Opinion article

Skilling Australia’s cyber security professionals

Professor Jill Slay examines a key problem within the cyber security field; how to train and educate the cyber security professionals of Australia.

The issue of how to train and educate Australia’s cyber security professionals, and also the problem of developing the 10,000 new cyber security professionals which are estimated to be needed by 2025 is highly problematic.  Much thought has gone into this issue and there is considerable discussion on ways that collaboration may be achieved through partnerships between government, industry and academia.

Recent successful events that display elements of  this collaboration include the first government Cyber War games developed by Narelle Devine and her staff at the Department of Human Services which allowed several government departments to compete in defending systems and display their teamwork and communication skills and also the Cyber 9/12 Student Challenge run by Dr Frank Smith at the University of Sydney where student teams tackled a major – fictional but realistic – cyber attack and developed policy recommendations that respond to this evolving crisis.

One major question that has to be asked in this domain is ‘what (or who) is a cyber security professional?’ and this is a fairly complex one to answer given that cyber security has a broad reach from international policy to reverse engineering and beyond.

The Australian Computer Society (ACS) has recently developed a set of Professional Standards in Cyber Security as a specialism to the ACS Professional Standards in ICT to begin to address this issue. The task force has:
 
  • Identified all job roles and occupations aligned with cyber security;
  • Identified national and international best practice for accreditation and certification within cybersecurity;
  • Established a baseline of knowledge and skills criteria which represents the minimum expectations of cyber security technician and professional;
  • Provided recommendations of professional assessment techniques for determining whether an individual has the cyber security knowledge and skills to fulfil the identified baseline requirements; and
  • Ensured recommendations are aligned with international best practice and comply with appropriate national and international cyber security professional and technical standards.
Existing frameworks that informed the taskforce are:
 
  • The United States Department of Defense Information Assurance Workforce Improvement Program;
  • National Institute of Standards and Technology, US Department of Commerce;
  • National Initiative for Cyber Security Education, Workforce Framework; and
  • US Department of Labor sponsored industry Cybersecurity Competency Model.
The Taskforce drew on the work of the ACM Joint Taskforce on Cybersecurity Education and the British CyBOK project developing a UK national cyber body of knowledge. The view of the Taskforce has been that quality and sufficient works have been developed internationally in Taskforce focus areas, and rather than reinvent new frameworks, the work of the Taskforce should focus on contextualising these resources appropriately to the landscape in Australia.
 
An environmental scan on global certifications held in high esteem has been undertaken via the taskforce and broader industry consultations. It is the Taskforce’s view that those certifications with the greatest global acceptance provide an opportunity to expedite the introduction of an ACS Cyber Specialism. It should be noted that this aligns with US, UK and other developed countries.

These have been identified for Certified Technologist (Cyber Security) as Systems Security Certified Practitioner from ISC² and Certified Information Systems Auditor from ISACA. For Certified Professional (Cyber Security) as Certified Information Systems Security Professional and Certified Secure Software Lifecycle Professional from ISC² and Certified Information Security Manager from ISACA

A mapping exercise of the nominated ISC² and ISACA certifications have been mapped to SFIA and levels three and five as required through the ACS certifications.  These are in many cases higher than the nominated SFIA levels. Reflecting the multi-disciplinary nature of Cyber Security, there is little overlap across these certifications.  As a result, the taskforce is of the view that flexibility needs to be built into the specialism process.  For our purposes at outset, we are recommending three SFIA skills from a limited SFIA list of 10 for Certified Technologist and four skills from 10 for Certified Professional. 
 

Certified professional - cyber security

Cyber security specialism assessment requirements are equivalent to existing ACS certified professional assessment criteria and pathways with the addition of demonstrating in-depth competence in four SFIA skills at

SFIA level five

SFIA skills must be from the following skills:
  • IT governance
  • Information management
  • Information security
  • Information assurance
  • Business risk management
  • Penetration testing
  • Security administration
  • Programming/software development
  • Systems software
  • Testing
  • Asset management

Certified technologist - cyber security

Cyber security specialism assessment requirements are equivalent to existing ACS Certified Technologist assessment criteria and pathways with the addition of demonstrating in-depth competence in three SFIA skills at SFIA level three.
 
SFIA skills must be from the following skills:
  • Information management
  • Information security
  • Information assurance
  • Business risk management
  • Systems development management
  • Asset management
  • Change management
  • Security administration
  • Incident management
  • Conformance review
This framework was launched by the Minister Assisting the Prime Minister for Cyber Security, the Hon. Dan Tehan on September 6, 2017. As Anthony Wong, President of ACS said: “I believe it is probably one of the first in the world, and I believe it is one of the only professional standard certifications which is actually backed up by legislation in states and territories, so Australia is well ahead of the world in this regard.”
 
Separate guidance documentation is being developed for universities, since ACS also accredits all undergraduate and some Masters programs in ICT in Australia, providing advice in terms of expected curriculum approaches and knowledge areas for a Cyber Security program to be reflective of contemporary practice.
At this stage, greater research is required to be undertaken on certifications provided by others but similar mappings will also be produced. This includes defence contractors, vendors and the big four with a view to mapping the learning outcomes of their training courses to those SFIA outcomes recommended above.
 
ACS is developing a repository of open source resources for self-education and running, where necessary, specialised workshops to allow for the development of specific SFIA skills and will offer micro-credentialing to test for these SFIA skills.

We genuinely encourage broad critique of this work and look for collaboration with other organisations who would want to broaden the approach to cyber security standards.

Read CEDA's research report, Australia's place in the world.
About the author
JS

Jill Slay

See all articles
Professor Jill Slay is Director Cyber Resilience for the Australian Computer Society.  Previously she was founding Director of the Australian Centre for Cyber Security at UNSW Canberra @ ADFA.  She has established an international research reputation in cyber security and has worked in collaboration with many industrial partners.