Fighting cybercrime – cybersecurity experts – will soon be one of the more sought after and lucrative careers on the planet. How do you get there?
Fact: Globally we don’t have enough cybersecurity experts fighting cybercrime – the bad guys are ahead on points. Cybersecurity spending is increasing at more than a trillion dollars each year.
Cybersecurity is the number one concern of any public-facing
organisation. Cybercrime damages may cost the world US$6 trillion annually by
2021. What is Australia doing to ensure we get the skills and experts needed
for fighting cybercrime?
In 2017, the Australian Government said that Australia would need another 11,000 cybersecurity specialists over the next decade. In 2018 AustCyber stated around 18,000 more cybersecurity professionals are needed by 2026. This shortfall would cost the nation more than $400 million in lost revenue and wages. Not to mention cybercrime losses.
How can we quickly breed the next generation skilled at fighting cybercrime?
GadgetGuy set out to see what Australia is doing to fill the cybersecurity gap.
If you look at global job advertisement figures from
Indeed.com, government estimates for skilled cybercrime fighters are woefully
Margrith Appelby, Kaspersky GM for Australia and New Zealand agreed,
Our big challenge in Australia is to quickly breed the next generation of cybersecurity experts or risk enterprise, state and even personal data used against us. We are the lucky country, and we need to protect that.
It’s a shame that there is such a limited talent pool in Australia. We are trying to help tertiary institutions address that – but that is a whole other discussion.
Fact: According to indeed.com cybersecurity jobs are in high demand.
In 2018 cybersecurity jobs in the US increased by over 7%. They are likely to grow at ‘double-digit’ rates soon. In places like Ireland and India that are building a huge tech sector, cybersecurity jobs were up 18%, and 37%. The US Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs there by 2021.
Importantly, Australian demand was up 11%. This shows we now recognise the threat and are serious about protecting our corporate, government and citizen’s data. The graph below is significant – it shows without exception that there are vastly more jobs than applicants.
The top organisations needing cybersecurity skills
The primary users are industries that deal with sensitive
information or run large online accessible database – the frequent targets of
Online shopping or services (Amazon, eBay etc.)
Government (Non-defense including electoral, social
security, medical, registries)
Not to mention the good guys. Cybersecurity companies are trying to bridge the gap between defence and offence.
We wanted to find out how we can train effective cybersecurity experts.
GadgetGuy spoke to Shan Loy, Kaspersky Academic Partnerships Manager for Asia/Pacific.
GG: Your title is ‘Academic Partnerships’. Tell me more?
Our founder Eugene Kaspersky is very vocal about cyber-immunity.
He has invested a lot into Academic Partnerships to help Unis and others
develop more experts at fighting cybercrime.
Cybersecurity is about two things. Traditionally it has been
about defence and protecting endpoints (computers, smartphones and IoT) via
firewalls, VPNs, passwords, anti-virus/malware and tools to reduce scams and ID
theft. Yet cybercrime flourishes, so we are all doing something wrong.
Kaspersky says we need switch direction and train for
‘offence’ – build cyber-immune platforms.
GG: So many cybersecurity jobs
Yes, but ironically there are few ‘qualified’ to fill them.
It is not an area that traditional graduate computer scientists can walk into.
It requires a mix of professional and personal skills that are not either
easily or currently available via the usual undergrad courses.
Although Australia is responding. There are now about 13 Bachelor of IT Security degrees in Australia, but this goes nowhere near providing the finished work-ready talent needed to fill jobs. A graduate does not a cybersecurity expert make!
GG: According to Monster.com, fighting cybercrime takes a highly curious, if devious mind, high-level logic and programming skills. It is enhanced by exposure to white hat ethical hackers and cybersecurity professionals.
Yes and no. Cybersecurity Jobs fall into three categories
Stopping the cybercriminals getting in (defence)
Predicting future attack vectors (offence)
Managing the attack, determining losses, and
minimising harm (management)
All three require different skill sets. Math is a good basis for some cybersecurity jobs but management for others.
Competent cybersecurity ‘experts’ are in such high demand
that they frequently swap jobs to gain different exposure to different
cybersecurity issues. Or they move to the lucrative ‘dark side’.
In the longer term, determined STEM graduates with strong
math skills will be the primary source of raw material. Their education will
require a mix of formal tertiary qualifications, on-the-job training, specialist
certification short courses and exposure to the industry.
They will also need exposure to the underbelly of cybercrime
(in a nice way, of course). That underbelly is driven by greed, money,
deviousness, survival and a desire to rise above fellow cybercriminals. The
only way to beat cybercrime is to think like them and be even badder (in a nice
way, of course).
To my point – cybersecurity is a layered approach. These new
jobs require new and distinctly different skill sets.
Penetration tester – ethical hackers who find
ways into systems
Investigator – document the impact and what data
Analyst – looks deeply at the attack vector used
and code seeing how it got past defences
Engineer – the programmer that has to write code
or patch systems to defend against hacks
Director – the person with their backside on the
line managing cybersecurity people and resources – the big picture person
There is also a sub-speciality on cloud (versus
The current problem for employment job sites is that these are lumped under ‘Information Technology or Computing’. It is high time to have a dedicated Cybersecurity category.
It is also a problem for prospective employers as they cannot rely on a ‘Bachelor of Cybersecurity‘ to fill all their needs. Sure it is a great start, but that is all.
GG: Cybersecurity education is still in its infancy with a lot of experts coming from the military.
Yes. If you came from Israel’s Unit 8200 or the United States’ National Security Agency or any state SIGINT (Signal’s Intelligence unit), you were hot property. But as you can see, it takes more than ethical hackers. You need a multi-disciplinary team to have ‘bulletproof’ corporate and government cybersecurity.
While it is a broad statement, Universities have a way to go
to produce work-ready cybersecurity graduates. It is not their fault but a
system fault. Unis must follow the traditional research funding model and
cybersecurity is not yet the new ‘black’. Finding a cure for cancer, climate
change or feeding/watering the world is a higher priority.
In other respects, it is also hard to develop a new curriculum. It takes several years to build a new bachelor course. Then many more for employers to accept its bona fides, e.g. can the graduate be a cybersecurity expert from day one. It could take a decade to produce graduates with the right skills.
GG: Kaspersky has developed three ‘modules’ suitable for insertion in TAFE or University programs.
Yes and no. We have developed three ‘train-the-trainer’
modules that expose lecturers and professors to real-world cybersecurity issues
so they can, in turn, use these new skills to train students.
We have one MOU with the Swinburne University of Technology. We have trained about 30 across different universities in the APAC region. Feedback has been great – new knowledge and new approaches.
We have other MOUs pending and interest from professional IT associations to run short-courses. That is a true industry/vendor partnership, and I would love to spend 24/7 spreading the word in this way. Kaspersky train-the-trainer Modules include:
Malware Reverse Engineering
An overview of how to dissect and analyse executables and
scripts, as well as understand what they do. This is a hands-on,
practice-oriented module enabling participants to learn how to analyse and
reverse engineer software/malware, avoid common software bugs exploited by
attackers and build better, more secure applications.
Incident Response and Digital Forensics
New and different cyberattacks happen every day. Someone
has to have the necessary skills to respond to security incidents, conduct an
initial live analysis of compromise, collect digital evidence in a forensically
sound environment and analyse that evidence to uncover the attack scenario.
Cyber Threat Intelligence and Cyber Threat Hunting
What are the modern attack tactics, techniques, and
procedures? Practical take-home skills in attack detection and investigation.
GG: A good start, but is this enough?
A good start, yes, but we need to sing out at the top of our
voices that countries, government, academia and industry must do more.
We need to shift public opinion from apathy to action. No
matter how loud Eugene Kaspersky shouts, it is going to take a paradigm shift
to answer the call.
Kaspersky runs a global Kaspersky Secure’ IT cup for students 18-26 year’s old. It focuses on different cybersecurity themes. The 2019 competition ( now closed) explores machine learning, Fintech and Automotive cybersecurity.
The top 40 entrants receive sponsored participation at our global
conference. The winner gets US$10,000.
Why do we do this? Well, it helps identify the top talent
coming through and gives us a fresh look at cybersecurity issues that may help
shape the future.
You can read more about RMIT Universities pilot program to participate in the Kaspersky SecureIT Cup here.
GG: Last Words on Fighting Cybercrime?
To quote Eugene Kaspersky, “There’s no nation in the world
that has enough cybersecurity specialists. If you have any opportunity to
advise your governments or anyone to invest more in education in your
countries, please do!”
Eugene’s Q&A session at INSEAD is below