Australia’s security skills shortage is a lie: Talent is not the problem – hiring companies are

We were inundated with nominations for last year’s 2021 Australian Women in Security Awards, with hundreds and hundreds of outstanding cybersecurity and protective security professionals put forward to recognise their contributions to the ever-changing security industry.

Judges had their hands full – but I was left wondering what the response would have been if each person on my LinkedIn network had shared my posts with others like Amanda Turner did or made an announcement about the awards within their own organisations as well. One day, perhaps.

The other thing I was left wondering was a little more disruptive: with so many obviously qualified women distinguishing themselves in security every day, does Australia really still have a cybersecurity skills shortage?

News flash: there is no shortage of women (and men) working to get jobs in IT security. Universities are churning out graduates; workers are diving into cybersecurity from other industries, and employers are plumbing new sources of talent by recruiting internally and targeting gender-diverse and neurodiverse communities.

In other words, from here in the captain’s chair, it looks like the industry has heeded the call, pulling out all the stops to find the security professionals they require. So why is the media still talking, as the AFR did in August last year, about the “chronic shortage of skilled cyber security workers” and a talent pool half the size of the 14,000 cybersecurity job openings in the year to September 2020?

What about the ISSA/ESG Group Life and Times of Cybersecurity Professionals 2021 study, in which 76% of respondents said it was “extremely difficult” to recruit cybersecurity professionals, and 57% said their organisations had been affected by the global cybersecurity skills shortage?

Cloud computing security, app security, and security analysis and investigations were named as the hardest skills to find, but – and here’s the kicker – 29% said their HR department doesn’t really understand cybersecurity skills and was probably excluding qualified candidates off the bat. Furthermore, 28% said that cybersecurity job postings tend to be unrealistic, demanding too much experience and way too many certifications.

If you’re reading those comments and don’t immediately think about words like ‘internships’, ‘graduate programs’ and ‘work experience initiatives’, it’s probably time to hang up your hat and go home. But if you did? That’s the first step towards closing the gap.

What I can only conclude from these figures is that the media-hyped skills shortage has been false, misleading, and inaccurate.

The problem isn’t that we don’t have enough skilled cybersecurity candidates; the problem is that we have a shortage of fully qualified, deeply-experienced professionals who are citizens or permanent residents within our industry.

This perspective completely ignores the other pathways into cybersecurity, and the importance of understanding that your next cybersecurity superstar – and our next Women in Security Award winner – may well be a student who has blindly followed the advice, spent years getting trained, then graduated to find they cannot compete for jobs as currently described.

Blind Freddy could see that if cybersecurity spending is expected to increase to $7.6 billion over the next few years, then this is the time to train these individuals to be our next generation of cybersecurity fighters – and to adjust our expectations so that we can stop crying about the supposed skills shortage.

With international borders only tentatively opening, we will not be able to rely on the importation of certified, top-grade cybersecurity professionals any time soon – so why aren’t Australian companies looking to tap the talent in their own backyards?

There are hundreds, if not thousands, of cybersecurity and GRC graduates currently sitting at home and doing very little because they can’t satisfy a potential employer’s HR checklist or AI-powered CV screening tool.

Instead of acting like they aren’t there and crying about the skills gap, why not invest a little time and money to level up their skill sets and experience with a decent training program?

You have nothing to lose, and everything to gain – and so does an industry where we are chronically overlooking qualified potential employees in our search for the perfect candidate.

Here’s what I think we need to do:

  • The media need to report where the real shortage is
  • Universities and TAFEs could do better to promote cybersecurity professions, adding certifications and work experience to help graduates’ professional prospects
  • Companies should educate HR departments or recruitment agencies about cybersecurity roles and skillsets – and instruct them not to exclude candidates until they have been vetted by a senior CSO or similar
  • Managers should open up more entry-level roles, graduate programs, and internships
  • Executives should change company policies and culture to promote workforce inclusiveness and diversity
  • For students, I have just three words: network, network, and network
  • Connect with security professionals, associations, and mentors from different disciplines who can help you improve your optics with HR and recruitment agencies

As I’ve said, there is no point sitting around whingeing about the cybersecurity skills gap when a bit of lateral thinking will help us tap our massive pools of security talent. Without thinking differently, how will we as an industry ever catch up?
