Micro-Credentialling Helps Plug Australia’s Cyber Skills Gap


By Staff Writer

On the back of continued attacks and growing cybersecurity awareness, the cybersecurity industry is expanding fast. But the industry’s capacity to meet the demand for its services is constrained by a severe shortage of skilled workers.

The cybersecurity industry in Australia directly employed approximately 26,500 people in 2020. That’s tipped to grow by 7,000 by 2024. The Australian Government has nominated the skills shortage as a potential barrier to shoring up the country’s cybersecurity defences.

Australia’s 2020 Cyber Security Strategy flagged the problem, with the Government committing millions of dollars via the Cyber Security National Workforce Growth Program to address the skills shortage.

But medium to long term strategies do little to address the skills shortage now. The lack of clarity around pathways to a career in cybersecurity exacerbates the issue. However, micro-credentialing, short upskilling courses, and remote learning could provide a solution or stopgap.

“We have a huge demand in Australia for cybersecurity professionals,” says Dr Rebecca Vivian from the University of Adelaide’s School of Computer Science. “Cybersecurity roles are so diverse. You don’t necessarily need a technical background to work in the field. You could have a marketing background, or a law background, and add that layer of a cybersecurity micro-course, online course, or some sort of training, to add strength to what you are doing.”

While many cybersecurity short courses are free, and the knowledge learnt can be useful, payment of a fee usually results in a verifiable credential.

“It’s a nice way to demonstrate to employers you’ve been learning in the area,” said Dr Vivian. “You are seeing that demand creeping into businesses and all kinds of industries. Everyone needs to know about cybersecurity now, and education can play that critical role.”

Dr Vivian also sees short courses as a backdoor into the cybersecurity industry, particularly for professionals working in other industries. She says they can also be pathways into a formal diploma or degree. A six-week self-paced course at home also offers a potential cybersecurity industry employee a handy taster of what the industry is really like.

“There are a number of courses on cybersecurity; we call them MOOCs – massive open online courses, anyone can go and enrol and learn about cybersecurity.”

The Australian Signals Directorate (ASD) needs cybersecurity workers with specific skills. They have six grades of cybersecurity knowledge; a learner who has some knowledge, the novice who understands cybersecurity requirements, the practitioner who can apply the knowledge and requirements, the senior practitioner who can enable, the principal practitioner who can advise on cybersecurity, and the expert practitioner who can do all of the above as well as initiate cybersecurity procedures.

The ASD’s grades may be more than the average business or organisation needs, but it provides a valuable framework for cybersecurity roles in an industry that largely lacks frameworks and clear pathways to entry.

Adding a layer of complexity to workforce shortages and the growing cybersecurity threat is the rise of remote working. An Australian Government Institute of Family Studies survey conducted in June found 67% of respondents now worked remotely some or all of the time.

It is a catch-22 for the industry because remote working raises cybersecurity risks in most businesses and organisations. But remote working makes cybersecurity industry recruitment and formal learning harder and more challenging to manage.

However, remote working can slot in nicely with short online learning, especially if it is self-directed and self-paced. Remote working often allows for more flexibility than working in the office, making education a more viable option. It potentially elevates the role of micro-courses within the cybersecurity industry.

Dr Vivian says the demand is there for cybersecurity short courses, and there’s a growing number on offer. “It’s a nice way to have a short, more informal style of course,” she says. “But you are also building the skills you can apply in any sort of professional context.

She argues the cybersecurity industry is far broader than many assume. It goes beyond the technical and analytical roles. Consequently, there are many ways to enter the industry, and sometimes people need to think outside the box.

And that may be worth doing. The cybersecurity industry generated approximately $5.6 billion in Australia last year and is expected to grow to $7.6 billion by 2024. The average salary in the industry is around $90,000.

“There are a lot of different roles,” said Dr Vivian. “You could be combining your law hat, your policy hat, your medical hat… but by upskilling in cybersecurity, you’ll have the language to participate and inject diverse perspectives.”

Not-for-profit body AustCyber identified a critical shortage of nearly 18,000 people cybersecurity specialists in 2020. They also argue education and training is the answer.

Like the ASD, AustCyber has also documented a framework that describes and classifies the cybersecurity industry and its workers, attempting to bring some order to a young and untidy industry.

AustCyber groups cybersecurity work functions into seven categories. They further break down specialist functions into 33 types and work roles into 52 types. Each role has specific tasks and skills.

These frameworks provide, to say, a budding exploitation analyst, some sort of formal guidance in terms of the training and education required. The previous lack of documented guidance and framework is arguably one reason why the current skills shortage exists.

Dr Vivian thinks Australia’s cybersecurity workforce numbers will catch up, but it needs to be addressed through various pathways. She thinks upskilling the existing workforce through micro-courses and in-house training is one of those pathways.

But Rebecca Vivian also has an ace up her sleeve. Among other things, she is heavily involved in educating primary school-aged kids and their teachers about IT.

Down the track, a whole generation of cyber-savvy school kids will enter the workforce. They’ll have grown up as cybersecurity natives. For them, cybersecurity will be just another end of school option. Worse comes to the worse; they’ll sort everything out when they grow up.

MySecurity Media is an official partner with AustCyber’s Australian Cyber Week 2021 Virtual Conference between 25-29 October.