A new report has found that Australia’s available pool of cybersecurity skills is smaller than realised.
The report, Australia’s Cybersecurity and Technical Skills Gap, an analysis by security provider StickmanCyber and based on an analysis of ABS census and labour force data, revealed a shortage of 10,000 technical roles throughout the country. There is just one cybersecurity professional for every 240 Australian businesses.
The lack of Australian security professionals is partially to blame for the spate of recent data breaches in the region — and increases the risk of future cybersecurity incidents.
According to the report, several factors contribute to the IT skills gap.
Firstly, there is a rapid pace of technological change combined with the evolving nature of cyber threats. This has created a demand for professionals with highly specialised knowledge that are not necessarily easy to train into an existing workforce.
Consequently, the supply of people with these skills is being outpaced by demand.
As Ajay Unni, CEO of StickmanCyber, said in an interview with TechRepublic: “Cybersecurity is a relatively new discipline, having only emerged in the last decade. It requires a multi-disciplinary approach, blending technical expertise with strategic oversight. Unfortunately, the talent pool with this unique skill set is limited, with larger enterprises often outcompeting smaller businesses for these professionals.”
The skills shortage will be particularly challenging for small to mid-sized enterprises, which often lack the resources of larger corporations and struggle to compete in an “arms race” for wages. As a result, they are increasingly turning to managed security service providers to fill the gap.
Companies are becoming comfortable with this approach, Unni said.
“Outsourcing cyber security is becoming as common as outsourcing IT, bookkeeping, and legal functions,” he explained. “But for this to be effective, organisations need to set clear goals and define the scope of work. This ensures they receive a high-quality outcome at a reasonable cost.”
However, relying solely on MSSPs isn’t a sustainable, long-term solution. Managed services work best in collaboration with internal teams, and SMEs still need to look for ways to develop their internal capabilities to manage and mitigate cyber risks. This requires a strategic focus on training and upskilling existing staff, as well as attracting new talent into the field.
Meanwhile, the Australian government has recognised the importance of cyber security and has initiated several programs to address the skills gap. These efforts include establishing multiple agencies at both the federal and state levels and appointing a national cybersecurity coordinator.
However, as previously noted on TechRepublic, this interest and commitment to cybersecurity is potentially a well-meaning catalyst for an even deeper skills challenge.
Furthermore, the effectiveness of these efforts is still debatable. As Unni said, “while these initiatives are positive, they often lack coordination. The multitude of agencies can lead to fragmented efforts.
“There’s a real need for a more unified approach to skills development, particularly in growing these skills in rural and remote areas where access to training and resources is limited.”
According to Unni, Australian organisations, educational institutions, and governments need to coordinate on both short- and long-term solutions to these challenges. In the short term, smaller cybersecurity firms can mentor new graduates and provide them with hands-on experience.
“Smaller firms should take new graduates under their wing and train them up,” Unni said. “Larger companies often have graduate programs, but these are frequently too competitive and difficult to access. Smaller firms can offer more personalised mentorship, helping bridge the gap between education and industry requirements.”
He also suggested that governments offer internships at cybersecurity agencies to encourage graduates to enter the field. “This would provide invaluable real-world experience and help build a pipeline of skilled professionals ready to meet the industry’s demands,” Unni noted.
Meanwhile, addressing the IT skills shortage properly requires a long-term, multi-faceted approach. Educational institutions can play a key role by updating curricula to reflect the latest developments in cyber security. This includes not only technical skills but also critical thinking, problem-solving, and strategic planning.
Moreover, there’s an urgent need to make the cybersecurity field more inclusive. Women remain significantly underrepresented in the industry. As the StickmanCyber research noted, just 16% of cybersecurity professionals are women.
This is a trend that must be reversed to fully tap into the available talent pool.
“Having been in IT and cyber for more than 35 years, I’ve worked with many women who have been amazing at what they do,” Unni said. “We don’t see any reason why this cannot be across the industry. With our national cybersecurity coordinator being a woman, I hope this will encourage more women to enter the profession.”
Australia has dug itself into a hole by moving slowly with cyber security. Fixing the problem will require some significant effort. This means a national effort across the private and public sector to invest in education, offer targeted training programs, and create pathways for underrepresented groups to enter the field.