Bringing IT talent into an organisation can be a herculean task at the best of times, but as any hiring manager responsible for digital skills will tell you, there’s no challenge quite like cybersecurity, Linton Burling writes.
According to a study from Burning Glass, filling cyber security roles takes 20 per cent more time than typical IT roles. That’s due to a global job market that’s exploding in size, outstripping the ability of talented people to fill positions.
This isn’t just a global problem, we are experiencing a similar situation closer to home. A study from industry body AustCyber warned that Australia may need approximately 16,600 additional cyber security workers by 2026 to meet demand, and that’s despite a recent rise in the country’s cyber workforce.
To add fuel to the fire, the pandemic has further exasperated the skills shortage globally. Permanent working from home arrangements and a notable uptick in cyber-attacks are causing headaches for security teams, who desperately need more skills to pick up the slack.
For private organisations, hiring cybersecurity talent is often a matter of how much they’re willing to pay, although this is less of a reality for government agencies. With tight restrictions on budgets and many regulatory boundaries to consider, bringing on cyber talent in such a competitive market can be tricky to say the least.
Addressing this issue is no easy feat and it may progressively get more difficult as time goes on. During a recent executive roundtable for NSW government agencies hosted by Vault Cloud, experts from across the sector weighed in on how they’ve been managing the shortage of digital skills and what agencies can do to address the increase of risk that it presents.
The three takeaways from those experts on how to manage cyber skills within agency environments include:
- Double down on your strengths to acquire talent
Luring cyber security talent isn’t easy for government, considering agencies of all sizes are finding themselves competing against tech companies and large enterprise organisations.
However, that doesn’t mean agencies can’t compete if they think about things a little differently than a private organisation would. Government organisations have a lot to offer candidates from all backgrounds, and they should rest on these tried and tested proficiencies for attracting security talent.
Agencies should emphasise non-financial aspects of the roles on offer, with a greater focus on societal impact, benefits, and work/life balance. These elements are highly compelling and even refreshing for IT talent, as burnout and stress are often part and parcel in these positions.
Using this approach, one agency commented that, as part of a recruitment drive for 150 roles, only 15 (10 per cent) had declined at the last minute due to salary negotiations. This demonstrates that while financials are an important aspect, it’s not a deal breaker if you can bring something else to the table.
Agencies should also take advantage of new remote working capabilities to look outside their typical geographies, increasing the candidate pool and widening the scope for talent.
- Determining the right mix of staff
There is no ‘one-size-fits-all’ method of balancing talent approaches, although it’s doubtful that agencies will be able to do everything by themselves.
Agencies need to make considerations around the business risk and level of security needed for their specific organisations and prioritise protection accordingly. This involves following a security-by-design mentality and – importantly – finding the right balance between in-house full and part-time talent and contactors.
“It’s a blend of different types of people. You have a permanent core group and then you have your contractors and consultants,” one agency commented.
Security contractors shouldn’t be feared or avoided, as they can provide an injection of talent in certain areas that can take security strategies over the line.
“The permanent people are committed public servants, who care deeply about what they’re doing … You aim to get 90 per cent of the work done within this base, or the ‘core group’. Then you have contractors for up to 12 months and consultants for up to three months on the remaining 10 per cent. It works well.”
This obviously isn’t a hard and fast ratio, but each agency can assess their risk profile and find the mix of staff that works best for them.
- Ask more from vendors
Breaches are a ‘when’, not ‘if’ inevitability and breach awareness is a key area that requires additional focus for government agencies. There have been instances where agencies haven’t been aware of a breach until well after it has occurred, suffering from a distinct lack of visibility over their environments.
While having the right skill available to tackle this risk is important, vendors can also provide some critical support. Agencies need to start having hard conversations with their vendors, ensuring they’re taking accountability for the security of their environments.
Vendors need to take responsibility for their solutions and be prepared to commit beyond marketing statements. That involves proactively notifying agencies of issues, whilst being accountable in remediation and recovery efforts if data is lost.
These vendors need to have a thorough understanding of the agency’s requirements and limitations around data use. Experts at our industry roundtable discussed instances of vendors coming in and taking charge after an event, only to migrate data to offshore clouds, breaking compliance obligations.
That’s why it’s important for vendors to be involved from the planning and design process and come prepared with a comprehensive knowledge of agency IT profiles and the priorities that go along with being part of the government. If vendors aren’t providing this level of support, agencies should reassess these relationships.
Linton Burling is general manager at Vault Cloud
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter