Why "2023-2030 Australian Cyber Security Strategy" will fail?
One cornerstone that it fails to achieve will lead to failure
On 22 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy.
What do I think of it?
In short, it is a highly aspirational document that will not become a reality. It will not become a reality because it is too ambitious. It is too ambitious because the dire cybersecurity skills shortage in Australia will cripple the effort right from the start. The effort is crippled because the strategy to address the cybersecurity skills shortage is unsound.
Cornerstone
Addressing the cybersecurity skills shortage is the cornerstone of the entire strategy. If the government fail at this cornerstone, the entire strategy will fail. Everything in the strategy relies on having enough cybersecurity professionals in the country to turn aspiration into reality. If the government fail at that, the entire strategy will fail.
Section 17: Grow and professionalise our national cyber workforce
Let’s dive into the details of Section 17 of the strategy:
Firms face challenges recruiting and retaining experienced world-class cyber talent – exacerbated by complex migration paths for foreign experts, and competition with higher pay rates abroad.
So, in the first 2 years of the strategy, the action plan will be:
Attract global cyber talent through reforms to the migration system as part of the government’s Migration Strategy. Government will enhance both international and domestic outreach efforts to increase Australia’s competitiveness and attract highly skilled migrants to expand the cyber security workforce.
So, for the first 2 years, the government will try to import cybersecurity skills from abroad to fill the skills shortage at home.
This is doomed to fail. Why?
India is facing its own IT skills shortage crisis
India, the IT powerhouse where we get most of our IT talent, has its own IT skills shortage problems. According to this CNBC article,
Despite its growing population, India grapples with talent shortage — specifically skilled labor. According to a recent report from job portal TeamLease, over two million jobs in AI, cyber security, and blockchain are expected to remain unfilled in 2023.
You can easily do a Google search to confirm that there is indeed an IT skills shortage crisis in India. Therefore, Australian employers looking for cybersecurity talents in India will have to compete fiercely with Indian employers.
Sure, pay may be better in Australia. But everything in Australia is freaking expensive, from housing and groceries to haircuts. Also, Australia is already in a recession based on GDP per capita. So, I am not sure whether the lifestyle premium that Australian employers can offer to Indian IT talents is going to remain attractive.
How can India face an IT skills shortage crisis despite its large and growing population?
The reason is, as I explained in Why 'dead bodies' of cybersecurity victims will pile up faster?, demand for cybersecurity (and IT) skills is asking for a mathematical impossibility. No amount of education, skills and training can fill the insatiable demand for IT skills and talents.
Why?
The IT industry has a unique problem. It has an ever-growing hyper-fragmentation of specialisations for which the training and education industry can never catch up with. As you can read from this article (published last month), the private sector is finding out the hard way:
The cybersecurity skills gap issue may be further from being solved than expected despite the large amount of money being invested around the world to train professionals, according to a report by the Information Systems Audit and Control Association (ISACA). While the volume of training has increased the number of entry-level professionals, organizations are looking for experienced cybersecurity personnel, the international IT governance professional association says.
Therefore, this aspect of the government’s strategy is doomed to fail too:
The Government’s reforms to the vocational education and training (VET) system will provide training relevant to Australia’s labour market and keep pace with emerging skills needs, including in critical areas like cyber security.
The industry has found out the hard way. The government is going to find out the hard way as well.
That is why India has its own IT skills shortage to grapple with. India cannot solve Australia’s cybersecurity skills crisis when they have their problems at home to solve. Both India and Australia are faced with the same problem.
Demand-side dysfunction
The hyper-fragmentation of specialisations in IT resulted in mayhem for the recruitment and staffing industry. As I explained in Why is the job market so brutal? Because it’s RIGGED AGAINST you!,
Basically, nobody understands what the other person does for a living. Your boss may not even understand what you do every day at work. HR is most probably completely clueless about what your job is all about.
Recruiters and HR have no idea how to hire IT workers. They have no clue what the IT job is all about. All they see is a freaking sea of meaningless alphabet soups. This led to situations where even highly qualified IT people struggled to find employment in the IT sector because too many of them were eliminated from consideration by clueless recruiters and HR.
And guess what? These highly qualified people are forced to leave the IT industry, resulting in the survivorship bias of the remaining ones who can find employment. However, the survivors are facing poor working conditions and poor job security, with stress and overwork the common theme among them.
That is why, as I wrote in Why 'dead bodies' of cybersecurity victims will pile up faster?, there is a demand-side dysfunction where the insatiable demand for IT skills can never be matched by supply because it is asking for a mathematical impossibility.
Hyper-fragmentation muddles the career pathways
With hyper-fragmentation, it creates another problem. Hyper-fragmentation creates far too many permutations and combinations. With the mind-bogglingly huge number of permutations and combinations, how can career pathways be mapped out?
So, this aspect of the government’s strategy is going to fall flat too:
To support a thriving ecosystem, we will also work with industry to enhance efforts to professionalise the cyber security workforce. This will create clear pathways into cyber security roles, reduce barriers to entry and build greater consistency across the cyber workforce. A clear cyber skills framework will provide assurance to employers that the cyber workforce is appropriately skilled, and will give workers confidence that their qualifications and relevant experience are recognised and fit for purpose.
Why using migration to solve the IT skills shortage crisis will make Australians fire the Labor government?
Let’s look at the numbers. This Australian Financial Review article reported that,
The numbers tell the story. Australia’s technology workforce reached a record 870,300 last year and is expected to exceed 1 million next year and to swell to 1.2 million by 2027. Yet only about 7000 students are graduating each year with IT degrees. The biggest shortage of skills is centred around software knowledge.
Let’s do a rough back-of-the-envelope calculation.
With only 7,000 students graduating with IT degrees a year, Australia needs to import around 130,000 IT workers within 2 years. And in the next 3 years, Australia needs to import about 200,000 additional IT workers.
Can the Australian electorate tolerate so many migrants needed to fill the IT sector alone? Remember, that huge number is for the IT sector alone. We still have to import a large number of tradies, hair-dressers, child-care workers, aged-care workers, and so on, plus a huge number of foreign students to fill the university coffers.
Of course not!
The Australian electorate is facing serious bread-and-butter issues and they are pointing the finger at the huge unsustainable number of migrants coming into the country. The current Labor government will likely be fired in the next Federal election as they face widespread discontent and anger among the populace. And I doubt the Coalition party will benefit from it because they are seen as part of the colluding establishment. The Greens are unlikely to benefit from the discontent and anger because they are too ideologically-possessed to be against migration.
The next Federal election is going to be very interesting to watch.
Why are youngsters not wanting to go into IT?
So, depending on migration to fill the cybersecurity skills shortage is doomed to fail. How about developing the skills internally within the country?
Judging from the fact that only 7,000 students are graduating each year with IT degrees, it is not going to happen. Why are youngsters shying away from IT as a career?
The reason is because of the demand-side dysfunction. Furthermore, IT is seen by employers as an expense, rather than an investment. Expenses are treated worse than investments.
Youngsters have already heard from the grapevine that there is no future in IT:
Decades of relentless outsourcing of IT workers to overseas labour resulted in a decimated skills base within Australia to train and mentor the next generation. Why learn IT when your job can be outsourced too easily?
Youngsters are not confident about finding a job in the IT sector after graduation because they face a catch-22 problem: without a job, they don’t have experience, which precludes them from a job, which in turn denies them experience.
Then they notice that the IT workers they know in full-time employment are labouring in poor working conditions: stress, long hours, irritability, poor mental health, anger issues, and so on.
They also notice that IT workers have no job security. Most of them are either contracting or working in fixed-term contracts.
That’s the reason why there are only 7,000 IT graduates per year in Australia. They can see that going into IT is a career suicide.
So, what is the government going to do about it? Their cybersecurity strategy wrote,
To encourage young people to pursue careers in the cyber workforce, learning cyber skills needs to start in primary and secondary school.
Instead of addressing the demand-side dysfunction, their plan is to resort to propagandizing youngsters to pursue a career in IT.
What’s going to happen?
Call me cynical, but there is nothing much to see here.
This aspiration is not going to become reality. At best, there may be some individual scatter-gun successes. But overall, within 2 years, all will be forgotten and we will still be on the back foot.