As Australia aspires to become the global leader in cybersecurity by 2030, new data reveals where Australian cybersecurity professionals need to catch up to international counterparts. 

In Oceania, higher levels of understaffing (65%); somewhat or significantly underfunded cybersecurity budgets (61%); and lower confidence in their organisation’s ability to detect and respond to cyber threats (only 36% are completely or very confident), have been revealed in ISACA’s annual research report, State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources and Cyberoperations.

Interestingly, only 42% of respondents in Oceania say their organisation conducts a cyber-risk assessment at least annually – compared to 43% in 2022 – despite 56% reporting an increase in attacks over the past twelve months.

Globally, the ninth annual survey reveals soft skills, cloud computing, and security controls are emerging as the most significant skills gaps in today's cybersecurity professionals.

Jo Stewart-Rattray, Oceania Ambassador, ISACA, says the State of Cybersecurity research has been highly anticipated considering the escalating threat landscape experienced in our region over the past twelve months.

“It is concerning that 65% of cybersecurity leaders in the region said their teams remain understaffed, considering 93% say they are experiencing the same or increased number of attacks compared to a year ago,” adds Stewart-Rattray.

Among those with cybersecurity positions open in their organisations, 51% of respondents have job openings for non-entry level roles, compared to 19% with job openings for entry-level positions. Oceania sits just behind India and alongside Africa, anticipating an 82% increase in demand for technical cyber professionals over the next year.

“Under-staffing remains a critical issue facing the sector, and it’s time for organisations to create real change by re-considering hiring practices and increasing opportunities for entry-level positions and training up staff,” she says.

“A key element of the Australian Federal Government’s newly announced ‘six cyber shields’ is to ensure cybersecurity is a desirable profession for young people. ISACA’s research indicates 58% of organisations don’t require entry-level applicants to hold a University degree.”

“As a sector, we must therefore ensure mentoring and other methods of training, support and incentives are escalated so young people, and those transitioning from other sectors, feel equipped to pursue a cyber career and supported to remain in one.”

The research indicates some strides have been made in addressing employee retention, but it continues to be challenging. Over half of cybersecurity leaders in Oceania (70%) say they have difficulty retaining qualified cybersecurity professionals.

This is despite the benefits offered to cybersecurity pros increasing. In Oceania, university tuition reimbursement is 15% (compared to 9% in 2022), recruitment bonuses are 21% (compared to 13% in 2022), and reimbursement of certification fees is 58% (up from 55% in 2022).  

When hiring, respondents in Oceania say they are looking for the following top five technical skills in cybersecurity pros: identity and access management (58% vs. 49% globally); incident response (55% vs. 44% globally); data protection (50% vs 44% globally); cloud computing (45% vs 48% globally); DevSecOps (35% vs 36% globally).

When looking at soft skills, critical thinking (62%), communication (59%), problem-solving (50%), teamwork (49%) and attention to detail (43%) come in as the top five skills employers are seeking in cybersecurity job candidates. The skills of empathy (17%) and honesty (13%) came in lower importance, a noteworthy finding given that 78% of respondents in Oceania believe organisations under-report cybercrime.

Respondents examined where cybersecurity professionals in Oceania are lacking—citing soft skills (69%), cloud computing (47%), security controls (45%), networking-related topics (30%), data-related topics (27%) and coding skills (25%) as being the most significant skills gaps.

To mitigate these technical skills gaps, respondents indicate their top three approaches are training non-security staff who are interested in moving into security roles (56%), increasing the usage of contract employees or outside consultants (44%), and offering apprenticeships/internships (22%). When addressing non-technical skills gaps, organisations are leveraging online learning websites (47%), mentoring (40%) and corporate training events (33%).

When looking at the cybersecurity threat landscape, 93% of Oceania respondents reported the same or increased cybersecurity attacks, compared to only 8% who reported fewer attacks. Despite this, only 36% of respondents are confident that their organisation can detect and respond to an attack.

The top three attack concerns in Oceania remain the same as last year - enterprise reputation (86%), data breach concerns (70%) and supply chain disruptions (55%).

82% of survey respondents in Oceania say demand for technical cybersecurity individual contributors will increase next year, and half (51%) expect an increased demand for cybersecurity managers. Over half (59%) believe that cybersecurity budgets will slightly increase in the coming year. 

 “The cybersecurity workforce faces a significant talent gap. Adobe believes that great talent can come from anywhere and sustained investment both by our industry and governments worldwide will be critical to developing a diverse pipeline of talent to help us all address this growing gap,” says Maarten Van Horenbeeck, senior vice president and chief security officer at Adobe. 

“This is especially critical when it comes to being able to respond to the evolving complexity and ingenuity in the cybersecurity threat landscape, accelerated by AI technologies.”