Fortifying cybersecurity: Smart ways to address the cyber skills shortage

The Australian Minister for Cyber Security, Hon Clare O’Neil, has been explicit in her public goals for Australia to be the safest cyber nation. In 2023, industry and government will need to focus on innovative ways to address the shortfall in highly skilled cyber professionals.

How can we address the cyber skills shortage?

This may involve a genuine national discussion about focused skilled migration programs for cyber practitioners, greater emphasis on formalised personnel transfers within the Five Eyes, QUAD and AUKUS nation states, and funding initiatives such as an extension to the current ADF Cyber Gap Program, which is set to end in 2023. Additionally, we may see fee relief for cyber-related tertiary training, similar to what we’ve seen with nursing and other disciplines.

Australia may start a discussion regarding the formation of a national “Cyber Militia” as a way to bolster our cyber defences at the national level during times of crisis, in a similar way to how Australia maintains a regular Army Reserve as a part-time military capacity.

Digilantism vs. Cyber Militia

Against the backdrop of the government’s ramping up of “hacking back” in response to the Medibank data breach, the private sector is reminded that, unless you’re working for the Department of Defence, such activity is illegal (as defined by all cybersecurity industry codes of conduct).

With growing frustration in the community, including personal vendettas arising from the swathe of compromised data being leveraged by scammers, security researchers in 2023 may be tempted into digilantism, a form of hacking back, despite advice to the contrary. Given the severe skills shortage in cybersecurity, it’s plausible that the government in coming years may call for volunteers in times of need, under the banner of a state-backed cyber militia.

Securing digital assets and cryptocurrency

While the crypto industry, despite broad media coverage, actually remains tiny (a market capitalisation of only $900B) compared with broader economic markets (around $120 trillion, or over 130x larger), recent developments such as the collapse of FTX highlight the challenges of securing digital assets that rely on custodial management of private encryption keys.

In addition, few people across the globe understand the intricacies of cryptography, and so they place too much trust in other parties within these notionally decentralised systems, mostly because of the complexity of self-managing private keys and the lack of good solutions for doing so.

New players are likely to emerge in 2023 and beyond around the increased use of secure hardware wallets, making this problem more accessible to the masses; at the same time, more attackers are likely to target custodial exchanges and third parties holding keys on behalf of others.

Compliance cost breaking point

Many Aussie firms are experiencing pressure on spending related to ensuring compliance with all legal, contractual and regulatory mandates, whether it’s APRA, ASIC, PCI DSS, ISO 27001 or the “third-party security questionnaires” that justify the existence of so many compliance teams.

In addition, with the Australian Government threatening more fines for organisations that might suffer a data breach, the challenge is where pre-emptive spending will be directed in 2023 – should it go towards legal protections and larger compliance teams, towards tangible initiatives that can genuinely lower the risk, or somewhere in the middle?

Some experts, especially in the financial sector, have suggested that banking might not be profitable at all in the future if compliance burdens continue to expand at the rate they have over the last decade, and many other organisations are experiencing the same effect.

Tesserent predicts that we’ll see some kind of reset or pushback emerging in 2023 as businesses realise that compliance must be made easier, not harder, perhaps by choosing smarter partners in cyber and leveraging technology to automate compliance systems.

Acceleration of identity management

With a growing focus on Zero Trust technology solutions and architectures in Australia and across the globe, identity management will become the weakest link to address in 2023. Users will become the credential. Proof of identity won’t rely on traditional authentication methods but will, instead, look for ways to prove that the user is who they really claim to be.

Solutions that boost current approaches to multi-factor authentication, especially leveraging verified biometric tech, will start to become the minimum standard in mature organisations and a benchmark for aspiring ones. To combat cyber breaches, data loss prevention solutions will become more widespread and leverage AI and machine learning to accelerate data categorisation and classification to minimise potential damage and reduce data leakage.

Data classification will become more sophisticated in order to determine what data is valuable and vulnerable. Systems will become more adept at detecting data leakage through more channels, such as social media and encrypted paths, leveraging polymorphic encryption in 2023.

Take no prisoners

CISOs are the subject of many industry jokes, with alternative suggestions for the role’s acronym such as “Career Is Soon Over”. This highlights the extreme accountability the role carries, often to breaking point, and in the new year, in light of recent breaches in ANZ, we’re no doubt likely to see a much more feisty and determined vigour from cybersecurity leaders.

There is no more time for inaction, or for letting teams get away with a lacklustre response. Maybe the acronym will come to mean “Complacency Is Sent Overboard” in the future.

Quantum computing still in infancy

Quantum computing is emerging but will still be in a nascent state in 2023; it is one to watch for future developments. We are several years away from something of direct concern, but smart CISOs should keep a watchful eye on this space.

Roger Spence is the Director Client Services at Tesserent, and Michael McKinnon is the CIO at Tesserent.