Critical gap in Australia's security skills

There’s an old saying in the IT security business — there are two types of companies: those that have been hacked and those that don’t know they have been hacked. There’s no middle ground, and the situation is only going to get worse with Australia facing a critical shortage of experienced IT security experts capable of identifying the vulnerabilities that make these attacks possible.

The question is why is Australia facing such a shortage of skilled IT security professionals? One good reason is that the tertiary education sector isn’t training enough IT graduates. According to a recent report, Australia’s Digital Pulse (Australian Computer Society in partnership with Deloitte), there has been a steady decline in students enrolling in ICT degrees since the early 2000s and a steady decline in students graduating from those degrees in the same time frame.

Training enough graduates is only one part of the problem. The second part is how these graduates then gain the experience demanded by organisations.

It’s a catch-22 situation. Australia’s IT security industry is relatively fragmented and has a lot of small to medium-sized IT security consultancies. Companies of this size rarely have the funds or the manpower to carry inexperienced graduates while they lift their capabilities.

Huge companies such as Google and Microsoft can afford that sort of expenditure, but in Australia there’s no way that privately funded training is going to happen without significant subsidies and incentives.

This puts the responsibility squarely in the hands of the federal government. If cybersecurity is going to be a concern for the government, then it’s the government that needs to drive the creation of IT security courses, training and mentorship programs across the nation. Programs that embrace industry-accredited mentoring are the key to upskilling graduates.

Sadly, however, as far as the federal government is concerned, it’s all noise and no traction when it comes to national cybersecurity initiatives and training.

One area where Australia has sought to fill the cybersecurity gap is through recruiting from overseas, bringing candidates to Australia on 457 visas. Attracting these candidates is currently the only way that Australia has any hope of bridging the cybersecurity skills shortage.

The problem with 457 visas is that the process is slow, and barriers prevent the industry from bringing in the number of people that it needs. The government needs to provide a fast-track on 457 visas for qualified IT security candidates. Unfortunately, at this point in time, there’s no action on that front either.

The industry also faces problems when it comes to getting 457 visa candidates approved for high-security work — particularly with the federal and state governments. Security approval is not a given, nor is it an overnight thing. This simply serves to exacerbate the security skills problem.

The reality is that we don’t have the number of IT security staff that we need, and for the foreseeable future we are not going to have enough of them. As a nation we are going to fall further and further behind other countries in this regard unless the federal government makes cybersecurity training an absolute priority.

We also need to make careers in IT, particularly security, more attractive to school leavers, something which is not a short-term task. Perceptions need to change, and that’s a job that needs to start early in high school, not at the point where a school leaver is deciding on which degree to do.

Despite the needs of industry and the nation, all of the signs point to the gap between the workers needed, and those being trained or recruited from overseas, continuing well into the future. As businesses, individuals and as a nation, we will be all the poorer — and more vulnerable — for that.

Image credit: ©kentoh/Dollar Photo Club