The Australian Cyber Security Profession is Broken

Significant challenges in uplifting cybersecurity resilience will remain until the Australian cybersecurity workforce sector is regulated like other industries and professions.

It is often said by long-term cybersecurity practitioners that in order to solve the 'wicked problem' that is cybersecurity, organisations need to consider three distinct (but highly interrelated) areas - people, process and technology.

Despite this rather uncontentious perspective, contemporary organisations will typically see cybersecurity as a technology problem first and foremost. Consider an organisation that keeps having cybersecurity incidents. It will almost always throw some more tech at the problem to try to resolve it. Some more issues? Let's add a couple more boxes with flashing lights. So on and so on, until they are left with an unwieldy technology stack that is hugely problematic to manage.

You would think that all this tech would have solved the problem, right? Well ... no. Statistics keep illustrating that cybersecurity breaches often happen as a result of human error - be it accidental or deliberate. In fact, according to the Office of the Australian Information Commissioner, 96% of data breaches result from either human error or deliberate (and malicious) human activity (see the OAIC January to June 2023 report).

We know that human factors cause almost all cyber-related breaches. Logic dictates that solving the cyber challenge rests not in more and more tech, but in ensuring that the people who work in the sector are knowledgeable, skilled, experienced and educated enough to do so - and that they can follow the appropriate processes to prevent, detect, respond to, recover from and remediate cybersecurity risks.

Given that cybercrime is projected to become a $10 TRILLION black hole of criminal activity by 2025, you would be forgiven for thinking that cybersecurity practitioners belong to a professionalised industry governed by a code of practice, a code of ethics, minimum acceptable levels of competency and a requirement to keep your knowledge, skills and experience fresh - the same way doctors, lawyers, engineers, accountants, nurses, allied healthcare professionals, the trades and pretty much every single industry outside of IT are.

Well, what I am about to tell you may come as a bit of a shock to the system.


The Australian cybersecurity workforce today is completely unregulated.

It often astounds people when they learn that there are no industry-wide professional standards for cyber security practitioners that are formally recognised by any Australian regulatory body or government entity.

'What do you mean, Tony? Are you seriously trying to tell me that anyone can claim to be a cybersecurity professional? That there are no barriers to entry and that it effectively falls on the bullshit detector of an employer to determine if an individual claiming to be a cybersecurity professional is actually legit?'

Yes. Yes, that's right.

I was recently speaking with one of my friends in the legal space about cyber skills. While we were speaking, I shared with them the fact that in the world of cybersecurity, there is absolutely nothing preventing an individual who has never used a computer from legally referring to themselves as a 'cybersecurity professional'. At first, my lawyer friend was speechless. Once they understood the full ramifications of what I had just revealed, they replied with:

'I find it absolutely insane that there are no professional standards for the cyber security sector today'.

Coming from a highly regulated profession with a clearly defined pathway that all practising solicitors and barristers must undergo, this individual was incredulous that for persons working with and protecting vast amounts of sensitive information, there was no such defined pathway by which individuals could legitimately claim to be 'professionals' in this field.

Of course, this is the same field in which a Japanese government minister responsible for cyber security once proclaimed that he had 'never used a computer'. Maybe these things happen.

Surprise leads to harm

I have had similar conversations with individuals in other well-established professions. Accountants. Engineers. The trades such as electricians, plumbers and painters. There is always surprise.

A few of these non-cyber professionals, possessing the insight that you often have when you are not immersed in cyber security 24/7, have come back to me on the lack of professionalisation in the cyber workforce with comments such as 'well, at least we know why there are all these data breaches all the time'.

The 'Wild West' never ended; it just went online...

They certainly have a point.


Professionalising the cyber security sector to bring it in line with almost all other industries makes sense.

There has been some discussion around professionalisation in the cybersecurity space; why we need it; what it could look like and why it's important for national security and even national stability.

While the vast majority of industry players in the space, including government, IT industry bodies and the academic sector have recognised that the current laissez-faire approach is not an option going forward, a handful of vocal dissidents have popped up - including a large association of cyber security practitioners, enthusiasts and students that professes to act on behalf of the industry as a 'peak industry body'.

Such dissenters have voiced 'concern' that any professionalisation scheme:

  • could serve as a 'barrier to entry'
  • could 'worsen diversity'
  • could 'drive up resourcing costs'
  • will incur costs for individuals who might want to seek professional status.

At an individual level, the most common objection I hear isn't really an objection at all. It's a perspective wrapped up in the form of a question. I get asked: 'what's the problem you are trying to solve when you tell me we need to professionalise the profession?'.

My instinctual reaction when I hear these objections is to roll my eyes and wonder which so-called 'industry luminary' the person asking the question is parroting. But rather than go with instinct and yell 'bullshit', I am going to tackle each of these, one by one.

Let's begin.


Objection 1: 'Professionalisation will create a barrier to entry into cybersecurity'

I'll address this statement head on and in the clearest and most direct way possible.

The claim that any government-recognised or endorsed professionalisation scheme will act as a barrier to entry into the cybersecurity field is both categorically FALSE and based on ZERO evidence.

Let me elaborate.

No one promoting professionalisation is looking to prevent any individual from seeking a gainful career in cybersecurity. In fact, proponents of professionalisation know that we NEED more people in the field. Study after study after study shows there is a skills shortage in the sector.

However, every individual I am working with who supports some level of professionalisation strongly believes that any individual referring to themselves as a 'cyber security professional' should have an adequately assessed and independently accredited level of knowledge, skills, experience and competency, and should meet an industry code of conduct and code of ethics. Additionally, levels of competency should remain current.

This might sound like a big list. However, it's no different to the expectation most people hold of any other recognised profession. We all want the pilot flying the aircraft we are on to be an accredited pilot. We all want the doctor performing surgery on us to be an accredited doctor. We all want the electrician doing electrical work on our homes to be an accredited electrician. Ditto for plumbers, builders, engineers, nurses, teachers, lawyers and so on.

Some refer to accreditation as a 'barrier of entry'. This characterisation is false, misleading and disingenuous. You know what we can call it, though - a minimum level of professional standards that should be expected of any individual in any industry looking to call themselves a 'professional' in that industry.

Objection 2: 'Professionalisation will worsen diversity in cybersecurity'.

This claim is, frankly speaking, as misinformed as it is ridiculous.

The claim that professionalisation will 'worsen diversity' is a red herring designed to distract support away from well-intentioned and well-meaning individuals who are working extraordinarily hard to ensure that the cyber profession reflects modern and contemporary Australia in terms of gender, racial, cultural and demographic diversity.

The cyber security sector already suffers from chronically low levels of diversity today, in an environment where professionalisation does not exist. Female participation languishes somewhere between 15 and 30 percent, depending on the study and the methodology used. These claims that professionalisation could lead to worsening in diversity have no credibility.

In fact, I would argue the opposite - having an official professionalisation scheme sponsored by government, accepted by industry and aligned with by academia would provide aspiring cyber professionals certainty as to what is required to be considered a 'professional', regardless of background. Many women in cybersecurity report that they are discriminated against by men who have directed disparaging and/or untrue comments at their experience. Such a scheme would be useful to dispel and demolish any such arguments that backward-looking individuals in this sector could make about the experience required for cybersecurity professionals to call themselves that.

Objection 3: Professionalisation will 'drive up costs'

This assertion is an interesting one. The argument held by supporters of this belief centres on the reasoning that implementing a professionalisation scheme will result in costs associated with attaining and retaining a professional designation.

The short answer to this is 'well, duh!'. However, I wouldn't be doing myself any justice if I didn't explain this a bit further.

Let's explore why 'driving up costs' may not be that big a concern for individuals or employers.

  1. There are already a multitude of so-called 'cyber security courses' out in the market charging insane amounts of money with no backing in any standards-based approach, except for very slick marketing campaigns. A neighbour, considering a career in cybersecurity, balked at the $14,000 cost of a 6-week course, a ridiculously insane amount of money that was being charged by a private provider which is ostensibly connected to a university. So, they decided not to pursue this avenue. It took a conversation and some education on my part on the multitude of low-cost and standards-based resources available. Incidentally, the course my neighbour had investigated (and is now constantly getting hounded by the provider to sign up for) is one of many that commercial outfits calling themselves 'education providers' are flogging off with minimal to no industry recognition or value. If anything, professionalisation will drive down costs on this fact alone.
  2. Salaries and remuneration in the cybersecurity sector already feature in the top 10 list of occupations by salary - convince me that charging $100-$350 a year for a professionalisation scheme will change this.
  3. As described earlier, sectors which do have a professionalisation scheme are, by and large, no more or less 'costly' than others. Consider the average salary paid to registered nurses (between $80-90K), who are subject to a stringent accreditation scheme and, in the grand scheme of social importance, perform an occupation that is hugely vital to the well-being of everyday Australians. The same goes for countless other professions which are regulated.

Again, I would argue that a lack of professionalisation is in fact what drives up cost. Have you ever had to get involved in remediating a cyber incident after an individual or company holding themselves out as 'a cyber security company' has completely botched the process? Have you ever had to argue with an IT guy that cameras and corporate devices should not be on the same logical network and been called an 'idiot' for saying that? I have. I can also tell you that their clients are the ones who paid the price. The individuals concerned just end up finding another account to sell things to - rinse and repeat (with minimal to no recourse for the client).

A viable proposal to professionalise the Australian cyber security sector exists.

Professionalisation is an area which I have been involved with for 5+ years. In my previous role as the Director of Advocacy at ISC2, one of my roles was to devise a proposed professionalisation model for the U.K. cybersecurity workforce, based on the U.K. chartered accounting model. This lengthy paper contributed to the formation of the U.K. Cybersecurity Council who have now developed a formal professional registration scheme for the U.K. cyber security sector.

Following the work I undertook for the U.K. ecosystem, I developed a proposal for a scheme to professionalise the Australian cybersecurity sector in collaboration with Professor Jill Slay. This proposal incorporated concepts devised for the U.K. scheme such as internationally accepted ISO-standards based recognition, incorporating considerations and attributes required for an Australian context.

It was on the back of the proposal that Jill and I developed that the federally funded Australian Cyber Professionalisation Program was established. Phase 1 of this work was completed earlier in 2023. There is no doubt that the pending Federal Government 2030 Cybersecurity Strategy will consider this issue.

What can you do to assist?

It is in the personal and commercial interests of every single Australian cyber security practitioner and business to push to professionalise the industry. Professionalisation creates trust and confidence in our sector and gives the broader Australian business ecosystem the confidence to know that the cyber industry is operating responsibly, ethically and maturely.

I encourage you to push for a standards-based professionalisation scheme for cybersecurity professionals by doing the following:

  • Let the Federal Government know you want to see professional standards in the cybersecurity ecosystem in any cybersecurity, privacy or risk management discussion papers released by Federal Government departments such as Home Affairs and DISR.
  • Tell the board of directors at the Australian Information Security Association, an association that is purportedly seeking to advance the interests of the Australian security profession, that it needs to do a lot more in advocating for a professional standards scheme. AISA's own members agree in the majority that they want to see professional standards in cyber, yet it would appear the AISA board is functioning as a significant roadblock, given that AISA chose to withdraw from the ACSP.
  • Educate the company you work with that a lack of professional standards in cybersecurity is a problem that is significantly contributing to the deep skills and competency shortages we have in the sector.

In Conclusion

A lack of professional standards in the cybersecurity sector will continue to be problematic for the Australian economy. Developing and implementing a government-endorsed and promoted professionalisation scheme will go a long way to uplifting professional standards in the cybersecurity sector, addressing the skills and competency shortage in the sector, boosting national resilience to cybersecurity threats and ensuring a safer and more cyber secure Australia.


Important Note

This article represents the views and opinions of myself as an individual and does not represent the views of any entity I am associated with, affiliated with or employed by.

Timothy Clarkson

The Productivity Enabler | Could your business benefit from a productivity increase? Service more customers without adding additional staff.

1 year

Elliot Seeto, interesting - we spoke a bit about this the other day in relation to the IT industry in New Zealand also.

Damian Petruccelli

Managing Director | Qualified Practicing Insurance Broker

1 year

Banging on for years that our infamous MSPs in the IT industry (a very important sector) lack more ground support and arguably could have more health scarring than the likes of nurses in the field - but for another time. The cause of errors due to overworked technicians is abhorrent. The Cybercon23 convention confirmed to me as an insurance broker that we are so oversupplied with tools from other countries (geo), heaps of sales folk, but not enough true professionals to service. I came up through an era where Insurance Broking just needed enough accreditation in the early 90s; what I am proud of from my predecessors has changed with a voice like NIBA supporting our industry. APLs, Code of Conduct, Complaints Handling and Compliance minimum audit control is where the IT industry not only needs to regulate to set the pillars, but then run true education through universities, even high schools for those choosing an early different path (like the old TAFEs did for trades back in the day). The lack of activity is causing more risk, which inevitably concerns insurers, and as we develop our IT professionals (more learning, less churning) it will run the cowboys out of Dodge. Lots can be learned from the past, ain't that the truth.

I have nothing to add but "Well said!", Tony.

Aditya Sarangapani

Proven Information Security and Risk Management Leader | Board-Level Advisor on Governance, Risk, Compliance and Privacy | ISO 27001 | CISO | CISM | CDPSE | CISA | Shaping Secure and Resilient Enterprises Globally.

1 year

Tony Vizza Excellent post, and you addressed the points clearly. While I agree that #professionalstandards are the need of the hour, keeping it Australian or specific-country focused may not be the right way. Similar to pilots, it needs to be a global standard that is accepted by all countries, especially with the global impact of cyber security incidents. This way, any specific and critical help from a professional overseas can be sought without going through the delays associated with getting them accredited at that point. Taking a crude example to illustrate my point: I work with an organisation that has operations across the globe. When I am investigating an incident, will my expertise be disregarded when I present my findings just because I am not accredited with the accreditation agency in another country where the incident occurred? The alternative is to get accredited in every country, which can quickly add up costs (using your example of $300 a year: do that for 143 countries where the organisation operates and it is a significant chunk of change for each professional, and large organisations will have more than one).

Joe Cozzupoli

CISO Advisor | Cloud & Cybersecurity Strategist | Board Advisor | Tech Evangelist | Author | Mentor

1 year

I couldn't agree more and have views that I'd only be able to share offline unfortunately!
