Short on skills shouldn’t mean short on security 

By Lindsay Brown, VP and General Manager APJ, GoTo (pictured)

The ongoing skills shortage continues to slow Australia’s hiring conditions, with cybersecurity professionals being one of the most sought-after employees, according to recruiter Hays’ Salary Guide.

Given how paramount cybersecurity has become to all organisations this isn’t surprising, but business leaders should not be prepared to accept gaps in security as they wait for hiring to progress. Internally, organisations should be considering upskilling and introducing easy-to-use security solutions to improve their cybersecurity posture, or they risk being the next victim that makes news headlines.

The security skills shortage squeeze 

A workforce armed with strong cybersecurity skills  is critical for Australia’s future prosperity and safety. ‘Cyber literacy’, or knowing how to effectively protect digital assets, is not only relevant for professionals working in the cybersecurity sector, but is also becoming a must-have skill for every Australian worker in the digital age, regardless of occupation. Because of this, cybersecurity employees are heavily in demand, with AustCyber estimating that Australia may need around 16,600 additional cybersecurity workers for technical as well as non-technical positions by 2026.

With such gaps in the market forming, it provides a ripple affect across the business. On the most consequential and dangerous side, organisations are at high risk of cyberattacks as reflected in the number of data breaches Australia is currently experiencing, with 409 data breaches reported to OAIC in the first half of 2023.   

Furthermore, understaffed organisations will only exacerbate the burden placed on current IT workers. When IT teams are slim, not all tasks can be actioned to the highest standard, leading to increased vulnerability, lengthened downtime and disruption, and a diminished customer and employee experience. 

Therefore, given the potential business impact that arises, it becomes imperative that being short on skilled professionals does not lead to being short on security.

Tapping into internal potential 

When unable to hire externally, it is important to place focus on how internal operations can be improved. Large organisations can look to draw heavily on workers with transferrable skills from other departments, such as the broader IT team. Companies can do this by offering pathways to accelerate the transition of workers from outside the sector into cybersecurity roles. 

For smaller organisations, where cybersecurity responsibilities fall directly under IT teams, focus should be placed on alleviating day-to-day tasks so IT workers have as much time dedicated to security as possible. Leveraging Artificial Intelligence (AI), IT workers without the skills to write complex or specific scripts can generate the commands they need using AI, effectively teaching themselves and gaining valuable new skills in the process. This allows IT teams to grow internally, while senior technicians can focus on cybersecurity practices. 

Ultimately the greatest improvement on strengthening cybersecurity posture, especially while under resourced, comes from a collective effort by every employee within the organisation. James Turner, Founder of CISO Lens, quipped at the recent AFR Cyber Summit; “We hear the statistics that 17,000 more security experts are needed in the next five nanoseconds, or something, but I don’t think it’s a useful stat. What would be much more interesting would be 100,000 people who actually cared about security.”

Cybersecurity needs to be a focus of for everyone within the organisation, and business leaders should look to foster a culture of rsecurity-awareness. Employees who can uphold basic cyber hygiene, such as recognising phishing emails, implementing strong password policies, and utilising multi-factor authentication greatly reduce the risk of account breaches, and in turn the workload of IT teams. 

From IT workers to security leaders 

When looking to plug cybersecurity gaps, it’s important to lean into the expertise organisations already have with their IT leaders. Beyond becoming dedicated cybersecurity professionals, especially when it’s not an option in small and medium sized businesses, IT teams can become leaders in cybersecurity investment. 

GoTo’s 2023 IT Priorities Report found that when it comes to deciding on new digital tools, 39 per cent of Australian business leaders took their IT team’s recommendation. Moving forward, organisations should lean into IT teams’ preference on what security tools would serve the most purpose, such as mobile device management if remote and mobile working is prevalent, zero trust security, or anti-virus management software. And with restricted budgets, a solution that is fit for purpose and addresses the security aspect, will only save costs while increasing efficiency and mininising risk. 

The cybersecurity skills shortage is not showing signs of improving, and threats will only continue to plague businesses. When understaffed, it is important to recognise what can be addressed internally surrounding upskilling, investment, and most importantly, instituting a culture of security-awareness. Short on skills should not lead to a complacent cybersecurity approach.

By Lindsay Brown, VP and General Manager APJ, GoTo (pictured below)