Australia’s IT skills shortage is often cited as one of the main reasons organisations can’t find people with the expertise required for cyber security leadership roles. Following the release of the government’s ASX100 Cyber Health Check Report in April, I would argue that we don’t have a skills shortage as such. Instead, we as a nation are facing what I describe as a skills challenge.
The cyber security industry needs to address the lack of an industry standard around the skills and experience required to run effective security operations within an organisation.
The reality is that the boards of our top companies have limited understanding of the cyber security risks to their organisations, as revealed by the ASX100 Cyber Health Check. The report, which surveyed 76 of the top 100 listed companies in Australia, shows that although there is a high level of risk awareness and commitment to improving security, there are gaps in preparedness and resilience. Sixty-three per cent of the surveyed boards said they had limited or no understanding of their biggest cyber security vulnerabilities. Almost a third of companies (30 per cent) have not yet evaluated the cyber resilience of suppliers, customers and other key external parties that connect to them.
The rapidly expanding cyber security threat landscape calls for more robust, more sophisticated security teams that sit at the board level and understand both business and technology needs and risks. With an increasing number of high-profile breaches and ongoing pressure from governments and regulatory bodies, many businesses are starting to realise that cyber issues are no longer solely the responsibility of IT departments or senior operations executives. They are becoming increasingly aware that cyber incidents have real consequences for the business and that business leaders need to be plugged into the security strategy.
Moreover, Australia’s impending mandatory data breach notification law will inevitably lead to a rethinking of board skills and drive more demand for senior cyber literacy within organisations.
Cyber security is certainly high up on most board agendas, and there is a growing need for practitioners at the leadership level, as well as analysts with managerial pedigree who can drive overall business security strategy. However, the real challenge for organisations looking to fill boardrooms with trained cyber security professionals is the lack of an industry standard on the type of skills and experience required to run cyber security operations.
In most organisations today, there is a distinct gap between security teams, who are often absorbed in trying to determine what a cyber incident is and how fast they can stop it, and business leaders, who are focused on the overall impact of the incident on their organisations. Survey after survey indicates that cyber security is now a board-level topic, yet so many organisations still suffer from the "gap of grief": the inability to fully understand to what degree security incidents translate into quantifiable business risk. Issues are identified through a variety of sources, such as audits, risk assessments and security assessments, but are not managed properly to closure. Prioritising these issues is near impossible because there is no common understanding of the business criticality of the assets and processes they affect.
While the gap in understanding between IT teams and business leaders is a real challenge in its own right, the solution is two-fold. Firstly, IT teams need to be able to translate very nuanced technology-related risks into business implications, to help organisations align cyber security with their business needs.
Secondly, business leaders need to have the cyber literacy required to understand the technical aspects of cyber security. An important and greatly overlooked piece of this puzzle is the need for a clear picture of the specific skills organisations should look for to boost senior cyber literacy.
I cannot stress enough how important it is for the cyber security community to come up with a comprehensive skills framework to overcome the skills challenge and help boost cyber literacy at board level in organisations. In fact, it is one of the first things that needs to happen before we can move forward and foster cyber security skills locally.
The cyber security industry needs to outline the qualifications, requisite skills and relevant experience required of board members, just as other regulated professional sectors such as law and accountancy do. Working out the skills framework, deciding what kind of industry assessments Australia needs to implement, and figuring out how the framework can be used to train, rotate and empower senior cyber security professionals will not only attract the right people but also retain them for longer, especially at a time when many professionals aspire to move beyond pure technology and into the boardroom.
Len Kleinman is Chief Cyber Security Advisor, APJ, at RSA.