Career Gaps Poke Holes In Australian Cybersecurity Defense

Image credit: iStockphoto/golubovy

Let’s begin with an anecdote from personal experience: I talked to a friend of my thirty-something-year-old son on the weekend. Naturally, I was interested as he recently transitioned from a career in the music industry to cyber security.

He’d done his research, thought about his future, and believed that a degree in IT with qualifications in cybersecurity was a more secure career path than lugging PA systems and mixing desks into venues.

Sadly, however, it hasn’t proved to be as positive as he had hoped. Around 18 months into his career change, he is disillusioned and frustrated by the lack of support and recognition he is receiving.

The work is stressful, but he sees limited opportunities for promotion and career development. So he plans to see if life at another organization might be better. If not, he is looking at another career change — his third by his early thirties.

Frustrated career path

The anecdote resonates with a recent global research report from detection and response firm Trellix, which found that 35% of cyber security professionals are frustrated by the lack of a career path, with three in ten disappointed by a “lack of societal recognition.”

And while over 90% were inspired to consider their work as “purposeful and soulful”, more than a third thought there was insufficient recognition for what they do. Alarmingly, 12% were considering leaving the profession, resonating with the comments of the young professional I spoke with on the weekend.

Much of this goes back to the skills shortage across all organizations. 85% of the cyber security professionals say that the shortage hurts their organization’s ability to secure increasingly complex information systems.

This has created something of a “Catch 22” situation, which is particularly relevant in Australia. Due to the skills shortage, Australian organizations are struggling to cope with the new security landscape, as evidenced by a spate of recent lapses at leading financial institutions.

Most recently, Tasmanian-based pensions fund Spirit Super confirmed that the personal information of around 50,000 members had been compromised in perhaps the most significant security breach to hit the industry this decade.


The breach occurred in late May when a staff member clicked on a link in an email that was a phishing scam, resulting in a security breach that gave the attackers access to the Spirit member database. The fund has more than 325,000 members and manages over AUD25 billion in member funds.

In other recent incidents, failed startup GigSuper breached member privacy in an email copied to 500 members, telling them on Christmas Eve 2021 that the fund had collapsed.

In the advice industry, RI Advice was found to have breached the law by failing to protect against nine cyberattacks that risked confidential client data.

Outside of the financial industry, the payroll data of 90,000 South Australian government employees was compromised in a May security attack, which came through a third-party provider, Frontier Software.

Rating poorly against global peers

In this context, it is not surprising that around 80% of Australia’s chief information security officers say their organizations are unprepared for an attack.

This data comes from a 2021 Proofpoint survey, which found that Australian CISOs were the least prepared for cyberattacks among 14 countries. The Australian result was also up 21% from the same survey conducted in 2020.

On top of that, 68% of the Australians rated their organization at significant risk of suffering a major attack in the next 12 months, against a global average of 48%.

In the case of the Spirit Super breach, the mistake was made by an employee responding to a phishing email. This was reflected in the survey, with 75% of CISOs considering human error the greatest risk.

So, why is this happening? Organizations are pushing further into their digitalization journeys but lack the resources and access to skills to keep themselves as safe as they should. At the same time, the cast of bad actors is becoming more sophisticated and capable.

Reflecting that again, cloud security firm Trend Micro released their research earlier in June 2022, finding that 69% of Australian organizations are worried about their growing “attack surface.”

Over a third said it is “constantly evolving and messy,” while 41% could not define its extent. There are blind spots, unsophisticated risk assessments, and a lack of transparency around network environments.

On the extreme end, over two-fifths — or 41% — of respondents believe their digital attack surface is “spiraling out of control.”

Earlier this year, the Australian Government announced a significant AUD9.9 billion investment in cyber security to shore up the capabilities in intelligence and defense.

One can only hope that this pumps some energy into the cyber security industry and helps create a fresh cohort of professionals who can plug the corporate skills gap and raise the profession’s profile.

Whether that happens fast enough for my son’s friend to retain his enthusiasm for his cyber career remains to be seen, but I hope so. He’s a good one, and the industry needs him.

Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models. You can reach him at [email protected].
