From desert to oasis: Replenishing Australia’s cyber talent pool – Dr Stephenie Andal, CSCRC

Dr Stephenie Andal

Cyber actors have proven adept at adapting to amorphous environments, and cyber threats are likely to escalate, morph and mutate as the pandemic continues and the world becomes ever more digitally connected.


In the world of cyber, Dr Stephenie Andal cannot help but stand out – and stand tall.

As a female leader and in an all-too-male industry, Dr Andal is already setting a lofty benchmark for every ambitious cybersecurity professional. Yet, commanding the ears of policymakers, business leaders, legal authorities, as well as ground-level cybersecurity teams and digital novices, Dr Andal has also proved a rare knack for demystifying complex issues for a diversity of stakeholders.

As Head of Strategic Policy at the Cyber Security Cooperative Research Centre, or CSCRC, she leads a team dedicated not only to protecting Australia’s digital economy but also to nurturing the next generation of local cyber talent.

After a year of seemingly perpetual crises, Dr Andal offers us an insider’s view into a chaotic chapter for the ever-changing cyber discipline. Here, we explore the evolution of the cyber threatscape through the Covid pandemic, efforts to address the talent shortfall in Australia’s cyber industries, and why a “plurality” – of thought and of background – is critical to an organisation’s digital defences.


FST Media: Charged with strengthening the nation’s overall cybersecurity capability, the CRC is part of a growing coterie of local cyber advisory organisations working to boost industry’s as well as the government’s cyber posture.

After a tumultuous 2020, take us through some of the CRC’s priorities and key initiatives for the year ahead? 

Andal: The CSCRC is dedicated to fostering the next generation of Australian cybersecurity talent, developing innovative projects to strengthen our nation’s security capabilities. We achieve this by identifying, funding and supporting research projects that build Australia’s cybersecurity capacity and address issues across the cyber spectrum, both technology and policy-related.

For 2021, and through until the end of our funding in 2025, we are focused on being responsive to Australia’s Cyber Security Strategy 2020, launched by the Federal Government last year, which mentions the CSCRC as a key strategic partner in “helping governments and key stakeholders bring this Strategy to life by driving relevant and innovative research to build Australia’s cybersecurity capacity and capability” (p. 34). The CSCRC will do this through alignment with our research themes on critical infrastructure security, cybersecurity-as-a-service (support for SMEs), and through our law and policy research.

 

FST Media: Realistically, why should cyber be positioned as a top-order priority for Australian industry – and, moreover, for financial services?

Further, how would you rate Australia’s overall response to the growing cyber threat?

Andal: Cybersecurity should be a key priority for all organisations. It is a top business risk and is increasingly being elevated to the board, no longer purely a technical issue relegated to IT departments as it was just a few years ago. Although the financial services sector is relatively cyber mature, there is no time for complacency. No sector is immune from harmful cyber activity. And the potential ramifications are huge.

In February 2020, Christine Lagarde, president of the European Central Bank, warned that a cyberattack on a major financial institution could kickstart a systemic liquidity crisis, leading to widespread economic instability.

Australia has been at the forefront of global responses to growing cyber threats. One needs only to look to the proposed legislation on securing Australian critical infrastructure and systems of national significance to see an indication of where Australia has been leading.

 

It proposes to expand the number of critical infrastructure sectors from four to 11 to capture a much wider swathe of our economy and more effectively manage security risks, thus safeguarding Australia’s economy. Under the legislation, financial services sector would be encompassed.

 

FST Media: What have you observed in the evolution of threat vectors over the last 12 to 18 months, particularly those targeting Australia’s financial services industry?

Are there any unique attack trends cropping up that had not featured previously?

Andal: Against the backdrop of Covid-19, globally we are seeing a heightened threat environment, rising geopolitical tensions, and a sharp uptick in malicious cyber activity.

Globally, the financial services sector remains vulnerable, with Jerome Powell, the Chair of the US Federal Reserve declaring in April 2021 that cybersecurity threats are the top risks to the financial services sector, and by extension the entire American economy.

In Australia, although financial services is considered to be among the most cyber mature sectors, the head of the Australian Prudential Regulation Authority (APRA) recently warned that a significant future breach at an Australian institution was highly likely. Shortly thereafter, these sentiments were confirmed by ANZ Bank, who noted that, year-on-year, malicious emails had more than doubled  from approximately four million to up to 10 million per month.

When it comes to trends, Covid-19 has proved a boon to nefarious cyber actors, seeking strategic disruption and political and/or financial gain.

Cyber actors have proven adept at adapting to amorphous environments, and cyber threats are likely to escalate, morph and mutate as the pandemic continues and the world becomes ever more digitally connected.

 

Of these, the global ransomware scourge continues, with its very tangible impacts starkly illustrated by the 7 May 2021 ransomware attack on America’s Colonial Pipelines, which provides fuel to 45 per cent of the East Coast. The attack brought the operator’s entire network to a standstill, prompted the invocation of emergency powers by the Biden administration, and highlighted the impacts it could bring to consumers and a recovering American economy, potentially causing petrol prices to skyrocket.

 

FST Media: The Federal Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020, currently before Parliament, is likely to increase regulations for those organisations responsible for key infrastructure assets in designated ‘critical’ sectors – financial services, included – as well as the Government’s powers over these assets.

What direction do you see this piece of legislation taking, and what steps should industry take to prepare?

Andal: The proposed legislation is currently under review and it will be some time before we see it come to fruition. The CSCRC is broadly supportive of the Bill and its intent, which will help protect Australia’s interests and its people. The CSCRC has submitted a number of submissions in relation to the proposed legislative changes, highlighting key considerations from a cybersecurity perspective, the Bill’s sharpened focus on mitigating cybersecurity threats, and the positive flow-on effects that these would have on an economy-wide security uplift.

As to steps industry should take to prepare, there are simple steps that can be taken to mitigate risks, patching being key. There also needs to be an acute awareness that people play a key role in cyber uplift, so organisations should focus on teaching staff about what ‘good’ cybersecurity looks like. They should also familiarise themselves with the Bill and the proposed measures and look to methodologies and measures through which they can bolster their organisational cyber posture.

 

FST Media: Among the key mandates of the CRC is to “foster the next generation of Australian cybersecurity talent”.

What do you feel best explains the dearth of cyber professionals in the Australian job market? How can industry serve to attract and nurture budding cybersecurity talent? 

Andal: Indeed, one of the CSCRC’s mandates is to build cybersecurity capacity. We do this by cultivating the next generation of outstanding talent to solve pressing cybersecurity challenges. We attract, inspire, mentor and develop cybersecurity professionals by offering the best and brightest students scholarships through our participating research institutions. Through the CSCRC’s three-way collaborative model (industry, government, academia), our cybersecurity researchers are uniquely placed to address real-world cybersecurity problems.

Ensuring a pipeline of job-ready cybersecurity talent has proven to be a challenge for most countries, not just Australia. Globally, it is estimated there is a cybersecurity workforce gap of over four million people, with a 2.6 million-person shortfall in the APAC region.

 

Given that most of the market demand remains driven by industry, ensuring that programs are co-designed together with industry is key, to ensure that outcomes are tailored to need. Australia is well-positioned to build this talent, with the August 2020 Cyber Security Strategy articulating that it will launch a Cyber Security National Workforce Growth Program to build a holistic pipeline of cybersecurity talent for the nation.

FST Media: And, faced with a lack of qualified cybersecurity professionals, what steps should organisations take to stay ahead of malicious actors and maintain a viable defence? Do you also see opportunities to nurture and grow this talent in-house?

Andal: We advise all organisations to refer to the Australian Cyber Security Centre (ACSC) for relevant advice about how to mitigate against current cybersecurity threats. The ACSC, which sits within the Australian Signals Directorate, offers a range of up-to-date information for large enterprise, SMEs and individuals about how to protect digital assets, digital data and prevent cybersecurity incidents.

However, at the end of the day, cybersecurity remains a human issue. We are the users and creators of technology. More needs to be done to raise cybersecurity awareness and hygiene across all of Australian society. Achieving this rests on taking a multi-stakeholder approach to building cybersecurity resilience across the economy – cybersecurity, after all, is a shared responsibility. This is why the CSCRC’s key public role in cybersecurity advocacy, through our law and policy research, is key. We act as an independent voice for cybersecurity, providing evidence-based commentary around relevant cybersecurity issues to demystify complex issues for boards, organisations and the wider public.

 

FST Media: As a female leader with a bird’s eye view over Australia’s cyber capabilities, how do you rate Australia’s progress in promoting diversity within the field?

Further, how important is diversity (in thought as well as personal background) in supporting holistic enterprise security practices?

Andal: I think it is an exciting time to be in cybersecurity – this is a field that values left-of-field, creative thinking and the challenging of long-held assumptions and biases. I encourage all young students that I meet to consider cybersecurity as a profession, given the incredible opportunities it offers for intellectual and professional growth – one will never be bored!

Plurality of thought and perspectives is a key driver to success in effective cybersecurity practices, and this will only become more valued as cybersecurity continues to be elevated to the board within organisations and moves away from being merely a technical consideration. To support this, Australia is going to need a diverse supply of talent from across a range of backgrounds not typically considered ‘cybersecurity’ – from the social sciences, policy, humanities, law enforcement – all with a demonstrated mindset of intellectual curiosity, adaptability and collaboration.

 

FST Media: What to you are some of the key traits among the best cyber leaders? How common do you feel these are within Australia’s existing cyber talent?

Intellectual curiosity for me would be a key trait that I see in leading cyber professionals. Since cybersecurity is such a fast-moving, ever-evolving space, one risks being left in the dust if they rest on previous assumptions, understandings and frameworks. There is a constant need to educate oneself and continuously upskill to ensure that you remain at the top of your game. Also, a spirit of collaboration is essential.

The Australian cybersecurity sector is a small one, with still-limited resources and capacity. The more leaders can be doing to uplift others, the sooner we will see significant security benefits across the economy and society. And that is ultimately what we are striving for. 

 

Thankfully, I see both of these traits across Australia’s existing cybersecurity workforce, which is exciting. More, however, can be done to instil these traits in young people from an early age, as we increasingly move to a digital economy. Doing so requires policy creation, meaningful public-private partnerships, and a recognition that the next generation of talent will steer our nation through the future digital world. As a nation, we need to be thinking now about how we most effectively equip them with the necessary skillsets to do that.


Dr Stephenie Andal will be a featured keynote speaker at the Future of Security, Sydney 2021 and Melbourne 2021 events in August. Register now to secure your place!