How can we close Australia’s cyber security skills gap - Risk Advisory blog | Deloitte Australia
The Australian Government has recently released its Cyber Security Strategy 2020. As part of our series exploring the new strategy, this blog looks at the implications for cyber skills for businesses and government moving forward.
Cyber skills are critical for the future of Australia. The Australian Government’s Cyber Strategy 2020 rightly emphasises this importance, with a range of sensible mechanisms to broaden and deepen the cyber skills held by Australia’s workforce. But the strategy stops short of defining what is meant by skills and knowledge, and who among the Australian workforce is a target for this education push.
Cyber awareness is simply common-sense safety. A framework with minimum standards needs to be created and adopted across all industries and for all individuals. By putting basic cyber security knowledge on the national agenda, cyber skills will no longer only be the realm of security professionals.
All ages, varying stages
Everyone needs to have basic literacy in cyber security across their digital lives, from their homes to school and work. The key to achieving Australia’s cyber strategy is to start with ensuring a national uplift of core cyber skills by embedding them at the grassroots level.
This must be geared to the Australian population as a whole, rather than a subset of it – including current, future and retired workers. After all, a chain is only as strong as its weakest link. As with any goal to impart knowledge across a population, it’s helpful to stratify people into recognisable categories and determine the level of knowledge we would aim for each stratum to achieve.
For it to be successful, this framework needs to ensure that cyber knowledge is synonymous with general digital learning. These knowledge sets are intertwined; one cannot learn the latter without also learning the former.
With these considerations, there is then a need for the government to:
Creating this baseline will enable us to build further cyber skills across organisations, as well as remove barriers to entry and enhance cyber as a career for any who desire it. But to achieve this, we need a framework that binds together the education system, government bodies, private organisations and professional bodies. While the Cyber Security 2020 Strategy identifies varying cyber crimes and threats under focus, it does not note the roles and strategies these players will fulfil to address these challenges.
This responsibility needs to be shared and distributed across all sectors by implementing standards and frameworks. It can include numerous simple tools: a phishing email video before a user accesses their email account; an ad on how to protect data and privacy before logging into a social media account; privacy protection messages when logging in to an online bank account; cyber bullying awareness in schools; making it easier to report cybercrime, and combining cyber security education with other degrees.
The simplest solutions and ideas will be the most effective and resonate most with individuals. Stranger danger is understood when kids go out to play, but what about the threat posed by people online? Do we need to have universal baseline cyber protection measures in place for each industry, such as banking?
Within this, we see the government’s role as being a vocal advocate and promoter for this fundamental shift in how Australians understand cyber security. Australia has a rich history of successful nation-wide public awareness campaigns. Though now decades old, “slip-slop-slap” is still so ingrained in the minds of most that skin cancer awareness in the public consciousness is second nature. Equally, “stop, look, listen, think” is instinctively repeated in our minds before we cross the road. A similar approach needs to be implemented to integrate cyber protection measures in the psyche of individuals, regardless of age.
For businesses, their role will be to explicitly acknowledge and focus on the need for cyber skills to be embedded across all industries. Right now, cyber security is where health and safety was 30 years ago: disparate, patchy and often optional. A more concerted effort will see cyber security undergo a similar evolution to be a key part of employee safety – from initial inductions when they start a role, all the way through their employment at that organisation.
Removing the cyber stigma
The flow-on effect will be the advancement of cyber security as a career pathway. By debunking unhelpful stereotypes of the cyber workforce and making information security a commonly accepted practice, cyber will become a pathway of choice for many, bridging the forecasted skills shortage in this industry.
Removing and reversing the stigma of what a cybersecurity professional looks like will open this career choice up to more people, including those currently under-represented – females, young Australians, the less-technically minded and those looking at a mid-career change – increasing and diversifying the talent pool available.
A path to a comprehensive cyber skills strategy that brings all Australians along the journey is critical. Every sector and every individual can be impacted by a cyber threat. Directing education outcomes towards a better understanding of cybersecurity will not only take a concerted effort from government, individuals, businesses and learning institutions – but will benefit each of them too.
A cyber security expert and leader who focuses on protecting the data and systems that matter most to his clients. David works with business leaders to set cyber and data protection strategies before drawing on his experience of data protection technologies and managed security services to bring them to life.
David is a cyber security and privacy management, risk assessment, governance and strategy development expert in large and complex organisations. In 2011, David led Deloitte’s engagement in providing an independent view of information security policy and governance across all agencies and departments in a major Australian state government. Prior to joining Deloitte Australia in 2008, David spent five years leading information security in the UK for Europe’s largest guided weapons and missile producer. This role included responsibility for information security compliance, risk management and the relationship with government regulators in a highly regulated industry.