The ABS, Yahoo and Volkswagen all learnt the hard way, and now Australian government and industry are standing up and taking notice, but it could take 10 years to plug a yawning skill shortage in cyber security, insiders warn.
Australia has only around 10 per cent of the suitably skilled people needed to meet the growing demand for security engineers.
“There is just not enough. We are out by a factor of 10 so absolutely there is a competitive scramble for the people. Somehow we have got to create more,” says Richard Buckland, Professor in Computer Security, Cybercrime, and Cyberterror at the University of New South Wales.
“We are just on the first steps of a big journey and it probably will be a decade until we sort this. That is not a quick journey,” he says, adding that poaching is rife in the industry and the US absorbed most of the first tranche of skilled security engineers.
If the risk eventuates and hits an organisation, the implications are potentially organisation-threatening, Professor Buckland says, and that has increased demand dramatically as companies now scrabble around frantically.
A number of high-profile security breaches have underscored that the threat is real, and Professor Buckland is reassured that the Federal Government is tackling the issue.
“It is a really serious and important national problem to solve. Thank heavens they are seeing this. We are a bit ahead of the curve there,” he says.
“The country is really at risk. People are moving more and more of their life online and until that is properly secured, then your assets, your finances, your accounts, soon your property title for your house, and our power structures, our roads, our hospitals — all the national infrastructure we have that essentially has some sort of online footprint — is now, and will remain at risk until we properly secure it.”
The national need is so big it could replace all the people lost to the manufacturing industry, he says.
“The new digital world that is replacing so many of the old millennium’s jobs is also creating a whole range of new needs we are not yet meeting or filling, and they are quite exciting jobs too.”
UNSW teamed up formally with Commbank two years ago to train industry-respected security engineers, and has 300 students entering its program this year.
The five-year, $1.6 million partnership involved overhauling its cyber security curriculum, and CBA will also sponsor PhD research for security engineering graduates and provide funding for the recruitment of world-class lecturers.
Professor Buckland says obedient students who did well at school are not necessarily right for security, and the pool of people traditionally trained isn’t always appropriate to meet industry needs.
The best people learnt by being outside the system, by questioning, by attacking, by challenging, and by not taking assumptions.
“What we need is to put out these dynamic, energetic, questioning, lateral-thinking mavericks, almost, and we need to turn them out in fairly large numbers.”
“This is a challenge for training organisations: how can we turn them out in bulk at the same quality as that first tranche that we have all gobbled up? That is the problem,” he says. “We have to just change our traditional ways of teaching it.”
Humans by nature are “a bit cheeky and rascally,” and everyone is capable of doing some sort of security job, says Professor Buckland. “You don’t have to be a maths genius. I don’t think this is a job for elites, this is a job for everyone and this is a very human skill: scepticism, assessment of risk, cheekiness, looking for flaws.”