AMP does maths on infosec shortage

Australia’s persistent cyber security talent shortage is forcing a top tier rethink about how companies can draft in complementary skills from other business lines, with financial services giant AMP now hiring mathematicians to help automate once manual processes.

The company used its annual Amplify conference this month to reveal how it’s prosecuting a back-to-basics approach to better fortify the business against threats by harnessing machine learning algorithms and predictive analytics to slash fix times for vulnerabilities.

With ‘classic’ cyber practitioners now some of the most sought after staff across business and government, AMP’s chief technology officer reckons it’s time to think beyond traditional job silos and look at what people can actually bring to a role.

“The reality is that you go to any particular technological domain, cyber is one of the hardest to find people with the skillset because they are so in demand. So we’ve had to think quite laterally around the people we bring into the organisation and train them up,” AMP’s chief technology officer Chris Bell said.

“Skills around data and analytics are just so vital. Whilst we’re starting in cyber there’s actually a whole bunch of problems for the technology business we can solve with those skills. AI is the leading edge of that.”

More than bodies

For AMP’s head of cyber security, Rahn Wakeley, one of the dividends of diversity and broader skills is an uplift in efficiency and processes that a fresh set of problem solving eyes can bring.

“The data scientist that we have hired is the first person I have ever hired who doesn’t have a cyber background, her background is two degrees in mathematics. The rate at which she has picked up cyber has just blown me away,” Wakely said.

The escalation in cyber workload has prompted a reassessment of how to best apply resources because money and people were both finite whereas vulnerabilities just kept increasing.

“If you think about…the size and scope of attacks that are happening in cyber, there’s no way we can sit here and say every year we are going to go back to our executive and board and ask for an exponential increase in the funding for cyber security,” Wakely said.

“That’s just not going to happen. Throwing bodies at it is just not the answer anymore.”

AMP’s enhanced approach to cyber security includes running a “squad” that has a sharp focus on reducing vulnerabilities across every portfolio in the business.

The cyber data scientist’s role is to help discern why vulnerabilities exist using “science, performance analytics and algoithms [and] hardcore maths,” Wakeley said, adding “it saves time, saves money and gets our numbers back up.”

Countering groupthink

Cyber security and risk advisor at analyst firm IBRS, James Turner, said the cyber skills shortage was prompting a wider rethink around the domain in terms of resourcing for the last few years.

“It’s partly about talent scarcity but it’s also about bringing fresh eyes. It shows up in the diversity of thinking around cyber issues,” Turner said.

“Diversity is incredibly valuable, it counters groupthink. You want that in your security team, and definitely in any good red team.”

Turner said human history was “littered with disasters that stemmed from a group of people all thinking the same way and not contemplating that there could be other views.”

“I’ve seen people from not just analytics backgrounds but also as broad as history, languages and music go into cyber security and be highly effective.”