The skills shortage across Australia has been recognised as a potential brake on our economic recovery. For CISOs in particular, the lack of qualified and skilled staff to deal with increasingly sophisticated cyber security threats creates the perfect storm for business and consumer risk.
The Australian Cyber Security Centre (ACSC) saw a 13% year-on-year increase in reported cybercrime, with over 67,500 reports in the 2020-21 financial year. The ACSC puts this down largely to the impacts of COVID-19, as significant numbers of businesses and consumers moved to access work and services digitally and remotely. The three most commonly reported cybercrime categories were fraud, online shopping and online banking. In the report, the ACSC identified six key threats:
- Australians targeted online by malicious actors exploiting the pandemic
- Cyber-attacks on essential services and critical infrastructure
- A 15% increase in ransomware cybercrime
- Malicious actors exploiting newly disclosed vulnerabilities at increasing speed and scale
- Supply chains and their customers targeted through software and services
- Business email compromise
Border closures and a fall in migration also hampered organisations from securing the skilled staff required to address the growing challenges. In addition, uncertainty led many individuals to stay in existing jobs, adding to the lack of movement in the jobs market.
Even before the impact of COVID-19, organisations in Australia acknowledged that their cyber security teams were understaffed and underqualified. In the ISACA State of Cybersecurity 2021 survey, 66% of respondents in Australia and New Zealand indicated their teams are understaffed, 59% have unfilled vacancies, and 52% say applicants are not well qualified, lacking the experience required for the roles on offer.
Bridging the skills gap within existing staff is a good starting point for ensuring business continuity. Access to research and best practices, professional certification, continuous training, and induction programs that rotate security staff through different business functions will help them build better soft skills, a stronger grasp of the security controls in place, and a deeper understanding of critical data and business processes.
For CISOs to attract new staff, at the levels and skillsets required, they will have to work closely with HR teams and broaden their hiring strategy. Only 38% say HR regularly understands their cybersecurity hiring needs. Beyond certification and qualifications, the recruitment team should be encouraged to look for traits such as curiosity, problem solving and creative thinking. Broadening the hiring strategy to include under-represented groups, including women, diverse communities, people with a disability or a remote and regional workforce, is a great way to access an untapped talent pool and improve diversity in your organisation.
It's not surprising that the shortage of well-qualified security experts has created a highly competitive hiring environment in which poaching good staff is rife. We are seeing graduates with no experience and no industry credentials, such as ISACA's, asking for and expecting excessive salaries. With poor retention rates exposing organisations to greater threats, it is critical that a business takes a proactive approach to retaining staff.
Staff retention strategies can include:
- Open dialogue on staff benefits, such as flexible working, good culture, salary packaging
- Sponsored further education, ongoing training, and certification
- Ongoing review of competitive salary packages, in line with market trends
- Formal professional development plans and career paths
- Projects and opportunities that provide new challenges
- Access to business leaders as mentors
- Active counter-negotiation when staff receive outside job offers
- Paying for membership in relevant professional bodies
With a good recruitment, training, and retention strategy, your organisation can weather the cybersecurity skills shortage storm.