In 2015, cybercrime damages cost the world no less than US$3 trillion. By 2021, that figure is expected to double. The director of America’s National Security Agency has called cybercrime ‘the greatest transfer of wealth in history.’
Such dire predictions and explosive quotes should be a boon for the cybersecurity industry; it’s fair to say that it won’t be short of work in the foreseeable future. But there’s one thing it is short on, which is starting to become an unignorable thorn in the side.
The inconvenient truth about cybersecurity is that there simply aren’t enough good guys to stop the bad guys. What’s more, the bad guys are generally more motivated (with trillions of dollars of loot on the table, who wouldn’t be?) and their modus operandi allows them to be more creative than the security experts, who are so often tasked with simply chasing a hacker’s tail.
If the current talent shortage continues unabated, it’s predicted that there will be 3.5 million unfilled cybersecurity positions by 2021. Such a dearth of trained professionals could see our private data being exposed to the most untoward users of the World Wide Web, and may result in the sort of outcomes that have previously been reserved for dystopian literature.
So why has this shortage occurred in the first place?
Cybersecurity moves and evolves faster than virtually any other tech sector. But unfortunately, cybersecurity hiring practices haven’t historically reflected that fact. With hiring managers conditioned to prize formal education above all else, a candidate with a four-year university degree is given far more credence than a high school graduate with serious coding ability, but little interest in higher education.
The fact that the learnings from the university degree are obsolete by the time it is printed and framed hasn’t seemed to matter. And by continuing such dogmatic hiring practices, tech companies are not only severely reducing their pool of talent; they’re also missing out on some of the brightest minds around.
But that’s not to say that organisations aren’t becoming alert to this issue. Vicky Bond of Text100 notes that the intensifying talent shortage has seen some of the world’s largest tech companies offering up creative solutions.
“Atlassian’s Mike Cannon-Brooke suggested offering visas to top graduates from 50 of the world’s best universities. And IBM champions what it positions as ‘new collar jobs’ where skills and ongoing on-the-job training matter more than degrees”, says Vicky.
Telstra is another organisation that is choosing to tackle this challenge head on, according to its Lead Discovery Analyst Skye Wu.
“We need to think more broadly about the pipeline of skills we need in cybersecurity and how different skills can complement each other. We may be missing opportunities to hire individuals with different backgrounds.”
As such, Wu puts less weight on what might conventionally be seen as signs of a good hire. “In my team, when we recruit, we actively focus on diversity of thinking and experience.”
A high-growth industry, a serious shortage of talent, and organisations beginning to hire more on potential than on proven track record — for budding tech professionals, cybersecurity represents a perfect storm of employment opportunity.
As organisations realise that the right degree is worth far less than the right attitude, candidates who can demonstrate curiosity, motivation, work ethic and adaptability will be far more prized than those holding a dusty academic cap.
“An aptitude for learning and critical thinking are the main skills needed” says Wu. “Technological skills can be taught, but essential skills like problem solving and critical thinking are much harder to develop.”
Bond has her own take on what a potential cybersecurity expert needs to bring to the table.
“It’s important to realise your academic background doesn’t always have to be computer science or engineering. It’s important to understand how technology is used, and the human behaviour that drives it.
“Increasingly, cybercriminals are taking a more strategic and targeted approach in their attacks. ‘Spray and pray’ tactics are becoming less frequent, and in some cases cybercriminals are using human social engineering tactics, known as spearfishing, to imitate those closest to their targets such as a friend, spouse or boss.
“If the cybercriminals are approaching the industry with a humanised skillset, it’s time for those responsible for defence to be equipped the same way. There are many transferable soft skills well suited to a role on the front line of cybersecurity, such as attention to detail, communications and project management.”
It’s clear that the idea of what constitutes a cybersecurity professional is exponentially expanding, which will result in the range of employment opportunities in the field following suit. Necessity is the mother of invention, so the need for pragmatism in cybersecurity will no doubt lead to the invention of a range of roles that lay far beyond the narrow view of the field today. For those with an interest in the industry, the career prospects look as fertile as they do exciting.
The final word is perhaps best left to Bond of Text100: “The cybersecurity shortage facing Australia needn’t be seen as a problem. It’s an opportunity for individuals to upskill and for organisations to rethink their recruitment practices.”
Looking for your next opportunity? Browse our latest job openings.