Overconfident Australian technology leaders believe they are much better at protecting their companies’ networks from cybercriminals than statistics suggest, according to new figures that indicate many companies simply don’t have all the security skills they need.

Asked to rate their company’s IT security capabilities on a scale of 1 to 10, 65 per cent of the CxOs surveyed by specialised recruitment firm Robert Half gave their companies a score of 8 or higher.

Only one in 10 executives rated their company’s cyber security defences a 5 or lower.

The figures raise questions for Robert Half director Andrew Brushfield, who warned that “the rapid uptake of remote technologies has exposed growing gaps in cyber security, data exposure and user error.”

“While Australian leaders are confident in their companies’ existing capabilities,” he said, “to stay protected, businesses must evolve their cyber security talent pipeline and expertise in line with evolving cyber security threats.”

Despite their strong confidence in overall security protections, executives were less optimistic that they have enough skilled cyber security staff – with just 63 per cent of respondents confident that they have all of the necessary skillsets to mitigate known and unknown security threats.

More than a third of CIOs (36 per cent) believe they have some of the skills they need, with around a quarter of respondents identifying their key areas of deficiency as network security, security architecture, cloud security, and data privacy.

These shortfalls could foster serious problems down the track, with recent high-level government reports suggesting companies aren’t as good at keeping up with attackers as their executives believe.

The newly updated Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report, for one, noted that volumes of cyber attacks had increased by 13 per cent in the last year alone – with more incidents with ‘substantial’ impact due to the “increased complexity and sophistication of [cybercriminal] operations.”

Similarly, the latest half-year report from the Office of the Australian Information Commissioner (OAIC) noted that the percentage of data breaches caused by malicious attacks increased from 57 per cent in the second half of 2020 to 65 per cent in the first half of this year.

Australian companies are expected to have “appropriate internal practices, procedures and systems”, Australian information commissioner and privacy commissioner Angelene Falk said, to prevent data breaches and business interruption from ransomware attacks that surged by 24 per cent during the half-year.

Finding staff

Implementing and policing those procedures, however, requires suitably skilled staff – and it’s in sourcing and developing them, Brushfield said, that many companies are failing to keep up.

“Demand for the niche skillsets required for an effective security strategy is significantly outpacing supply,” he explained, “so companies need to prioritise internal training and upskilling to sustain their talent pipeline into 2022.”

Sourcing appropriate talent from external agencies will be a crucial part of that pipeline, with 65 per cent of Asia-Pacific respondents to a recent Sophos global survey admitting that the attacks targeting their organisation were too advanced for them to deal with on their own.

Pressure to keep up with growing cyber security attacks had pushed many teams to improve their internal cyber security skills and knowledge, Sophos noted, with 72 per cent of IT teams reporting that they had done so – but 55 per cent saying they were also likely to source additional IT staff from outside the organisation by 2023.

Competition for critical cyber security skills has intensified as managed and cloud service providers hoover up available cyber security professionals to bulk out their ranks.

Macquarie Telecom Group, for one, recently announced that it now has more than 200 government-cleared security staff on its books – double the number it had just a year ago.

The certifications allow employees to deal with SECRET level government resources, enabling them to protect government data and departments from attacks that are, managing director Aidan Tudehope said, “far more frequent than what we see in enterprise settings.”

As a trusted supplier to government, he said, “we see it as our responsibility to invest in the sovereign skills and security clearances needed to provide the Commonwealth with the level of capability that is required to support this vital national asset.”