Don’t fear the human capital crisis
Damien Manuel
Where are all the cyber security experts? A rare breed wherever you are in the world, but demand in Australia and the wider APAC region has never been higher.
According to the Government’s Cyber Security Review, the need for IT security professionals is expected to grow nationally by 21 per cent over the next five years. That’s some 9,100 jobs.
It’s little wonder as businesses, institutions, governments and individuals are generating, storing, exchanging and mining more data (some of it highly sensitive) than at any point in history.
It is increasingly difficult for consumers and businesses to manage, control and protect the sheer volume and multiple islands of data we use and create. The number of malicious attempts made to access these data grows each day. Those wanting to access these data are becoming more advanced and more malicious. Sometimes they want the data to steal our identities whether for doxing, for surveillance or to enrich with other data so it can be sold on at a higher rate for other purposes.
The Australian Crime Commission’s Organised Crime report 2015 said cybercrime affected five million Australians in 2013, although that figure is likely to be an underestimation because it is based on the cost to individuals only, not industry and government.
The world needs cyber security specialists more than ever. It needs them to help protect data, systems, people and organisations. The lack of professionals in the security industry has led some to call it “the largest human capital shortage in the world”.
Here at Blue Coat, I am fortunate to be surrounded by top security talent. We are always searching for the right people to join our team as we grow. It’s a task that’s getting increasingly challenging. But I’m not worried. Here’s why.
I think for too long our community has been keeping a big secret: What we do is actually really great. Dare I say it: it’s even pretty cool.
As my colleague Dr. Hugh Thompson, the Chief Technology Officer here at Blue Coat, said at the AISA National conference in October:
“We are in a space where you are defending critical information, people don’t even know they’re being defended, and you’re doing that every day. And the people who you are defending against are constantly changing. On the one side you can lament that and say – the attackers are evolving, but on the other side, if you are a problem solver - how could you be anywhere else but this space right now in history?”
That “secret” is beginning to get out. Information Security is exciting and impacts every part of our daily lives. Security used to happen in the background. It was a geek thing and was of little interest to anyone except those within the industry. Times have changed and as technology fully integrates into everything we do, security always seems to be front page news. Crime scene investigation roles were made sexy and interesting about 15 years ago by the popular TV show CSI at the time, now we have TV shows based on solving Cyber. Cyber Security is becoming interesting to the general public.
Stories about cyberattacks read like international spy thrillers. They involve mysterious groups, criminal gangs, subterfuge, moles and malicious intent. Governments are seeing the real threat of cyberattacks to infrastructure. Investigations are leading back to organised crime syndicates and terrorist groups.
The profession is becoming the most important line of defence from the world’s malevolent forces. It is the stuff of a James Bond movie (and such themes actually made it into the latest film of the franchise, Spectre). Our industry now has a great public image and our work is increasingly considered noble and important. And rightly so.
As Dr. Thompson explained to the AISA conference our line of work attracts a certain kind of person with a certain way of thinking.
“[It’s for] folks that look at a system and first thing they think about is: How can that system fail or break?” he said. “I think that it’s almost a personality attribute of an individual”.
“It’s a space for problem solvers. It’s space for people who like hard problems. It’s a space for people who are very creative.”
There will always be people like that, what’s needed is for the security community to attract them. To let them know we’re here. So they know there’s a career perfectly suited to their way of thinking in which they can protect the public and learn something new every day. It’s up to each of us to do that.
Recently there have been some high-profile fringe hacking groups emerge, and while their motives have not always been pure and productive, the rise of these types of groups points to a trend that could be harnessed for more positive purposes. Many of their members have technical skill and are creative problem solvers, and while their abilities could be used for scams and to steal money and data, they could also be very effectively redirected toward combating social media and tech-savvy malignant forces. They are young, able and driven to make the world a better place. We need to show these individuals there is an opportunity, a better, safer and more productive future, waiting for them in our industry.
We need cyber security to be part of computer classes from a younger age. Let’s face it - most young kids are fully computer literate. They don’t need to be taught how to use Word, they need coding and programming and cyber security skills.
Dr. Ian Williamson from Melbourne Business School raised a very valid point. He said “Companies are consumers of talent, they should be investing in developing talent, but the reality is, it is much easier for companies to bring fully developed talent in. Universities are suppliers of talent. When those two parties work together it can make a big difference.”
As an industry we need to stop thinking that talent only exists in the pool of people being recycled between organisations. We need to start thinking about employing problem solvers, who we then teach business and security skills. I’m always surprised by the number of taxi drivers I encounter on a daily basis across the country, but mainly in Melbourne and Sydney, who are IT ninjas, certified to the hilt with Masters or Bachelor degrees in IT but who can’t find a job in Information Security. What’s holding employers back from hiring these people in junior roles?
David Powell, the CISO of NAB pointed this out by stating “I’ve pretty much given up on attracting talent because it is a very hard market to recruit in. It’s about investing in your people, having a whole program that teaches the soft skills.” David is developing talent internally and recognises that it is a long journey.
So is it just about offering people a career path and proper training? Should companies take a risk on someone that has the right attributes, rather than a specific skill set?
I have been thinking about this a lot, for a long time and I believe the following is required:
- Primary and Secondary Schools should add cyber security to the school curriculum. Kids should be taught about safe online behaviours and the techniques people use to exploit systems. Importantly they should be taught defensive techniques so they can protect themselves and their information. I’m concerned that the current generation of children will know only how to use technology rather than understanding how it functions and the associated risks.
- Universities / TAFE should:
- Incorporate safe coding practices and cyber security fundamentals into all IT Degrees and Masters as mandatory subjects.
- Likewise incorporate analytics (security, behavioural and data) as mandatory subjects.
- Incorporate real world cyber security fundamentals into all engineering and product design courses to educate the next generation of innovators to build security into their products.
- Employers should look to employ people with the right behaviours and attitudes; investigative and problem solving, people who think out of the box. This is critical. Those looking to enter the sector who don’t have hands on experience will become disillusioned if opportunities for them to learn and gain practical experience are not offered by businesses.
- Recruiters should stop trying to move talent between organisations and should help organisations find local talent with the right attributes who are eager and willing to learn, outside of the traditional pool of people. The cost savings to employers developing these people in an organisation with the right culture will outweigh the time it takes to hone their skills.
- All of us should clearly communicate the various career paths available in security to our friends, families and the teenagers trying to make a decision about their future. I’m often asked: What is the best way to get into security? What career paths are available? There are so many career options in security from architecture and design (applications/systems/networking), operations (IAM, firewalls, DLP, IPS, SIEM, Proxies, endpoints), governance (internal systems and processes through to 3rd party analysis), risk management, software development, business analysis, penetration testing, auditing, forensics and incident management (Security Analytics). In the short future there will be more career opportunities as technology integrates deeper into our lives.
I have faith in our community to work to attract the right people to the right side of the battle. I have faith that we can inspire people that there is a really cool, crime-fighting, save-the-world job waiting for them in cyber security.
Our secret’s out. At last and for the better!