SCP - Chapter 2 - The potential: Australia could become world-leading in cyber security

Key points in this chapter

  • Cyber security in Australia employs around 20,500 people
  • Total expenditure is A$5.0 billion in 2018
  • More than three-quarters of the market is dominated by foreign companies, mostly with local bases employing Australians
  • Many local companies are not harnessing their full export potential
  • Australia can compete most effectively in software (in areas of distinctive research capability) and services (in the protection stack and underlying processes)
  • A$3.9 billion spent on external cyber security 2018
  • A$1 billion on their internal cyber security functions in 2018
  • Small but fast-growing sector
  • Strong cyber security will enhance Australia’s global reputation as a trusted and secure place to do business
  • Foundation for future success of all industries in national economy

2.1 Overview

Cyber security in Australia is a small but fast-growing sector that is starting to rapidly mature. It is estimated to employ approximately 20,500 people, either as part of an organisation’s internal cyber security workforce or through external cyber security providers. Total expenditure on cyber security in Australia in 2018 amounted to approximately A$5.0 billion. Australian demand and employment is dominated by outsourced cyber security services, and more than three-quarters of this market is controlled by foreign companies – though mostly operating from local bases and employing Australians. Software and hardware markets are dominated by direct imports.

Despite this, there are already a number of home-grown cyber security success stories. Australian cyber security providers have developed strong offerings in software and service niches. Several Australian software companies have also joined global value chains and established worldwide reputations for their products. Developments over the last year are particularly promising. Interviews conducted for this updated Sector Competitiveness Plan indicate that procurement officers are increasingly aware of the growing number of Australian cyber security providers with compelling products and services. AustCyber’s new initiative GovPitch has contributed to this growing awareness by offering a space for domestic cyber security startups to pitch their solutions to public sector officials and stand a chance to secure a government contract. The cyber security workforce has grown strongly, despite a persistent talent shortage in Australia.

Australia’s internationally successful cyber companies have continued to expand, including Bugcrowd, Dtex Systems and UpGuard. Many are building on their international success as a lever to drive further expansion at home.

However, many Australian cyber security service companies are still failing to harness their full export potential. This is at odds with evidence that Australia is considered a services hub, with Australian businesses generally earning much more revenue (relative to national GDP) from services than their peers elsewhere in the world. Cyber security companies could do more to make use of this fundamental country-specific advantage.

Given the small scale of the domestic market, Australia will struggle to become globally competitive in all segments of the cyber security sector. Instead, limited resources should be targeted to parts of the cyber security sector that are both attractive and where Australia can compete most effectively. Analysis suggests this includes:

  • software – in areas of distinctive research capability
  • services – in the protection stack and underlying processes.

While these segments will be the initial focus of industry development, many government and AustCyber actions will also support the competitiveness of the industry as whole.

Australia should also consider the opportunity in cyber security to build on other national sector strengths, such as resources and financial services. By building products and services that address the specific cyber security needs of these sectors, Australian companies can develop distinctive, competitive offerings for the global marketplace.

Cyber security services will likely experience a much stronger growth in demand than cyber security hardware and software

2.2 Strong local demand for cyber security services

Increasing risk awareness has led companies to invest more heavily in the safety of their networks and IT systems. According to a recent Telstra survey, 84 per cent of Australian companies are planning to increase their overall security spending (cyber and electronic) over the next 12 to 24 months. Only 2 per cent of respondents are planning to decrease their security budgets.1

In 2018, total external spending on cyber security in Australia reached A$3.9 billion (see Figure 9) and is expected to remain strong. From 2018 to 2026, external cyber security spending in Australia is likely to increase more than twice as fast (7.9 per cent annual growth) as broader IT spending (3.8 per cent), which was almost A$91 billion in 2018.2 It is estimated that Australian organisations spent a further A$1 billion on their internal cyber security functions in 2018.

The demand for cyber security products and services in Australia is comparable to global demand trends, but with a larger emphasis on services. Figure 9 shows that around 71 per cent of the local sector’s external demand is for cyber security services, compared with around 60 per cent globally. Demand is particularly strong for services that strengthen the operational security of a business or other organisation. The dominance of the services segment in Australia may be partly explained by the particular structure of the local economy, where small and medium-sized enterprises make up around 95 per cent of all Australian businesses. These businesses may lack the scale and resources to run in-house cyber security management teams.

Over the next decade, the current demand pattern is set to intensify as organisations are expected to make even greater use of outsourced services to manage growing security needs and a proliferation of security breaches. It means that cyber security services will likely experience a much stronger growth in demand than cyber security hardware and software. This basic trend applies to both Australia and the world, but in Australia the additional demand is expected to bolster a broad spectrum of different security services – from the protection stack to underlying processes – whereas globally demand is expected to strengthen most notably for security operations services.

Figure 9 – Breakdown of Australian external cyber security spend

Figure 9

2.3 Much of local demand is met by foreign companies

Foreign providers meet much of the existing domestic demand for cyber security products and services. For example, currently there are no local companies among the 15 largest software providers by value in the Australian cyber security market. The combined market share of Australian companies is estimated to be less than five per cent. It is a similar picture in hardware, with no major Australian hardware providers. The representation of Australian companies is stronger in services. Noting that the market data is not strong, interviews and other sources suggest the market share of Australian home-grown services companies is about 25 per cent, while around half of the market is served by foreign-owned companies with core personnel in Australia (this excludes foreign companies with only a sales presence in Australia).3

Putting these findings together provides a view of Australia’s cyber security sector revenue – defined as the revenue from the sale of cyber security products and services by businesses with a core team in Australia.4

Figure 10 shows that Australia’s cyber security sector generated around A$2.6 billion in revenue in 2018 (see Appendix B for details of the methodology and assumptions).5

Figure 10 – Breakdown of Australian external cyber security spend

Figure 10

There are important signs over the last two years that the local sector is maturing. The pace of mergers and acquisitions across the sector is increasing, with the acquisition of Hivint by Singtel, Aleron by EY, SmartEncrypt by Rhipe and the recent creation of CyberCX, which combines 12 Australian cyber security services firms under a single brand. The flow of capital into cyber security in Australia also appears to be improving, with a number of Australian firms completing significant capital raisings during 2018 and 2019, including archTIS, Cloud Conformity, Kasada, Secure Code Warrior and Vault Cloud.

While employment in cyber security in Australia has increased above 20,500 in the last year, limited availability of skilled workers is still a significant challenge constraining the growth of the sector (see Chapter 3 for further details on the skills challenge). Government, educational institutions and industry are working hard to ramp up cyber education and training but it will take some time for the impact of these initiatives to be observed in workforce growth.

Foreign service providers with local operations remain the largest employer in Australia’s external cyber security market (as seen in Figure 11). Multinational corporations currently employ around 7,000 cyber security workers. Since many services are difficult to import directly (for reasons discussed in the previous chapter) and need to be provided through local operations, these companies make a very significant contribution to the overall workforce. They are only exceeded by internal employment of cyber security teams, which is estimated to be around 9,000 workers.

Figure 11 – Breakdown of cyber security employment in Australia by the type of firm*

Figure 11

2.4 Local cyber security companies are competitive in software and services

Australian companies have been successful in areas of both software and services, in both domestic and international markets.

Software

In software, there is a strong ‘beachhead’ of Australian companies in the area of security operations. Companies such as Covata, StratoKey, Airlock Digital, Kasada and Huntsman have developed successful software products and established market presence both in Australia and in international markets.

Australian cyber security software companies are also exporting their products in the protection stack area (for example, Mailguard) and in the area of underlying processes (for example, Secure Code Warrior).

Hardware

The representation of local companies in hardware is weaker, although the innovative work of Penten (see Box 4), QuintessenceLabs (see Box 14), Amplify Intelligence and Serinus Security demonstrates that Australian companies can still play a strong role in niche areas of hardware.

Box 3

ArchTIS: Canberra-based tech company tackles the information sharing trust deficit

One of the most challenging issues facing government and industry in a digital age is how to securely share sensitive, valuable and classified information. While sharing information comes with benefits for productivity and service outcomes, it does come with risks. Malicious actors and cyber criminals are targeting this information, which can threaten national security and lead to financial and reputational harm.

archTIS was founded in 2006 to solve this global critical problem. The company built its credentials in the TOP SECRET information environment, with various consulting contracts in Australia and abroad.

One of these contracts included building an information sharing and collaboration platform for Defence, which would enable users to share TOP SECRET/SCI classified information between Australia and the United States. The platform did this using a revolutionary tagging method, based on Attribute Based Access Control (ABAC).

archTIS saw a broader need for collaboration of classified information across government, particularly at the federal level. The company raised private and eventually public equity to develop the fourth generation of the platform for government to government and government to industry collaboration at the PROTECTED level.

This platform is now available as a Digital Transformation Agency (DTA) assessed cloud service, and as an on-premise (Kojensi Enterprise) or deployable platform (Kojensi Field) for collaboration up to TOP SECRET.

The key benefit of this platform is its multi-level security model, enabling it to host information of varying classification levels where each user accesses only what they are entitled to access.

Since launching in April 2019, archTIS’ Kojensi platform has been met with strong demand and understanding in Australia and abroad.

archTIS has:

  • successfully listed Kojensi Gov on the DTA’s Cloud Marketplace;
  • been invited to NATO to demonstrate the platform to NATO Communications and Information Agency staff;
  • deployed the platform to the company’s first client – Australia’s Attorney General’s Department;
  • entered the intelligence and law enforcement market, selling to the Australian Criminal Intelligence Commission; and
  • expanded to New Zealand with a reseller agreement with local company Team Asparona.

The company sees its uses expand well beyond government, including the Defence supply chain, multi-coalition collaboration and universities conducting research for government and Defence.

ArchTIS

 

Box 4

Penten: Cyber deception for trapping attackers and high-grade encryption for mobility

For Penten, the last 12 months have been about scaling up, managed services, and yet more growth and innovation, including:

  • signing major projects, including with Defence;
  • growing their customer base in Australia and the UK;
  • increasing staff numbers from 50 to 75;
  • experiencing a 100 per cent revenue increase for the third consecutive year; and
  • launching two new products – the AltoCrypt Phone and TrapAir (a WiFi honeytrap).

At the release of AustCyber’s first Sector Competitiveness Plan in 2017, Penten also launched AltoCrypt Stik – its flagship secure mobility product for Defence and other government agencies. Penten’s AltoCrypt Stik is a secure, small and discreet USB device that enables government users to access highly classified networks wirelessly, both in the office and remotely. AltoCrypt Stik has been described as the game changer for access to classified information, and Penten has secured significant government contracts to deliver the capability, including to Defence via the Defence Innovation Hub.

In 2019, Penten rebranded their new Applied Artificial Intelligence (AI) business unit in response to growing customer demand. The team has commenced several new partnerships with international and local businesses to expand cyber deception offerings. Their AI expertise is used to support cyber training, testing and automation. These new offerings include Honeytrace (a joint offering with Australian startup WorldStack) to detect data theft of customer and business records, and TrapAir, an innovation that mimics your WiFi hotspots to detect malicious interactions with your computer networks.

AustCyber has provided customer introductions, mentoring and market awareness opportunities to Penten. ‘AustCyber has encouraged us to work with other Australian cyber businesses to create more complete and compelling offerings,’ says Penten’s CEO, Matthew Wilson. ‘Our partnership with QuintessenceLabs was born out of collaboration opportunities created by AustCyber.’

Penten continues to grow its security cleared and highly experienced team – adding project managers, logistics and finance professionals – along with significantly growing its hardware, software, networking and security engineering capabilities. Penten has focused heavily on building the team, processes and artefacts to shape Australian solutions ready for export. The outcomes enable customers to solve their challenges with world leading capability that can be simply transitioned into service.

Penten

Services

The services segment of Australia’s cyber security sector contains a large number of local companies. In the protection stack, Australian companies such as archTIS and Shearwater Solutions provide services in security architecture and penetration testing. Security operations are dominated by service providers managed by large multinationals, but does include some smaller Australian companies including Telstra.

Australia is strongest in the third security need area of underlying processes. In addition, Australia’s universities and TAFEs are increasingly participating in the services segment by providing cyber security courses designed to train students for work in the sector (see Box 9 for details).

An increasing number of local companies are exporting their services, with particular success in the Indo-Pacific. Among those that do have a significant presence abroad is Bugcrowd (see Box 1). The company was founded in Australia in 2012, but has since shifted its headquarters to San Francisco, partly for better access to venture capital. Telecommunications company Telstra has ventured into Southeast Asia, through a partnership with Telkom Indonesia, comprising a jointly managed data network and security services. Other examples of cyber service providers with large international operations include risk-analysis company UpGuard and endpoint-protection company Dtex Systems. Both were founded in Australia but, similar to Bugcrowd, are now headquartered in the US. Some Australian universities also ‘export’ education by offering cyber security courses to international students.

Revealed competitive advantage

The concept of revealed comparative advantage (RCA) can help identify country-specific strengths by measuring an economy’s current supply of a product or service against the backdrop of global supply. It measures how much more or less successful that country is than the world average when supplying a particular good or service. An RCA index value above 1 signals that a country enjoys a comparative advantage in the supply of a certain product or service. In contrast, an index value below 1 indicates a disadvantage relative to other suppliers globally.

The analysis in Figure 12 reveals that Australian companies and foreign companies with core operations in Australia already earn much higher revenue (relative to national GDP) in services than their average peers worldwide. This highlights a substantial comparative advantage in the services segment of the cyber security sector. The situation, however, is reversed in the hardware and software segments, where the current revenues (relative to national GDP) of Australian companies and foreign companies with core operations in Australia are significantly lower than the equivalent world average, signalling a comparative disadvantage.

Figure 12 – Revenue and advantage

Figure 12

 

2.5 Australia’s opportunity: focus initially on a limited number of segments

Australian cyber security companies have proven to be successful abroad, even in highly competitive markets such as the US and Europe. To emulate the success of these local ‘pioneer’ companies across the wider Australian cyber security sector, Australia needs to identify and focus on its country-specific competitive advantages. The talent base and resources also need to be developed to turn Australia’s strengths into a competitive edge. While the role of AustCyber is to promote and improve the competitiveness of the entire cyber security industry, it will also support the development of several initial focus segments.

In developing this updated Sector Competitiveness Plan, a rigorous framework of analysis was used to identify several segments within the Australian cyber security sector that promise the largest opportunities for the Australian economy over the next decade. Seven segments appear most noteworthy – three software segments and three services segments meeting the three basic security needs (protection stack, security operations and underlying processes), and one segment for hardware. To understand which of these segments warrant the greatest initial focus, they were analysed according to their:

Attractiveness – This is based on the segment’s size and growth internationally and in Australia, its exportability, its potential to create jobs and the quality of those jobs, and its fit with technological trends.

Competitiveness – This is based on Australia’s ability to compete, considering existing presence, any revealed comparative advantage, and the segment’s match with Australia’s skill profile.

As a result of this analysis and tested through extensive interviews with industry participants, three focus segments stand out: software (prioritising areas of existing research strength), services in the protection stack, and services in underlying processes.

Figure 13 – Cyber security sector segments assessed on attractiveness and Australia's ability to compete

Figure 13

 

Software

Software is an attractive segment in both security operations and the protection stack. It has a strong existing presence in the protection stack and the largest forecast increase in demand for security operations. Software products are highly exportable and generate high-quality jobs. The convergence of IT and OT, mobile internet and the Internet of Things will also have a positive effect, multiplying the complexity of networks and security operations. Automation is also likely to emphasise software at the expense of services, as developments in AI and advanced machine learning lead to more sophisticated software-based solutions.

Given the appeal of both these areas for software, the best approach for Australia is to consider software as one broad segment and then identify specific areas of research capability to build on for a strong software ecosystem. Two possible areas of focus are cryptography (which is typically applied in the protection stack) and data analytics (in security operations). However, these will need to be further refined through more detailed assessment of Australia’s comparative research strengths.

Though software is an attractive segment, it is not as strong in terms of competitiveness – the evidence is not as strong for Australia’s ability to compete effectively in software. Australia’s current revenue in software is very low, which implies a lack of comparative advantage. However, several companies have succeeded both domestically and in export markets. These include Huntsman and Stratokey. These ‘beachhead’ companies can provide a model for the development of a stronger Australian software segment.

Services - protection stack

The protection stack includes a range of services that protect organisational networks, applications and endpoints from malicious attackers (see Box 5 for an example). Specific services include network security architecture, firewall configuration and management, penetration testing, vulnerability assessment, and patch and configuration management. Services in the protection stack currently comprise the second largest segment in the Australian industry – after services in security operations – and this area is forecast to experience continued strong demand growth.

While harder to export than software, protection stack services are still relatively exportable due to less need for in-country technical teams to provide the services than is the case in security operations. It requires a strong supply of medium- to high-skill workers, which matches well with the skill profile of the Australian cyber security workforce. The convergence of IT and OT along with the Internet of Things are two trends that increase the number of network endpoints and the need to protect them. Automation may have some negative impact on employment in the protection stack services market, but the strong outlook for demand growth means the negative effect should remain limited.

Australia already has a strong competitive advantage in cyber security protection stack services

In interviews, many CISOs and CIOs say services such as penetration testing and network security architecture are currently Australia’s most outstanding segments in the cyber security sector. Australian companies are already successfully exporting these services. Mailguard, for example, has developed an email and cloud security service that is now sold in 27 countries worldwide. Mailguard’s solution builds on a platform of ‘Software as a Service’ (SaaS) to create what is effectively a niche-managed service providing email filtering.

Box 5

ResponSight: Identifying cyber risks in new ways

ResponSight is an Australian data science company focused on delivering behavioural reputation and risk insights using only statistical and telemetry data, while avoiding the collection and storage of risky sensitive or private information.

While traditional systems actively search for cyber threats, ResponSight focuses on monitoring a person’s typical behaviour by collecting numerical, mathematical and statistical data with the help of cloud-based analytics engines. ResponSight consolidates and analyses metrics usually ignored by traditional technologies to understand a user’s ‘behavioural fingerprint’, that is a unique, nuanced way of how people use their computers.

ResponSight says its approach is more innovative than many other approaches that analyse user behaviour by relying on incomplete or inaccurate log data or centralised Security Incident and Event Management repositories. It says endpoint analytics collected in this new way allow it to create behavioural fingerprints that provide insights not available in existing technologies. ResponSight’s approach allows organisations to improve the value of their existing investments, and potentially reduce time and effort associated with alert management and incident investigations.

Founded in 2015, ResponSight has partnered with a national advisory firm to deliver technology and services in incident response and forensics, with plans to expand its customer base into the US in 2020. ResponSight was part of trade missions to San Francisco in 2017 and 2018, jointly organised by AustCyber and Austrade.

ResponSight

Services – underlying processes

Organisations seeking to increase the security of underlying processes can choose from various services, including the development of cyber security strategies, risk and compliance policies, employee training, and measures to raise the general awareness of cyber security risks (see Box 6 for one example). Services to improve underlying processes represent about 16 per cent, or A$421 million, of the total external spending on cyber security services in Australia (see Figure 5).

The exportability of services varies considerably. Governance, risk and compliance, for example, is challenging to deliver without having a strong technical team on the ground that understands a country’s regulatory environment. In contrast, awareness, training and oversight services can be delivered remotely. Cyber security training appears particularly well suited for exporting, as it can be offered online or through international student enrolments.

Education-related travel services are now Australia’s largest non-resource export, generating A$28 billion in the fiscal year 2017, or 7.5 per cent of total export revenues.6 The quality of Australian education is highly regarded abroad, particularly in the Indo-Pacific region. As continued strong global growth in cyber security creates demand for skilled professionals (see Chapter 4 for details on skills shortages), Australia’s experience in export of education means the nation’s universities and vocational training institutions are well positioned to exploit this opportunity. Several universities and training institutions are already active in this segment and report a high number of international students in cyber security programs, especially in Masters study programs.

Similarly, Australia already has a strong ecosystem of local companies offering cyber security governance, risk and compliance services. While most have not yet attempted to export these services, some are currently exploring more scalable service delivery models that may enable exportability. Cyber security company Hivint, for example, has established an innovative service platform Security Colony which it is now launching in the US through the Australian Landing Pad Program.

Box 6

Airlock Digital: Keeping cyber intruders at bay

Airlock Digital, an Australian company founded in 2013, helps keep cyber intruders out of an organisation’s network by enabling organisations to implement application whitelisting.

Application whitelisting is the practice where organisations specify which applications (such as programs, software libraries, scripts and installers) are trusted, while blocking everything else by default. This strategy is recognised by the Australian Signals Directorate as one of the most effective strategies to mitigate against malicious cyber security incidents.

But what sounds simple in theory, is often a challenging endeavour for both small and large organisations. Airlock Digital exists to solve this challenge, offering application whitelisting solutions focused on ease of implementation, incorporating workflows that align to the customers’ existing business processes.

Unlike signature-based file blocking (blacklisting) such as antivirus software, Airlock Digital’s solution proactively sets up barriers to ensure attackers cannot execute malicious and unknown code. Airlock then verifies, monitors and records all file executions, permitting only authorised files to run in customer environments. This makes the solution extremely effective at preventing both opportunistic and sophisticated attacks, including ransomware. Airlock Digital provides customers with proactive security that reduces the need for incident response and provides insight into the files and scripts that exist within their organisation.

Airlock Digital application whitelisting has proven effective in many industries – including government agencies, critical infrastructure, large enterprises, education and small business both domestically and abroad. Airlock has recently accelerated their business by partnering with CrowdStrike to deliver application whitelisting through the CrowdStrike platform internationally in 2020.

Airlock Digital's process

These three segments – software, services in the protection stack, and services in underlying processes – will be the initial focus of efforts to develop a globally competitive Australian cyber security sector. However, many of the strategies and actions proposed for AustCyber and others to support of these segments will also benefit the wider cyber security industry. AustCyber will regularly review the set of focus segments to respond to changes in the industry structure and technology trends that have not been anticipated.

2.6 Playing to Australia’s strengths

Australia’s most promising opportunities in cyber security, while driven primarily by the attractiveness and feasibility of the different product types and security needs, should also consider opportunities emerging from the varying needs of different industries that use cyber security.

While all industries have the same basic security needs, the specific cyber security threats they face – for example, protecting large quantities of confidential user data or hardening the resilience of operational technology – informs the specific mix of products and services required. This means there are potential sources of comparative advantage for Australian companies in the industry composition of Australian cyber security demand, the industry mix of the broader economy, and in the nation’s export performance.

The Australian Cyber Security Industry Roadmap, jointly developed by CSIRO Futures, Data61 and AustCyber, specifically identifies growth opportunities at the intersection of cyber security and Australia’s five other priority growth sectors: medical technologies and pharaceuticals; mining equipment, technology and services; advanced manufacturing; oil and gas; and food and agribusiness.

One other example of such industry strengths is financial services. Australia’s financial services companies are the largest users of cyber security in the country. They account for almost one-third of the nationwide security demand, which means they are a much more relevant customer group for cyber security providers in Australia than financial services companies are elsewhere in the world, as illustrated in Figure 14. Financial services organisation face some of the most challenging threats to their cyber security, as the convenience of modern consumer banking – featuring ATMs, point-of-sale systems and mobile banking – has vastly increased the number of endpoints that need to be protected. Banks are also responsible for some of the most sensitive consumer and corporate data, and risk serious reputational damage in case of a breach.

Cyber security companies could harness Australia’s strength as a regional banking and finance hub by tailoring their products and services to the specific security needs of financial services companies. This would allow them to quickly build scale and reach international markets. Interviews with successful Australian cyber security companies revealed several have pursued this strategy effectively. The financial services sector can also play a valuable role through investment in, and becoming an anchor customer for, Australia’s cyber security startups. Westpac, for example, has invested in both QuintessenceLabs (Box 14) and Kasada (Box 7) over the past two years.7 The most recent investment in Kasada demonstrates a large market opportunity for the financial services sector to help scale cyber security products that their customer base can then also adopt.

Figure 14 – Cyber security external spending by industry scaled for size of economy

Figure 14

 

2.7 Size of the prize: Australia’s cyber revenue could more than double by 2026

Australia could harness substantial benefits from developing a globally competitive cyber security sector – even beyond the strong forecast growth in the industry over the next decade. ‘Business-as-usual’ forecasts imply revenues in the Australian cyber security sector could more than double from A$2.2 billion in 2016 to $4.7 billion in 2026, as shown in Figure 15.

However, the growth potential is even bigger if Australia undertakes concerted actions to support the three initial focus segments – software, services in the protection stack, and services in underlying processes. In this case, revenues in the domestic cyber security sector could increase to A$6.0 billion in 2026, which equates to an annual growth rate of almost 11 per cent over the decade.

If Australia undertakes concerted actions to support the three initial focus segments, revenue could increase to $A6 billion in 2026

Figure 15 – Forecast cyber security external revenue growth between 2016 and 2026*

Figure 15

 

This revenue growth would generate new jobs in the Australian cyber security sector. ‘Business-as-usual’ forecasts, illustrated in Figure 15, suggest employment could increase by 7,500 jobs – from 19,000 in 2016 to 26,500 in 2026.

However, the job potential is significantly greater (see Figure 16). If Australia takes decisive action to develop the three focus segments in the cyber security market, in which it already has a competitive advantage, a further 5,100 cyber security jobs could be created. To reach this workforce growth goal of 12,600 more jobs, workers lost from the sector through natural retirement and workers moving overseas will also need to be replaced. The workforce could grow even further if Australia can address the current skills shortage, as discussed in more detail in Chapter 3.

This growth potential is substantial but may still be relatively conservative, as it is based on ‘business-as-usual’ forecasts and assumes modest improvements in the three focus segments. The performance of leading countries globally in cyber security sector development shows that, if aspiring to global leadership in cyber, Australia could target a much larger sector and workforce by 2026. If Australia could match the performance of global leaders such as the US and Israel, the cyber workforce would expand to almost 60,000 with industry revenue of $11 billion in 2026.8

Figure 16 – Forecast cyber security workforce growth between 2016 and 2026*

Figure 16

 

This growth potential is substantial but may still be relatively conservative, as it is based on ‘business-as-usual’ forecasts and assumes modest improvements in the three focus segments. The performance of leading countries globally in cyber security sector development shows that, if aspiring to global leadership in cyber, Australia could target a much larger sector and workforce by 2026. If Australia could match the performance of global leaders such as the US and Israel, the cyber workforce would expand to almost 60,000 with industry revenue of $11 billion in 2026.8

Cyber investment also has large spillover benefits

Developing a globally competitive cyber security sector in Australia will have significant spillover benefits to the wider economy. Strong cyber security will enhance Australia’s global reputation as a trusted and secure place to do business, increasing demand for other Australian goods and services exports. This is because cyber security is not only a ‘vertical’ sector in the economy, but a critical ‘horizontal’ enabler of activity across other sectors. Without strong cyber security, organisations cannot safely and effectively digitise their operations and realise the significant growth benefits that flow from investments in ICT.

Strong cyber security will enhance Australia’s global reputation as a trusted and secure place to do business

Analysis of the global benefits and costs of different cyber scenarios provides some sense of the potential impact of cyber security on Australia’s broader economy. Research for the Atlantic Council found that cyber security expenditure, while a significant annual cost to the global economy for many years to come, support investments in ICT that yield massive cumulative benefits over the long-term. In Australia, the difference between strong cyber leading to a positive future, and weak cyber leading to lack of trust and investment, could be more than 1 per cent higher GDP by 2026. In the worst-case scenario, where cyber attacks generate constant and widespread disruption to ICT usage, Australia’s GDP could be more than 5 per cent lower in 2026 than the base case. This modelling, while based on global rather than national scenarios, demonstrates that cyber security is a critical driver of growth.

However, the role of cyber security in enabling growth is still not well accepted. A 2016 Cisco survey by of senior executives across 10 countries including Australia, found that only one-third believed the primary purpose of cyber security is to enable growth.9 The remaining two-thirds still viewed cyber security as principally for risk reduction. Less than half perceived cyber security as a source of competitive advantage for their organisation. Further research to understand the impact of cyber security on the growth outlook of the Australian economy could help to change this mindset and support appropriate investments in cyber capability by Australian organisations.

There are also signs that senior executives are beginning to change their understanding of cyber security from risk mitigation to strategic opportunity. In a survey conducted in 11 countries including Australia for KPMG’s 2019 Global CEO Outlook, 71% of CEOs said they now see cyber security as a strategic function and a source of competitive advantage.10 This is markedly higher than previous surveys have found.11 Further research to understand the impact of cyber security on the growth outlook of the Australian economy could help foster this emerging mindset and support ongoing investments in cyber capability by Australian organisations.

Box 7

Kasada: Youth and innovation stopping malicious web bots

Kasada

Sam Crowther, the now 24-year-old founder of Australian cyber security startup Kasada, has developed a ‘road spike’ tool to stop fast moving cyber attacks, called Polyform. The tool foils malicious internet bots by bombarding them with irritating tasks until they give up.

Bots are pieces of code that cyber criminals use to dupe online customers. Wherever people sell something desirable online, bots are usually not far away. For example, they enter the websites of ticketing agencies, e-commerce shops and hotel chains to manipulate their content, pretending concert tickets, limited-edition sneakers or luxury rooms are sold out. Then they offer the same product on eBay and other marketplaces for a higher price, cashing in on the difference. Anyone completing online transactions is susceptible to bots and malicious automation.

It usually only takes bots a few seconds to do the damage, as cyber adversaries have now automated their assaults. They let thousands of bots simultaneously attack websites, leaving traditional cyber defences overwhelmed.

‘There’s so much power in the code, and automation is ubiquitous,’ says Crowther, who as a high school student gained critical work experience with cyber teams at the Department of Defence and Macquarie Group. At just 19 years old, he discovered that blocking malicious code from entering a website is much more effective than trying to destroy it. ‘The solutions people have used so far against bots are nothing more than a band-aid,’ says Crowther. ‘Cyber criminals are increasingly using sophisticated automation to launch attacks, which is why automation is key to staying ahead of the threats.’

Polyform detects and mitigates malicious bot traffic that other security measures are unable to identify. The security Software-as-a-Service offers strategic protection on a massive scale against attacks on websites, mobile apps and APIs, including account takeovers, data-scraping and other unwanted automated activities. With a time to value of under 30 minutes, Kasada offers a unique, cost-effective solution to bot attacks that improves network bandwidth saturation, computing infrastructure costs and digital marketing ROI.

Kasada’s defence strategy proved so successful that it’s now trusted by ASX 100, Forbes Global 2000 and mid-sized enterprises in Australia, the UK and US.

Craig Templeton, Chief Information Security Officer at realestate.com.au, appreciates the speed of deployment that Kasada provides. ‘You can be up and running in minutes. Kasada has nailed the onboarding process and once you start to see bots being blocked in real time, wanting to turn it off becomes really hard – they’ve nailed the customer acquisition fierce.’

The company’s latest success includes securing a $7 million investment led by CSIRO’s venture capital fund Main Sequence Ventures, Westpac’s venture capital fund Reinventure Group, and In-Q-Tel, the internationally respected non-profit organisation that delivers technology capabilities to support the Australian and US national security communities.

Kasada will use the capital to hire more Australian-based software engineers, expand its US team, and step up marketing and sales support. In the past 12 months, the company has doubled its team and revenue, and rolled out more bot fighting technologies.

‘In today’s highly connected world, a secure digital experience is key to building and retaining trust,’ says Crowther. ‘Smart businesses know cyber security, data protection and customer experience are inextricably linked.’

  1. Telstra (2019), Telstra Security Report 2019.
  2. Which 50 (2017), ‘Australian IT Spend Nears $87 Billion: Gartner’. Available at: https://www.arnnet.com.au/article/660273/australia-it-spending-reach-94b-2019/
  3. Services are more likely to be provided locally due to the lower exportability of cyber security services compared with hardware and software.
  4. Estimating sector revenue requires subtracting imports (defined in this context as cyber security products and services provided from abroad, without core personnel in Australia), and adding exports (defined as revenue obtained from serving foreign customers from Australia). This definition captures all the revenues that contribute to Australian cyber security employment.
  5. Estimating gross revenue or value added for the cyber security sector is difficult because of the lack of sector-specific data on cyber security collected by the Australian Bureau of Statistics. Cyber security, for example, does not appear in the Australian and New Zealand Standard Industrial Classification, which is used for the compilation of industry statistics in Australia. One cyber security-related profession, ICT Security Specialist, occurs at the 6-digit level of the Australian and New Zealand Standard Classification of Occupations, but little employment data is collected or reported at this low level.
  6. Austrade (2017), ‘Australia’s export performance in FY2017’.
    Available at: https://www.austrade.gov.au/news/economic-analysis/australias-export-performance-in-fy2017.
  7. Australian Financial Review (2017), ‘Westpac’s Kasada deal points to cyber security as a service’. Available at: http://www.afr.com/business/banking-and-finance/financial-services/westpacs-kasada-deal-points-to-cyber-security-as-a-service-20180324-h0xx9h.
  8. Given the lack of standardised data globally about the size of different countries’ cyber security workforces, direct comparisons are difficult.
    Available data indicates that the US and Israel have around 200 to 250 cyber workers per 100,000 people. In Australia that number is around 80, and the potential 2026 workforce identified in Figure 16 would bring that to around 120 per 100,000. For more information see CyberSeek (2018), Cybersecurity Supply Demand Heat Map, available at: http://cyberseek.org/heatmap.html and Haaretz (2017), ‘Israel at Risk Amid Shortage of Cyber Security Experts’,
    available at: https://www.haaretz.com/israel-news/business/israel-at-risk-amid-shortage-of-cybersecurity-experts-1.5491404.
  9. Cisco (2016), Cybersecurity as a growth advantage. Available at: https://www.cisco.com/c/dam/assets/offers/pdfs/cybersecurity-growth-advantage.pdf.
  10. KPMG (2019), Agile or irrelevant: 2019 Global CEO Outlook. Available at: https://assets.kpmg/content/dam/kpmg/xx/pdf/2019/05/kpmg-global-ceo-outlook-2019.pdf.
  11. Cisco (2016), Cybersecurity as a growth advantage. Available at: https://www.cisco.com/c/dam/assets/offers/pdfs/cybersecurity-growth-advantage.pdf.