How CBA and UNSW plan to tackle the cyber skills shortage

The Commonwealth Bank and the University of NSW will join forces to close the gap between demand and supply of information security professionals through a new $1.6 million, five-year partnership.

CBA CISO Ben Heyes and UNSW associate professor in computer security and cybercrime Richard Buckland. Credit: Lee Henderson/UNSW

Employers are increasingly struggling to fill skilled IT security roles as demand outstrips the trickling flow of new graduates coming out of the country's universities.

They are demanding higher skill levels for cybersecurity workers, leaving the education system straining to keep up.

There's been a boom in the field in recent years - according to the federal Department of Education [pdf], employment of IT security specialists in the five years to November 2015 jumped over 38 percent, with 43,100 infosec professionals currently working in Australia.

Hiring managers listed information security as one of the most valuable skill sets over the next 12 to 18 months in Greythorn's Australian IT market insights and salary guide for 2014-15 [pdf]. 

Figures in the US are comparable - IT security job openings grew three times faster than all other IT jobs from 2010 to 2014 in the US, according to job market analytics firm Burning Glass Technologies.

But while employers are clamouring to hire IT security professionals, they're often finding themselves coming up short.

More than one third of IT security jobs ask for industry certification, compared to 23 percent of IT jobs overall. Eight in ten employers want a cyber security bachelor's degree and/or three years experience, according to Burning Glass. Infosec positions also take 8 percent longer to fill than other IT jobs.

"The skills for some IT positions can be acquired with relatively little training, but cybersecurity isn’t one of them," the firm wrote.

"For example, five years of experience is required to even apply for a CISSP certification.

"This suggests that the shortage of cybersecurity workers is likely to persist, at least until the education and training system catches up."

Catching up with demand

This is where CBA and UNSW come in.

The pair hope that by offering a specialised and dedicated IT security stream at the university and to the general public, more students will leave uni with the specialised training the market is crying out for, while others will be able to upskill themselves in their own time.

The partnership will create a new Bachelor of Computer Science (Security Engineering), pieces of which will be made publicly available online as a massive open online course (MOOC). UNSW intends to release "as much as possible" of the course content.

The deal also includes a new security engineering lab that will provide hands-on experience for cyber security students.

The stream will span five subjects, in the areas of threat modelling, web application testing, incident response and digital forensics, malware reversal, and one practical project unit. 

"There's huge demand everywhere that no country can fulfil, for two reasons," UNSW cyber security associate professor Richard Buckland told iTnews.

"There is greater demand because more things are now done online and it's more tempting to attack online, and attackers are getting more sophisticated. But the supply side isn't growing that fast. The sort of people CBA wants to employ are hard to find because we're not turning them out at universities."

UNSW churns out 40 graduates a year in cyber security, according to Buckland, compared to local demand for 1000 specialists annually.

"The gap is in the numbers, and this program is about scaling it up," he said.

According to Ben Heyes, CISO at the Commonwealth Bank - which has a reputation of cornering the cyber skills market - new graduates currently require up to two years of training to get them to where they need to be to work on the bank's security front line.

"This is about making that distance shorter," he said.

"The [UNSW] course combines two things: a science which actually requires structured learning and knowledge, and applied skills, and that's one of the gaps that we're seeing at the moment: people coming out of university and the gap between them being effective for us to put to use on the front line. 

"If you just get the structured learning and knowledge piece, typically you've lost some of the creativity along the way, and I don't think we as an industry can afford to do that."

"If we do it right, we'll save you two years," Buckland said.

UNSW and CBA expect that the new cyber stream will result in a pipeline of "hundreds" of specialists graduating university each year, but recognise that's not enough to solve the problem.

The next generation of teachers

There's also the question of who - given the skills shortage - will teach the students.

As Buckland notes, "cyber security has changed a lot since I was a boy and went through university, so the people at teaching at universities aren't always up to date".

The pair's answer to this problem is to develop a new generation of educators.

The partnership will fund the recruitment of "world-class" lecturers and up to four fellowships, sponsored by CBA, for graduates who want to teach at UNSW. Industry experts will also form a big part of the course, coming back to help teach the next generation of cyber specialists.

Additionally, PhD students researching "critical internet security problems" will receive sponsorship and dedicated support.

Heyes references this as the second of two conveyor belts in the wider effort.

"This is a generational play for a pipeline of talent," he said.

"One is the conveyor belt that produces the workforce ... [and] the curriculum and the content being open and scalable. And the other ... is a conveyor belt of teachers - the PhD sponsoring grant and the training grant.

"That's to provide the opportunity for research activites but also to encourage the teachers of tomorrow."

Around 300 students have already signed up to the stream, according to Buckland.

Its first course, introduction to security engineering, will go live in the first semester of next year, and will be released to the public around the same time.

The wider course will be developed iteratively over the next two years.