Where are all the cyber security experts? A rare breed wherever you are in the world, but demand in Australia and the wider APAC region has never been higher.
According to the Government’s Cyber Security Review, the need for IT security professionals is expected to grow nationally by 21 per cent over the next five years. That’s some 9,100 jobs.
It’s little wonder as businesses, institutions, governments and individuals are generating, storing, exchanging and mining more data (some of it highly sensitive) than at any point in history.
It is increasingly difficult for consumers and businesses to manage, control and protect the sheer volume and multiple islands of data we use and create. The number of malicious attempts made to access these data grows each day. Those wanting to access these data are becoming more advanced and more malicious. Sometimes they want the data to steal our identities whether for doxing, for surveillance or to enrich with other data so it can be sold on at a higher rate for other purposes.
The Australian Crime Commission’s Organised Crime report 2015 said cybercrime affected five million Australians in 2013, although that figure is likely to be an underestimation because it is based on the cost to individuals only, not industry and government.
The world needs cyber security specialists more than ever. It needs them to help protect data, systems, people and organisations. The lack of professionals in the security industry has led some to call it “the largest human capital shortage in the world”.
Here at Blue Coat, I am fortunate to be surrounded by top security talent. We are always searching for the right people to join our team as we grow. It’s a task that’s getting increasingly challenging. But I’m not worried. Here’s why.
I think for too long our community has been keeping a big secret: What we do is actually really great. Dare I say it: it’s even pretty cool.
As my colleague Dr. Hugh Thompson, the Chief Technology Officer here at Blue Coat, said at the AISA National conference in October:
“We are in a space where you are defending critical information, people don’t even know they’re being defended, and you’re doing that every day. And the people who you are defending against are constantly changing. On the one side you can lament that and say – the attackers are evolving, but on the other side, if you are a problem solver - how could you be anywhere else but this space right now in history?”
That “secret” is beginning to get out. Information Security is exciting and impacts every part of our daily lives. Security used to happen in the background. It was a geek thing and was of little interest to anyone except those within the industry. Times have changed and as technology fully integrates into everything we do, security always seems to be front page news. Crime scene investigation roles were made sexy and interesting about 15 years ago by the popular TV show CSI at the time, now we have TV shows based on solving Cyber. Cyber Security is becoming interesting to the general public.
Stories about cyberattacks read like international spy thrillers. They involve mysterious groups, criminal gangs, subterfuge, moles and malicious intent. Governments are seeing the real threat of cyberattacks to infrastructure. Investigations are leading back to organised crime syndicates and terrorist groups.
The profession is becoming the most important line of defence from the world’s malevolent forces. It is the stuff of a James Bond movie (and such themes actually made it into the latest film of the franchise, Spectre). Our industry now has a great public image and our work is increasingly considered noble and important. And rightly so.
As Dr. Thompson explained to the AISA conference our line of work attracts a certain kind of person with a certain way of thinking.
“[It’s for] folks that look at a system and first thing they think about is: How can that system fail or break?” he said. “I think that it’s almost a personality attribute of an individual”.
“It’s a space for problem solvers. It’s space for people who like hard problems. It’s a space for people who are very creative.”
There will always be people like that, what’s needed is for the security community to attract them. To let them know we’re here. So they know there’s a career perfectly suited to their way of thinking in which they can protect the public and learn something new every day. It’s up to each of us to do that.
Recently there have been some high-profile fringe hacking groups emerge, and while their motives have not always been pure and productive, the rise of these types of groups points to a trend that could be harnessed for more positive purposes. Many of their members have technical skill and are creative problem solvers, and while their abilities could be used for scams and to steal money and data, they could also be very effectively redirected toward combating social media and tech-savvy malignant forces. They are young, able and driven to make the world a better place. We need to show these individuals there is an opportunity, a better, safer and more productive future, waiting for them in our industry.
We need cyber security to be part of computer classes from a younger age. Let’s face it - most young kids are fully computer literate. They don’t need to be taught how to use Word, they need coding and programming and cyber security skills.
Dr. Ian Williamson from Melbourne Business School raised a very valid point. He said “Companies are consumers of talent, they should be investing in developing talent, but the reality is, it is much easier for companies to bring fully developed talent in. Universities are suppliers of talent. When those two parties work together it can make a big difference.”
As an industry we need to stop thinking that talent only exists in the pool of people being recycled between organisations. We need to start thinking about employing problem solvers, who we then teach business and security skills. I’m always surprised by the number of taxi drivers I encounter on a daily basis across the country, but mainly in Melbourne and Sydney, who are IT ninjas, certified to the hilt with Masters or Bachelor degrees in IT but who can’t find a job in Information Security. What’s holding employers back from hiring these people in junior roles?
David Powell, the CISO of NAB pointed this out by stating “I’ve pretty much given up on attracting talent because it is a very hard market to recruit in. It’s about investing in your people, having a whole program that teaches the soft skills.” David is developing talent internally and recognises that it is a long journey.
So is it just about offering people a career path and proper training? Should companies take a risk on someone that has the right attributes, rather than a specific skill set?
I have been thinking about this a lot, for a long time and I believe the following is required:
I have faith in our community to work to attract the right people to the right side of the battle. I have faith that we can inspire people that there is a really cool, crime-fighting, save-the-world job waiting for them in cyber security.
Our secret’s out. At last and for the better!
Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint
Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.
Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation
CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)
Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana