Eliminate pay and promotion gaps.
  • Establish organisation diversity goals, missions, and values.
  • Promote women, minorities, and other underrepresented groups to leadership roles.

Gender diversity has been the primary focus of diversity efforts across Australian organisations. The Australian federal government’s STEM Equity Monitor showed very slow growth in the number of women enrolling in STEM (science, technology, engineering, and maths) courses, completing those courses, being employed in STEM areas, and so on. The data collated by the federal government showed only a 1% increase in the number of women working in STEM industries from 2019 to 2020.