Over the past two years in particular, the importance of cybersecurity has been globally recognized, and sophisticated cyberattacks have made international headlines. However, a global skills shortage in this sector has been acknowledged as a potential brake on economic recovery following the pandemic, and for CISOs in particular, the lack of qualified and skilled staff to deal with increasingly complex cybersecurity threats creates the perfect storm for business and consumer risk.
The Australian Cyber Security Centre saw a 13% increase year-on-year in reported cybercrime, with over 67,500 reports in the 2020-21 financial year. The ACSC puts this down, largely, to the impacts of COVID-19, as significant numbers of businesses and consumers moved to access work and services digitally and remotely. The top three cybercrimes reported by type included fraud, shopping and online banking. In the report, ACSC identified six key threats:
- Australians targeted online by malicious actors exploiting the pandemic
- Cyberattacks on essential services and critical infrastructure
- A 15% increase in ransomware cybercrime
- Increasing speed and scale of malicious actors in prosecuting disclosed vulnerabilities
- Supply chains and their customers targeted through software and services
- Business email compromise
Border closures and a fall in migration also hampered organizations from securing the skilled staff required to address the growing challenges. In addition, uncertainty led many individuals to stay in existing jobs, adding to the lack of movement in the jobs market.
Even before the impact of COVID-19, organizations in Australia acknowledged cybersecurity teams are understaffed and underqualified. In the ISACA annual State of Cybersecurity 2021 survey, 66% of respondents in Australia and New Zealand indicated their teams are understaffed, 59% have unfilled vacancies, while 52% say applicants are not well qualified, lacking the experience required to fill the available roles.
Bridging the skills gap within existing staff is a good starting point to ensure business continuity. Access to research and best practices, professional certification, continuous training and induction programs that expose security staff to different functions will help staff build better soft skills, security controls and a deeper understanding of critical data and business processes.
For CISOs to attract new staff, at the levels and skillsets required, they will have to work closely with HR teams and broaden their hiring strategy. In ISACA’s State of Cybersecurity research, only 38% say HR regularly understands their cybersecurity hiring needs. Beyond certification and qualifications, the recruitment team should be encouraged to look for traits such as curiosity, problem-solving and creative thinking. Broadening the hiring strategy to include underrepresented groups, including women, diverse communities, people with a disability or a remote and regional workforce, is a great way to access an untapped talent pool and improve diversity in your organization.
It’s not surprising that the shortage of well-qualified security experts has resulted in a highly competitive hiring environment and poaching good staff is rife. We are seeing graduates with no experience and no industry credentials such as ISACA’s, asking for, and expecting, excessive salaries. With poor retention rates exposing organisations to greater threats, it is critical that a business takes a proactive approach to retaining staff.
Staff retention strategies can include:
- Open dialogue on staff benefits, such as flexible working, good culture, salary packaging
- Sponsored further education, ongoing training and certification
- Ongoing review of competitive salary packages, in line with market trends
- Formal professional development plans and career paths
- Projects and opportunities that provide new challenges
- Access to business leaders as mentors
- Active negotiation in response to job offers
- Paying for membership in relevant professional bodies
With a good recruitment, training, and retention strategy, your organization can weather the cybersecurity skills shortage storm.
Editor’s note: This article originally appeared on KBI Digital.
About the author: Jo has over 25 years’ experience in the security industry. She consults in risk and technology issues with a particular emphasis on governance and IT security in businesses as a Director with BRM Advisory. She regularly provides strategic advice and consulting to the banking and finance, utilities, healthcare, manufacturing, tertiary education, retail, and government sectors.