GG: So many cybersecurity jobs

Yes, but ironically there are few ‘qualified’ to fill them. It is not an area that traditional graduate computer scientists can walk into. It requires a mix of professional and personal skills that are not either easily or currently available via the usual undergrad courses.

Although Australia is responding. There are now about 13 Bachelor of IT Security degrees in Australia, but this goes nowhere near providing the finished work-ready talent needed to fill jobs. A graduate does not a cybersecurity expert make!

GG: According to Monster.com, fighting cybercrime takes a highly curious, if devious mind, high-level logic and programming skills. It is enhanced by exposure to white hat ethical hackers and cybersecurity professionals.

Yes and no. Cybersecurity Jobs fall into three categories

  • Stopping the cybercriminals getting in (defence)
  • Predicting future attack vectors (offence)
  • Managing the attack, determining losses, and minimising harm (management)

All three require different skill sets. Math is a good basis for some cybersecurity jobs but management for others.

Competent cybersecurity ‘experts’ are in such high demand that they frequently swap jobs to gain different exposure to different cybersecurity issues. Or they move to the lucrative ‘dark side’.

In the longer term, determined STEM graduates with strong math skills will be the primary source of raw material. Their education will require a mix of formal tertiary qualifications, on-the-job training, specialist certification short courses and exposure to the industry.

They will also need exposure to the underbelly of cybercrime (in a nice way, of course). That underbelly is driven by greed, money, deviousness, survival and a desire to rise above fellow cybercriminals. The only way to beat cybercrime is to think like them and be even badder (in a nice way, of course).

GG: We have seen some new titles emerging in the cybersecurity world. These have salaries over US$100,000

To my point – cybersecurity is a layered approach. These new jobs require new and distinctly different skill sets.

  • Penetration tester – ethical hackers who find ways into systems
  • Investigator – document the impact and what data was lost
  • Analyst – looks deeply at the attack vector used and code seeing how it got past defences
  • Engineer – the programmer that has to write code or patch systems to defend against hacks
  • Director – the person with their backside on the line managing cybersecurity people and resources – the big picture person
  • There is also a sub-speciality on cloud (versus on-premises) cybersecurity

The current problem for employment job sites is that these are lumped under ‘Information Technology or Computing’. It is high time to have a dedicated Cybersecurity category.

It is also a problem for prospective employers as they cannot rely on a ‘Bachelor of Cybersecurity‘ to fill all their needs. Sure it is a great start, but that is all.

GG: Cybersecurity education is still in its infancy with a lot of experts coming from the military.

Yes. If you came from Israel’s Unit 8200 or the United States’ National Security Agency or any state  SIGINT (Signal’s Intelligence unit), you were hot property. But as you can see, it takes more than ethical hackers. You need a multi-disciplinary team to have ‘bulletproof’ corporate and government cybersecurity.

While it is a broad statement, Universities have a way to go to produce work-ready cybersecurity graduates. It is not their fault but a system fault. Unis must follow the traditional research funding model and cybersecurity is not yet the new ‘black’. Finding a cure for cancer, climate change or feeding/watering the world is a higher priority.

In other respects, it is also hard to develop a new curriculum. It takes several years to build a new bachelor course. Then many more for employers to accept its bona fides, e.g. can the graduate be a cybersecurity expert from day one. It could take a decade to produce graduates with the right skills.

GG: Kaspersky has developed three ‘modules’ suitable for insertion in TAFE or University programs.

Yes and no. We have developed three ‘train-the-trainer’ modules that expose lecturers and professors to real-world cybersecurity issues so they can, in turn, use these new skills to train students.

We have one MOU with the Swinburne University of Technology. We have trained about 30 across different universities in the APAC region. Feedback has been great – new knowledge and new approaches.