Skills shortage in security and our leaky pipeline
- 08 February, 2018 10:00
As we head into 2018, many organisations will be facing the daunting task of filling security roles in their organisation. At time of writing there are at least 30 open vacancies advertised nationally and yet more will appear as companies emerge from the blissful calm of summer holidays and into the realities of the end of FY 2017.
In addition to the advertised posts, Australia and New Zealand have a history of security jobs filled by shoulder tap or via networking groups. Roles like this rarely get advertised and lead to the annual dominos of job moves common in February.
It is no secret that we don’t have enough people to fill our security roles (at all levels of the organisation).
Since its inclusion in the New Zealand Cyber Security Strategy, there have been programmes and events established at several national universities to attract and train young talent and bring them into the field. Programmes at Victoria University of Wellington and Waikato have proven successful, each inspiring hundreds of young technical and engineering graduates to enter a career in information security.
In the United States, security teams are typically much larger and may be up to 100 people. This sense of community and this availability of peers is a big draw for those seeking a career in an industry that deals with disaster and issues every day.
Once we step back from the start of the pipeline however, things get a little less positive.
Roles for junior or graduate level security professionals are rare. Only a fraction of companies in this part of the world have programmes or resources to take this new generation. Most companies still insisting on three to five years of experience before hire.
Notable exceptions to this have been integration with NCSC and government who have continued to hire from university onwards as well as Summer of Tech working with a small number of firms to place security graduates.
So where do the rest of our new entrants go and are we solving our recruitment problem if they can’t find their first job?
At SafeStack we have trained up or transitioned six graduates across several disciplines in the past three years. We receive on average five cold emails a month from new graduates looking for a new role. We simply can’t take them and we have nowhere to send them. Even those we train up, we don’t get to keep for long. After a couple of years they go overseas and we start all over again.
So where are they going?
The information security skills shortage is global. Employers such as Google are hiring aggressively into their Sydney office and further afield. USA employers such as LinkedIn, Salesforce, Apple and Riot Games have all taken Kiwi and Aussies with one to two years’ experience and helped them migrate. While some eventually return in their late 30s with a family in tow, some never come back.
We are not competing for our staff nationally anymore, we are competing globally and we are losing.
We receive on average five cold emails a month from new graduates looking for a new role. We simply can’t take them and we have nowhere to send them.
If we start looking at the incentives available to those willing to migrate so far, you begin to see why they go:
Salaries are higher (20 per cent or more) and the cost of living is around the same or lower (especially for those hiring in Auckland).
The challenges are bigger. It never hurts to go and work for a company or brand that is globally recognised.
Career progression, education and mentors are more widely available.
Security in New Zealand is lonely.
Can loneliness really be a reason to leave New Zealand? Some say it is.
Security teams in New Zealand and Australia are small. Many organisations are coping with one or two people to serve an entire organisation. In the United States, security teams are typically much larger and may be up to 100 people. This sense of community and this availability of peers is a big draw for those seeking a career in an industry that deals with disaster and issues every day. Having a team to share your challenges with, to learn and grow from and to laugh and cry with, really is a big deal it seems.
So can we compete with these overseas employers and how can we keep our brightest and best?
The solution to this is much wider than just salaries and incentives. We need to make sure that security in New Zealand and Australia is a career path and a community. We need to talk about the big challenges we are solving and we need to diversify.
It’s time to create a security culture and environment within our countries that not just inspires young people to join the industry but also provides entry level jobs, career paths and education as well as career support.
New Zealand and Australia are launching great initiatives to create a pipeline of new talent to solve some of our hardest information and cyber security problems. It’s important that we fix the leaks in our pipeline before we just become a provider of keen security talent to the rest of the world.