Despite the constant messaging about Australia’s lack of cybersecurity skills, Nigel Phair thinks it’s not so much a skills shortage as a leadership shortage.
Much has been made recently about the lack of cyber security skills in Australia. Indeed, a central part of the Australian government’s Cyber Security Strategy is a commitment to “address[ing] the shortage of cyber security professionals”.
The government will “work in partnership with the private sector and academic institutions to improve cybersecurity education at all levels of the education system.” It will build on existing science, technology, engineering and mathematics (STEM) related initiatives, and help create what the government has called a “cyber-smart nation”.
STEM graduates are important, but cybersecurity is a cross-cutting issue for all organisations. We need people from all academic disciplines to become involved, and to use their unique skill sets to address this ongoing problem.
While there is a multitude of jobs being advertised for cybersecurity professionals, there are even more people applying for them, with many missing out.
I don’t believe we have a skills shortage. What we have is a leadership shortage.
Australia is blessed with some amazing cybersecurity leaders across government and the private sector. They lead multi-disciplined teams, measure their performance, and provide advice to peers and the broader community.
However, Australia is home to three tiers of government (including over 500 local government bodies). According to the latest statistics, we have more than two million actively trading businesses, including more than 2,000 listed companies and around 600,000 not-for-profits.
These organisations need cybersecurity leadership, but it’s largely missing. There isn’t enough understanding that cybersecurity isn’t a technical problem, but one that requires an all-hazards approach.
Leadership starts with the board of directors.
If the board isn’t asking questions in an insightful way — and isn’t skilled enough to know what answers to expect — then there’s little incentive for an organisation’s management to pay due attention.
Management need to realise that cybersecurity is about people and processes, with a limited amount of technology sprinkled in. While many vendors will give a different impression, there is no technical silver bullet.
Leadership requires managers to engage staff with a robust risk-management approach. It needs to incorporate physical security as well as digital, and it needs to include a system for rating the level of risk for each type of transaction undertaken by the organisation.
Once this is done, managers can set targets, and decide the level of controls and budget they’ll need to achieve those targets.
Cybersecurity needs to be seen as a normal cost of doing business, just like salaries, office rental, and travel.
Too many organisations do things in isolation. They buy a new firewall without considering other network vulnerabilities. They encrypt their storage devices without looking at other data management issues. Or they invest in penetration tests without implementing their recommendations.
Organisations need to train staff not to fall prey to phishing attacks, stop holding personally identifying information any longer than necessary, and audit third-party suppliers and other outsourced arrangements. Most fundamental of all, they must back up their data, and develop and test a disaster recovery program.
A solid cybersecurity governance approach will foster cybersecurity leadership, both within an organisation and throughout the sector in which it operates. It will allow organisations to decide whether they want to be the gold standard in cybersecurity, or perhaps only the silver or bronze standard, based on the identification, measurement, and management of the risks they face.