Australia is facing a severe cyber skills shortage, with the demand for skilled professionals far surpassing the available supply. With the proliferation of cyber threats and attacks becoming more sophisticated, the lack of a skilled workforce poses a substantial risk to Australia’s national security, privacy, and economic integrity.
A report from AustCyber found that Australia will need at least 17,000 additional cyber security professionals by 2026 to manage our nation’s cyber security and build a globally competitive cyber industry. While graduate numbers are expected to quadruple to 2,000 by 2026, this growth is not enough to meet our near-term needs. The cyber skills shortage will significantly hinder Australia’s ability to safeguard its digital landscape and capture the opportunity to triple revenue from the cyber security industry to $6 billion over the next decade.
Why is the cyber skills shortage an issue?
Beyond security concerns, the cyber skills shortage is also an economic issue. A lack of cyber security experts means organisations are more vulnerable to attacks which can result in financial losses, disruption of services, and erosion of customer trust. The true cost of cyber crime is difficult to identify, however its estimated cyber incidents cost the Australian economy up to $29 billion per year. A strong cyber security sector is also foundational to the success of all Australian industries, as it boosts confidence in Australia as a secure environment for businesses to pursue digital expansion.
National security risks
The cyber skills shortage leaves Australia’s critical infrastructure and government systems vulnerable to cyber espionage and attacks from nation-states and terror groups. There’s also concerns around the ability to safeguard the personal and sensitive data of Australian citizens, posing privacy and identity theft risks.
A lack of cyber professionals can potentially stifle the advancement and development of technology and innovation within the country.
3 ways to overcome the cyber skills shortage
To tackle this shortage, a multi-faceted approach is paramount, from educational reforms to fostering diverse skillsets to build a new generation of cyber security professionals.
1. Educational reforms and awareness
Engaging the future generation of cyber security professionals at a young age is key to overcoming the cyber skills shortage. Creating awareness about cyber security careers from an early age can inspire more young people to join the field. It’s important for schools and universities to offer cyber security courses and integrate cyber education into existing curricula. Partnerships between government, academia, and the private sector are also vital for developing comprehensive cyber security solutions and talent, and in defining clear career paths in cyber security.
Dr Michelle Ellis runs outreach and engagement programs for cyber security at Edith Cowan University and is the co-founder of the PeCAN Capture the Flag (CTF) event. “My experience in education has shown that digital technologies is a compulsory subject usually only to year seven and eight and after that it’s an elective”, says Michelle.
“Within the digital technologies’ curriculum, there’s only about two lines that indicate cyber security practices and that’s mostly about network security, cyber awareness, and how to be responsible for your personal identity. There’s nothing really in there that talks about cyber security as a career and it’s not a subject that students are encouraged to join. We did just have the computer science curriculum updated for the ATAR levels, which is fantastic, but students are still leaning towards choosing applied informational technology which is more about videography and graphic design but again not much about cyber.”
Michelle says that to help students learn more about cyber security, it’s crucial to run events like the PeCan CTF competition. Established in 2019 a ‘Perth versus Canberra’ friendly Capture the Flag (CTF) competition, the annual event has since grown to over 400 participants across ACT, NSW, QLD, SA, TAS, VIC and WA. The competition is aimed at high school students in years 10 and above and is designed to suit beginners through to experienced CTF competitors. PeCan is a weekend long event run through Edith Cowan University and includes a training day on Saturday followed by the competition day on Sunday where students implement the skills they’ve learned.
“Events like PeCan help students learn more about the field, meet people in the industry, talk to university students about their pathway and units they took at school, and get interested in it” says Michelle. “We also have school teachers come along to the event to learn about cyber security and feed it back into their schools. It supports this whole nurturing process of showcasing cyber security as a career but also giving them opportunities to practice it at school and feed the pipeline to get them into TAFE or university or even straight into the industry so we can fill this job market.”
RELATED CONTENT: Want a career in cyber security? Experts share 7 useful tips
2. The gamification of cyber
Gamification is one of the key elements of what makes CTFs and other educational events so attractive to a wider audience. Introducing complex cyber security concepts through engaging games and challenges transforms an otherwise daunting subject into an enjoyable and accessible experience, where they can grasp foundational knowledge, test their skills, and gain a sense of achievement. The competitive and interactive nature of games can foster community involvement and inspire participants to consider cyber security not just as a hobby, but as a rewarding profession.
We talked to Emu Exploit, the winning team from PeCan CTF+ 2023, about why gamification is so important in cyber. “PeCan provides a gamified experience, which is very appealing to young people and helps them get interested in the industry in the first place and build their skills from that, especially when events like this are free,” they said. “That’s the next generation we need to be upskilling and getting ready to go into the to the cyber workforce.”
Some of the team talked about how they first got into cyber security.
“The first CTF I did was the WA CTF in 2018. Unfortunately, that event is no longer around, but I had no idea what a CTF is until about a week before signing up. A friend of mine had just come across it and went ‘oh I like computers, I might have a go’. To be honest, part of the reason we went was because it was free pizza for a weekend, and it sounded like a good time. From there spawned an interest in cyber security and this little world of computing.”
“None of that would have happened if there wasn’t this gamified experience that was made available to somebody who was just starting out in high school. Even if it had been a paid event, if it had not been gamified and it had just been talks then I don’t think it would’ve really attracted me and I wouldn’t have ended up where I am now.”
“It’s also really accessible for employers and industry companies because it gives them an insight into the talent that’s coming up and allows people to showcase their talent. It allows those like companies to see that early and to adjust for that. It also gives people a good feeling when they solve something, and it makes them want to continue learning about what they’ve done.”
The Emu Exploit team also spoke about the importance of offering different educational formats and why school or university courses aren’t always the best way to learn.
“There are certain skills and knowledge which are best taught in the format of a lecture. However, the human attention span only lasts so long, and when you’re trying to teach a practical skill, something where there is a bit of nuance to everything that you do and huge amounts of variation, it becomes slow and tedious to try and teach these in a purely lecture style setting.
When you are engaging with any kind of challenge, when you’re doing practical work, every single fork in that journey, every possible action that you take, has a degree of nuance to it. It has a degree of problem solving. And to try and teach someone every possible outcome is not feasible and people won’t be able to pay attention to that. I think that CTF gamified learning is a really good way to build those practical skills because it keeps people engaged while they do it and it gives people that hands on intuitive experience which can just never be taught in a lecture at all.”
3. Invest in training and reskilling of diverse groups of people
There is a growing emphasis on providing training and reskilling opportunities to both existing IT professionals and people who are completely new to cyber security. When we invest in professional development and education programs for diverse groups of people, we not only rapidly increase the number of qualified cyber security professionals, but also enhance Australia’s overall security posture.
Kevin O’Sullivan, Group Executive Professional Services, says “There has been a lot of research on diversity across many of the Fortune 500 companies, with the key finding being that organisations with more diversity outperformed less diverse companies over the last five years. Studies have also shown that organisations with more diverse teams have above-average profitability, avoid more errors, and have less turnover.”
“From my experience, diversity of thought and lived experiences across varied genders, ages, and ethnicities leads to more creative ways of working. Promoting different perspectives brings unique ideas across the teams and both our crew and customers benefit from this. We all think differently, and when we collaborate, amazing things happen.”
Adrian Collins, Lead Security Architect, agrees. “It’s important to get the message out to people that there are lots of different ways to get into cyber. I got my current role after a career in service management process, application development, and other roles. Some of my colleagues got into cyber in completely different ways, through governance risk and compliance, and through law and psychology.”
“There’s so many different roles and I think that’s part of the reason why there’s a cyber skills shortage. There’s a lot of stereotypes about cyber security, like the guy in the black hoodie typing on a computer in a basement. When people think about cyber security, they tend to think about cyber criminals or intelligence organisations and spies. They’re not going to see themselves.”
“But in PROTECT+ I see so many different people. There’s more diversity in this small organisation that anywhere else I’ve worked. We’ve had gender-fluid people and people who are actively transitioning. We have people on the autism spectrum and with ADHD. We’ve got a higher representation of women than other areas. We’ve got people from all different learning, socio-economic, political, and cultural backgrounds. It just reflects that diversity, and it really does feel like a very supportive environment.”
How Kinetic IT is helping fill the cyber skills shortage
Kinetic IT’s PROTECT+ cyber security solution has a strong focus on nurturing the next generation of cyber security professionals, starting with our own crew.
“Everyone’s been talking about the cyber skills shortage for a very long time and you’re not going to fix that by going out to market for the same cyber professionals that other large companies are trying to attract,” says Adrian. “You actually need to develop them, so we do work to develop new cyber professionals from within Kinetic IT. We nurture the skills and careers of our existing employees and always post our jobs internally to see if there’s anyone that’s interested in joining.”
Kinetic IT encourages people from all walks of life to pursue a career in cyber, with initiatives such as Women in Technology WA’s (WiTWA) Techtrails, sponsor programs like the Go Girl tech conference, run by our long-term partner VIC ICT 4 WOMEN, our Aboriginal and Torres Strait Islander traineeship program, our partnerships with Registered Training Organisations such as The Gordon Institute. We also offer opportunities for different groups such as parents returning to the workforce and veterans transitioning into civilian careers.
Ryan Gray, Kinetic IT Operations Manager DOD ICTSD (Leeuwin Barracks) and volunteer Director of the Veterans Transition Centre, says “We have created an environment at Kinetic IT that is familiar and welcoming to veterans as everyone in the team, including myself, are either current serving ADF Reservists or veterans. We make it clear that this is an entry level role and therefore a stepping stone to transition from military to civilian career.
Ryan sees the benefits for everyone in upskilling and hiring diverse groups of people, particularly veterans “as they are not only people with a broad and diverse skill set and the ability to learn tasks quickly, but they also often hold a Federal Government security clearance which can take upwards of 12 months to obtain if never held previously”. It’s a great example of how looking outside of the traditional educational pathways can reap great benefits for both organisations looking to enhance their security posture and diverse communities looking to reskill.
RELATED CONTENT: Supporting veterans into ICT careers drives Soldier On Silver Pledge
It’s clear Australia’s cyber skills shortage is a pressing issue with far-reaching implications for national security, economic stability, and societal wellbeing. Tackling the shortage is not just about shuffling students through courses and filling vacancies; it’s about actively fostering a culture of cyber awareness and responsibility across the country and breaking down barriers to appeal to people of all different backgrounds.
When we invest in different ways of learning and embrace diverse skillsets, more people will see cyber security as a viable career and enter an environment where talent can thrive and protect the nation’s digital landscape.