The shortage of cybersecurity talent is holding back fast-growing companies like Atlassian -- so is the lack of STEM graduates here in Australia.
"From a commercial point of view, I kinda need more, and I need it, like, yesterday," said the company's director of security, Craig Davies.
Atlassian set up its cybersecurity centre in Austin, Texas, two years ago, but the company is keen to continue investing in Australia. Last year Atlassian hired 80 graduates here, assigning three to security, and their 2016 recruitment road tour has just started.
Davies wants graduates with solid practical skills, an issue he thinks universities need to address.
"I'd really like to see the students that come in already have that mindset of: 'This is the flaw, and this is what I can do to take advantage of it -- or more importantly, how I can join those together to create havoc and mayhem'," he said.
"I'm looking for that puzzle-solving ability, but they've got to learn aggressive techniques. They can't all just learn defence and theoretical. They've got to learn the bad side of it as well, to understand how to defend against it -- and more importantly, not just defend, but identify earlier in the cycle so the architectures become more robust."
The Department of the Prime Minister and Cabinet (PM&C) has also been hearing industry calls for students with more hands-on experience.
"They don't feel that graduates from university come out ready to do the jobs that people have," said Lynwen Connick, PM&C's First Assistant Secretary for Policy and Intelligence.
"We've been having a lot of that as part of our Cyber Security Review to see what we can do with universities to help make sure we connect the requirements of business to what's being taught at universities."
That Cyber Security Review is expected to be released "shortly", Connick said.
Filling the global cyber talent gap isn't the only way Australia could capitalise on the projected growth in security spending from $75 billion annually now to an estimated $170 billion by 2020.
Australian companies are already ranked number four in the world for cybersecurity-related patents, according to the report Network Security: Overview of patent out-licencing opportunities published by intellectual property consultants LexInnova Technologies in 2015.
The Cyber Security Growth Centre, with AU$30 million funding announced as part of the National Innovation and Science Agenda in December 2015, is designed to leverage our expertise.
"The Growth Centre is about bringing together researchers, startups who can commercialise research ideas and concepts, [and] connecting bigger businesses who have problems that they want to get solved," Connick said.
"The Growth Centre will develop a plan for how we grow the cybersecurity sector in Australia, [and] how we connect our sector to international markets."
Connick and Davies were speaking at D61+ Live in Sydney on Wednesday. This event was the inaugural showcase of the work of Data61, the new organisation formed by the merger of NICTA with CSIRO's Digital Productivity research teams.
Data61's chief executive officer Adrian Turner is bullish about the potential.
"The good news about cyber is [that] it's an arms race, so it's constantly evolving," Turner said.
"Even though we're behind in creating industry ... we can catch up. We have the talent, the capability, the universities. We have amazing work going on in the country to create that industry. And I think what's going to be important is to identify those areas where there's either a market failure, or we have capability and understanding of the problem to build critical mass."
Examples include the development of trustworthy and resilient systems, machine-learning analytics, and even behavioural economics that can be used to analyse the intersection of people and security.
Data61 has been collaborating with the US Defense Advance Research Projects Agency (DARPA) and Boeing to develop secure communications and flight control systems for drones, and that's already delivering results.
In one trial, a drone helicopter was equipped with a communication system based on the seL4 proven-correct microkernel, plus a camera system based on Linux. DARPA's red-team penetration testers were given root access on the camera system, but couldn't hack into the drone's communications.
Independent assessments have rated Data61 as having one of the top five machine learning teams in the world, Turner said.
Atlassian's Davies is impressed with some of Data61's work.
"Machine learning is an area that we are super interested in from a security analytics point of view, because of the size and scale across our entire infrastructure ... Australians have a great ability to look at really tough problems and go: 'Oh hang on, we could do it this way'," Davies said.
"I walk into a place like here [D61+ Live] and I see much better ideas," he said. "In the US, vendors do have good ideas, but they're 'swamped by all the other stuff' in the companies as they try to be all things to enterprise customers in every sector.
"What I get worried about is the small and medium business sector, particularly in Australia. That is an area that is ripe for breach, and is having breaches all the time. It is ripe for clever-thinking ideas," he said. Davies said it would be the same in the US market, but "the scale might be different".
Turner says Israel's approach, where a lot of the early companies and capabilities were spun out of the government sector, could be a model for Australia.
"This sense of being able to commercialise technology from the government sector, and also have government be an early adopter of technology, really helped to spark the industry there," Turner said.
"We've got to create a cyber industry, create depth in the talent pool, to be able to support our other industries as well ... We need to get a critical mass of researchers to attract the investment."