The skills shortage in the cyber security sector is more severe than expected, according to a new analysis released today.
A shortfall in Australia’s cyber security workforce may already be costing the nation more than $400 million in lost revenue and wages, according to the analysis prepared by AustCyber — the Australian Cyber Security Growth Network.
AustCyber today issued the first annual update to its Cyber Security Sector Competitiveness Plan. The initial SCP was released in April 2017. The plan is intended to act as a blueprint to help strengthen the local information security sector.
The updated SCP reveals that today the local infosec sector is already short some 2300 workers, and Australia is expected to need up to 17,600 additional cyber security workers by 2026.
At the moment most growth is from workers transitioning from other sectors, such as IT, rather than graduates entering the workforce and skilled migration.
Currently, the nation’s cyber security workforce has a headcount of around 19,500, having enjoyed growth of around 7 per cent over the past two years. That growth is not sufficient to meet short-term demand, states the SCP.
There is a $12,000 average wage premium paid for a cyber security worker over an IT worker, according to the document, and filling an infosec role takes 20 to 30 per cent longer compared to IT roles. Some 42 per cent of ICT security specialist vacancies went unfilled in 2015, according to data from the Department of Jobs and Small Business included in the SCP.
“Over the past year, universities and vocational training providers have accelerated efforts to launch new cyber security courses and degrees,” the updated SCP states. “Partnerships with employers are helping to improve the quality of cyber security education by focusing curricula more on industry needs and facilitating more on-the-job training opportunities.”
However it warns that over the medium term the skills shortage will remain “severe” unless “employers start offering better pathways for workers to transition from other industries into cyber security roles”.
It adds: “Most workers currently taking up roles in the Australian cyber security sector have previously worked in broadly similar roles in IT and other industries. But to develop strong cyber defences, Australia needs to build a more diverse workforce with both technical and non-technical skills. Improving the gender balance will also help the cyber security workforce grow and mature.”
Although cyber security education is growing, the SCP argues that in the short- and medium-term closing the skills gap will require more support for workers transitioning from other sectors; in addition to people in IT, lawyers, people in risk management, and communications professionals could be particularly suited to the sector, the document states.
The SCP says that it is “evident that there is a lack of workers transitioning into the cyber security sector from industries outside IT”.
“This is largely because current recruiting practices still place strong emphasis on technical skills,” the document says. “This is despite the well-acknowledged need to improve the ‘soft skills’ and diversity of workers in the sector. There is also a lack of public understanding of the range of different career paths spanning technical and non-technical cyber security roles.”
Industry roadmap
AustCyber and CSIRO Futures today released the Australian Cyber Security Industry Roadmap. The roadmap examines the role that cyber security can play in boosting growth in other sectors, focusing on medical technology and pharmaceuticals, mining, advanced manufacturing, oil and gas and food and agribusiness.
“As organisations increasingly rely on digital technologies and the cross sectoral flows of data, the need to protect people and assets from malicious cyber activity is growing,” said AustCyber CEO Michelle Price.
“This strong demand for cyber security is creating substantial economic opportunities for Australia.”
“As an enabler for industry, cyber security’s importance is being driven by the global business environment becoming increasingly interconnected and reliant on data and digital technologies,” the roadmap states.
“As a result, organisations need to think of cyber security not just in terms of compliance and risk mitigation, but as an essential business function that is fully embedded in processes and systems.”
“Cyber security has never been more important, both as an enabler for Australian industry and as a source of economic growth itself,” said CSIRO’s Dr Shane Seabrook.
“As we integrate data and digital technologies into everything we do, security will be key to our future economic success. International cyber security practices are yet to reach a uniform level – the time to position Australia as a best practice nation for cyber security is now.
“The Cyber Security Roadmap will guide immediate actions that can set the stage for long term success – simultaneously protecting Australia and enabling us to be agile, innovative and competitive on the global stage. We can build our cyber security industry with skills from our world-class education system, testbeds supported by our small but sophisticated market, and alignment with cultures and time zones in our geographic region.”