Fighting cybercrime – cybersecurity experts – will soon be one of the more sought after and lucrative careers on the planet. How do you get there?

Fact: Globally we don’t have enough cybersecurity experts fighting cybercrime – the bad guys are ahead on points. Cybersecurity spending is increasing at more than a trillion dollars each year.

Cybersecurity is the number one concern of any public-facing organisation. Cybercrime damages may cost the world US$6 trillion annually by 2021. What is Australia doing to ensure we get the skills and experts needed for fighting cybercrime?

In 2017, the Australian Government said that Australia would need another 11,000 cybersecurity specialists over the next decade. In 2018 AustCyber stated around 18,000 more cybersecurity professionals are needed by 2026. This shortfall would cost the nation more than $400 million in lost revenue and wages. Not to mention cybercrime losses.

How can we quickly breed the next generation skilled at fighting cybercrime?

GadgetGuy set out to see what Australia is doing to fill the cybersecurity gap.

If you look at global job advertisement figures from Indeed.com, government estimates for skilled cybercrime fighters are woefully low.

Margrith Appelby, Kaspersky GM for Australia and New Zealand agreed,

Our big challenge in Australia is to quickly breed the next generation of cybersecurity experts or risk enterprise, state and even personal data used against us. We are the lucky country, and we need to protect that.

It’s a shame that there is such a limited talent pool in Australia. We are trying to help tertiary institutions address that – but that is a whole other discussion.

 Margrith Appleby
Margrith Appleby, GM Kaspersky Australia

Fact: According to indeed.com cybersecurity jobs are in high demand.

In 2018 cybersecurity jobs in the US increased by over 7%. They are likely to grow at ‘double-digit’ rates soon. In places like Ireland and India that are building a huge tech sector, cybersecurity jobs were up 18%, and 37%. The US Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs there by 2021.

Importantly, Australian demand was up 11%. This shows we now recognise the threat and are serious about protecting our corporate, government and citizen’s data. The graph below is significant – it shows without exception that there are vastly more jobs than applicants.

Fighting Cybercrime job stats

The top organisations needing cybersecurity skills

The primary users are industries that deal with sensitive information or run large online accessible database – the frequent targets of cybercriminals.

  • Banking/Finance/Insurance
  • Online shopping or services (Amazon, eBay etc.)
  • Information Technology/Management
  • Government (Defence)
  • Government (Non-defense including electoral, social security, medical, registries)
  • Consulting/Professional Services

Not to mention the good guys. Cybersecurity companies are trying to bridge the gap between defence and offence.

We wanted to find out how we can train effective cybersecurity experts.

GadgetGuy spoke to Shan Loy, Kaspersky Academic Partnerships Manager for Asia/Pacific.

Fighting cybercrime
Kaspersky’s Shan Loy

GG: Your title is ‘Academic Partnerships’. Tell me more?

Our founder Eugene Kaspersky is very vocal about cyber-immunity. He has invested a lot into Academic Partnerships to help Unis and others develop more experts at fighting cybercrime.

Eugene Kaspersky addresses academia on Cyber-immunity

Cybersecurity is about two things. Traditionally it has been about defence and protecting endpoints (computers, smartphones and IoT) via firewalls, VPNs, passwords, anti-virus/malware and tools to reduce scams and ID theft. Yet cybercrime flourishes, so we are all doing something wrong.

Kaspersky says we need switch direction and train for ‘offence’ – build cyber-immune platforms.

GG: So many cybersecurity jobs

Yes, but ironically there are few ‘qualified’ to fill them. It is not an area that traditional graduate computer scientists can walk into. It requires a mix of professional and personal skills that are not either easily or currently available via the usual undergrad courses.

Although Australia is responding. There are now about 13 Bachelor of IT Security degrees in Australia, but this goes nowhere near providing the finished work-ready talent needed to fill jobs. A graduate does not a cybersecurity expert make!

GG: According to Monster.com, fighting cybercrime takes a highly curious, if devious mind, high-level logic and programming skills. It is enhanced by exposure to white hat ethical hackers and cybersecurity professionals.

Yes and no. Cybersecurity Jobs fall into three categories

  • Stopping the cybercriminals getting in (defence)
  • Predicting future attack vectors (offence)
  • Managing the attack, determining losses, and minimising harm (management)

All three require different skill sets. Math is a good basis for some cybersecurity jobs but management for others.

Competent cybersecurity ‘experts’ are in such high demand that they frequently swap jobs to gain different exposure to different cybersecurity issues. Or they move to the lucrative ‘dark side’.

In the longer term, determined STEM graduates with strong math skills will be the primary source of raw material. Their education will require a mix of formal tertiary qualifications, on-the-job training, specialist certification short courses and exposure to the industry.

They will also need exposure to the underbelly of cybercrime (in a nice way, of course). That underbelly is driven by greed, money, deviousness, survival and a desire to rise above fellow cybercriminals. The only way to beat cybercrime is to think like them and be even badder (in a nice way, of course).

GG: We have seen some new titles emerging in the cybersecurity world. These have salaries over US$100,000

To my point – cybersecurity is a layered approach. These new jobs require new and distinctly different skill sets.

  • Penetration tester – ethical hackers who find ways into systems
  • Investigator – document the impact and what data was lost
  • Analyst – looks deeply at the attack vector used and code seeing how it got past defences
  • Engineer – the programmer that has to write code or patch systems to defend against hacks
  • Director – the person with their backside on the line managing cybersecurity people and resources – the big picture person
  • There is also a sub-speciality on cloud (versus on-premises) cybersecurity

The current problem for employment job sites is that these are lumped under ‘Information Technology or Computing’. It is high time to have a dedicated Cybersecurity category.

It is also a problem for prospective employers as they cannot rely on a ‘Bachelor of Cybersecurity‘ to fill all their needs. Sure it is a great start, but that is all.

GG: Cybersecurity education is still in its infancy with a lot of experts coming from the military.

Yes. If you came from Israel’s Unit 8200 or the United States’ National Security Agency or any state  SIGINT (Signal’s Intelligence unit), you were hot property. But as you can see, it takes more than ethical hackers. You need a multi-disciplinary team to have ‘bulletproof’ corporate and government cybersecurity.

While it is a broad statement, Universities have a way to go to produce work-ready cybersecurity graduates. It is not their fault but a system fault. Unis must follow the traditional research funding model and cybersecurity is not yet the new ‘black’. Finding a cure for cancer, climate change or feeding/watering the world is a higher priority.

In other respects, it is also hard to develop a new curriculum. It takes several years to build a new bachelor course. Then many more for employers to accept its bona fides, e.g. can the graduate be a cybersecurity expert from day one. It could take a decade to produce graduates with the right skills.

GG: Kaspersky has developed three ‘modules’ suitable for insertion in TAFE or University programs.

Yes and no. We have developed three ‘train-the-trainer’ modules that expose lecturers and professors to real-world cybersecurity issues so they can, in turn, use these new skills to train students.

We have one MOU with the Swinburne University of Technology. We have trained about 30 across different universities in the APAC region. Feedback has been great – new knowledge and new approaches.

We have other MOUs pending and interest from professional IT associations to run short-courses. That is a true industry/vendor partnership, and I would love to spend 24/7 spreading the word in this way. Kaspersky train-the-trainer Modules include:

Malware Reverse Engineering

An overview of how to dissect and analyse executables and scripts, as well as understand what they do. This is a hands-on, practice-oriented module enabling participants to learn how to analyse and reverse engineer software/malware, avoid common software bugs exploited by attackers and build better, more secure applications.

Incident Response and Digital Forensics

New and different cyberattacks happen every day. Someone has to have the necessary skills to respond to security incidents, conduct an initial live analysis of compromise, collect digital evidence in a forensically sound environment and analyse that evidence to uncover the attack scenario.

Cyber Threat Intelligence and Cyber Threat Hunting

What are the modern attack tactics, techniques, and procedures? Practical take-home skills in attack detection and investigation.

GG: A good start, but is this enough?

A good start, yes, but we need to sing out at the top of our voices that countries, government, academia and industry must do more.

We need to shift public opinion from apathy to action. No matter how loud Eugene Kaspersky shouts, it is going to take a paradigm shift to answer the call.

Kaspersky runs a global Kaspersky Secure’ IT cup for students 18-26 year’s old. It focuses on different cybersecurity themes. The 2019 competition ( now closed) explores machine learning, Fintech and Automotive cybersecurity.

Fighting cybercrime

The top 40 entrants receive sponsored participation at our global conference. The winner gets US$10,000.

Why do we do this? Well, it helps identify the top talent coming through and gives us a fresh look at cybersecurity issues that may help shape the future.

You can read more about RMIT Universities pilot program to participate in the Kaspersky SecureIT Cup here.

GG: Last Words on Fighting Cybercrime?

To quote Eugene Kaspersky, “There’s no nation in the world that has enough cybersecurity specialists. If you have any opportunity to advise your governments or anyone to invest more in education in your countries, please do!”

Eugene’s Q&A session at INSEAD is below