As cyber security becomes an increasingly important issue for Australian organisations, many are finding themselves hamstrung by a lack of qualified staff. Skilled security experts are proving hard to find and the rising salary expectations resulting from this scarcity is putting them out of reach for small and mid-sized firms.
Clearly something needs to be done; however it's not a problem that can be solved by a single group. Any successful strategy must include actions taken by security companies, the tertiary education sector and the Australian Government.
The lack of a clear career path
When you take a look at the root cause of the IT security skills shortage facing the nation, interestingly it doesn't stem from a lack of talent or motivation. There are many highly intelligent people in Australia for whom a career in IT security is a very appealing option.
Rather than a lack of people, the skills shortage is actually the result of a lack of defined career paths. If you are a high school student and want to be a doctor, for example, you can go to the school counsellor who will advise which subjects to take in years 11 and 12, and which universities to consider for further studies. The same holds true for those who want to embark on careers in areas such as law, accountancy or engineering.
At the same time, if you want to be a plumber, carpenter or electrician, there is a recognised path through high school, to TAFE and then on to an apprenticeship. Young people follow these paths successfully every year.
When it comes IT however, unless you want to be a programmer, there are no recognised paths, and this is particularly the case when it comes to IT security. All those young people with talent and enthusiasm simply don't know how to get their career started.
Some may try approaching a security company looking for a job but, lacking saleable experience, they are viewed by any prospective employer as someone who is going to need a significant amount of time and money invested in them before they will be able to add value to the firm.
While some firms do make new hires, many more are unwilling to take these kind of risks. This is understandable in a commercial environment where keeping a lid on costs and maximising billable hours are key goals.
The role of the education sector
The most effective way to overcome Australia's chronic shortage of IT security specialists is for universities to begin offering a Bachelor of Cyber Security. As well as covering the technical aspects of the area, such a degree should also incorporate teachings in areas such as psychology, law and economics.
The result would be graduates who have an understanding, not just of the tools and techniques used in IT security, but also of the wider context in which companies are operating. This would make them much more valuable prospective new employees.
The role of government
For universities to make the investments needed to establish courses of this type, they must be convinced that there is demand from both students and prospective employers. Universities are for-profit entities and so following a 'build it and they will come' approach is not viable. They must be sure the lecture halls will be filled from the outset.
This is where the Australian government can play a role. It can act as a facilitator by bringing all parties together and creating an understanding of the benefits that will result from such an initiative.
Simply offering incentives such as one-off grants to companies that employ new inexperienced staff is not enough. The government needs to work more broadly to increase awareness of the situation and the best strategies for fixing it.
The role of the IT security industry
As a result of these new degree courses, IT security firms will soon have access to a new pool of talent. Graduates will have acquired the basic skills they require that can then be further extended with on-the-job training.
The degrees will also lower the risk to firms that new employees will be unsuitable for long-term employment and any further time or funds invested in their training will be wasted. They can hire them with confidence and nurture the talent that already exists.
Increasing the number of qualified security specialists in the industry in this way will also reduce the challenges associated with skilled staff being poached by other firms. More qualified people in the market will make it easier for firms to fill vacancies as they arise.
With the education sector, government and IT working together, Australia will be in a much better position to tackle the IT security issues that will continue to increase in coming years. Creating a clear career path is the key.
Phil Kernick is founder and executive director of Adelaide-headquartered CQR Consulting.