Welcome to the second blog in our series which discusses the Cyber National Assessment Program for Skills & Employment (CYNAPSE) led by FifthDomain. In this blog, we delve deeper into the long-term diversity of the Australian cyber workforce and how the CYNAPSE program will contribute to that goal. Matt, CEO and founder of FifthDomain, sheds light on the challenges the industry faces in terms of the cyber skills shortage and how CYNAPSE aims to address these issues. Through this blog, we gain insight into the anticipated outcome of the CYNAPSE program and how it will benefit the Australian cyber industry in the long run. Let’s dive into the details with Matt as he shares his vision for a more diverse and skilled cyber workforce in Australia.
Looking long term, the cyber industry is expected to benefit greatly from diversity. By tapping into a wider pool of potential talent within the Australian population, the industry can give individuals an entry point to experience cyber operations and potentially transition into a career in cyber, addressing Australia’s cyber workforce gap. This provides employers with improved cyber capability and more tailored learning pathways into the cyber workforce. FifthDomain’s platform enables users to track their cyber operations skills performance, monitoring speed and accuracy across different cyber operations tasks, similar to how an athlete might track their performance in order to improve. The platform data can then be provided to SOC managers and hiring managers who can identify areas where applicants can improve their skills through training activities. Cyberspace is rapidly growing, but the nature of cyber still remains opaque; there is still so much we can all learn.
Within the current cyber workforce, there are both positive and negative developments that have been observed by FifthDomain. One of the negative trends is the emergence of cyber service providers who may overstate the capabilities of their teams. These providers might be small or medium-sized businesses that lack the knowledge, infrastructure, and experience to differentiate between good and bad cybersecurity practices. Another challenge arises when businesses pay for these cyber services and assume that everything is fine as long as they don’t hear from the security provider. However, this approach may not always work, as security measures are put in place to prevent incidents and sometimes these measures may not detect initial issues.
To address this issue, consumers need an objective way to evaluate cybersecurity service providers’ skills and performance. This would enable consumers to make informed decisions and understand the risks involved. It would also be a significant boost for the industry as a whole. By having access to such data, consumers can better understand the quality of service they are paying for and can make informed decisions about which cybersecurity provider to use.
A key industry insight within the cyber security industry is that having a formal qualification isn’t always an indicator of an applicant’s capabilities and skills. Many operators are self-taught enthusiasts, gaining skills by watching YouTube videos, researching techniques, and setting up their own home cyber lab environment. Therefore hiring managers would be better served by cyber skills assessments than relying on qualifications listed on a resume.
In the software development industry, software developers often link their GitHub repo as part of their resumes so that employers can assess their coding and writing skills. This is almost like a portfolio of their work. Similarly, using FifthDomain’s platform, cyber security applicants build their own portfolios that showcase what the applicant has done, how they have done it, and what they have learned from it. A key part of the hiring process is understanding what the applicant has learned.
Another key, industry insight is that people who excel in a lab environment are not always great at writing resumes or interviewing. Some hiring managers suggest interviewing cyber operators via chat to avert this issue. Many people use chat environments for communication, even in the workplace. In the hunt for people with cyber skills, it is essential to recognise how people process information, perform tasks, and communicate differently. It is crucial not to judge applicants for something they may not be required to do on the job such as writing selection criteria. Everyone has innate biases that can affect the hiring process. For example, a hiring manager might prefer a candidate who attended the same university as they did. In an industry where people are often self-taught, such biases can lead to a preference for certain candidates and unfair treatment of others with comparable or even superior skills. It is crucial to recognise and eliminate biases during the hiring process to ensure fairness and objectivity.
There is currently a talent shortage within cyber organisations, which has led to the emergence of cyber academies and consulting companies with their own branded cyber academy programs. The primary issue is exposing inexperienced individuals to complex cyber situations with complicated technologies under time pressure, where decisions have real risk consequences, in order to replicate real-life scenarios. Cyber operators are similar to first responders in firefighting and policing, dealing with dangers and complexities, requiring knowledge and experience to succeed. Some individuals thrive in this type of environment, while others cannot handle the pressure. The CYNAPSE program harnesses the talents of those who excel in such situations, assessing skills and approaches for the role. While it is impossible to know everything about technology, it is essential to recognise that a job in cyber security operations is more akin to working as a first responder.
The recruiting situation in cyber security is not yet at a crisis level, but it poses significant challenges, particularly in terms of employee remuneration. Larger organisations that can afford to offer high salaries are in a talent rush, while smaller and medium-sized businesses struggle to compete. Junior employees who are fresh out of university may be hired at a high pay grade, even if they lack the necessary skill set, while their skill set develops over the next few years. To address this, it is crucial to tap into previously overlooked talent pools. The education sector is establishing private academies, and there is a large pipeline of talent, but it is essential to train and find individuals with the right mindset to work on the frontline of cyberspace operations. The work environment in cyber operations requires resilient individuals who can remain calm and respond at any time, particularly during crises.