A limited pool of cyber security expertise is causing Australian employers to poach skilled cyber staff more often than in other countries, according to new figures suggesting Australian universities are well behind global benchmarks in teaching desirable skills.

Just one in five hiring managers said they consider candidates’ credentials when deciding whether a candidate is qualified, industry body ISACA found in its new State of Cybersecurity 2022 study – which also discovered that just 27 per cent require their cyber security hires to have university degrees.

That’s almost half the 52 per cent global figure – suggesting that Australian employers have given up on waiting for universities to close the cyber security skills gap.

Rather, they are looking past formal qualifications to instead focus on issues such as candidates’ prior hands-on cyber security experience – named as the top factor by two-thirds of hiring managers – and recommendations from previous employers, used by one in three hirers.

Other indications suggest that universities simply aren’t producing the kind of workers that companies want, with 62 per cent of respondents reporting a skills gap in the soft skills of existing cyber security professionals – many of whom have been working in cyber security jobs for many years.

The soft skills gap was even wider, at 73 per cent, among recent graduates – and it is much worse in Australia than the global average of 54 per cent.

Such findings reinforce concerns that Australian universities are churning out technically-focused graduates from courses that aren’t teaching or developing the soft skills that employers actually want.

Key in-demand soft skills include communication, critical thinking and problem-solving capabilities – all widely desired characteristics that are, by some accounts, expected to dominate all jobs by 2030.

More poaching than a Sunday brunch

Disaffection with universities’ cyber security training is so high that 55 per cent of respondents to the ISACA survey generally don’t believe applicants are well qualified.

With skilled cyber security employees recognising both that they require soft skills and that those skills will improve their employability, ISACA found that cyber security staff were far more likely to be poached from rivals in Australia than elsewhere.

Fully 71 per cent of cyber security professionals had left their jobs because they were recruited by other companies – well ahead of the 59 per cent figure globally – suggesting that the Australian market is struggling more than most to supply enough skilled cyber security experts.

Previous studies have found many workers leaving because their employers aren’t giving them training in soft skills – yet despite all the poaching, two-thirds of ANZ respondents reporting understaffed cyber security teams.

Local industry, it seems, simply can’t find enough candidates with the qualities they’re actually looking for.

“The pandemic put a strain on organisations that saw vulnerabilities appear in security systems during the migration to support remote working,” said Jo Stewart-Rattray, a member of ISACA’s Information Security Advisory Group.

“Demand increased rapidly for security professionals in a time that international and state border restrictions were imposed, creating lack of access to this essential workforce and a reduced talent pool.”

Recruitment searches are running for months – half of ISACA respondents said it take three to six months to find qualified cyber security candidates – and more companies now say they have more unfilled cyber security roles this year than last.

The findings suggest that Australia’s efforts to close the cyber security skills gap, for example by increasing diversity and recruiting from other industries, are failing to fix the problem despite the industry adding over 26,000 new workers.

With large-scale cyber security efforts quickly absorbing these workers – industry giant CyberCX has over 400 staff, for example, while consulting giants PwCMTX and Deloitte have added hundreds of tech staff and new Budget allocations will add 1,900 cyber security experts to the Australian Signals Directorate – supply simply can’t keep up with demand for cyber skills.

Chronic shortfalls have driven companies to consider new ways of attracting talent, but with budgets also straining – just 29 per cent of ISACA respondents said they had appropriate cyber security budgets, much less than the 42 per cent figure globally – companies’ willingness to compete for skills may be plateauing.

“The Great Resignation is compounding the long-standing hiring and retention challenges the cyber security community has been facing for years, and systemic changes are critical,” ISACA director for professional practices and innovation Jonathan Brandt said.

“Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training, and flexible schedules that attract and retain qualified talent, organisations can move the needle in strengthening their teams and closing skills gaps.”