3 strategies to address the cybersecurity workforce shortage

September 25, 2020

Source: JuSun/iStock

Australia is currently experiencing a severe shortage of job-ready cybersecurity professionals. It’s estimated that the country could require approximately 16,600 additional cybersecurity workers by 2026.

Recruiting in-demand IT talent presents a significant challenge for the entire economy, from the public sector to dynamic startups and large multinationals.

What impact does a cybersecurity skills shortage have on the Australian economy?

In spite of Australia’s recent growth in its core cyber workforce, supply is not enough to meet demand. The number of cybersecurity vacancies and time to hire is well above the IT industry average.

According to a 2020 analysis of historic data of salaries, vacancies and time-to-fill, Australian businesses face a supply gap that could last until the mid 2020s.

IT historic salary data Figure 1 - Cybersecurity positions are harder to fill and command higher average salaries (Source: Australian Cyber Security Growth Network)

And, while a substantial number of academic institutions have launched cybersecurity qualifications, it’ll take time to develop this pipeline. At which point they may be in higher demand than ever.

Until then, companies are under pressure to find the skills to meet demand in the medium term

Cyber workforce demand and supply

Figure 2 - Cyber workforce demand and supply (Source: Australian Cyber Security Growth Network)

One question for business is whether they can leverage transferable skills. Cross training existing IT professionals into new career paths could be an option

Another option is to offer training and professional development of existing talent pools. Providing access to security certifications for current employees could help to grow cybersecurity teams.

Why does cybersecurity matter in business?

Global society is more reliant on technology than ever before.

Whether it’s a small firm or a large global enterprise, chances are your business is dependent on digital technology.

And, while technological advances have expanded the economy, it also opens the door to new and rapidly evolving threats.

In 2018, Australia’s external spend on cybersecurity grew to $3.9 billion. However, according to the Morrison Government, cybersecurity incidents cost businesses in Australia an estimated $29 billion every year.

With complex systems in play and a lack of trained professionals, cyber attacks could inflict critical operational damage.

What strategies can firms take to prevent a cybersecurity talent shortage?

There are three main strategies your business can take to develop effective security teams.

  1. Make - train from the ground up
  2. Regenerate - upskill talent from other verticals within tech
  3. Take - attract talent from the industry

addressing cybersecurity workforce shortages

Let’s discuss each of these in more detail:

1. Make - how can firms build a cybersecurity training strategy?

The first strategy involves training new employees from the ground up.

This method carries many benefits, such as long-term cost savings, internal knowledge sharing and talent retention.

Cybersecurity training is an essential investment.

Training has always been essential to business success. It provides your employees with the skills and knowledge necessary to do their jobs effectively.

We’ve already discussed that cybersecurity threats are costing Australian businesses $29 billion every year.

Increasing training investment can help companies improve in-house expertise to reduce risks, detect threats, and prevent incidents and attacks.

It’s worth considering graduate schemes as part of your cybersecurity training strategy.

Providing graduate training helps you build from the ground up and benefit from academic research in the field. 

There are a number of ways you can attract talent from universities, including:

  • Offering mentorship programs. These will appeal to graduates without a lot of hands-on experience, but are willing to learn..
  • Contact universities to see if their curriculum contains your desired skill set. If they do, you can offer internship schemes, with the potential to keep graduates on once they’ve finished their studies.

It’s important to also be aware of the disadvantages of graduate schemes.

  • The average salary costs for a graduate would be lower, but they will require more support than an experienced specialist
  • It’s difficult to guarantee loyalty at this stage in their career
  • The time frame before graduates are fully productive may be longer than hiring experts
  • Training and development can be costly and resource intensive, although it can pay off in the long-run

2. Regenerate - upskilling existing talent with cybersecurity knowledge

The second strategy to prevent a cybersecurity talent shortage is to upskill your existing employees with a stronger understanding of cybersecurity.

Academic training can play a vital role but will be insufficient to meet demand. Transferable skills can play a significant role in attracting and developing talent.

In fact, a cybersecurity workforce study by McAfee found a wider variety of professions and trades transitioning to cybersecurity jobs. Including

  • Retail
  • Food production
  • Sports management
  • Sales & marketing
  • Teaching

McAfee’s Cybersecurity Talent Study (2018)

Figure 3 - professional qualifications of those working in the field responding to McAfee’s Cybersecurity Talent Study (2018)

Finding skills transferable to cybersecurity

People with strong problem solving skills are often well-suited to cybersecurity, as are those with scripting and reverse engineering skills. With this in mind, developers and programmers tend to be a good fit for cybersecurity.

When interviewing for transferable skills, try to avoid questions that are specific to cybersecurity.

Instead, consider scenario based questions that allow candidates to demonstrate a growth mindset and ability to learn. This will help you find employees with the capabilities to apply the skills they have to a cybersecurity role.

Cybersecurity awareness is not just an issue for the IT department

It is also important to increase awareness among all employees - not just those with an explicit focus on tech.

Apparently, 51% of reported breaches are caused by ‘human error’. These lapses include password sharing and sending documents containing sensitive information to the wrong recipient.

With that in mind, building cyber awareness through the organisation is an important element of a ‘regeneration’ strategy.

This can be done through the following steps:

  1. Organize security talks and training sessions
  2. Set up an early warning system to counter malicious spam campaigns
  3. Preventing employees wearing badges with their personal identifiable information in public
  4. Reminding employees of the risks when discussing confidential or client-specific information in public
  5. Create a good practice guide that is easy to access for all employees and is regularly updated

Keeping up to date with developments

The culture in the cyber security sector is ever-changing and requires individuals to actively keep abreast of all developments. This could include support through sponsoring of courses and training to develop employee loyalty.

Today's job seekers value environments that are built to encourage individual learning and development. The benefit of offering training to employees means that your company will have an upskilled workforce.

3. Take - how can firms develop a cybersecurity talent acquisition plan?

The final strategy option is to create a cybersecurity talent acquisition plan.

Recruitment partners can provide expert knowledge of the market and where the best opportunities lie. If they have a strong enough network, they can source in demand talent both locally and globally.

They can also help you to market your employer brand to the talent you want to attract. A well developed employee value proposition gives candidates an insight into your company and creates inbound demand.

It is worth spending time, thinking about your digital identity and the various channels, candidates will use to research you.

  • Is your LinkedIn company profile up to date?
  • Do you monitor your Glassdoor page and respond to feedback?
  • Do you share employee testimonials or images of your office/site?
  • Do you encourage former employees to refer you as a great place to work?

The immediate benefits to a cybersecurity talent acquisition plan is hiring specialists to develop your ‘make’ and ‘regenerate’ strategies. Other benefits include:

  • A more streamlined hiring process
  • A better employee experience and candidate journey
  • Stronger diversity among candidate and employees

A talent acquisition strategy must consider candidate motivations and what security professionals want from their next employer.

According to a study conducted by (ISC)², the majority of security employees want to work for a company

  • That takes their opinions seriously
  • That allows them to protect people and their data
  • That has a strong code of ethics
  • And provides a high salary

Are you looking to hire cybersecurity professionals?

If your company is feeling the effects of the cybersecurity shortage in Australia, we can help.

Our technology workforce solutions are designed to support you at every stage. We can provide talent acquisition, consulting and global employment services if you need to find skills from our global network.

We identify candidates according to your needs, so we’ll never put forward a candidate that doesn’t match your criteria. To find out more, speak to one of our specialists

Hire talent with an IT workforce specialist
bottom banner

This post was written by: Ryan Carroll, Regional Director - Australia & New Zealand