The Australian Cyber Security Centre says the cyber threat “remains ever-present”.
A survey by the ACSC found 90% of Australian organisations faced some form of attempted or successful cyber security compromise during 2015-16. The survey found 86% of organisations experienced attempts to compromise the confidentiality, integrity or availability of their network data or system and just over half experienced at least one incident that successfully compromised data and/or systems.
Robert Half director Andrew Brushfield says there is “definitely” a shortage of cybersecurity talent.
Many companies have in the past put a lot of resources into boosting their core IT systems to support sales and grow their business and left security as a secondary consideration. But that has changed as they have grown more concerned about security.
“Companies are now running at a pace to get the security in place because at the moment it is all the rage,” he says.
According to a survey by Robert Half, some 75% of Australian CIOs say they will face more security threats in the next five years due to a shortage of IT security talent.
Cyber professionals want learning opportunities
Good cyber security experts are usually already in work and are usually quite well paid, so recruiters need to offer a strong value proposition. Along with pay and conditions, cyber security professionals want opportunities to learn and to stay up-to-date with their specialisation through events like meet-ups.
Brushfield says that while soft skills are important in any job, in cyber security there is more of an emphasis on technical skills.
“It’s all about your technical skills enabling you to do your job to protect the information of the company, protect the information of the individuals in the company, protect the information of the customers of the company, and stave off or fight off any potential security threats,” he says.
It is also important that those cyber security professionals have a strong background in the area they are trying to protect. For instance, someone hired to protect applications should have a background as an applications engineer, says Martin Cvizek, IT Recruiter for CSIRO’s Data61. For this reason, there are now specialist degrees in data security, although Cvizek says it is not an entry-level job.
Data61 conducts research and development on IT, including cyber security, and has more than 1100 staff.
As such, Cvizek is often concerned with recruiting research scientists in cyber security, but he says many of the same principles apply.
He says he looks for people who have undertaken work of a similar scope and depth in another organisation and for people with relevant and valid certification, although these aren’t on their own an indicator of competence.
Attending conferences and exhibitions
Along with technical skills, there is also a non-technical skill set, which Cvizek says is equally important. This includes governance and assurance and risk mitigation. “It’s about leaving no stone unturned and about ticking all the boxes along the list. It’s super important to have done,” he says.
Cvizek says the best way to find cyber security professionals is to choose staff with the right backgrounds and train and develop them in-house, but of course this isn’t always possible, particularly when needs are pressing.
One way of engaging with security professionals is to go to forums where they meet, such as conferences or exhibitions.
For instance, Cvizek attended the Internet of Things (IoT) Summit last year. “If you were recruiting in that space, then you would go to that conference. You would maybe have a stall there, you would present there, you would network there,” he says.
“We had security professors from Australian National University (ANU) associated with us, speaking there as well, talking about the importance of designing IoT, developing standards for security for IoT.”
It’s also important to have a presence in online forums used by security professionals.
Along with using job boards such as SEEK, Robert Half’s Andrew Brushfield says it is very useful to tap into your networks.
“Simple things like networking through your current contact list or database of security experts is a really effective way of doing it,” he says. “If you know great security experts, they will know great security experts.”