With attention focusing on identifying ways to overcome Australia’s ongoing skills crisis, one factor is not in dispute: there is no quick fix to the problem.
While all areas are feeling the pressure, the issue is particularly acute in the cybersecurity sector. A lack of qualified and experienced staff is resulting in delayed projects and concerning gaps in security cover.
The cybersecurity skills crisis has already been underway for an extended period, and industry studies have shown that there are at least 7,000 positions that need to be filled across the nation by 2024.
This shortage of staff is leading to increased pressure on those already working in the security space. The pressure is particularly acute for those working in security operations and incident response.
As a result, there is a significant amount of burnout, causing cybersecurity workers to switch jobs much more often than they otherwise would, or move to less stressful jobs or industries. This, in turn, is placing increased pressure on businesses that need to undertake seemingly constant recruitment programs and offer additional incentives to attract staff.
These staff losses also mean that organisations lose a lot of historical and contextual knowledge. When those who are familiar with an organisation’s IT infrastructure and security measures depart, it can take a while before their replacements are fully up and running with all the knowledge that is required.
Overcoming the challenge
Activities such as the recent Skills Summit, which involved around 100 representatives from the business, union, and community sectors, are proving to be a valuable mechanism for finding practical ways to overcome the skills challenge.
One of the issues discussed was the length of time it takes for people to complete a tertiary degree and then be in a position to take up a role, compared to the speed at which technology and cyber attacks change. Knowledge gained throughout cybersecurity studies is often not relevant by the time courses are completed. One potential solution is to redesign courses so they incorporate on-the-job training.
This initiative could smooth the transition between learning and working and have people contributing in a practical way much more quickly than has previously been possible. It would also give prospective new staff a clear idea of what to expect in various roles when they enter the workforce.
Another initiative being examined is the potential to attract people working in other areas and encourage them to transition into a technology role. This is being seen as particularly attractive in the area of cybersecurity where the skills shortage is likely to be acute for an extended period.
Bringing in people from outside the technology sector is likely to require a shift in thinking within HR departments. They will need to come to terms with hiring people on the basis of their attitude rather than their technical knowledge, and be prepared to embed processes and technology that are designed specifically for IT and cybersecurity roles.
If someone has the right attitude and transferable skills, they can be trained to work in technology roles relatively quickly. Areas in which this approach is likely to be particularly successful include cybersecurity, process automation, and business intelligence.
As well as attracting and retaining the right staff, organisations also need to ensure they select platforms that are more user-centric.
SOC workforce studies have shown that large amounts of time are spent on administrative responsibilities associated with the work, such as collaboration and reporting, instead of core activities such as threat hunting, intrusion detection, and response.
Cybersecurity operations can be data-heavy work, and many platforms tend to be optimised around the data rather than the user experience, so careful selection is important. These tools and platforms need to be as frictionless as possible so that people and teams can operate effectively and cybersecurity operations employees experience higher job satisfaction.
Australia will continue to battle the skills crisis for an extended period, but this doesn’t mean there are no measures that organisations can undertake to reduce its impact. By rethinking issues such as training, recruitment, and tool selection, more vacancies can be filled and the pressure on existing staff reduced.