There's a massive and expanding gap in the global information security workforce, which by 2020 will see a huge deficit of as many as 1.5 million workers.

That's according to (ISC)2's latest publication in its series of Global Information Security Workforce Study research papers [pdf].
The 1.5 million figure is an astoundingly big number given the expansion of new consumer markets into online connectedness where infosec hasn’t been needed before - such as the aviation and automotive industries - and it begs the question as to what we can do about getting more people skilled up and working in this sector.
The impending launch of the fourth annual Cyber Security Challenge is a great step forward in the effort to bridge the gap.
This year’s competition pits the wits of 250 of Australia’s best and brightest infosec students (working in 60 teams) against a series of challenges designed to test their practical and theoretical security knowledge.
Teams will be expected to conduct penetration tests and forensic analysis on specially designed computer systems where there are a number of vulnerabilities to discover and malicious activity to find and eradicate.
There is one primary challenge that contains a number of interconnected activities, as well as a variety of linked challenges that test candidates’ understanding of web application testing, cryptographic systems, and techniques such as password cracking.
Historically, hacking competitions have been around a lot longer than we in Australia have been doing them, emerging as a US government initiative that also focused on hacking and penetration testing.
Australia and the UK kicked off annual challenges around the same timeframe, about four years ago, with both nations having a similar governance structure, under the stewardship of the PM&C office here in Australia and the Cabinet Office in the UK.
Not surprisingly, both competitions work closely with the respective government’s cyber security technical authority: ASD in Australia and Government Communications Headquarters (GCHQ) in the UK.
The main difference between the two challenges is that of scale. Since the UK competition is open to anyone who wants to have a go (rather than university teams), it clearly gets more entrants. The UK competition is also split into a variety of streams that run all year, with challenges running each calendar month in different areas of focus.
Two minds are better than one
Collaboration between those nations running cyber security challenges is needed to bridge the impending infosec skills gap.
An international competition run across a few different countries would boost awareness, while adopting some of the features of the UK challenge locally would open our own competition to more entrants and keep interest up by running the challenge for longer.
Australia's competition has grown from 40 to 250 participants in its four years of operation, while the UK has seen a swell of well over 1000 active participants in the same timeframe.
An open approach would undoubtedly drive more media coverage, bring in more sponsorship and increase awareness for the infosec profession in schools, colleges and industry.
And we might even start to make a dent in that 1.5 million shortfall over the coming years.