bluebay2014 - Fotolia

The need for cyber security skills in Australia balloons

Demand for people with the right mix of skills to keep organisations in Australia safe from cyber attack is far in excess of supply

Australia is facing a ballooning security skills shortage that, left unchecked, will leave enterprises even more vulnerable to attack.

An analysis of the online recruitment site Seek found that over the 12 months to November 2015 the number of computer security roles advertised leapt 60%.

Such is the demand for security skills that late last year the Commonwealth Bank and the University of New South Wales announced a $1.6m, five-year partnership to boost the number of security engineering professionals graduating in Australia, while Macquarie Telecom announced it would fund two scholarships in computer security at Western Sydney University.

But even those graduates may take a while before they become truly valuable.

Bob Hansmann, director of product marketing for Raytheon Websense, said it is difficult to get security personnel with expertise.

“You can hire someone who graduated magna cum laude with a PhD but it takes several months for them to be responsible for a piece of research. What seems to be best is someone with 10 to 11 years of experience. But these don’t grow overnight.

“We used to have enough because only the largest companies like banks had them, but post-Sony and Target [hacker attacks] there is growing demand for a limited number of people.”

More sectors than finance

Robert Wilson, group technology officer at Westpac bank, agrees that until recently the banks had security skills reasonably well sorted because only the finance sector was taking security so seriously. But he added that the shortage will grow as other industry sectors wake up to the mounting computer security challenge: “We need to plan heavily for the future, as do other industries, because we will be fishing in a smaller pool.”

It’s probably a key reason why rival Commonwealth bank signed its deal with the University of New South Wales. Certainly there is an appetite to invest in computer security. Gartner has predicted that Australian spending on information security will reach almost AU$3.2bn in 2016, an increase of 8% over this year. 

Stump up

Companies are also going to have to pay a lot more for the skills they need.

Peter Acheson, CEO of IT recruitment business Peoplebank, said that the laws of supply and demand are out in force and that the head of security for a major bank, retailer or telco could now command a salary of between AU$300,000 and AU$400,000; the people reporting to them would be on AU$120,000 to AU$170,000; while even security professionals with just two or three years’ experience could expect as much as AU$120,000.

A contracting trend is also pushing up costs, says Tony Aramze, currently chief information security officer (CISO) for RMIT, and formerly with Telstra, financial services companies and PwC Consulting.

“We are not only pricing ourselves out of the market, we are creating a market of contractors,” he said. “People are opting for a contract role because they are able to negotiate a better rate for their skills set.”

While that might be appropriate for some organisations – particularly heavy users of cloud services, which may want fluid skills sets – enterprises running in-house platforms really need in-house security skills and IP, Aramze said.

He believes that security has become a lot more complex. “In the past the role was about being a gatekeeper of information. That has changed today because security has become a business enabler. For example, doing your banking on the phone – that application existed a long time but was not commercially viable until we had controls for security and privacy.”

Soft skills

When Aramze hires security staff he looks for a matrix of specialist knowledge, broad analytical skills, product knowledge and forensic analytical capability. On top of that he wants his people to have “the ability to communicate and engage at all levels of management”.

“Yes, they are hard to find, and if you go to an industry and bring a security expert from there, those people have been aligned in a particular areas and are focused on that area only. The best source is the big four management consultant organisations because they invest in people, technology and the soft skills set.”

It’s not just end-user enterprises looking for security skills, either. The federal government is ramping up its cyber know-how with agencies such as the Australian Security Intelligence Organisation (ASIO) and ASIS hiring, according to Acheson, and the vendor community is looking for skills too.

Like corporate Australia generally, vendors are looking for a blend of abilities. Sam Ghebranious, regional director for CyberArk in ANZ, said that while technical capability is important, so are the soft, communications skills and the ability to articulate the security challenge that enterprises face.

“You need to be able to relate to change management and understand the security policies of the organisation,” he said, adding that 80% of the success of a security solution came from getting users to change behaviour and use the solution. “A lot of the technical guys aren’t comfortable talking to the CIO, so we take a lot of guys from end users and then train them.”

Westpac’s Wilson said that organisations will have to look at automating at least some of the role as the skills pool becomes more constrained. “Maximise the automation. When you are early in the maturity of IT security you don’t automate a lot of stuff. But as other industries move in you have to decide how to get the manual heavy lifting – that’s either not done, or is done by a lot of people – automated, then have your top echelon providing good oversight.

“Technology is providing some of the challenges but it is supplying some of the answers too.”

Read more about IT security in Australia

Hansmann agrees that to get best leverage enterprises need to deploy “tools to triage the problem”, which frees up more skilled and experienced specialists to deal with more complex issues.

Communicating to the upper levels of organisations is also important. “Previously the board wanted a report that said we had 27 computers affected and it took 14 hours to respond,” said Hansmann. “Now they want to know what would have happened if the problem hadn’t been found, how long it took to identify the problem, what was captured and how long it took to verify.’’

Aramze neatly described the challenge for today’s CISO: “The role of the CISO has changed. It used to be focused on controls of the organisation – to make sure that the firewalls operated correctly. Now the role is more of a marketer and aligned to the business: to engage with executive management at the business level and start to have the ear of the board.

“This is starting to be recognised as not just a technology issue but a business issue and the culture is changing too.

“The CISO wants the right message to reach the right people – not talk about firewalls, but about the potential loss of revenue and reputation if an application is affected.”

And that’s a skill worth finding.

Read more on Web application security