- Published on
Oddities in the Australian Cyber Security Industry
- Author: Mark Williams (@securemess)
Introduction
I've worked in the Australian cyber security industry since 2016. It's not without its oddities.
"Australian Experience"
When I first moved to Australia, multiple recruiters asked me the same question: "Do you have experience in Australia?". Despite then having 11 years' experience in cyber security -- in New Zealand, the UK, and Germany -- this was a question that I was seriously asked.
What makes Australia special such that one requires "Australian experience"? Nothing. Business culture is similar to New Zealand. In the UK there's a lot more complaining and drinking after work. In Germany... well, that's a topic for another day.
Unsurprisingly, nine years later, I've seen nothing significantly different in Australia's business culture compared to the other countries in which I've worked.
The ACSC
The Australian Cyber Security Centre, brought to you by the ASD... a spy agency. Notoriously, Edward Snowden showed the ASD's involvement in mass surveillance.
However, despite the ASD's clear conflict of interest, the ACSC's Essential 8 is followed religiously by many Australian organisations. The Essential 8 is cyber security 101; it's nothing one can't find in any cyber security textbook, course, or sprawled across the Internet.
Despite being part of a spy agency, the ACSC is rarely, if ever, criticised by cyber security professionals.
"I'm a CISO"
No, you're not a CISO. You don't have the word "Chief" in your title, and you still report to someone who reports to the CIO. You're N-5 from the CEO, and your LinkedIn profile shouldn't include the word "CISO".
Head of Cyber Security != CISO.
Vendors & SI Partners
Vendors are generally awful. In Australia, they're even worse because they can be. Many vendors are from the US, and hence organisations in Australia have little influence. SI partners are often incompetent; I've lost count of the number of incomplete solution architecture documents from SI vendors, including for systems on which I'm no guru.
The quality of service is generally too low. In my humble opinion, Australian organisations rely too heavily on SI partners for system implementation.
Unprofessional Hiring Practices
I've been ghosted twice by Australian companies. Twice I've been told that the job was mine; we agreed on my salary, and then... nothing. No contract arrived, no response to my follow-up, and I was left wondering, "What happened?". Likewise, I've been in a couple of Zoom/MS Teams first-round interviews in which the hiring manager was more interested in his phone than in interviewing me. I gave my feedback to HR or the recruiter that I had zero interest in working for someone who can't even make time for me.
I've been in first-round interviews in which I was repeatedly told that the interview was not a technical interview, only to be told that I wasn't technical enough for the position because I'm not a developer. My CV says nothing about software development, and I repeatedly told HR or the recruiter that I'm not a developer, but that apparently wasn't enough.
Unfortunately, this approach to interviewing staff -- disorganised, unprofessional -- is quite common in Australia. One hears an endless series of complaints about how difficult it is to hire cyber security professionals in Australia, yet hiring managers often -- not always -- make little to no effort. It's not uncommon for gaps between first and second interviews to be weeks long. It's not uncommon for organisations to lose people by being too slow to make an offer.