Why filling the talent gap is cyber’s biggest challenge

Cybersecurity Awareness Month is often focused on convincing the public to develop healthier habits, creating a cyber-literate populace as more and more of our lives revolve around our time online. But the industry in Australia has another problem that we need to be dedicating our favorite month toward solving; the education and development of future cybersecurity professionals.

Over the next three years, Australia is likely to hit 30,000 unfilled cybersecurity practitioner positions, mirroring a similar labor shortage in the U.S., Canada and Europe. The potential economic and national security consequences of thousands of missing security practitioners could be devastating, especially when considering an evolving threat landscape capable of launching more precise attacks than ever before. Without an adequate supply of experienced people in cybersecurity, the responsibility of thwarting rising numbers of ransomware attacks and understanding increasingly-convincing social engineering scams will fall on an already exhausted and stressed-out workforce.

And the workforce we have now won’t last forever. Research published late last year found that 57% of local cybersecurity professionals in Australia and New Zealand are either looking for new employers or considering exiting the industry altogether, with 87% of those respondents citing ‘burnout from workload’ as a factor in their decision. With the pandemic shifting workers to remote and expanding the surface area that these security professionals have to defend, it’s unlikely that the job of an analyst will get any less stressful in the near-future.

Which is why we have to act quickly to make cybersecurity an easier sector to enter — and stay — for everybody. Simply relying on universities and TAFEs to graduate enough students to fill the shortage of talent in the industry won’t be enough, and the current working conditions of analysts are clearly not sustainable. Cybersecurity Awareness Month is our opportunity to make a case that anybody can get a job in this lucrative, always-interesting industry, and that doing so will be a worthwhile career. To make that case, there are some steps we can take.

Cybersecurity is an industry that really only requires an innate work ethic, the ability to work as part of a team and willingness to learn — all traits found in professional settings like construction, hospitality, law, culinary arts and even science labs. We as professionals have to do a better job of encouraging detail-oriented and motivated folks in any industry to try their hand at cybersecurity. Hiring from outside of traditional STEM-focused majors and the most popular tech hubs could help bring new ideas into the industry and, critically, mitigate the talent shortage ANZ is facing. In order to make these hiring strategies a reality, though, cyber firms have to make themselves appealing to non-technical applicants, possibly by detailing whether there’s room to grow beyond the role, how the day-to-day tasks of that role play out and the opportunities to learn skills within that role — not just the necessary certifications and degrees required.

To retain the employees the industry does have now, security leaders have to find ways to make their employees feel appreciated and lessen their burdens. When a few employees are asked to tend to entire organisations’ security needs, they need to be comfortable setting boundaries that preserve their work-life balance without fear of losing their position. There’s not an easy path to helping employees without directly understanding what their problems are, and the more comfortable employees feel in addressing their issues and concerns, the clearer the path leadership will have to fix them via improving pay, benefits or offering additional resources in the office.

The cybersecurity labor shortage is a real issue that goes beyond gather telemetry and thwarting adversaries, but it’s equally important to the sustained growth of the industry. As we celebrate the 20th anniversary of Cybersecurity Awareness Month, we have to use our platform to encourage new interest in the field and improve the conditions for our current practitioners.