
We need more training to become world leader in cyber security: Raj Samani of Rapid7

A cyber security giant says a lack of training to build a significant local workforce to fight cyber crime is thwarting Australia’s ambitions to be a world leader in the field.

Rapid7 Global Chief Scientist and Head of Research Raj Samani.

American NASDAQ-listed cyber security giant Rapid7 fears too few educational opportunities and a lack of public-private sector partnerships could dramatically undermine Australia’s ambitions to be a world leader in cyber security.

Rapid7 Global Chief Scientist and Head of Research Raj Samani, who has assisted multiple law enforcement agencies on major cybercrime cases and is a special advisor to the European Cybercrime Centre in The Hague, said the firm was prepared to invest significantly in cybersecurity education in Australia.

In his first visit to Australia last week, Mr Raj attended several round table meetings with leading Australian companies, which revealed their concerns about a lack of training opportunities to build a significant local workforce to fight cybercrime.

“As a country, as a nation, for foreign companies to see Australia as one of the most secure nations on the planet, it needs talent here. How can we create pathways for young students to come through an education program and work here in Australia,” Mr Samani said in an interview with The Australian.

“There appears to be a clear disconnect between having the aim of being the most cybersecure country in the world and being able to fulfil that because there isn’t the pipeline of talent coming through.”

Kurt Hansen, the CEO of Tesserent – Australia’s largest ASX-listed cybersecurity company – recently claimed Australia could reach that goal next year as he welcomed the federal government’s creation of a National Office for Cybersecurity within the Department of Home Affairs.

Rapid7’s Mr Samani said his firm had recently partnered with the University of South Florida in North America on an education program to allow “students in the US to come through and work on real data and projects.”

He said he would be open to striking similar partnerships in Australia.

AustCyber, the Australian Cyber Security Growth Network, has estimated that the shortage of local cyber security workers could reach 18,000 roles in Australia in the next decade.

Consulting giant Deloitte last year partnered with the University of Wollongong, TAFE NSW, and Swinburne University of Technology to launch Cyber Academy, the country’s first-ever programme initiative to boost the cyber security workforce.

Leading local firm CyberCX has also launched an academy designed to create new pathways for candidates to work in cybersecurity, which is initially bringing 500 additional cyber professionals into the workforce.

The first candidates have recently graduated.

Rapid7, which has a market capitalisation of more than US$3 billion, employs close to 100 people in Australia and runs an around-the-clock security operations centre in Melbourne.

It specialises in cloud-based services based on analytics that let businesses create risk-management programs to manage vulnerabilities, monitor for malicious behaviour, and investigate and shut down cyber attacks.

The firm now wants to develop partnerships with Australian law enforcement bodies to help bring cyber criminals to justice and has urged the local public and private sectors to work harder to collaborate.

“We want to provide the evidence so law enforcement can issue the indictments,” Mr Samani said.

While he welcomed the federal government’s creation of the National Office of Cyber Security within a new cyber security department, he added that “how you implement that has to be a partnership with the private sector.”

“It has to move away from marketing. There are many organisations that will say we work collaboratively with government. But you dig under the surface and see that they don’t really,” Mr Samani said.

Rapid7 last week released its latest Vulnerability Intelligence Report examining 50 of the most notable security vulnerabilities and high-impact cyberattacks globally in 2022. The report found that attackers are developing and deploying exploits faster than ever.

“We continue to see a shortened window between when new vulnerabilities are discovered and when they become leveraged in attacks. In 2022, 56 per cent of the vulnerabilities in our report were exploited within seven days of discovery, and more than 40 per cent of widespread attacks began with a zero-day exploit,” the report said.

“This means security teams have a steadily shrinking or simply non-existent window to patch new vulnerabilities and prevent successful attacks, which puts considerable strain on the already stretched security resources of many organisations.”

Last year’s attack on private health insurer Medibank by Russian hackers saw the leaking online of the personal details of 9.7 million current and former customers, after an earlier attack on telecommunications giant Optus.

The Vulnerability Intelligence report also found that challenging macroeconomic conditions in 2022 and 2023 had put further pressure on risk management teams within companies looking to drive efficiencies without compromising the integrity of sensitive data or business operations.

Especially in the current volatile macroeconomic climate, it warned that ongoing resource constraints could lead to hidden risk accumulation and the loss of technical expertise required for effective security operations, including emergency incident response capabilities.

“I don’t think cybersecurity has a lack of priority in boardrooms. But the most important question that boards need to ask themselves is who do you trust when something happens? Have a plan. If we are hit by ransomware, who are we going to call, are we going to pay the ransom, have we got insurance, etc? You have the opportunity to get all these things in order before you get hit,” Mr Samani said.

“Nobody expects you to be able to potentially withstand every attack and breach in the history of cyber security. But you must be able to articulate the reasonable measures you have implemented in order to protect the data your customers have entrusted you with. If you cannot do that, you will be held liable.”

Mike Rogers, former director of the US National Security Agency (NSA), warned recently that an improvement in diplomatic relations between China and Australia would not reduce the risk of cyber-attacks.

Mr Samani agreed.

“As long as there is crime, there will be cyber crime. Having partnerships with different nations isn’t going to stop somebody thinking they can make a quick buck,” he said.

“The technical barriers to work in cybercrime are the lowest they have ever been.”

Mr Rogers also warned that Australia’s move to increasingly automate its mining industry, its biggest driver of exports, made that sector more vulnerable to cyber attacks.

Last year PwC estimated that just over a third of all cyber-attacks in 2023 could target operational technology systems, such as mining operations.

But Mr Samani said the risk was more widespread across the economy.

“All sectors are a potential target and the information that firms hold and the IP they own is the lifeblood of these businesses,” he said.

Damon Kitney, Columnist

Damon Kitney writes a column for The Weekend Australian telling the human stories of business and wealth through interviews with the nation’s top business people. He was previously the Victorian Business Editor for The Australian for a decade and before that, worked at The Australian Financial Review for 16 years.


Original URL: https://www.theaustralian.com.au/business/more-we-need-more-training-to-become-world-leader-in-cyber-security-raj-samani-of-rapid7/news-story/b34718148aa278d81e23cd20a3990a69