Unlocking Cybersecurity Talent – There Are No Mythical Unicorns, But You Can Create Strong Diverse Teams
Posted: Wednesday, Jul 03


With AustCyber touting a shortfall of 16,000 cybersecurity professionals by 2026, the race to build the nation’s cybersecurity talent and capacity is on. Organisations of all sizes and across every industry vertical are trying to find skilled people to help protect their vital digital assets. But with entry-level positions now being paid in excess of $100,000, Australian companies are looking to maximise the return on that investment.

Setting Expectations

Hiring specialist resources in cybersecurity is like hiring specialist resources in construction. There is no single person who can fulfil every need. In construction you can’t have a carpenter, plumber, electrician and project manager in one person. The same applies to cybersecurity.

The mythical cybersecurity unicorn – someone that can manage the minutiae of data coming in from logs, understand business risks in detail, communicate them to your board and run your security education and awareness program – does not exist.  

To address the skill shortage in cybersecurity, we need to be specific about the capabilities we need. When building an internal cybersecurity team, organisations need to look at creative ways to attract, retain, nurture and train talent, and at the types of skills required to manage risk effectively. Some of this talent may be managed internally, while it may make sense to partner with external parties for other parts.

Improvise. Adapt. Overcome

While technical skills are valuable, communication, analysis and problem solving are just as important. And these are skills you’ll find within finance, HR, marketing and other disciplines. You may have already hired your next generation of cybersecurity professionals, without realising it. Rather than looking for people that have a specific background in cybersecurity, think about the skills you need to solve the problems and address the risks you have. Those skills will be transposable from other fields to cybersecurity.  

If your organisation is working to improve cybersecurity culture, your marketing team will have the skills to present the messages you want. Or if you want to detect anomalous information in a system log, you might find someone in your accounting team has an innate talent for seeing discrepancies in data.

In our ranks we have a great example of diverse talent and thought, with a former chef turned cybersecurity practitioner. Heidi is a great example of someone who forged one career path but held a curiosity for cybersecurity and decided to make a mid-life career pivot. Keep an open mind to individuals who have a strong desire to learn and can bring much life experience to the table. Consider developing and nurturing that interest, and invest in upskilling and cross-skilling.

This approach not only boosts your cybersecurity capability but helps to build relationships between the security team and business units. One of the most discussed issues in cybersecurity is the disconnect between technical and business teams. By bringing people from business units into your cybersecurity initiatives, you build bridges and forge relationships.  

Mercenaries Are Useful

There may be times when bringing in outside help is the best and most cost-effective way to boost your cybersecurity capability. External service providers can boost your capability without the need to go through protracted recruitment processes. Routine tasks such as log management or specialist activities such as penetration testing are good candidates for outsourcing.

As well as reducing the need for you to recruit specialist resources, outsourcing means you can invest your budgets in staff who can focus on strategic activities such as incident management and risk management, which require deep internal knowledge.

Summary

Finding, hiring and retaining cybersecurity professionals is hard. And like any other specialist industry, you need to find people with specific skills. In medicine we have endocrinologists, cardiologists, orthopaedic surgeons and other specialised fields. The same applies in cybersecurity. The skills you need to build a great cybersecurity team may already be in your organisation. Instead of looking for a unicorn, you may be able to create something better with what you already have.

Mark Jones
Highly experienced Cyber Security and Technology Risk expert with exceptional capabilities and credibility in all facets of Cyber Security management, governance and risk, with a proven ability to create and manage business relationships with a broad range of stakeholders. To support his experience, Mark has become a Certified Information Security Manager, a Certified Information Systems Security Professional, a member of the Australian Information Security Association, and an active contributor to the Information Systems Audit & Control Association and the International Information Systems Security Certification Consortium.