We have a Cyber Security Talent issue in Western Australia, but the issue is not what you think...

We have a Cyber Talent issue in Western Australia (WA), but it's not a shortage; it's an entry-level opportunity and retention issue. For my entire career, no matter where in the world I have been working, the phrase "cyber security talent shortage" has been thrown around with no meaningful deep dive into the contributing factors or required actions. Go to any cyber security conference today and someone will no doubt have it plastered within their slides.

The challenge in WA is unique, but not uncommon: a small population (~2.7 million), an economic focus on rocks and crops, a small technology sector, low digital literacy amongst senior business leaders, IT teams who struggle to talk at the business risk level, an almost non-existent cyber risk appetite defined at businesses, and universities pumping out cyber security graduates at a rate of knots, supported by misrepresentation of the issues by the media. I have responded to countless catastrophic cyber incidents that resulted from a cowboy approach to risk (a cyber-attack won't happen to us, we're isolated in Perth), a lack of assurance over operating controls (green RAG reporting, everything is fine here, nothing to see here, move on) and, most importantly, the right person not being in the role. I can see the brick wall we are heading towards, but who is in the driver's seat?

We have a national imperative, underscored recently by the Russia/Ukraine conflict and our regional challenges, to increase our sovereign cyber security capability. Last week, the Australian Cyber Security Centre (ACSC) issued an advisory (updated 7 times, no less): Australian organisations should urgently adopt an enhanced cyber security posture. Most Australian businesses would not know who the ACSC are, let alone how to address the advisory and separate the signal from the noise within its content. If you look at the firmographics for WA, 97% of businesses are classified as small businesses. The question posited by a colleague in the industry was: should Australian businesses (the vast majority being small) be worried about indicators of compromise (threat intelligence) from a war so far away, or do we need to pay attention to the lack of maturity in foundational controls? What's more important? I personally believe we need to leverage this advisory to have real conversations about business priorities and risk. If you haven't worked it out by now, all WA businesses are digital businesses (thanks COVID-19) due to the push towards digital transformation and reliance on digital public or private services. We as a state are extremely exposed at the moment; don't let this be downplayed, just look at the $33 billion in reported cyber crime losses across the country (FY 2021). Very few businesses, as much as they would like to think they are, can call themselves an analogue business. In 2014 during an "all hands" call, a CEO from a bank I worked at said: "We employ over 80,000 staff in technology related roles, we are a technology company". This has stuck with me throughout my career, as I don't think we are there yet with this type of mentality in my hometown Perth and Australia, and it really shows.

When Phil Kearns AM (former Australian Rugby Captain) spoke at a UWA rugby luncheon a decade or so ago, a father in the crowd asked him an important question: "I have a child who wants to play for the Wallabies, can he do that from Western Australia?" The quick reply was no, he will have to move to the east coast. This is not too distant from what I have seen happen in the cyber security industry in Perth for a number of decades. Do we want to build a "Destination State" or a "Transit State"?

Last year (August 2021), during the Education and Health Standing Committee, WA Chief Scientist Peter Klinken proposed a merger of universities into a 'super-uni' that would potentially rank the State in the top 40-50 globally and may reduce the likelihood of potential future university closure. It's an insightful read and I urge business leaders to read through the discussion linked above. For cyber security in WA, I strongly support the merging of universities (be it two or four merged) and a standardised curriculum for cyber security that addresses the plethora of job opportunities on the subject matter (note: this is a far wider remit than the ASD Cyber Skills Framework). The quality of graduates differs vastly from university to university (and other tertiary institutions), and this is widely known amongst hiring managers. To add, a lot of students are drawn in by the allure of being a "hacker". I personally hate the term, as it provides a non-inclusive sense of what cyber security really is and, more importantly, what is required for a business to be successful in this area. Don't get me started on "hackers in hoodies" marketing.

Looking specifically at cyber security, when you add up state student intakes, research income, expenditure/expenses, capital expenditure and revenue across the 5 universities in WA, you can quickly appreciate the Chief Scientist's proposal, as the current trajectory is not sustainable when the significant majority of the talent then leaves the Big State. Some senior academic figures may argue about student choice, but I am more interested in a sustainable future of academic research, drawing business and talent to the state, and the ultimate outcome post study: a job in the WA cyber security market. This is why a Centre of Excellence for Cyber Security is essential in WA (not dissimilar to the Western Australian Academy of Performing Arts (WAAPA) model). This should be supported through a combined effort amongst all the tertiary education institutions, not one leading the pack with a high number of poor quality graduates.

If you would like to see how many students are fighting for a cyber security role in Perth, all you have to do is attend a Students of Cyber (SoC) monthly event, kindly coordinated by AustCyber WA Innovation Hub. It's a great opportunity for students to get an understanding of different career paths and to network with industry. In my own journey I was extremely fortunate to have a fantastic graduate programme at EY (Thanks Gav/Iain) after working in the EY IT department rolling out Windows XP across the firm. I also chose to work overseas for a number of years to follow my passion in cyber security and get access to opportunities not afforded in Australia. I have seen hard employment markets like the one we are witnessing now before: I landed in London in 2008 at the peak of the Global Financial Crisis and had to pivot from being a penetration tester into risk assurance. This was not my preference, but I needed to eat. Later in my career I was back in the penetration testing space, leading red teams on global engagements in financial services. Students: a cyber career is by no means linear, so don't get disenfranchised, stick at it.


My primary concern is the quality of outcome from education: once a student has completed their studies, what is the likelihood of landing an entry-level cyber security role (and/or some other academic research opportunity)? At the moment the likelihood in WA is, in my opinion, minimal to low. To put it bluntly, we are losing talent to other industries, other states or other countries because we set expectations for roles too high (3-5 years experience), yet we do not provide enough entry-level opportunities and provide only limited investment in graduate learning experiences. Students investing in their education only to be met, once they complete their course, with "you need to move state or change careers" does not sit well with me when there are gaping security holes in most organisations in WA and we keep calling out the "cyber security talent shortage". This issue is exacerbated even more by the addition of diversity, inclusion and equity challenges for graduate job seekers.

Another prevalent issue in WA is international students who have been sold the dream of the "cyber security talent shortage" in Australia and who come for education and work opportunities. To pick up one's life and move countries is probably one of the most stressful experiences out there; I have done this multiple times, and it is just as challenging as it is exciting. Once they complete the cyber security course, a high percentage are forced to leave Australia because they are not fortunate in finding local roles. The model is broken.

This is by no means an easy topic, and I do not have all the answers, but please do not scream about a talent shortage and then don't contribute to addressing the real entry level problems. We have attracted students to this industry on the premise of "finding a job in cyber security is easy", it's not. We have a duty to maximise the opportunities for graduates and one not to take lightly for the sake of national security.

If you are passionate about Western Australia and the cyber security industry please consider my call to action:

  1. If you are in charge of federal and state policy: Please remember there are 8 states and territories in Australia and they all don't reside on the east coast. For state policy, small business really needs your support in this sector; there is a lot more that can be done, especially in the startup space. There is a lot of talk of support, but from my perspective I've seen limited impact. (e.g. I competed with an outdoor cricket game for an innovation voucher, WTF)
  2. If you are a hiring manager: I urge you to create entry level cyber security roles and invest in our local talent pipeline;
  3. If you are a student: start building your work portfolio today and network your heart out at university with prospective employers; don't leave this until you finish your degree. Follow me on LinkedIn, each week I post "Interesting Perth Cyber Security Jobs" for entry-level opportunities, and most importantly for WA locals: attend a Students of Cyber monthly event;
  4. If you are a Western Australian business (public or private): give local business an opportunity to be included in the proposal/quotation process and support businesses that are truly focused on growing the local industry and talent.

This is my personal blog. The views expressed in these articles are mine alone and not those of my employer.

Akbar K.

Cyber Security Architect at UniSuper

2 years ago

Great article Michael W. as an international student I did have to move to the east coast to get my “entry-level” security role. A centre of excellence would be one way forward, but also outlining a career path for graduates, I certainly expected to just walk into a security gig straight out of uni.

Esther C.

Value Creator for resources and technology.

3 years ago

Maree Morrell

GRC | Privacy | OSINT | Security Awareness | Cyber Security

3 years ago

Great article Michael W. A cyber centre of excellence is a great idea. I would also like to see the Govt subsidising some sort of cyber apprenticeship scheme to help ease the bottleneck at entry level.

Himath Mathagadera

Computer and Networking Enthusiast.

3 years ago

Very well written, something I would like to add: Comp. Sci and Cyber Sec cohorts are filled with international students, yet Permanent Residency and Citizenship are required for any decent grad position. Furthermore, most of the hiring is being done via recruitment agencies who do not want to give a fresh graduate a shot at the role, they are more comfortable giving the job to a more experienced applicant since this will also save the reputation of their recruitment agency in case something goes wrong. The attitude of the applicant and the willingness to learn is not even considered.

Sam Hitchiner

CISO APAC - PC Security

3 years ago

I have always wondered if the Education talent pipeline would not be better served by treating the industry as a trade and using an apprenticeship model instead of or in addition to the existing.
