AustCyber to figure out what 'cyber skills' actually are

Australia is ahead of the global average figure for cyber gender diversity, but when it comes to filling the cyber skills gap we don't even know what we need.

It's a project that sails boldly into the dangerous and uncharted waters of actual evidence-based policy. AustCyber is working with the Australian Department of Education and Training, and PwC's Skills for Australia program, to understand our needs for cyber vocational education and training.

"We are gathering insights to learn about key cyber security skills needs and industry trends," wrote AustCyber on Wednesday. The aim is "to provide an evidence-based case for developing vocational training in cyber security skills that are transferable across multiple industries".

There's certainly a skills shortage. We've been hearing that for years, although some of the guesstimates seem extravagant. Cisco said in 2015 that there were one million unfilled cyber jobs [PDF]. Now we're hearing it could be 3.5 million by 2021.

The National Association of Software and Services Companies (NASSCOM) reckons that India alone will need a million cybersecurity professionals by 2020.

Whatever the numbers, it's an industry crisis.

But what sort of people do we actually need? What sort of skills?

According to McAfee's Cybersecurity Talent Study [PDF] released on Tuesday, we don't even know.

"While the existence of the skills gap itself is clear, many cybersecurity staff struggle to name the skills they think their organisation needs -- or the skills that would help progress their own cybersecurity careers," McAfee wrote.

"A lack of definition around required skills suggests that it is not just the skills themselves that are missing, but the talented individuals necessary to provide and integrate those skills into the everyday operations of the business."

While technical skills are important, respondents also identified the ability to translate technical concepts into plain language, analytical capabilities, working well in a team, and good communications skills.

"However, 27 percent of respondents couldn't identify a single skill that made for a good cybersecurity worker," McAfee wrote.

"These findings suggested there is still a lack of consensus about the skill set required for an effective cybersecurity employee, as well as a lack of understanding of what a truly diverse team should look like -- which threatens efforts to build well-rounded, effective organisational cybersecurity capabilities."

AustCyber's project is obviously intended to fill that knowledge gap.

"The purpose of this project is to provide an evidence-based case and industry support for developing vocational training in cybersecurity skills that are transferable across multiple industries," AustCyber wrote.

"The Cyber Security Cross Sector project will review current and emerging developments in cyber security skills, particularly in relation to data confidentiality, protection and privacy, and identify related skills needs shared by multiple industry sectors."

The project is looking at four topics:

  • Cyber Hygiene and Awareness
  • Threat Protection, including data protection, hardware protection, and identity verification and protection
  • Social and Business Risks, including social engineering and business practices
  • Advanced Cyber Security Skill, including network architecture review, advanced analysis and network forensics, and "advanced intrusion detection system concept"

"We want to hear from interested employers, industry representatives, employees, teachers, trainers, recruiters, students, and others who are passionate about improving vocational education and training, and/or who would like to provide feedback around industry trends, skills needs or training priorities in their sector," AustCyber wrote.

AustCyber is currently asking potential focus group participants to register their interest.

The importance of cyber diversity

McAfee's report also highlighted the lack of diversity in the cybersecurity industry, although only gender was explored in any detail, with previous industry background a secondary aspect.

Australia's cybersecurity workforce is 25 percent female, according to McAfee, more than double the global figure of just 11 percent.

"Recruiting cybersecurity workers just from the IT industry is unlikely to bolster diversity and can limit new thinking -- a potentially dangerous shortcoming in an industry as dynamic and fast-changing as cybersecurity," the company wrote.

Mike Burgess, director-general of the Australia Signals Directorate (ASD), also stressed the importance of diversity this week.

"I am proud of the fact that currently 56 percent of ASD's senior executive roles are held by women. That's a 25 percent improvement since I started in January. This result should be the norm, and while I can note this achievement, I would also note overall ASD is not where it should be," Burgess said in a speech on Monday night.

"Only 34 percent of our overall positions are held by women. We must do better and we will. We must have full access to the brightest minds across our society. Limiting ourselves is ludicrous."

One curious aspect of McAfee's research is their observation that many cybersecurity employees are gamers.

"Strong correlations between gaming and cybersecurity work suggest gamers represent a significant potential source of cybersecurity workers. Most cybersecurity workers polled (69%) said they either are, or used to be, keen gamers," McAfee wrote.

"This finding, which reflects previous McAfee research, suggests managers may want to consider gamers as forerunners when looking for cybersecurity staff."

It's worth remembering, however, that correlation does not equal causation.

On Wednesday, McAfee committed to providing some of its existing cybersecurity training programs free of charge to Australian senior high school and tertiary students and graduates.

The courses usually retail at $3,500 to $5,000, and McAfee has committed a AU$1 million value over three years, which would cover 500 to 600 students.

Related Coverage

New Zealand gets NZ$3.9m 'cyber' boost in 2018 Budget

The Computer Emergency Response Team, a government CTO, R&D, and Communications get a slice of the New Zealand Budget.

RMIT Online adds more tech-focused courses to tackle skills shortage

The online arm of RMIT is launching new courses in self-driving cars engineering, robotics, AI, and front-end web development.

ASD restructure: Trouble at t' cyber mill?

Differing views within the recently restructured Australian Signals Directorate, described in one media report as an 'internal brawl' and 'internal frictions', could highlight a deeper, more challenging division.

Budget 2018: AU$250m for Skilling Australians Fund

The government has allocated AU$250 million for its Skilling Australians Fund, with the Budget also setting aside almost AU$200 million in helping 'mature-age' citizens adapt their skills for the digital economy.

Why manufacturing companies need to up their cybersecurity game (TechRepublic)

Cybercriminals now consider manufacturing companies a target-rich environment. Learn why and what can be done to get off that list.

4 best practices for cyber intelligence in business (TechRepublic)

Research has shown that the safest businesses know their digital weaknesses, preemptively identify any potential hacker targets, and hire a diverse cyber intelligence team.