A lack of professionals with cyber security expertise has been a longstanding dilemma within Australian organisations. This has been exacerbated over the past 12 months by the COVID-19 pandemic.
The pandemic has prompted cybercriminals to find opportunity in the chaos, crafting attacks to exploit people’s health and financial wellbeing concerns. Organisations also rapidly shifted their operating models to remote working without having the time for the security due diligence required.
In addition, organisations have been forced to accelerate their digital programs to either survive or take advantage of consumers shifting to spending money online rather than in physical storefronts. Unfortunately, this rapid adoption has outpaced security’s ability to keep up.
One thing the pandemic has highlighted is that cybersecurity teams can work remotely and still provide effective capabilities. Organisations that took rapid steps to ensure their security capabilities were tuned to operate remotely, and further honed over the following months, found ways to deliver effective security services. In particular, security monitoring and operations, policy development, security governance and reporting, security awareness and incident response can be provided via dispersed teams.
Gartner predicts that 30 per cent of all security teams will have increased the number of employees working remotely on a permanent basis by 2022.
This is a significant shift given security operations has predominantly been a physically “in the office” activity for decades. This requirement exacerbated the issue of security talent availability, which has contributed to long, open job requisitions, sometimes leading to third-party services and staff augmentations. This is often costly and the lack of personnel places a greater strain on existing staff.
The pandemic has proven that there is almost nothing that is being delivered in an office that can’t just as effectively be accomplished remotely, with the exception of interacting with physical equipment, such as security appliances in a data centre.
Gartner surveys show that 53 per cent of employees, in Australia and worldwide, want to work remotely some or all the time after the pandemic. Demand for security talent will continue to grow and remote work is one way to attract and retain key staff.
Opportunities emerging
In the aftermath of the pandemic, and as operations settle into whatever the new normal looks like, opportunities to help alleviate the struggles of finding and hiring security professionals begin to emerge, even as the demand for security talent continues to grow.
Australia’s Cyber Security Strategy 2020 is encouraging business and government to work together to find innovative ways to improve cyber security skills. Specifically, the Cyber Security Skills Partnership Innovation Fund, launched a few weeks ago, is dedicating $26.5 million towards this problem.
Organisations should consider adapting their security operating models, if they haven’t already, and expand the reach of their job advertising to gain access to candidates residing outside of their traditional recruitment geographies.
There will always be competition to attract top talent from large, well-funded organisations regardless of their security operating model, mainly due to their ability to pay higher salaries. This will continue to make it difficult for smaller, not-for-profit and public sector organisations to attract top talent. But there are things you can do to increase your chances.
Where to start
If you’re struggling to attract security talent, opening up the security role to permanently shift some functions to remote work may alleviate this challenge. This is primarily because it allows the organisation to access security talent previously deemed unavailable or unviable for recruitment due to being outside traditional hiring geographies.
Closely examine your current cyber security vacancies and determine which roles, in part or in their entirety, could be performed remotely. Also, review existing security processes to determine the viability of them being executed by personnel operating remotely, and where viable, be prepared to make adjustments to enable them to be performed remotely.
Continue to focus recruitment efforts on potential and general digital and security competencies, rather than seeking out specific security skills that “tick all the boxes” for a specific role and that only the rarest of talents possess.
In addition, focus on embedding a team culture that embraces and supports remote work to ensure those working away from the office permanently are part of an inclusive team environment. Make sure they don’t become excluded when it comes to internal opportunities, reassignments, training and/or promotions.
By adapting your team’s operating model to accommodate those working remotely, you’ll be better placed to retain top talent.
Richard Addiscott is a senior research director at Gartner. He works with information and cyber security leaders on improving security risk management maturity and outcomes, optimising organisational security risk postures, and demonstrating clear links between security and business outcomes.