The lack of skilled cyber security talent is a bigger challenge for companies in Australia than overseas, according to new research that also found high stress levels and inadequate supporting technologies are causing many workers to bolt after a data breach.
Fully 45 per cent of the Australian CISOs surveyed for Trellix’s newly released global study, The Mind of the CISO, said they had experienced “major” attrition from their security operations teams after a large security incident – slightly higher than the 43 per cent global figure.
In a workforce that has long struggled with the immense pressure of a ransomware attack or data breach, stressed-out CISOs face even more stress as they stare down potentially crippling cyber incidents without the staff they need.
There are signs that ongoing attrition is taking an even bigger toll on Australian companies, with 40 per cent of Australian CISOs saying that a lack of skilled talent was a primary challenge – well above the 34 per cent global figure.
This suggests Australia’s lingering cyber security skills gap – which will require 30,000 more cyber security staff by 2026 to fill – has made it harder to replace lost employees here than in many other countries.
“CISOs are operating in an extremely pressurised environment that has virtually no off-time,” said Trellix ANZ managing director Luke Power, “often leading to feelings of being unheard, invisible and unsupported.”
CISOs interviewed for the study likened the job to being a football goalkeeper, recounting the “absolute hell” and “pit in the stomach” when even a single cyber attack gets by corporate cyber security defences.
“You are a hero and held in high esteem and everything is hunky-dory until it’s not,” said the CISO of a UK financial services firm. “Your head is on the chopping block the moment there’s a problem.”
Keeping cool as cybercriminals turn up the heat
Even as CISOs wrestle with losing staff to burnout and stress, a new Surfshark analysis has found that Australia had the world’s fourth highest ‘cybercrime density’ last year – with 106 cyber crime victims per 1 million Internet users.
That was up 5 per cent on the previous year and nearly twice the density of fifth-place South Africa and sixth-ranking Greece, although Australia was well off the pace set by top-ranked UK (4371) and runner-up the US (1612).
The wide range of attack densities suggests that “hackers target some countries more than others”, Surfshark’s analysis notes, while pointing out that cyber crime currently costs the world around $1.79 million ($US1.18 million) per hour.
Despite the high stakes of today’s cyber crime environment, many CISOs surveyed for the Trellix report admitted using cyber security tools that are too fragmented, and too numerous, to provide an effective defence.
And while organisations allocate an average of 34 per cent of their IT budget to cyber security, that investment is predominantly targeted at network detection and response – which receives average funding of $10 million ($US6.65 million) per year as businesses forgo strategic investment to maintain the back-footed status quo.
Inadequate cyber security tools only exacerbate the problems caused by readily departing staff, warned Trellix’s Power, noting that “Australia has emerged as a highly vulnerable target for cybercriminals, and thus CISOs and their teams being ill-equipped to face cyberattacks is a recipe for further large-scale breaches.”
“Across every sector, immediate action must be taken in the fight against cybercriminals. By revolutionising the strategies of security operations teams, and by breaking down the barriers that prevent them from safeguarding critical data, we can move towards a safer future.”