There is a need for businesses to take a planned approach to cybersecurity awareness, training and education to ensure visibility and capacity to respond.
According to a recent speech in Parliament, Julie Bishop, Foreign Minister, stated, “The Australian Signals Directorate detected more than 1,200 cyberattacks against Australian interests in 2015.” These attacks primarily targeted Australian government and businesses in defence, energy, finance and transport.
And that is just the number of cyberattacks detected. Joint research between the Information Systems Audit and Control Association (ISACA) and RSA Conference shows that in 2015, 82 percent of Australian/New Zealand (ANZ) IT professionals expected their business would experience a cyberattack that year, indicating the number is probably even higher.
Unfortunately, the threats are increasing, and the cybersecurity skills gap is worsening too. There are three things that will help to narrow this gap, but it will take time and considered planning.
First and most importantly, the highest levels of management need to recognise that cybersecurity is not just an IT issue – it is a business issue. According to the ISACA and RSA Conference survey, globally 82 percent of boards of directors report being concerned or very concerned about cybersecurity, yet only one in seven chief information security officers reports to the CEO. With the monetary and brand damage already experienced by local businesses, cybersecurity must be viewed as a business issue and budgeted for accordingly.
For businesses that do recognise the importance of the issue, another problem lies with finding staff that are adequately skilled and know how to deal with cyber threats. According to the 2016 ISACA Cybersecurity Snapshot, the cybersecurity skills gap is a significant challenge to businesses trying to expand their cyber workforce. Close to half (47 percent) of those surveyed in Australia said they need to hire more cybersecurity professionals this year, yet a whopping 94 percent of those hiring said it will be difficult to find skilled candidates.
One way to address the skills gap is to provide on-the-job training. Ron Hale, Chief Knowledge Officer at ISACA, states, “Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce.” Upskilling those already employed can reduce time spent trying to find staff in a shallow pool of applicants where determining the skill level can often be challenging, particularly with the dynamic nature of cyber threats. There are a myriad of training courses businesses can provide to staff, including those offered through ISACA’s vendor-agnostic Cybersecurity Nexus (CSX), which now includes a career road map tool that can highlight areas of future growth and development.
Not only should IT professionals obtain on-the-job training, but businesses should invest in basic security training for all employees. Understanding the basics and having policies in place, especially in password protection and social engineering, allows employees to be more responsible and alert for potential threats and attacks, and enhances the protective and responsive capabilities of the organisation.
Another tactic for overcoming the skills shortage is to proactively engage tertiary students. A number of major universities are providing courses in cybersecurity; however, students do not necessarily understand the job opportunities that are available to them. Local chapters of ISACA are actively engaging students through career fairs and guest lecturers to discuss the opportunities and skills required for these roles. Businesses should do the same as a way to embolden digitally savvy students to work in the IT industry. Through this active engagement and awareness, students will be able to see the possibilities and opportunities that are available to them.
Further to this, a diverse workforce is needed. According to Girls in Tech MasterCard research, which surveyed teenagers in Australia and Asia about Science, Technology, Engineering and Mathematics (STEM), young Australian women are the least interested in these subjects in the region. If this level of disinterest remains, the cybersecurity skills gap will continue to increase. The research suggests that providing positive female role models and highlighting the attractive salaries may assist in encouraging more women into IT roles. There are amazing female role models who continually inspire and provide thought-provoking insights into the security industry. They are leaders and pioneers, and businesses need to profile these career opportunities so that there is an even greater pool of talent to tackle the cybersecurity issue.
In her address to Parliament, Julie Bishop said the Australian Government will pledge $30 million to develop a Cyber Security Growth Centre which will create business and employment opportunities for the cybersecurity industry. This is just the beginning when it comes to tackling the major cybersecurity issues within Australia. How a business approaches the concept of cybersecurity is imperative in today’s marketplace. Upskilling the current workforce and encouraging a diversified workforce are steps in the right direction to ensure an organisation is prepared and its capacity to respond is adequate.
Garry Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management and governance, having worked in a number of New South Wales public sector agencies and in banking and consulting. ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global non-profit association of 140,000 professionals in 180 countries.