Published on the 13/09/2018 | Written by Jonathan Cotton
There are a few bad habits that need to be addressed before AU can be proud of its infosec...
Australia certainly has a problematic relationship with IT security. On the surface things look good, especially with the news that Australia has committed to a new regional security initiative, setting up a centre for crunching security data.
The excruciatingly-titled Pacific Fusion Centre – an outfit that, according to the Department of Foreign Affairs and Trade will ‘fuse’ information gathered from regional partners to better respond to certain security threats, such as illegal fishing, people smuggling and narcotics trafficking – a positive step tackling the changing threat landscape.
The recently launched cyber.gov.au office is another positive step. The site will act as a central hub for information, advice and assistance for Australians.
“Only 14 percent of Australian organisations consider ransomware a serious issue.”
And hey, a few big deals in the works – most notably the acquisition of Sydney-based information security firm Azimuth Security to L3 Technologies – shows we’ve got the infosec chops to compete on the world stage.
Azimuth Security provides threat modelling and design, source code review and software systems analysis services, and was recently the subject of a Motherboard exposé detailing how the startup sold exploits to certain ‘friendly’ governments around the world.
L3 Technologies on the other hand is a provider of communications and electronic systems for military, homeland security and commercial aviation customers, including ‘advanced defense technologies’ and “commercial solutions in pilot training, aviation security, night vision and EO/IR, weapons, maritime systems and space”.
It’s heady stuff and with L3 reporting sales of US$9.6 billion it’s a big deal.
But while news of the successful sale is heartening, the winning streak might be short lived, especially if Australia fails to address an apparent infosec skills shortage: New research shows real market pressure to put trained IT security bums in seats.
According to a survey conducted by Osterman Research on behalf of Malwarebytes, Australia pays among the highest salaries in the industry, beating out the US, UK, Germany and Singapore. Pay rates for both entry level and senior executives are, on average, US$30,000 higher than similar positions in the US. Senior Australian information security professionals are the highest paid, averaging salaries of US$155,000, compared to the global average of US$130,000.
This is despite – or perhaps because of – Australia’s relatively low infosec spend: Australian organisations have the lowest average security budgets out of all the countries surveyed.
And that might have a lot to do with Australia’s general indifference when it comes to infosec.
“Sixty-three percent of German organisations consider ransomware to be a ‘very serious’ threat,” says the report. Compare that to Australia: Only 14 percent of Australian organisations consider ransomware a serious issue.
“Globally, 17 percent of organisations conduct red/blue team activity to test the strength of their cybersecurity defenses. However, US organisations are twice as likely to do so (34 percent) and Australian organisations the least likely (five percent).”
That might be about to change however.
New research from Gartner entitled Forecast: Information Security, Worldwide, 2016-2022, 2Q18 Update, predicts Australia’s IT security spending will hit US$3.5 billion this year – a six percent growth rate for 2018. That rate of growth is predicted to then increase further with 9.8 percent growth in the short term to take total spending for Australia to almost $3.9 billion in 2019.
“Security leaders are striving to help their organisations securely use technology platforms to become more competitive and drive growth for the business,” said Siddharth Deshpande, research director at Gartner.
“Persisting skills shortages and regulatory changes like the EU’s Global Data Protection Regulation are driving continued growth in the security services market.”
The top three drivers for security spending? Security risk, ‘business needs’ and industry changes.
Privacy concerns are also becoming a key factor, says the report with the researchers predicting that privacy concerns will drive at least 10 percent of market demand for security services next year, impacting growing segments such as identity and access management, identity governance and administration and data loss prevention.
Whether this growing cognisance of business risk will actually impact the way Australian businesses handle IT security issues remains to be seen, but with a shortage of infosec skills in the industry it could well be a case of things getting worse before they get any better.