Cyber Security Skills Australian Organisations Need
The increasing number of cyber security risks
Cyber security skills are in high demand around the globe, and here in Australia. More organisations are completing digital transformation projects and automating their core business operations. As companies digitise their activities, they expose themselves to a greater variety of cyber security risks. These risks have increasingly dangerous implications, thanks to a growing community of cyber criminals that seek to exploit any vulnerability for their profit.
The Australian Cyber Security Centre lists the growing number of cyber criminals as the number one cyber security challenge this year, primarily due to readily available ransomware kits, and the proliferation of cryptocurrency mining malware.
The cyber security skills problem in Australia
We have a crisis of cyber security talent in Australia. Recent figures suggest that Australia has just 7% of the cyber security expertise it needs. Local market demand for specialist cyber security professionals has multiplied three-fold, thanks to recent legislative changes. Australian legislation; the Notifiable Data Breaches (NDB) scheme introduced in February 2018, puts pressure on businesses to keep cyber security under control. Internationally, the General Data Protection Regulation (GDPR) released in May 2018, has also put intense pressure on enterprises with clients around the world, especially insurance, banking, and healthcare organisations.
Job platform Indeed reviewed advertisements listed on their Australian site that required cyber security skills. Demand for cyber security specialists more than doubled, after the NDB scheme came into effect in Australia. A 227% increase was witnessed in a 60-day period between 01 February 2018 and 01 April 2018. This figure increased a further 140% over the next two months.
Available talent is not keeping up with this demand for cyber security skills. In 2017, interest in cyber security job postings met 17.5% of this requirement. In 2018, the Australian talent market had a 93% skills shortage in specialist cyber security roles.
Top 7 cyber security skills for Australian Organisations
It is important to analyse where precisely the shortage is. So, what are the top skills required in 2018 to detect, prevent, and mitigate cyber security risks?
1. Security Analysis
Security analysis is no longer a technical skill alone. Every organisation needs people who understand cyber security, their core business, and the industry in question. Organisations need people who can use a range of security tools to monitor systems, identify gaps and recommend ways to minimise attacks, and this cannot be confined to an IT team or a security operations centre. Every enterprise needs a CISO, who can analyse Enterprise level risks and recommend solutions to a board. If an organisation cannot justify an internal CISO, they can find CISO-as-a-Service or Consulting CISO options which are more cost-effective.
2. Penetration Testing
Intrusion detection has become a critical area to increase cyber security organisational capability – thanks to hackers increasing in skill and number. Ethical hacking skills and other technical penetration testing skills are a must, especially for companies with a large volume of external customers interacting with their websites and applications.
Penetration testing must be done by seasoned cyber security professionals certified to the most stringent standards. At Stickman, our Penetration Testing services are based on OSSTMM, OWASP and NIST criteria and conducted by certified specialists.
3. Secure Application Development (DevSecOps)
DevSecOps is the new DevOps: there is no point speeding up IT operations if this brings a flood of vulnerabilities. Rather than just incorporating security into DevOps, DevSecOps is a proper cross-department approach. It involves combining three crucial areas of expertise: software development, IT operations, and cyber security. Working from, and in silos, is a sure way to allow vulnerabilities to find their way between teams. Good application development teams must design every product with security challenges discussed in the planning phase, rather than applying a break-fix approach later down the line. And DevSecOps is not just a buzzword. Gartner forecasts that 80 per cent of rapid-deployment teams will embed DevSecOps practices by 2021. By comparison, only 15 per cent were using DevSecOps in 2017.
4. Incident Response
As mentioned before, we cannot operate under the illusion “breaches will not happen to us”. It is disturbing how frequently I encounter this philosophy. When it comes to cyber security, leaders must prepare for the ‘when’ scenario, not the ‘if’ scenario.
Every IT team and security operation must have strong incident response (IR) capabilities and a robust IR process. IR starts with a thought process. Just like Stickman’s own Cyber Security by Design methodology, good IR requires thinking ahead and designing for scenarios that have not yet eventuated. By the time IT identifies a security incident, it is too late to come up with protocols and assign responsibilities, so due to the vast number of people potentially involved, every team and department must know their part in a response plan. If your organisation does not have an incident-response plan that outlines all key steps, it is time to start redesigning your core IT processes to ensure cyber security.
5. Cloud Security
IT teams managing cloud workloads face a few core challenges:
The rapid rate of change
Technology teams have always struggled with change. On-premise infrastructure requires constant upgrades and patches and can require change periods of months or even years. This rate of change has only gotten worse with public cloud computing. Vendors do their best to ensure security while increasing functionality, but vulnerabilities continue to pop up. Australian businesses cannot put complete faith in any cloud vendor. Every IT leader must evaluate cloud platform changes with their data and information security in mind.
The 2017 State of the SaaS-Powered Workplace Report stated that companies
…use 16 SaaS apps on average today, up 33% from last year [and that] 73% of organisations say nearly all (80%+) of their apps will be SaaS by 2020.
The staggering number of different SaaS vendors means very few teams can ever stay on top of the sheer variety of cyber security vulnerabilities inherent in each application. Even managing access to Social Media accounts is a challenge that can land a brand in hot water (for example, the UNSW Facebook breach).
User-led technology change
In 2016, Gartner and CMO Magazine reported that CMOs in Australia are now spending more on technology than CIOs. Business users and decision makers typically lack cyber security education and awareness. Even though IT may not directly manage every piece of technology, the CIO is held responsible for information and data breaches regardless of cause.
6. Data Science and Analytics
Cyber security as a profession has progressed well beyond simple monitoring tools and processes. Many cyber security vendors include behaviour-based analytics, big data analysis, and machine learning tools in their products. Firewall vendors and even antivirus programs are starting to add some of these tools. Organisations need high-end data science and analytics tools to ensure their cyber security detection efforts are ahead of the competition – hackers and cyber criminals.
7. Soft Skills
Last but not by any means, least – communication is a universal yet crucial skill for every organisation seeking to mitigate cyber security risks. A staggering 90% of cyber-attacks succeed because of human error: good communication is key to reducing this. Business users need a cyber security expert with a listening ear to understand their business challenges, and provide clear instructions that any user can and will follow.
And whether you are implementing a new procedure, developing a new product, or troubleshooting issues – strong soft skills will help you succeed.
Addressing the cyber security skills shortage in Australia
Indeed noted that despite an incredible increase in demand for cyber security skills and job candidates, there is a shortage of people with specialist skills. “The problem is that cyber security professionals – who combine broad technical skills with specific security expertise and an understanding of business risk – are becoming much harder to find. Addressing this skills shortage will remain a matter of critical importance for the foreseeable future.”
According to CSO.com.au, many organisations are working on fixing our local cyber security skills challenge. “Recent projects have included popular speed-networking events by AustCyber; a program called WithYouWithMe that focuses on retraining skilled military veterans; a recent $600,000 government grant uniting the University of Sydney and the banking industry to develop a Cyber Security Challenges for High School program”. However, most businesses cannot wait for retraining efforts to solve our incredibly large cyber security skills gap slowly.
Organisations can also choose to grow capability internally, by skilling up individuals who are keen on a career in cyber security and have some skills. Again, this is a slow process fraught with risk. It does not solve the need for niche, specialist skills (such as CISO level thought, or PCI compliance expertise) that organisations need from time to time but cannot retain on a full-time basis. Playing a waiting game – waiting for the right candidate to take a job – is fraught with risk. Waiting for the right cyber security skills to come by is akin to waiting for disaster to strike.
What then is the solution? Managed Security Services from a specialist, proven provider such as Stickman allow Australian businesses immediate access to top cyber security talent, shored up by world-class standards and measures. CISO as a service capability is not a ‘nice-to-have’: penalties facing Australian organisations which suffer data breaches can be crippling. Working with the right provider means immediate alleviation of risk, and access to decades of experience.
The right approach is working with a seasoned provider who has been focused on cyber security best practice and alleviating risk, well prior to the advent of NDB legislation or GDPR. Cyber security did not become a business problem in 2018.
Contact us to learn more about our approach, our services, and how we can fill your cyber security skills gap.