Awareness of cybersecurity threats may be increasing overall but businesses across Australia and New Zealand are still struggling to get the staff they need to respond to those threats, according to analysis of the local skills market that found over a quarter of organisations lack the ability to develop the cybersecurity talent they need.
Fully 61 percent of the 200 cybersecurity professionals responding to the recently released Hays Cyber Security Talent Report said their organisation was finding it difficult or very difficult to recruit cybersecurity talent, with just 5 percent saying that doing so was easy.
“It is still incredibly hard to staff roles in the cyber function,” the report notes, “and even harder to retain them whilst there is a ‘war for talent’ going on.”
Some 56 percent of respondents said they had responded to difficulties finding cybersecurity staff by upskilling existing IT staff in security areas, while 44 percent were tapping professional networks, 29 percent were hiring university cybersecurity graduates, and 11 percent were sourcing cybersecurity talent from overseas.
Just 25 percent of respondents said they had sponsored, or would consider sponsoring, skilled cybersecurity professionals from overseas – despite a recent analysis finding that temporary skilled visa programs are “a net positive” for Australia.
“Australia and New Zealand are attractive places to live and work,” the report noted, “which makes other countries an obvious source of talent.”
However, only around half of respondents believed they were capable of developing and retaining cybersecurity talent – highlighting a lack of formal recruitment and staff-development pathways that was leaving many organisations on the back foot when it came to building out their cybersecurity skills.
Those challenges had accelerated adoption of security automation, boosting investment in capabilities like incident response and penetration testing.
Automation is fast emerging as a key transformative force within the cybersecurity space, with Gartner among the many firms promoting a security orchestration, automation and response (SOAR) approach to better support security incident response.
Many organisations were looking elsewhere for the cybersecurity skills they need.
Some 48 percent of respondents said their current cybersecurity team was insourced, while 40 percent had looked outside the organisation to gain access to cybersecurity expertise or services to complement their own.
Internal cybersecurity teams were generally quite modest, with 61 percent of respondents saying their cybersecurity requirements were being managed by 5 or fewer employees.
Just 27 percent of respondents said they had 11 or more people looking after their cybersecurity protections – and 47 percent of all cybersecurity teams were operating without the supervision and guidance of a formal CISO or equivalent.
CISO roles were still seen as unusual in many organisations despite the escalating cybersecurity environment, the Hays report noted, arguing that the role “has progressed in the corporate hierarchy” and was rapidly entering the mainstream.
Respondents flagged a range of challenges including money, skills shortage, simplification, and getting the message right: “finding the right way to convey the message, with the right level of detail, is somewhat an art form that continues to challenge technical employees,” the report’s authors noted.