The health sector has been a major target for threat actors over the last year or so. Hospitals in the United States have been heavily targeted with the pathology department at Royal Melbourne Hospital bringing the problem onto our own shores.
During the recent Cyber in Business conference held in Melbourne, conference organiser Thomas Alomes moderated a panel discussion on the topic of "Closing the skills gap in cyber" with a focus on health services. The panel members were Dr Nalin Asanka from the ACCS at UNSW Canberra, Dr Toby Murray from the University of Melbourne, Professor Matthew Warren from Deakin University, and Associate Professor Sara Smyth from LaTrobe University.
The panel's discussion was not especially focussed on the health sector, with many of the suggestions the four speakers made being pertinent to the entire cyber security sector.
The panel started by looking at the question "Is there a skills shortage or is it a failure to use diverse skills?".
Asanka opened the discussion noting there needs to be a systematic approach to finding people and training them. He said universities are producing lots of graduates with the requisites skills but we lack a way to mine those skills to find and place the right people.
Smyth also noted, during the audience Q and A session, that the focus is not only on hard technical skills but on le easily identified and taught skills such as problem solving and critical analysis.
There are things we can do better, said Murray. We need to develop better technical skills so people can ask the right questions. Generic skills such as machine learning and core fundamentals need to be a major focus. Although the threat landscape changes, the core principles stay constant he said.
One of the challenges, said Warren, was that the actual shortfall of people is difficult to measure. There are indicators, such as increased salaries and companies saying they can’t find the right recruits. No single entity can solve the problem. Smyth agreed, saying we need partnerships between academia and business to better understand the needs and give industry skills to students. A focus on teaching for vocational skills would be a good start, she said.
The panel then turned their attention to the nature of those collaborations. Murray said working with smaller companies was valuable and that businesses can help teach students from a perspective of the "real world" rather than a school's academic perspective.
But there was a "catch 22" said Warren. Industry is not always open to offering placements to university students because they lack experience. As a result, universities are looking for ways to create opportunities for students to get that experience within their course of study so they are more attractive to companies.
Warren also noted that organisations such as AISA found their members found academic qualifications, industry certification and experience were all valuable.
Smyth added that educators need to help students through experiential learning, the introduction of guest speakers such as law enforcement and technologists to bring real-world perspectives and to embrace new teaching modalities to engage students. She mentioned delivering a course, at one time, using to the once popular Second Life platform as an example.
Looking ahead, both Smyth and Asanka said government support was crucial for addressing the cyber skills shortage. Aside from the obvious, often repeated request, for more funding, there was some consideration given to how the government could better foster a start-up culture.
For example, changing the taxation regime around employee share programs and options were seen as important.
Murray's advice was to ensure there was a tighter link between what is needed by business with what is being taught and researched in academia. By bringing these two sides together, alongside better government support, all the speakers agreed it would be possible to address the current cyber skills deficit.