Here’s how to cope with Australia’s coming cybersecurity talent shortage

Australia’s recent budget ushers in the nation’s ‘biggest ever’ cybersecurity spend, with $10bn pledged to see electronic spy agency Australian Signals Directorate (ASD) double in size and ramp up its ability to launch offensive cyber operations.

Axonius executive Christopher Cochran says: “That’s great news for the IT industry, but the expansion is also likely to usher in a huge demand for cybersecurity jobs.”

Already, the increase in cybersecurity incidents has more than doubled the demand for cybersecurity professionals. Some sources state that around 3.5 million cybersecurity jobs are likely to go unfilled worldwide between 2022 and 2025.

Considering the impact of cybersecurity incidents and the number of open jobs, why is it so difficult to staff cybersecurity professionals?

So let’s dissect the scarcity problem.

On the surface, it seems as though there are not enough qualified professionals to fill all the job requirements. But let’s dig deeper. By the end of 2021, it was estimated that there were 1,053,468 employed cybersecurity professionals and 597,767 job openings. Organisations often look for the following four cybersecurity roles:

  1. Cloud Security: Focuses on implementing and managing the security of critical assets in cloud environments.
  2. Security Analysis and Investigation: Focuses on in-depth analysis of threat intelligence and security event artifacts for proactive investigations.
  3. Application Security: Focuses on developing and configuring mobile and web application code using secure coding best practices and monitoring.
  4. Security Orchestration and Automation: Focuses on leveraging machines to help prioritise and drive process standardisation for cybersecurity operations.

It can be tough to find a suitable candidate with the right combination of skills, certifications (depending on your industry), and experience. The practitioners that have the opportunity to raise skill levels and deploy creative solutions are sought out by some of the world’s top employers who can afford to offer higher pay and other benefits, making it hard for smaller organisations to compete. This also leaves these smaller organisations struggling to fill available roles due to budget and resource constraints.

But it’s also the case that employer expectations may be unrealistic. Although numerous data and stats show the scarcity of skilled workforce in the cybersecurity industry, the hiring process is also to blame. Hiring managers and recruiters often miss collaborative opportunities to set realistic expectations, understand the technical discipline required, and post job descriptions that are tailored to suitable candidates.

Organisations should consider the skills gained through personal pursuits and not only the years of professional experience. Furthermore, organisations prefer candidates with experience over potential, and this is not scalable for our industry.

What will be the repercussions of the talent shortage? Open roles affect team members who are already at the organisation. As the complexity of cyberattacks increases, the complexity of deploying, configuring, and managing security solutions increases too.

These security solutions create multiple alerts, and if not tuned properly will flood teams with false positives and cause what we call ‘alert fatigue’.

Alert fatigue is when a team or team member who is already stretched thin cannot handle the influx of alerts and is likely to experience burnout. Those burned-out security practitioners will likely make more mistakes. In this way, organisations suffer at the hands of the very problem they created.

So how do we combat the cybersecurity skills crisis?

Today, the crisis affects over 57% of organisations. It’s challenging to fill the workforce shortage without organisations changing their hiring strategy. The sizable ones should look for alternatives.

For instance, a cybersecurity team member can provide guidance and help develop a robust cybersecurity program. Hiring managers can focus on assessing aptitude rather than exclusively testing skills. Some vendors might even offer interested candidates the opportunity to learn and receive mentorship outside of the workplace and provide continued education to new team members.

Organisations ready to take major steps toward filling open cybersecurity roles should:

  1. Encourage cybersecurity education and provide required certification courses to support professionals at all job levels.
  2. Eliminate pay gaps and provide more flexible working conditions.
  3. Diversify management and hiring team practices to provide essential guidance to interested candidates.
  4. Promote and encourage women, minorities, and under-represented groups who have the required qualifications for leadership roles.
  5. Implement cybersecurity automation to help refocus human efforts and reduce the daily workload.