EXCLUSIVE: Boosting Australia's cybersecurity ranks

How do we encourage the best minds to take up cybersecurity as a profession, and what constitutes a ‘best mind’ anyway?

In the third of our exclusive articles this week on Australia’s cybersecurity skills shortage, we present an interview with ESET Senior Research Fellow Nick FitzGerald.

Nick has an extensive research background in computer malware, technical and editorial writing in the malware and e-crime field, and in-depth knowledge of anti-malware product testing. He is well known in the anti-malware industry as a former editor and head product tester for Virus Bulletin. As a web threats researcher, he has worked in the industry from the very earliest days of malware’s move to the web and its associated shift from ‘electronic graffiti’ to its primarily criminal activity today.

Technology Decisions: We hear a lot about Australia not producing sufficient numbers of skilled cybersecurity professionals. In your opinion, is there really a cybersecurity skills shortage?

Nick FitzGerald: This has been widely believed within the cybersecurity industry for a long time, and recently many IT-dependent industries have been increasingly voicing similar concerns. For example, in last year’s ‘Hacking The Skills Shortage’ report from US think tank the Center for Strategic and International Studies, 82% of respondents reported a “large shortage” of cybersecurity skills in their industry and across their country, and 71% said this shortfall results in “direct and measurable damage”. Australian respondents showed the highest level of concern in that survey.

TD: So how have we reached this point?

NF: Some say governments have not done enough to emphasise cybersecurity as an educational priority, others say employers do not spend enough on staff training, yet others say that millennials are more interested in building new things and changing the world than in maintaining and securing the creaking infrastructure on which those advances will depend. There’s probably something to each of these views — plus, until quite recently, there was relatively little demand for specialist cybersecurity skills so there was little emphasis on encouraging and developing them. However, the perceived cybersecurity threat has sharply increased over the last few years and probably at a faster rate than traditional education systems can keep up, at least in the short term.

TD: What can the different sectors — education, commerce, vendors, government — do about it?

NF: The obvious answer is for greater public/private cooperation, more funding from both public and private sectors and to specifically target cybersecurity education, rather than just hoping that the general emphasis on STEM will see the cybersecurity skills gap close. The Australian Government has a new focus on cybersecurity education, with nearly $2 million from its recently revised Cyber Security Strategy funnelled to University of Melbourne and Edith Cowan University in order to set up Academic Centres of Cyber Security Excellence. Private funding has also recently been provided by the likes of Optus and Commonwealth Bank to fund cybersecurity initiatives at La Trobe and Macquarie Universities and University of NSW, respectively.

However, just funding courses does not necessarily boost the visibility and desirability of cybersecurity training and jobs. The Hacking The Skills Shortage report found median cybersecurity salaries were around 2.7 times the average wage and there is a fair amount of anecdotal evidence suggesting that cybersecurity expertise is well rewarded, monetarily, but that does not seem to be inspiring the desired increase in interest. Media portrayals of cybersecurity roles and issues in TV series such as the CSI franchise and Mr Robot, and in innumerable movies, may be a blessing in disguise.

TD: Is there enough cooperation between the different sectors?

NF: There could always be more, but I think ‘enough’ depends on which sector you’re from.

TD: What are the next steps?

NF: Monitoring the short-term success (or otherwise) of recent initiatives and drawing lessons from them, rather than throwing more resources at largely untried approaches, is probably a good position right now.

Personally, and based on a lot experience, it seems to me that cybersecurity is not just something you can teach. There are specific interests and intellectual quirks that set good cybersecurity folk off from those who have learnt the grisly inner workings of some specific set of product offerings, and our greatest success will be in learning how to recognise those traits and encouraging those who possess them to consider cybersecurity as their career field.

And it’s almost a cliché to point out that women are seriously under-represented in STEM and IT in particular, but that bias is even worse in the cybersecurity sector. So fledgling projects to increase women’s engagement in cybersecurity, and to support them once there, should be further encouraged.

Pictured: Nick FitzGerald.

WHAT DO YOU THINK? Do you agree that Australia faces a cybersecurity skills shortfall? Do you have personal experience of strengths or weaknesses in cybersecurity education? Join the conversation by leaving your comments below.

Follow us on Twitter and Facebook