Australia is facing a massive skills shortage of cyber security professionals and the gap will only get worse unless more is done to invest in education, according to experts in the field.
Wednesday marked the launch of a $3.8 million joint government and private industry funded education program called Cyber STEPs (Secondary to Tertiary Education Partnerships), designed to get cyber education pathways into more high schools.
Cyber STEPs’ aim is to see advanced cyber security taught to year 7–12 students. The program will also be available to TAFEs, other registered training organisations (RTOs) and universities.
Speaking at the launch, James Curran, CEO of Grok Academy, a not-for-profit promoting cyber education, says the skills shortage will only grow into the future.
“Right now, we’re talking about a shortage of 25,000 cybersecurity professionals in Australia,” says Curran, who’s one of the original authors of digital technologies in the Australian curriculum.
“If every business isn’t heavily on-line already, it will be soon. As soon as your organisation is online, as soon as your staff are storing data, managing operations, anything like that, in an online environment, you can be hacked from anywhere in the world.”
Grok’s Cyber STEPs program creates real world simulated cyber-attacks for the students to engage with. It’s been running in schools since 2019 and over 170,000 students have participated in the online education so far.
Organisers say thousands of students attended Wednesday’s launch event, during which they heard from industry leaders about the importance of developing cyber security skills and the reasons they should consider a career in the field.
Curran says while it’s great to see the training for students being supported, what’s also needed is training for educators themselves.
“If you think about it, almost none of our 337,000 teachers in Australia ever learnt about this stuff at school, ever learnt anything about this as part of their initial teacher education at university,” he says.
“We’re asking them to teach our kids about it from primary school onwards, and in many cases teachers – just like the rest of us – [are] making exactly the kind of mistakes that we actually need to be protecting our kids from.”
Banks and technology companies are well represented among Cyber STEPs’ private industry partners and they say the industry needs the next generation of young people to be upskilled and interested in cyber security.
Luke Barker is the head of cyber security for British Telecom in Australia and he says the cyber security component of their business, where they provide cyber security support to companies, has been completely transformed in recent years, going from making up one-fifth of their overall business to now around four-fifths.
“We have to be at the forefront of that cyber resilience, our customers require us to make sure not only are they protected as a business but that their customers are protected as well,” he says.
Barker adds that the growing threats from cyber criminals change from industry to industry, however those most at risk were small and medium businesses who might not have the resources to put in place the strong cyber defences that larger businesses have.
“There is a lot of vulnerability in certain sectors, some like healthcare for example, as well as other small business,” he says. “Also those businesses which aren’t traditionally online, like manufacturing, are becoming targets because of the impact an attack could have on their day to day business.”
ANZ Bank Chief Information Security Officer Lynwen Connick says that major financial institutions like hers were always going to remain a big target for cyber criminals, and that maintaining a strong and robust defence system was essential.
“We’ve invested a lot in security, long before cyber became an issue of cyber security,” Connick says. “What you’ll find is that we are [one of the] organisations, who do a lot of work on security and have very sophisticated security capabilities, [because we know] as a financial organisation that we will be targeted. And so it’s something we take very seriously.
“But we want to make sure that we also help others, because we know if there was a big cyber attack in Australia, it would take on the whole economy. And so it’s equally important that we help others do the same thing.
“I imagine that we’ve probably got a more strategic capability than most organisations will be able to implement at this stage. We very much see it as a defence in depth approach,” she adds.
Connick says she’d like to see more young women getting into what is the mostly male-dominated field of cyber security. She says the job opportunities and career options in the field were only growing.
“In order to get more people into cyber security we need more women, we also want more diversity because the greater diversity in any team will make it more successful,” she says.
She and other speakers at the event were keen to point out the range of career options involved in the cyber security space, and emphasised that not all options were limited to the technologically advanced roles. Communicators, trainers and teachers are among some of the non-technical roles needed.
Matt Wilcox, the founder and CEO of cybersecurity workforce management company FifthDomain, says generally Australians are quite cyber aware and that we sit probably around the middle of the field of sovereign countries in terms of our preparedness for large-scale cyber attacks and online threats.
“We’re not like an Estonia, who have been living on the doorsteps of a hostile country [and] who have been essentially over the years a testing ground for certain cyber weapons,” he says. “We’re not like that. At the same time, we’re not the worst of the countries either.”
Wilcox says that organisations like his, which find and place cyber security professionals in various roles, are always looking for new talent and that cyber security would continue to be a highly paid and attractive destination for young people to work in if they were made aware of the opportunities.
He says he would like to see government and universities invest more into getting cyber security professionals from the field and back into universities to teach skills to a broader range of students.
“You have to think about this as a strategic investment, it takes years for what we are putting in now to mature into a capability,” Wilcox says.