Cloud adoption in Australia could soon hit a major speed-bump: skills shortages in cloud security. There’s nothing new about cybersecurity skills shortages, which most expect to persist into the foreseeable future: AustCyber predicts that the nation will need around 18,000 more cybersecurity workers by 2026, a number significantly beyond our currently trajectory.
However, those skills shortages are growing particularly salient in the management of cloud infrastructure – especially as businesses begin to favour more complex multi-cloud environments over homogenous public or private clouds. IT leaders must work quickly to upgrade and share skills in cloud security if they want to maintain speed of digital adoption without undermining their organisation’s safety.
Multiple clouds, exponential challenges
IT teams already face various issues in securing simpler models of public, private, and hybrid cloud, from a lack of compatibility with preferred security tools to the complexity associated with new applications and deployment methods like containers. Addressing each of these issues requires skills which, in most instances, can only be found amongst a handful of IT professionals typically clustered in certain organisations or service providers.
Accessing those skills on a regular and rigorous basis can be taxing even the most well-resourced of businesses – if they even remember to prioritise cloud security. It’s worth noting that the size, cost, and likely also frequency of data breaches in Australia continues to rise at a rapid rate despite increasingly stringent cybersecurity legislation, suggesting many organisations may still treat cloud security as afterthought rather than acute issue.
Those already-substantial cloud security issues multiply rapidly in a multi-cloud environment. IT teams must ensure consistent security posture across applications, data, and processes that move – and are meant to move – seamlessly between different clouds, most of which function very differently to one another. Delivering that consistency at speed and at scale requires not only technical proficiency in relatively new disciplines, but continuous learning and training as each cloud platform evolves independent of the rest. Most organisations simply can’t sustain that pace and find themselves quickly falling behind on consistent, robust cloud defence – often without realising it. This is part of the new challenges IT teams are facing today, and they have to be careful not to fall back into technical debt due to all these challenges and requirements.
What does it take to properly secure the cloud? For most organisations, unified security capabilities that can work uniformly across various cloud platforms; native integration of security solutions into each cloud; and a single management and automation layer covering the entire network. None of that comes without access to deep technical knowledge and sufficient experience to adapt security tools and approaches to the quirks of each unique cloud environment – something even well-known cloud security providers often struggle to muster.
For most Australian businesses, it is not within their realm of possibility to have those skills in-house, combining a historical understanding of the organisation and its workflows with enough technical proficiency to secure those various use cases in the cloud. This is particularly so for smaller enterprises which may lack the headcount or budgets to deliver even a passable level of cloud security on their own.
Plugging the skills vulnerability
What can Australian businesses do to close the skills gap? On the surface, not much: skills development around the country will take time, even with renewed emphasis on STEM in schools and colleges at a national level. AI and automation tools, while promising much in the way of protecting even the most complex cloud infrastructures, themselves demand new skills and technical understanding which most IT professionals still don’t have. However, Australian organisations – even those with relatively low resources – still have several options to improve handling of their cloud security.
First, CISO’s and business leaders can give their teams license to upskill – sponsoring them for courses and hands-on training that quickly boost awareness of the security issues faced in today’s cloud environments. More importantly, they can grant aspiring cybersecurity experts the time and support needed to learn and develop new abilities, even if that means shifting workloads or operational priorities for a certain window of time. Even virtual learning and training courses, like those offered by Fortinet’s NSE Institute, require no small amount of dedicated attention to be effective. The more CISO’s and business leaders can free up that attention, the better.
IT can also invest in skills-sharing: getting those with cybersecurity skills, whether in-house or from trusted service providers, to train others within the organisation. While doing so won’t necessarily offer the rigour of more formal courses, it can go a long way towards building awareness of key cloud security issues and lead to a more security-conscious posture when designing cloud models from day dot.
Finally, CISO’s and business leaders should work together to simplify their cloud infrastructure. IT leaders can work on frameworks and architecture with business in mind, where they can consolidate how they are using data and applications using a hybrid cloud strategy.
Business leaders, for their part, should lend their support to any attempts to rationalise existing applications and infrastructure while still meeting fundamental business goals. All too often, the adage of “less is more” still applies for both cloud and its security and the best way to secure the growing demand for cloud infrastructure is to build security into the beginning stages, from the design, to architecture to implementation, building security that is part of the business process, and not an afterthought.