SCP - Chapter 3 - The challenge: Australia needs to fill the workforce gap, remove startup barriers and strengthen research and development

Key points in this chapter

  • Severe shortage of job-ready cyber security workers
  • Nearly 18,000 more cyber security workers needed by 2026
  • Education providers increasing cyber security courses, with number of graduates could quadruple to 2,000 a year by 2026
  • But growth is not sufficient to meet medium-term shortfall
  • Lack of focus in research and commercialisation
  • Scattered public funding weakening Australia's ability to lead on innovation
  • Market barriers holding back ecosystem development

Despite the recent growth in Australia's core cyber workforce, a substantial number of positions remain unfilled because companies can't find the right talents

3.1 Overview

Three major challenges are detracting from the growth outlook for Australia's cyber security sector:

  • a shortage of job-ready workers
  • a lack of focus in research and commercialisation
  • barriers to growth and export for smaller local cyber security providers.

The severe shortage of job-ready cyber security workers is a key challenge. It is estimated that Australia may need around 17,600 additional cyber security workers for technical as well as non-technical positions by 2026. But despite the recent growth in Australia's core cyber workforce, a substantial number of vacant cyber security positions remain unfilled because companies can't find the right talents. In a promising sign, the education system has begun to mobilise, with a large number of universities and TAFE colleges launching new cyber security degrees and courses. However, it will take time before this pipeline of graduates is ready to enter the workforce, and even then they may face obstacles because of outdated hiring practices.

Despite the recent growth in Australia's core cyber workforce, a substantial number of positions remain unfilled because companies can't find the right talents

In the meantime, Australia's cyber security sector will need to draw heavily on workers with transferrable skills from other industries, such as the broader IT sector. There are signs that companies could offer stronger training pathways to accelerate the transition of workers from outside the sector into cyber security roles. The section Make Australia the leading centre for cyber security education in Chapter 5 outlines the most promising ways to address these bottlenecks, including stronger partnerships between training institutions and businesses.

Strong research and development (R&D) is the backbone of a thriving cyber security sector. Customers in cyber security, more than in other industries, rely on technological innovation to effectively protect their digital assets from adversaries. Australia's public spending on cyber security R&D and efforts to foster research collaborations between universities and businesses - viewed as crucial for a vibrant, innovation-driven industry - lack focus and lag other leading cyber nations such as the US and Israel. There are also signs that Australian cyber security startups face greater difficulty to commercialise innovative ideas than their global peers, due to a lack of early-stage venture capital. The section Grow an Australian cyber security ecosystem in Chapter 5 offers some solutions to overcome this challenge, including concentrating Australia's cyber security research efforts on a small number of topics that match existing strengths and support the three focus segments.

The third challenge is overcoming market barriers that hamper local companies in their efforts to scale their operations and become leading exporters. Many startups lack a clear understanding of customer needs. Many also lack the credibility to win government agencies or large private businesses as anchor customers. GovPitch, an initiative by AustCyber launched in 2017, is removing some hurdles for small companies to become government contractors. However, complex procurement processes in the public and private sector may prevent smaller companies from scaling their operations. The section Export Australia's cyber security to the world in Chapter 5 outlines a range of strategies to tackle these issues, such as relaxing current procurement procedures.

3.2 Skills and workforce gap

Strong cyber security skills and capabilities are a key driver of economic activity across the Australian economy and are critical for Australia’s future prosperity.

’Cyber literacy’, or knowing how to effectively protect digital assets, is not only relevant for professionals working in the cyber security sector, it is also becoming a must-have skill for every Australian worker in the digital age, regardless of occupation. All Australian organisations that rely on the internet to conduct business today need a ‘cyber-literate’ workforce that can secure it against routine cyber risks. A robust education in cyber literacy is a foundation for workplace security, and several national initiatives are already helping to raise the cyber literacy of the broader workforce.

This Sector Competitiveness Plan focuses on the specialised professionals working in the cyber security sector. In Australia, this core cyber security workforce continues to grow. However, current growth is insufficient to cover the rapidly increasing demand for cyber security specialists.

Analysis undertaken for AustCyber’s inaugural Sector Competitiveness Plan in 2017 indicated that Australia is facing a severe shortage in specialised cyber security workers.1 New analysis for this updated 2018 plan reveals that the cyber security skills gap is larger than initially anticipated and is costing both the sector and the broader economy.

The cyber security skills gap is larger than initially anticipated and is costing both the sector and the broader economy

New education programs are critical for filling the skills gap in the long-term. Over the past year, universities and vocational training providers have accelerated efforts to launch new cyber security courses and degrees. Partnerships with employers are helping to improve the quality of cyber security education by focusing curricula more on industry needs and facilitating more on-the-job training opportunities.

However, the cyber security skills shortage in Australia will remain severe in the medium-term unless employers start offering better pathways for workers to transition from other industries into cyber security roles. Most workers currently taking up roles in the Australian cyber security sector have previously worked in broadly similar roles in IT and other industries. But to develop strong cyber defences, Australia needs to build a more diverse workforce with both technical and non-technical skills. Improving the gender balance will also help the cyber security workforce grow and mature.

The Australian cyber security workforce is growing, but skills shortage still severe

Every workplace requires a cyber-literate workforce. All employees, including managers and board members, need a basic ability to implement cyber hygiene in the workplace (daily practices and routines to keep online information secure), as seen in Figure 17. Ensuring every Australian worker acquires basic cyber literacy is fundamental to securing Australian workplaces, large and small, from malicious cyber activity.

Public health provides an analogy. A healthy population has a balanced diet, exercises regularly and minimises risky behaviour like smoking and excessive consumption of alcohol. Similarly, in a cyber-literate workforce all workers use strong passwords, can identify suspicious online activity such as phishing emails, and minimise risky online behaviour, including oversharing personal information or using public WIFI without Virtual Private Network (VPN) protection or other adequate defences.

Several national initiatives have been launched to help equip every Australian with the cyber literacy required to thrive in the digital age. This includes programs aimed at improving company directors’ understanding of cyber security.2

The Australian Industry and Skills Committee is currently reviewing the cyber skills workers will need in the future, to develop new common training units across multiple industry approved training packages.3 The intention is to ensure all people skilling or re-skilling through vocational education and training in Australia, regardless of their field of study, will acquire at least a basic competency in cyber security.

Still, at times even the most cyber-literate workers will require expert help from specialised cyber security professionals. Just like the medical profession has different specialists for different ailments, Australia’s core cyber security workforce now consists of a range of specialists.

Many organisations in Australia have begun to build designated teams with specific cyber security knowledge, skills and abilities. These are mostly larger organisations, including big banks, with an in-house requirement for workers with a dominant function and role in cyber security. They are typically lead by a Chief Information Security Officer (CISO). Organisations may also outsource their cyber security needs and contract cyber security professionals from external specialist providers, such as software or services companies.

Cyber security skills are therefore essential for both:

  • a general cyber-literate but non-specialist workforce
  • a specialised workforce with technical and non-technical professional cyber security skills (see Figure 17).4

Figure 17 – Cyber skill needs in a typical Australian workplace

Figure 17

Growth is not sufficient to meet demand

Latest data indicates that Australia’s core cyber security workforce is growing strongly, but not sufficiently to fill the substantial short-term demand for cyber security professionals.

Australia’s core cyber workforce has increased 7 per cent to around 19,500 workers over the past two years (see Figure 18). This growth is mostly driven by workers transitioning from adjacent sectors such as IT. Graduates and skilled migration - the two other key sources of supply - have so far contributed relatively little to Australia’s cyber security workforce growth.5

Figure 18 – Cyber security workforce

Figure 18

Most workers based in the eastern states

Australia’s core cyber security workforce is concentrated in the eastern states, with New South Wales hosting the largest number of cyber security professionals, closely followed by Victoria (see Figure 19) then Queensland. The Australian Capital Territory (ACT), though small in population, has experienced the fastest growth in the cyber security workforce. Between 2015 and early 2018, the ACT’s core cyber security workforce increased by more than 60 per cent. This is likely a consequence of the Government’s focus on strengthening the cyber defence capabilities of government agencies. The workforce growth is set to continue as the Australian Defence Force (ADF) and other departments continue to expand their cyber teams.6

Roles becoming increasingly diverse

As employers adapt their business practices to the digital economy, their requirements for an increasingly diverse range of cyber security specialists has become more apparent. It is no longer useful to think of the cyber security occupation as one uniform job role or skill set.

Today, cyber security comprises a range of technical roles from architecture to operations and newer, multidisciplinary, non-technical roles that incorporate elements of law, risk, communications and psychology. While the face of the cyber security workforce is changing fast, Australia has not yet adopted a widely accepted skills framework to describe the various cyber security work roles.

Australia has not yet adopted a widely accepted skills framework to describe the various cyber security work roles

Other countries have already taken action. For example, the US National Initiative for Cybersecurity Education (NICE) has developed a Workforce Framework to standardise the taxonomy of cyber security occupations (see Box 7). It is a comprehensive, skills-based categorisation of cyber security roles. Companies in the US and other countries are using the framework as a common nomenclature for identifying the skills required in the cyber security workforce.

Figure 19 – Australia's cyber security workforce by state

Figure 19

Box 7

NICE: A standardised framework to understand what cyber security professionals do

The US National Initiative of Cybersecurity Education (NICE), led by the US Department of Commerce, is a partnership between government, academia and the private sector that seeks to improve the America’s cyber security education, training, and professional development.7 The NICE program could serve as an example for Australia, which has yet to implement a comprehensive set of definitions to classify its cyber security workforce.

A critical part of the NICE program is a standardisation of cyber security roles, based on the skills, knowledge and tasks needed to perform them. By providing such a framework of professional role categories, NICE closes a crucial information gap at a time of a global shortage in cyber security skills. For example, many cyber security roles have not yet been well defined or understood, there is a lack of consistency among cyber training programs, and many potential employees don’t know which skills are required in different cyber security jobs.

The NICE Workforce Framework consists of seven categories of cyber security work:

Categories Description
Securely Provision Designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development
Operate and Maintain Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security
Oversee and Govern Provides leadership, management, direction, or development and advocacy so the organisation may effectively conduct cybersecurity work
Protect and Defend Identifies, analyses, and mitigates threats to internal information technology (IT) systems and/or networks
Analyse Performs highly-specialised review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence
Collect and Operate Provides specialised denial and deception operations and collection of cybersecurity information that may be used to develop intelligence
Investigate Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence

These categories are further divided into 32 specialty areas, 52 work roles and hundreds of tasks, skills, knowledge and abilities.

The NICE Framework enables organisations to identify their cyber security skill needs and assess the aptitude of their existing cyber security workforce. It can also be used to inform hiring practices and offers a common terminology to effectively communicate cyber security needs both internally and with stakeholders. In addition, education and training institutions can use the NICE framework to align their curricula with an accepted standard of cyber security knowledge, skills and abilities.

The NICE Framework is updated regularly to ensure it remains relevant as the nature of the cyber security workforce changes. Education providers and employers, both in the public and private sector, provide key information for the updates, allowing the Framework to continuously serve as a fundamental reference.

Structure of NICE Workforce Framework

Structure of the NICE Workforce Framework

For Australia, the NICE Framework offers a template to understand the skill needs of its cyber security workforce. This is particularly important for policymakers and company executives who are looking for ways to overcome the current skills shortage.

Using the NICE Framework, the makeup of the cyber security workforce can be explored in detail. As shown in Figure 31, most cyber security workers in Australia currently work in roles related to building, buying and operating secure IT systems (Securely Provision, Operate and Maintain, Protect and Defend). Meanwhile, workers tasked with cyber-related intelligence and law enforcement activities (Collect and Operate and Investigate) are occupying a niche. Overall, the composition of the Australian cyber workforce is broadly comparable with the US workforce, though with a greater emphasis on identification and mitigation of threats, and leadership and management of cyber security (Protect and Defend and Oversee and Govern).

There is a tendency to think that the cyber security workforce consists only of highly technical professionals. However, today's cyber security workforce encompasses a variety of roles and responsibilities that require non-technical skills and abilities. For example, the Oversee and Govern category includes legal advice, cybersecurity management, strategic planning and policy, training education and awareness, and change management. Employers report in interviews that 'soft skills', including the ability to work in teams across an organisation and to communicate clearly (both verbally and in writing), are important across almost all cyber roles, and are often in short supply. These skills ensure that the cyber function within an organisation is able to effectively engage across other parts of the organisation and implement processes and practices that recognise and respond to the human dimension of cyber security.

Employers have also noted in interviews that cyber defences are most effective if an organisation employs a diverse team of cyber security specialists - people with different backgrounds and viewpoints, and a wide range of skills. Building real workplace diversity goes beyond pure skills. It also requires a balance of cultures and gender among staff.

'We need people from more diverse backgrounds, a diversity of thought is essential for our cyber defences us.'
Cyber security manager of an ASX 100 company

Despite this acknowledgement, the gender diversity in the Australian cyber security sector remains weak. The share of women working as ICT Security Specialists has declined from 22 per cent to 19 per cent over the 10 years to 2016, according to the Australian Census of Population and Housing.8 Australia appears to perform better on this measure than global peers, with evidence suggesting only 14 per cent of cyber security professionals in North America and 7 per cent in Europe are female.9 However, much more has to be done to improve the gender balance in Australia's cyber security sector.

Job market indicators show employers are struggling to fill cyber security roles

The first version of this Sector Competitiveness Plan, published in 2017, noted that Australia's cyber security sector is grappling with a substantial skills shortage - an assessment that relied largely on anecdotal and survey evidence. For example, in 2016, three out of four local cyber security professionals surveyed by the Australian Information Security Association (AISA) said their industry is facing a severe skills shortage, as shown in Figure 20. A similar survey, undertaken by the Centre for Strategic & International Studies (CSIS) and Intel Security across eight countries, paints an even more concerning picture. It reveals that the talent drought affecting the Australian cyber security sector is one of the worst in the world: 88 per cent of Australian cyber security professionals observe a skills shortage in their industry. Extensive interviews with cyber security users and providers in Australia support the survey results.

The talent drought affecting the Australian cyber security sector is one of the worst in the world

Figure 20 – AISA survey (2016) and CSIS survey (2016)

Figure 20

Skills shortage more severe than expected

This updated Sector Competitiveness Plan provides further insight into the workforce, with an estimate of the severity of Australia's cyber skills shortage. New research, undertaken exclusively for this plan update, draws on a range of job market data to show that the skills shortage in Australia's cyber security sector is more severe than expected and is already creating real economic costs.

Despite the recent growth in Australia's core cyber workforce, companies have been struggling to fill a substantial number of vacant cyber security positions. Figure 21 aggregates data across wages, recruitment failure rates, the time to fill a position, and the size of the potential candidate pool (job market depth). All indicators strongly point to a substantial skills shortage in the Australian cyber security sector.

Wage premium: Wages are high across the cyber security profession with a $12,000 average wage premium paid for a cyber security worker over an IT worker. Cyber security workers in all but one NICE category (Operate and Maintain) earn more on average than the average IT salary. Roles in management and leadership, and involving design and build of cyber systems, are currently commanding the highest salaries, with average wage premiums of more than $20,000 above general IT. This may partly reflect more acute shortages, but also the level of experience and specialisation required to perform these roles.

'We are offering workers $100k+ who are getting their first job in cyber.' CISO, large Australian company

Recruitment failure rate: Labour market research on IT professions from the Australian Department of Jobs and Small Business shows that 42 per cent of ICT Security Specialist vacancies in Australia went unfilled in 2015 - significantly more than the average recruitment failure rate of 33 per cent across the broader IT sector.10 The research also found there were on average only 1.7 suitable applicants per vacancy for ICT Security Specialists, which was the lowest number across all IT professions studied.

Recruitment time: Recruitment difficulties appear widespread in the cyber sector. Interviews with industry participants suggest it takes 20 to 30 per cent longer to fill a cyber security role compared with roles in the IT sector.

'We can find the right people, but it can take much longer than for other jobs, it can take two or three months of searching.' Cyber security manager, large Australian company

Job market depth: Job market depth is defined as the number of people employed in an industry per job ad, which is used as a proxy measure for worker supply. The job market for cyber security has less depth than either IT or the broader economy, with less than seven people employed in the sector for every job ad.

Any of these job market indicators, when looked at in isolation, would not provide conclusive evidence that Australia's cyber security sector is facing a skills shortage. However, the fact that all four indicators point in the same direction - significantly tighter conditions than either the wider IT sector or the workforce as a whole - clearly demonstrates that cyber security is facing major labour market constraints.

Figure 21 – Skills shortage indicators in cyber security

Figure 21

Figure 22 – Estimated cyber security workforce supply shortage

Figure 22

The skills shortage is costing the sector and the wider economy

Measuring the precise size of a skills shortage is difficult because of the dynamic nature of labour markets. Calculations using a range of methodologies, based on a combination of the job market indicators described above, suggest Australia’s cyber security sector was short 800 to 2,300 workers in 2017. That is equivalent to roughly 4 to 12 per cent of the total Australian cyber workforce in that year (see Figure 22).11 This is likely to be a conservative estimate because it is based on only observable labour market behaviour and does not account for depressed growth expectations as a result of the perception of the shortage. In other words, employers know it will be difficult to find cyber workers at wages they can afford, so they never create or advertise positions they might like to fill.

The workforce shortfall has significant economic consequences. The cyber security sector is estimated to have forfeited up to $405 million in revenue and wages in 2017, which it could have generated if companies had been able to find the cyber security workers to fill existing vacancies.

The cyber security sector is estimated to have forfeited up to $405 million in revenue and wages in 2017

This loss of revenue and wages only represents the direct cost to the cyber sector. The cost to the wider economy is likely many times greater because the skills shortage in the cyber security sector has a ripple effect throughout the economy that would propel the true economic cost far higher. As the cyber sector is a critical enabler of broader economic activity, workforce constraints can curtail revenue growth in the wider economy. For example, a lack of security staff could make an organisation more prone to cyber attacks, which would undermine business and consumer confidence and lower the productivity of workers because of service downtime. It is difficult to accurately estimate the indirect economic costs of the skills shortage due to limited data on the economic benefits of cyber investments and, conversely, the consequences of cyber breaches (see Size of the prize in Chapter 2 for further discussion). However, anecdotal evidence suggests the shortage of cyber skills is already causing organisations to slow their digital transformations.

Lack of skilled workers is not the only cause of the skills shortage

The apparent lack of skilled workers is not surprising given cyber is a young and emerging profession that has faced rapid demand growth and limited educational pathways. It is also a product of the increased need for cyber security experts and broader cyber security awareness and literacy among all workers in a period of rapid digitisation in a fast-moving technological landscape.

In addition, there are signs that employers’ hiring practices may be exacerbating the lack of skilled workers. For instance, two-thirds of information and cyber security professionals surveyed by the Australian Information Security Association in 2016 cited management’s failure to understand skills requirements as a key driver of the current cyber skills shortage, while just over half said employers were reluctant to recruit and train entry-level candidates for cyber security roles.12

'HR writes position descriptions based on things that they know how to assess, like qualifications and experience. The new cyber security workforce doesn't yet have these qualifications or experience.'
CISO, large Australian company

An analysis of cyber security job ads supports the survey findings. As shown in Figure 23, employers advertising cyber roles tend to demand more work experience from cyber security professionals compared with other workers in the broader IT and professional services sector. On average, one-third of cyber security job ads request more than eight years of experience. In some roles (for example, in the NICE Collect and Operate category), almost half (49 per cent) of all job ads demand such extensive experience.

Figure 23 – Breakdown of job ads by experience requested

Figure 23

With continued strong demand forecast, the shortage is likely to persist

Demand for cyber security workers is set to remain strong in coming years, meaning the skills shortage will not ease without consistent efforts to increase supply. As shown in Figure 24, the sector could require up to 17,600 additional workers by 2026.

This estimate is made up of several components:

  • The first Sector Competitiveness Plan in 2017 identified an additional 11,000 workers would be needed by 2026 just to meet the current growth of cyber security needs in Australia (business-as-usual demand). There has been some progress over the past 12 months, with around 700 workers added to the sector.
  • However, the current skills shortage of 800 to 2,300 cyber security workers still needs to be filled.
  • And up to 5,000 more workers could be required if the cyber sector significantly lifted its performance in three key areas identified in Chapter 2.

The sector could require up to 17,600 additional workers by 2026

Figure 24 – Forecast additional cyber security workers in 2026

Figure 24

Australia's education system is mobilising, but faces risks

Education and training providers play an important role in supporting the expansion of Australia's cyber security sector. Companies will only be able to draw on new cyber security talent if TAFEs and universities offer a wide variety of cyber security qualifications that are attractive to students and relevant to employer needs. Encouragingly, the education system has begun to mobilise over the past several years. A significant number of TAFEs and universities are now offering courses or degrees in cyber security.

However, there are risks to this mobilisation that Australia needs to address.

  • Student demand will need to grow strongly to fill the new courses being created. Improving the cyber security talent pipeline needs to start in primary and secondary schools. The more schools encourage students to consider a career in cyber security, and the more they foster early skills, the higher the quality of students in the tertiary education system will be. This means schools should place greater emphasis on developing cyber security skills in curricular and extracurricular programs as pathways to higher education.
  • High schools and tertiary education providers must find ways to encourage more female students to pursue cyber security related programs to help improve gender diversity in the industry.
  • Shortages of teaching staff are affecting universities and TAFEs.
  • There is lack of funding for the required technical infrastructure, like cyber ranges (virtual or physical spaces for simulating real-world scenarios) and cyber labs, to train the next generation of cyber security workers.
  • Rapid growth in educational programs poses a risk to course quality. Yet high-quality education that matches industry needs is essential to ensure graduates acquire the right skills to find a job.

Universities and TAFEs are launching new cyber-specific courses

TAFEs and universities around the country have rapidly expanded their cyber security program offering in recent years, often in close partnership with industry (see Box 8). Approximately half of all universities in Australia are now offering cyber security as a specific degree or as a major in IT or computer science university qualifications. Another quarter offer at least some cyber security course units. As of March 2018, only 20 per cent of Australian universities do not yet offer any cyber security units or courses. This led total enrolments and completions in university courses classified as security science to almost double between 2012 and 2016.13

Approximately half of Australia's universities now offer cyber security as a specific degree or a major in IT or computer science qualifications

Multidisciplinary cyber courses are becoming increasingly common in Australia. The University of Western Sydney now offers a Bachelor in Cyber Security and Behaviour, which focuses on the human and technical sides of cybercrime and includes a number of units in psychology. The University of New South Wales Canberra now offers a Master in Cyber Security, Strategy and Diplomacy in the School of Humanities and Social Sciences. This interdisciplinary course focuses on the interplay between cyber security, strategy and diplomacy. Latest course trends reflect the evolution of cyber security education outside its traditional home in ICT faculties and departments as well as the growing demand from employers for graduates with strong policy writing, risk management and strategy skills to work in cyber security related roles in their organisations.

The vocational education and training sector is also increasing the emphasis on cyber security education. Leading TAFEs around the country joined forces in late 2017, coordinated nationally by AustCyber, to play a greater role in providing nationally consistent cyber security training. Box Hill Institute in Victoria has been paving the way with the development of two new cyber security certificate and diploma-level courses that are now being taught across the country (see Box 8). These offerings help to diversify the range of education pathways into the cyber security sector and provide a high-quality vocational cyber security training option that is in high demand by Australian employers.

Box 8

TAFEs commit to new national standard for cyber security education

TAFEs across the country are joining forces for the first time to introduce a national standard for cyber security education in Australia. The new scheme, dubbed Cyber Security National Program, will give Australians the practical skills they need to secure jobs as cyber security experts - filling acute shortages in the banking, telecommunications and defence industries. Box Hill Institute in Melbourne is leading the way with vocational cyber security courses that are now being replicated country-wide. In 2018 TAFEs in every Australian state and the Australian Capital Territory (ACT) will offer a streamlined Certificate IV in Cyber Security and Advanced Diploma in Cyber Security.

The new qualifications have been developed in close consultation with industry, including National Australia Bank (NAB), Commonwealth Bank of Australia, ANZ Bank, NBN Co, Cisco Australia and New Zealand, REA Group, BAE Systems, Telstra, Deloitte, CITT, the Australian Information Security Association and ISACA.

Curriculum development was supported by a grant from the Victoria Government, with the Australian Government supporting the national roll-out of the program. The program will help to close the widening skills gap in Australia's cyber security sector.

'This initiative by the TAFE network comes at a time when getting skills into industry is more critical than ever,' says Telstra Chief Information Security Officer Asia Pacific, Berin Lautenbach. 'Telstra, like other companies, is actively seeking to recruit new talent that have practical hands-on-keyboard cyber security skills. Knowing that the programs have been developed in close consultation with industry and are being delivered by TAFEs provides us with reassurance of the quality of the graduates that will come through.'

The nationwide TAFE collaboration in cyber security has the potential to set a benchmark for other industries experiencing skills shortages, says Meegan Fitzharris, ACT Minister for Higher Education, Training and Research. 'Through this partnership, the TAFE network will share training resources, programs and the strengths of teachers and facilities across the country to ensure we have a coordinated approach to training cyber security experts across Australia,' she says.

Together, the new cyber-specific degrees and courses will have a strong positive impact on Australia's future cyber security workforce supply. It is expected that even without the addition of further courses or new institutions teaching cyber, current plans could see the number of cyber graduates increase from around 500 per year in 2017 to about 2,000 a year in 2026. Assuming the quality of graduates remains strong, this growth will make a significant contribution to closing the skills shortage and meeting employer demand for cyber security workers in the long-term.

Box 9

Businesses and universities join forces to bridge skills gap

Many businesses are struggling to find help amid a severe skills shortage in cyber security globally. Some leading Australian companies have recently begun to tackle the challenge themselves. Late last year, Australian telecommunications company Optus entered an alliance with La Trobe University in Melbourne to co-develop a new tertiary degree in cyber security.14 The partnership will invest up to A$8 million to turn the university’s existing campus into a digitally connected learning and research precinct. It will also fund a new chair of cyber security to help Australia become a leader in cyber security research and teaching.

In a similar move, Optus has joined forces with Macquarie University in Sydney to create a new cyber security training and education hub, which brings together industry experts and university academics in a bid to grow Australia’s cyber security talent pool. The A$10 million project includes a new cyber security degree for university students, as well as executive and business short courses. Optus uses these training courses to equip its own employees, and those of enterprise and government customers, with the latest cyber security skills and expertise.15 ‘By collaborating with industry to tailor our study programs, we give our students a head-start in their careers, placing them at the top of Australia’s cyber security talent pool,’ says David Wilkinson, Deputy Vice-Chancellor at Macquarie University.16

The nation’s largest bank, Commonwealth Bank of Australia, has teamed up with the University of New South Wales to boost the number of cyber security professionals and cyber security teachers in Australia. The bank has invested A$1.6 million over five years to develop a ‘centre of expertise for cyber security education’, complete with an overhauled study curriculum and a new lab for experimental, hands-on teaching of cyber skills.17 It has also begun to award a cash prize, the Commbank Cyber Prize, to Australia’s best and brightest cyber students, with the goal of encouraging more young people to pursue a career in cyber security.18

Figure 25 – Students noting cyber being mentioned in schooling

Figure 25

Note: The survey was a study of 3,779 adults aged 18–26 undertaken in 2016 in 12 countries.

Source: Raytheon Australia (2016), ‘Securing our future: Closing the Cyber Security Talent Gap’, avail. at:

Risks to the quality and sustainability of cyber education need to be addressed

Despite the push by various education providers to increase cyber security study opportunities, the projections of strong growth in high-quality graduates will not be realisable without addressing a range of risks.

The education system's success in generating a sufficient amount of work-ready cyber security graduates to meet the market demand depends on three key factors:

  • student demand for cyber courses
  • the sustainability of cyber education
  • the quality of the courses in generating job-ready graduates.

Student demand for cyber courses: The number of training places in cyber security education has expanded rapidly and is forecast to continue to grow strongly. To fill these places, student demand also needs to increase significantly and remain of high quality.

A critical barrier complicating efforts by universities and TAFEs to increase the number of skilled graduates is the low level of awareness of cyber security careers among school students. For example, surveys suggest that many Australian secondary students, unlike peers in the UK and the US, are not aware of cyber security careers pathways and job options. Unless this is remedied, post-secondary student demand for cyber security education may not increase fast enough. Tertiary education providers need to ensure cyber security is seen as a desirable study option to attract the best and most motivated students (see Figure 25).

Cyber security should be explicitly taught as part of the Digital Technologies component of the National Curriculum. By not doing so, Australia is failing to seize an opportunity to strengthen the cyber security talent pipeline. The next update of the Curriculum is due in 2020. In the meantime, the Curriculum could be enriched by adding cyber-specific learning and teaching resources to the 'Digital Technologies Hub', which supports the Curriculum with practical lesson plans, case studies, advice and activities to be included in relevant classes. An increased focus on cyber security in the National Curriculum will help build interest in cyber careers and will the cyber literacy of all students, which is critical for improving cyber hygiene and understanding in the broader Australian workforce.

Cyber security challenges play an important role in developing and testing practical skills while generating interest in cyber security careers. For example, the 'CyberPatriot' program in the US is a competition where teams of high school students can experience the work day of IT professionals with responsibility for managing the network of a small company. Teams are tasked with identifying cyber security vulnerabilities and increasing the robustness of the system. Successful students earn both national recognition and scholarship money for further studies. The competition has proven to lift the profile and awareness of cyber security careers. Implementing a similar competition in Australian high schools would almost certainly have the same affect.

Implementing more focused cyber security competitions and awareness programs is as vital as improving the gender diversity in the industry. TAFE data shows that female enrolment in the new vocational cyber certificates and diplomas is as low as 9 per cent, and as high as 20 per cent at best. Unless targeted measures encourage more girls to opt for a career in cyber security, the core cyber security workforce will not develop the diversity it needs to ensure quality and relevance. School programs need to explicitly address this gender challenge in their design. Scandinavian research shows that girls, on average, start to lose interest in STEM subjects at the age of seven and most have lost interest by the age of 14. While no comparable research exists for Australia, the study highlights the importance of school education for future career paths.

Sustainability of cyber education: The increase in cyber security courses over the last few years will only be sustainable with sufficient teaching staff and a stable financial model for providers. Most education providers are reporting difficulties in attracting and retaining skilled cyber security teachers, largely because high-quality cyber security teachers are demanding above-average pay. In some cases, salaries for cyber security professionals in teaching roles are more than 45 per cent lower than salaries for other cyber security practitioners (see Figure 26). Education providers will likely continue to compete for skilled cyber security staff, as the number of cyber security teachers required to meet the skills shortage may triple over the next five years.

'Salary is a real issue for us. We can't pay anywhere near what industry can pay.' TAFE program manager

Vocational institutions appear particularly limited to pay higher wages because of financial constraints and enterprise agreements. The problem could worsen if wage growth in the cyber security sector remains strong and demand for teaching staff expands as expected.

Universities are also feeling the pressure. They are not only competing with industry, but also with universities around the world, which can often offer higher salaries and more prestige. Some cyber security professionals are also discouraged from teaching in universities because they are not interested in an academic role or lack the aptitude for academic research.

An increased focus on cyber security in the National Curriculum will help build interest in cyber careers.

Figure 26 – Average salary range in the cyber industry and in cyber education

Figure 26

Some institutions are investigating new ways of online education and synchronous remote teaching (through video-conferencing and online chat) to use their existing teachers most efficiently. However, e-learning may have an adverse effect if students fail to obtain the practical, hands-on skills that employers demand. Partnerships with industry have allowed course providers to draw on guest lecturers to supplement their permanent teachers - for example, cyber security staff from Commonwealth Bank of Australia have been guest lecturers at University of New South Wales - but to date this approach is only operating at a relatively small scale.

Many education providers also struggle to pay the establishment and maintenance costs of launching new cyber security courses and degrees. Cyber security education can involve significant upfront investments in teaching infrastructure, including cyber security labs, cyber security ranges (virtual or physical spaces for simulating real-world scenarios), and specialised computer hardware and software. In most other disciplines, the technical infrastructure required for the practical delivery of programs has built up over a longer period of time. Education institutions delivering cyber security programs are therefore on the back foot. They need to be able to rapidly deploy and maintain the technical infrastructure required to produce world-class graduates.

'We could train 300 to 500 people, but we cannot afford to pay for all the infrastructure. Government expects that industry will pay for it, but this is not happening.' Vocational Education and Training manager in cyber security

Course fees are typically not sufficient to cover these large infrastructure costs, particularly in vocational education and training courses. While both New South Wales and Victoria have supported the new nationally consistent Certificate IV in Cyber Security by placing it on their state skills shortage lists, total fees (government subsidy and student payable fee) for that course are around 9 per cent lower than total fees for a comparable Certificate IV in Information Technology.19

Universities are facing similar challenges but can usually draw on larger financial resources. Several Australian universities have also been able to attract industry support for investments in educational infrastructure. For example, the Commonwealth Bank of Australia’s partnership with University of New South Wales has provided funding for a new lab for experimental, hands-on teaching (see Box 8). Edith Cowan University and Melbourne University have also received additional funding for their cyber security education and research through the Australian Government’s Academic Centres of Cyber Security Excellence program - a total commitment of $1.9 million over four years. There is a risk that without a more strategic approach to investment in cyber security teaching infrastructure, the hands-on skills development will not meet these needs of employers.

Course quality: The current expansion of cyber security courses in Australia is healthy and necessary. However, maintaining course quality is essential. A flood of new cyber security education providers will heighten the competition for teaching staff, who are already in critically short supply. This poses a considerable risk to the quality of graduates.

Education providers may also struggle to build a curriculum that is responsive to market changes. Cyber security is a fast-evolving industry where technology and industry needs are continuously changing. Courses need to be flexible and responsive to these changes and designed with ongoing input from industry.

At present, there is no accreditation model in Australia designed specifically for cyber security courses. This is in contrast to the US and UK, where governments have established accreditation programs.20 The Australian Computer Society (ACS) already accredits IT education programs using the ICT Profession Core Body of Knowledge (CBOK). The Academic Centres of Cyber Security Excellence model could play a role similar to accreditation, but to date only two universities have received support under the program and there are no plans for further rounds.

Strong partnerships between education providers and industry have helped to shape curricula that meet employer needs. However, it will be hard to keep industry involved as more education providers enter the market with their own cyber security offerings. Industry, especially large financial companies and telecommunications companies, are likely to concentrate their time and resources on a few high-performing institutions. This will likely leave some education providers struggling to be responsive to the changing needs of industry and technological progress.

Employers are looking for verifiable proof that new hires have the skills required to do the job. A cyber security challenge model can help them identify talented individuals suited to a career in cyber security. Companies around the world, including Barclays, are increasingly running and sponsoring such challenges to identify and recruit the next generation of cyber security professionals.21 In Australia, CySCA - Cyber Security Challenge Australia, a partnership between government, business and educational institutions - is the preeminent program for TAFE and university students. Cyber Security challenges could be used as part of an accreditation process. They offer employers an opportunity to identify the best performing educational institutions and the best performing students.

Interviews suggest that the quality of cyber security courses can suffer if work-integrated learning opportunities are missing. Work-integrated learning is embedding meaningful industry projects or placements into an academic program of study. It has been shown to improve graduate employment outcomes by developing more job-ready skills. Research for the Office of the Chief Scientist finds that less than half of IT students in Australian universities have an opportunity to do an industry placement.22 Work-integrated learning is particularly important in the cyber security sector because there is a greater need for employees to think strategically beyond technical IT tasks.

Various models of industry placement could easily be adapted to cyber security education in Australia. For example, industry-funded scholarship programs, known to some universities as ‘co-op’ scholarships, have been used effectively in disciplines such as information systems, accounting and engineering. The UK has improved the availability of work-integrated learning by developing professional apprenticeships, including in cyber security, where students combine employment with part-time study to achieve a diploma or bachelor-level qualification. Australia is currently piloting higher apprenticeships with one stream of IT apprenticeships.23 The pilot program has been running since 2016, and 200 apprentices will complete the program at the end of 2018. AustCyber has commenced discussions about setting up a cyber security apprenticeship stream in this program.

It is critical to enable more workers to transition into cyber security

Given the time lag for the formal education system to graduate students from specialist cyber security qualifications, workers with applicable skills-sets who may want to transition into a cyber security work role will be very important to grow the cyber security workforce in the near-term. While graduate supply is now accelerating and provides a clear path to close the gap between demand and supply in cyber security skills, it will take some time until the supply pipeline of graduates is large enough to fully meet workforce demand (see Figure 35). To close the cyber security skills gap in the short- and medium-term, workers from the broader IT sector and other industries with relevant knowledge, skills and abilities will need to transition into the cyber security workforce.

Figure 27 – Cyber workforce demand and supply

Figure 27

There is a significant opportunity to adapt the skills of existing IT professionals to enable them to take up more specific cyber security roles

As detailed in Figure 28, a breakdown of the IT occupations most relevant to the technical roles required in the cyber security workforce reveals a large stock of IT workers with potentially transferable skills. People in IT occupations who are highly suited for a career shift to cyber security include Software and Applications Programmers, IT Support Technicians, and IT Managers. Workers from other industries with experience in risk oversight, regulatory management and incident response could also potentially transition into cyber security. This may include lawyers, people in risk management, and communications professionals.

Between 2011 and 2016, more than 70 per cent of workers who became IT Security Specialists (the only cyber security-specific occupation classification currently tracked by the Australian Bureau of Statistics) came from other IT occupations. This is a strong sign that there is a large pool of workers currently employed in the broader IT sector with transferrable skills and who could transition into more specific cyber security roles. Most of those who transitioned between 2011 and 2016 were IT and Telecommunications Technicians, followed by IT Network and Support Professionals, and Systems Analysts/Programmers.

However, it is also evident that there is a lack of workers transitioning into the cyber security sector from industries outside IT. This is largely because current recruiting practices still place strong emphasis on technical skills. This is despite the well-acknowledged need to improve the 'soft skills' and diversity of workers in the sector. There is also a lack of public understanding of the range of different career paths spanning technical and non-technical cyber security roles.

The new national vocational training curriculum in cyber security is opening up new pathways for workers from other industries to transition into the cyber security sector (see Box 8). Early evidence suggests that students opting for the new vocational cyber security training are older than the average vocational education and training student. At two of the institutions offering the courses, more than half this student cohort was over 30.

'The average age is 30 to 35 in our courses. Students are coming from a diverse background wanting to develop skills in cyber security.'
Vocational Education and Training Manager

Ensuring training options for transitioning workers, while critical, is not sufficient. A number of other enablers need to be in place to support workers to transition into the cyber security sector.

Figure 28 – Employment in the top 5 occupations relevant to cyber security

Figure 28

Employer-led transition is currently limited to larger organisations

Interview evidence suggests that at the moment the greatest emphasis on transition into cyber security is employer-led, or within organisations. This is a critical mechanism to facilitate transition, as employers are well-placed to guide and fund workers through the transition journey. Large employers (for example, banks and government) in particular have the greatest capacity to transition their workforces as they have the scale and resources necessary to offer internal mobility to their workers. Transition within small to medium-sized organisations is more limited but could be boosted if these companies have access to clear transition models that help them identify target workers, assess what additional skill-sets they require, and find the means internally or externally to skill them appropriately.

Large organisations that are already successfully training workers from various backgrounds to shift into cyber security roles have identified five steps for effective workplace transitions:

  • 1. Map out the cyber workforce needs of the organisation over the next two to three years, using a skills framework if helpful, and identify roles that can be effectively filled with transitioning workers.
  • 2. Identify sources of high potential, non-cyber employees who could transition to cyber. Key functions to look for within the organisation are IT, risk management, communications and legal.
  • 3. Offer an attractive opportunity to potential cyber employees including a clear career path, training opportunities, good salary and engaging job tasks/activities. The fast growth of cyber may also offer faster progression to management opportunities than other functions within the organisation.
  • 4. Train and support transitioning workers through internal mentoring and on-the-job training, and private internal or external short-course training programs, such as SANS or micro-credentials. Many organisations are using executive education courses instead of full university degree courses to train workers in transition. This is because university degrees tend to take longer and cost more than executive education.
  • 5. Leverage the newly transitioned workers to provide mentoring to the next 'tranche' of potential cyber employees, allowing rapid scaling of the workforce.

Further developing these steps into a model for employer-led transition that small to medium-sized organisations can quickly apply, and socialising through industry associations will support improved flow of workers through employer-led transition programs.

Worker-led transition requires better access to information and training, and more support from employers

Worker-led transition is also a key mechanism to help bridge the cyber security skills gap. It has substantial potential to scale (as it draws upon a wide pool of potential workers across the economy) but it is more complex that employer-led transition. Workers must independently move through several stages, as illustrated in Figure 29. They must independently gather information on transition, undertake training, and find employment in the cyber security workforce, bearing the full burden and costs of transition themselves.

A worker's progress through the transition journey relies on several enablers at each stage. For example, at the beginning when a worker considers transitioning they require information on the cyber security sector - what it is, why it matters, the wages offered and potential career paths. Further down the transition journey, they need an understanding of their skills match, training requirements, access to training places and job placement services.

The most critical enabler to facilitate transition is access to information (such as cyber careers and pathways), training access, training affordability, and employer attitudes.

Figure 29 – The transition journey – worker-led transition

Figure 29

Information access: Currently there is very limited information available to those outside the cyber sector on cyber careers and the sector more broadly. The available information is scattered, not necessarily cyber-specific, and not tailored for people unfamiliar with the sector. There is an opportunity to build on existing platforms for example, the Government’s JobOutlook website hosts information on IT occupations - including ICT Security Specialist.24 This includes information about average weekly pay, future growth, and degree levels required. Enhancing this to include information on career pathways and broader work roles that require cyber security skills would assist people considering a transition to the sector.

In addition, there is no clear source of information to help potential workers understand the training requirements for different cyber roles. This increases uncertainty around the transition process and amplifies risk that workers who could transition into a cyber security role will not have the required information to make an informed decision.

Workers considering a career change into cyber security need a centralised source of information about pathways into the sector. Cyberseek, funded by NICE in the US, is a good example.25 It provides up-to-date data on supply and demand in the US cybersecurity job market via interactive visual tools, including heat maps that show worker demand and supply per state. The website also outlines cyber security career pathways and offers key information such as average salaries, required skills/certifications, and the number of job openings. Australia could explore implementing a similar tool to Cyberseek.

Figure 30 – Costs of different cyber training programs

Figure 30

Affordability of training: Training affordability is also a key issue for worker-led transition. While course numbers and places have grown rapidly in recent years, the majority of cyber training places are still concentrated in longer, more expensive courses, such as bachelor's or master's degrees, which can cost $30,000 to $55,000 (see Figure 30).

Even though these course fees can usually be deferred through FEE-HELP, accumulating transition-related debts could be a barrier to workers shifting to cyber. More intensive, shorter courses of good quality would ease the transition burden for potential workers and help stimulate the supply of cyber workers in the short- to medium-term. This would also minimise the costs to employers from employer-led transition, as training costs would be lower, workers would not need to take as much time away from work to retrain, and they would transition faster.

Universities and TAFEs are not the only institutions with a role to play. There is scope for select high-quality private providers of niche cyber security education and training to supplement the selection of short courses currently on offer. For example, WithYouWithMe - a training and placement service for veterans - takes candidates through the entire transition process, including an intensive cyber course that aims to get them job-ready in four weeks (see Box 10). Private sector training organisations such as Ionize and UXC Saltbush provide training for the Australian Signals Directorate's Information Security Registered Assessors (IRAP) Program. Overall, however, there is still plenty of scope for high quality training providers as well as universities to broaden their course offering to include shorter, more targeted cyber security training to help with the transition process.

Employer attitudes: Industry interviews suggest that employers, especially small to medium-sized organisations, are still reluctant to hire transitioning workers. Employers perceive these potential workers as risky prospects, lacking experience and job-readiness. To help resolve the cyber skills gap, employers need to broaden their hiring strategies. Instead of relying on rigid 'check-box' recruiting that focuses heavily on work experience, employers need to look for translatable skills for specific cyber security work roles as a way of identifying promising candidates.

To help resolve the cyber skills gap, employers need to broaden their hiring strategies.

A transition model for employers could help in this respect. A clear transition blueprint for companies of different sizes would minimise the risks associated with identifying suitable workers and training them appropriately.

Placement services could also have a role in changing attitudes within the sector. Given their intimate knowledge of recruiting and their relationships with companies, they could be influential in challenging the prevailing recruitment methods, which over-emphasise technical skills and experience. Some placement services are already using unorthodox approaches to change employer perceptions, pitting their transitioning cyber candidates against in-house cyber teams of major companies in hackathons to demonstrate their capabilities.

The section Make Australia the leading centre for cyber security education in Chapter 4 lists a range of actions that could help Australia build a strong, high-quality cyber education system, including support for educational infrastructure and expansion of school programs to build a talent pipeline.

Box 10

WithYouWithMe retrains military veterans and athletes for a career in cyber security

An Australian startup has set out to prove that military veterans make better cyber security specialists than IT engineers.

Tom Moore, co-founder and chief executive of employment and training provider WithYouWithMe (WYWM) says a new, computerised skills testing and career matching tool allows his company to find and train the most suitable workers for any vacant cyber security role in the market. And he realised that while former military personnel may lack private-sector job experience, they bring just the right amount of combat intelligence to fend off cyber adversaries.

Newly trained veterans who move into cyber security are regularly measuring up against seasoned banking analysts.

'We worked out that combat and intelligence veterans are better at being an analyst and better at being a penetration tester because they worked in a counter-insurgency environment,' says Tom Moore. 'They're more inclined, their previous roles required a higher level of variables such as logic, reasoning, spatial intelligence and quantitative aptitude.'

Moore says much of today's cyber security sector requires specialists that are good at 'social engineering', which is the art of understanding attackers and their thinking. 'It actually has more to do with what people are studying in humanities or social science. It's more about who is attacking and why like: state-sponsored groups and state actors who are representative of a portion of threats a cyber security analyst has to deal with in banks, utilities, state governments and federal governments,' says Moore.

However, he says many employers are at risk of missing this trend. They continue to value job applicants with a long list of work experience and technical IT skills. Many also pay little attention to how well a candidate fits into an existing cyber security team.

The biggest obstacle: companies who follow 'check-box recruiting'

In an effort to break this pattern of 'check-box recruiting', WYWM chose a radically different approach. Founded in December 2016, this startup relies heavily on automation. A virtual assistant welcomes new applicants. Special software conducts a predictive analysis to identify skills gaps in the Australian jobs market and then assembles a training program. To stay up to speed in today's fast-changing tech world, program content is updated at least every 12 months.

There are no classrooms at WYWM. Instead, students learn online, supported by a network of career instructors and mentors from military ranks and private companies. An online testing tool checks the suitability of applicants for more than 15 career paths, from cyber security to robotics.

The company initially focused on helping army veterans change careers but has since expanded to help all sorts of unemployed or underemployed people, as well as athletes and school leavers. Its model has rapidly gained traction: WYWM is currently retraining 100 veterans per quarter as cyber security specialists in Sydney alone, and sees potential to increase this number to 1,000 by 2020. Around 90 per cent of participants find employment after completing the course, and 97 per cent are still in these jobs 12 months later, according to WYWM.

Moore relates WYWM's success to the accuracy of its testing tool, which not only measures skills but also matches the level of conscientiousness - the ability to be aware of surroundings and co-workers - between applicant and employer. 'The second part of the matching is really important,' says Moore. 'You might be smashing as a cyber security analyst, but if you go to a company or a team that isn't aware and has a low level of conscientiousness, then you'll hate your job.'

With You With Me

3.3 Research and commercialisation

Cyber security companies are operating in a competitive and rapidly changing market environment, in which technology is a key ingredient for success. The growing sophistication of cyber adversaries forces security providers to constantly stay ahead of the curve by developing ever-more innovative products. Australia’s cyber security research capability is strong. However, several factors undermine the country’s innovative strength. Australia lacks nationally coordinated and collaborative R&D in cyber security. Another major problem is the difficulty for many researchers to turn new and innovative technologies into marketable products that truly meet customer needs. To improve this technological transition, Australia needs to strengthen its pre- and post-R&D activities, such as supporting researchers to engage with industry to identify problems and reach out to potential investors.

Australia lacks nationally coordinated and collaborative R&D in cyber security

Competitiveness in cyber security is highly dependent on R&D

Australian cyber security providers can compete on price or on value - for example, by providing products that are easier to use or technically more advanced, or by offering stronger support services. Cog Systems is one Australian cyber security company whose solutions achieve both (see Box 11).

Australian providers can also compete on scope, for example, by offering a more comprehensive array of products and services. Analysis of the attributes that matter most to cyber security customers when choosing a vendor gives valuable insight into what makes a cyber security company competitive.

A survey of leading CIOs and CISOs for this Sector Competitiveness Plan reveals that customer appeal of cyber security companies largely hinges on technological leadership (see Figure 31). This is particularly true for software. Australian CIOs and CISOs overwhelmingly said they consider effective technology the most important factor when weighing the purchase of cyber security software.26

Box 11

Cog Systems: integrated technology from world-leading cyber security R&D

The Internet of Things is exposing users, original equipment manufacturers and platform operators to new risks. Cog Systems has developed technology that enables the commercial market to benefit from government-grade security for connected devices for the first time, through a commercially available off-the-shelf solution. The Cog Systems solution protects connected devices from current and future threats by responding to threats from the broader security landscape and to specific requirements from devices’ original equipment manufacturers.

Cog Systems leverages its D4 Secure Platform™ to assemble a software development kit (SDKs) for specific categories of connected devices. D4 Secure SDKs™ protect organisations and their users with embedded virtualisation technology that integrates easily into the user’s device. This embedded virtualisation enables the user to continue to access their data securely and without restriction to run any application. No longer will a Virtual Private Network (VPN) run in the same security domain as third-party downloaded apps.

Built on Australian-developed technology, such as the L4 Microkernel heritage and design principles, the D4 Secure Platform™ leverages the inherent benefits of virtualisation to drive towards the concepts of modularity with the fundamentals of security, trustworthiness, robustness, fault tolerance, and adaptability.

The initial reference product, the HTC One A9, secured by D4™, is an ultra-secure smartphone built with enhanced storage encryption, non-bypassable VPN, support for nested VPNs, plus many other advanced security features that play an increasingly important role in the security process.

D4 Secure products provide an intuitive security solution for original equipment manufacturer integration and in-channel and end-user enablement - the best of all worlds in mobile security.

Between them, the founders of Cog Systems have over 40 years’ experience across the design and implementation stages of mobile and Internet of Things devices. Motivated to ensure all individuals receive the highest level of mobile security, their goal is to ensure all mobile and Internet of Things devices are secure. Cog Systems’ customer base in Australia and internationally includes government and enterprises across a variety of regulated and non-regulated industries.

Cog Systems

Figure 31 – Most relevant purchasing factors for organisations when selecting a cyber security products vendor, 2017*

Figure 31

Tech is essential, but it has to be effective and tailored to our problem. Many companies focus on technological edge without solving a real problem for their customers.’
Australian private sector CISO

Unearthing new ideas

Developing effective technologies is resource-intensive because it requires companies and research institutions to invest heavily in R&D and collaborate to unearth new ideas and commercialise them. Governments can support these efforts, either directly through research grants and targeted funding programs or indirectly via R&D tax incentives. For example, governments can provide funds to research institutions or government agencies with the aim of boosting R&D. Governments can also fund programs to improve research collaboration between universities and industry.

Translating ideas into products

Post-R&D activities are equally important. The most innovative idea will fail to make an impact if it finds no user. Researchers and inventors need strong support from government funding agencies and industry partners to improve the success rate of transitioning innovative cyber security technologies into real-world products that customers want to buy.27 This will involve broadening the scope of transition activities and exposing new technologies and tools to a wider audience. Australia could do more to bridge the gap between researchers and vendors, sometimes described as a ‘valley of death’.

Leading countries in the global market for cyber security software, such as the US and Israel, are conscious of the link between technological innovation and market success, and invest heavily in R&D.

Figure 32 – Global cyber security software market share by company domicile

Figure 32

For example, the market power of American cyber security software companies coincides with a significant commitment to R&D. These companies are the leading vendors in the global market, generating 61 per cent of the US$26.4 billion of total cyber security software sales worldwide in 2015, as shown in Figure 32. They invest more than US$200 million each year to invent and develop new cyber security technologies. The US government adds further weight to the sector by providing additional R&D funding of more than US$500 million per year.

Israel, traditionally boasting some of the highest defence spending in the world, also provides strong government support for cyber security R&D. Israeli companies form the second-strongest vendor group in the global market for cyber security software, accounting for 18 per cent of total sales worldwide. Israel’s Office of the Chief Scientist is frequently cited as the country’s largest single investor in cyber security research, but official budget numbers are not readily available.

Several other countries have begun to catch up in recent years, but their R&D budgets for cyber security still appear modest compared to US and Israel. For example:

  • The United Kingdom government has developed a Defence and Cyber Innovation Fund worth more than US$200 million (GB£165 million) to develop innovative cyber security technologies and products. The investment is part of the country’s National Security Strategy, which will inject the equivalent of US$2.37 billion (GB£1.9 billion) into the British cyber security sector through to 2021. Some of the money will fund ‘cyber startups and academics to help them commercialise cutting-edge research and attract investment from the private sector’.28
  • The Government of Singapore recently announced a five-year plan to build new R&D expertise and improve its cyber security capabilities. The National Cybersecurity R&D Programme is investing around US$20 million per year (equivalent to S$130 million over the five years) in cyber security research and innovation.29
  • The Australian Government has made cyber security a national priority for science and research. Current expenditure on cyber security R&D, as shown in Figure 32, is estimated to be approximately A$81 million per year, which excludes R&D support through the national R&D tax incentive and research block grants to universities.30

Several potential sources of finance for cyber security research remain largely untapped

Cyber security research needs a stronger focus

Australian organisations undertaking cyber security R&D need to be more competitive for public research funding, for example, by better articulating commercialisation pathways and the potential for economy wide benefits. Similarly, funding agencies could improve their understanding of cyber security’s importance to the entire Australian economy, and how improving our cyber security R&D outcomes would make Australia a world leader. A breakdown of available grant schemes, as shown in Figure 33 indicates several potential sources of finance for cyber security research remain largely untapped.

Block grants to universities are generally the most important channel to directly fund R&D activities in Australia. In 2015, the Australian Government granted universities almost A$1.8 billion to support their R&D work. Block grants are awarded on a yearly basis based on a university’s performance in attracting research income and the successful completion of higher degree by research students. When awarded block grant funding, universities have complete autonomy in deciding how the grant is administered across its research portfolio. However, due to difficulties in collecting block grant data, the extent to which these funding tools are currently used to finance cyber security R&D is unclear. It is fair to assume, however, that Australia still has scope to increase the use of university block grants for cyber security R&D funding A new industry-led Cyber Security CRC, announced in late 2017, will be critical to strengthening Australia’s cyber security R&D capabilities. The Australian Government will invest $50 million in the Centre over the seven years to 2024. This is in addition to about $90 million in funding from a consortium of 25 government, research and business partners led by the Cyber Security CRC. The CRC represents a coordinated research effort focused on delivering real-world cyber security solutions (Box 12).

Figure 33 – Existing and potential sources of funding for cyber security R&D in Australia #

Figure 33

The Department of Defence is another major potential funding source for cyber security research. In the fiscal year ending June 2017, the Department paid businesses, academia and research organisations an estimated A$160 million to help develop new, innovative technologies for military use.31 The Department’s Defence, Science and Technology Group, the second largest publicly funded R&D organisation in Australia, just launched the Next Generation Technology Fund, which can invest over $730 million over the decade to June 2026 into emerging early-stage technologies of strategic value to Australia’s defence forces. Cyber security is one of the fund’s nine priority areas.

Cyber security researchers may also be able to make better use of the CSIRO Innovation Fund. This joint government-private sector initiative invests in startup, spin-off companies and existing small- to mid-sized enterprises, to improve the translation of publicly funded research into commercial outcomes and stimulate innovation in Australia.

Accelerating commercialisation is an area of focus across Australian governments with the aim of helping small and medium-sized businesses to commercialise novel products, processes and services. Around 180 companies received financial assistance between 2015 and early 2017 through a competitive grants process, with a total value of A$99 million.32 Cyber security companies did not received any assistance from this program over that period, which may be due to a lack of quality applications.

Grants provided by the Australian Research Council (ARC) form the second largest source of direct R&D funding in Australia. Yet analysis of the ARC’s funding pattern over the past decade reveals that only a fraction - around 0.6 per cent of the ARC’s annual grant budget (A$744 million in 2016) - was used to fund research projects related to cyber security.33 Postgraduate training centres and research hubs can apply for ARC funding through the Industrial Transformation Research Program (ITRP), which now lists cyber security as an Industrial Transformation Priority.

Australian Government invested $50 million over seven years

Almost $90 million contributed from a consortium of 25 industry, research and government partners

Box 12

Australia’s new Cyber Security CRC

Australia’s CRC Program has become a proven model for funding joint R&D work between businesses and researchers. Participants include private sector organisations (both large and small enterprises), industry associations, universities, and government research agencies such as the Commonwealth Scientific and Industrial Research Organisation (CSIRO).

The CRC Program supports collaborative research projects led by industry. It aims to develop and commercialise solutions for industry-specific problems, and ultimately improve the competitiveness, productivity and sustainability of Australian industries. CRCs are particularly relevant in sectors where Australia already has a competitive strength. For example, current CRCs cover areas such as advanced manufacturing, plant biosecurity and mining.

Acknowledging that cyber security is a strategic priority, the Australian Government last year invested $50 million over seven years into a new industry-led Cyber Security CRC to create a more mature national cyber security capability. The Government funding comes on top of almost $90 million from a consortium of 25 industry, research and government partners led by the Cyber Security CRC, a not-for-profit company dedicated to promoting industry investment into cyber security R&D.

The Australian Government says the new CRC will contribute to the country’s reputation as a secure and trusted place to do business, and will also deliver broad economic benefits by enabling industry to attract and increase investment, trade and commerce.

Research at the CRC will focus on delivering real-world cyber-security solutions, says Professor Sanjay Jha, head of the Cybersecurity and Privacy Research Lab at the University of New South Wales, a founding member of the new Cyber Security CRC.

’The CRC is very industry driven - we’re focused on solving real problems for Australian community, industry and government,’ says Mr Jha. ‘It will be a truly collaborative and cooperative project between the universities and the industry partners. The expectation is to have very high degree of collaboration and a tight timeline and target to deliver.’

Figure 34 – Quality measures of Australia's research performance

Figure 34

Blockages to cyber security innovation in Australia

Australia is home to 43 universities. They carry out most of the foundational research and have access to a significant amount of funding relative to other OECD nations.34 Cyber security research from Australia ranks highly in global comparison, Figure 34 reveals.

In terms of citation impact - an indicator of research quality - cyber security research papers from Australia are the most heavily referenced in the world, according to Thomson Reuters data.35 Australian universities appear well placed to lead the knowledge creation and spearhead the invention of new technologies in cyber security.

Cyber security research papers from Australia are the most heavily referenced in the world

Many universities in Australia are already regarded as global research leaders in fields with cyber security applications, such as packet switching (a technology that breaks down data into smaller parcels before transmitting them), quantum cryptography, distributed computing and wireless security technology. The Australian National University and the University of New South Wales are already at the leading edge of global research into quantum computing and its potential applications for the cyber security sector (see Box 13).

Box 13

Australia’s lead in the global quantum race

It is the nightmare of anyone guarding top secret data: a machine so powerful that it could crack even the toughest security codes. Quantum computers could do just that. They exploit the strange behaviour of tiny atoms, better known as quantum physics, to solve problems immensely faster than the world’s fastest supercomputers. This makes them a huge threat for current encryption methods - in theory, at least, because no one has yet managed to build such a code-breaking quantum computer.

The existence of quantum computers was long thought to be a distant vision. However, rapid technological advances by IBM, Google and others have raised concerns that quantum computers may become a reality much sooner. The National Security Agency in the US recently warned that the time to act and build ‘quantum-resistant cryptography’ is now.36 The Canada-based Global Risk Institute puts the odds of a quantum computer cracking key security algorithms by 2031 at 50 per cent.37

Many countries, including Australia, Canada, the US, Singapore and Japan, have increased their technology investments in recent years, fuelling a global race to develop the world’s first viable quantum computer. At the forefront is a network of 180 researchers from six Australian universities (University of New South Wales, Australian National University, University of Melbourne, University of Queensland, Griffith University and University of Sydney), the Australian Defence Force Academy, and a dozen international university and industry partners.38

The network is coordinated through the Australian Research Council Centre of Excellence for Quantum Computation and Communication Technology, or CQC2T.

While scientists around the globe are exploring a range of exotic materials - from synthetic crystals to dye pigments - to build a quantum computer, Australia’s CQC2T research group is on track to develop the world’s first quantum computer in silicon.

’Our Australian centre’s unique approach using silicon has given us a two to three-year lead over the rest of the world,’ says Professor Michelle Simmons, director of CQC2T.39 ‘These facilities will enable us to stay ahead of the competition.’

Funded with more than A$100 million worth of government grants and investments from Telstra and Commonwealth Bank of Australia, the CQC2T’s work is crucial for Australia’s nascent cyber security sector.40

Startups such as QuintessenceLabs have already begun to seize the emerging business opportunity. QLabs, as the company is known, is at the heart of solving the security threat posed by quantum computers. The company has invented and commercialised a so-called Random Number Generator, which promises to outwit cyber criminals by using encryption codes so random that not even a quantum computer could hack them without being detected. QLabs’s machine, no bigger than a mobile phone, can generate these truly random codes by splitting a laser beam in two at very high speed and converting the resulting signal to numbers.

QLabs, formed in 2008 as a spin-off from the Australian National University in Canberra, has received numerous accolades. Its clients include IBM and major Australian lender Westpac Banking Corp, which in 2017 bought a 16 per cent stake in the company and is using QLab’s encryption capabilities to boost the security of its banking business.41 Headquartered in Canberra, QLabs also runs a research lab at a NASA facility in Silicon Valley and was named one of the top emerging innovation companies globally by the Security Innovation Network, which counts the US Department of Homeland Security and the Home Office in the United Kingdom as members.

Australia needs to more effectively commercialise its cyber research. An often-cited criticism, underpinned by OECD data, is that Australia struggles to translate its academic strengths into marketable solutions.42 The cyber security sector is no different. Several obstacles are blocking the innovation pipeline in cyber security and hampering the technological transition of high-quality research ideas into commercially viable products, as illustrated in Figure 35.

Figure 35 – Key stages of the cyber security research and innovation pipeline

Figure 35

There is a lack of focus in existing research efforts

At present, university R&D in cyber security is comparatively small in scale and fragmented. The distribution of competitive ARC grants, as shown in Figure 36, indicates that public funding for cyber security research has been scattered across 16 universities

over the past seven years, with no apparent effort to concentrate funding on a few national research flagships that could champion the knowledge creation in cyber security.

Even the Australian National University, which has so far received the highest individual amount of competitive research money in cyber security, still only attracted 14 per cent of the total ARC cyber security funding.43 While there is value in diversity, a more concentrated funding approach would allow a select few universities to rapidly expand their cyber security research capabilities, and could help accelerate the creation of new ideas and spur the development of competitive technologies. The section Grow an Australian cyber security ecosystem in Chapter 4 identifies actions to help improve the focus of Australia’s cyber security research.

Figure 36 – Distribution of competitive ARC research grants in cyber security

Figure 36

Collaboration between industry and research is weak

A rich exchange between academia and industry is necessary to help researchers validate the practical applicability of their research and ensure research ideas get translated into practical applications. University scientists who cultivate a close collaboration with companies would find it easier to identify and select knowledge with commercial relevance. Businesses that collaborated on innovation were twice as likely to develop 10 or more innovations in the fiscal year 2015, Australian Government research shows.44 Despite this, OECD data shows the ties between academia and industry in Australia are the weakest in the developed world: only 3 per cent of surveyed businesses in Australia collaborate with universities and other research institutions - a sharp contrast to leading countries like Finland, where 69 per cent of large and 24 per cent of small companies work closely with external research organisations.45

The ties between academia and industry in Australia are the weakest in the developed world

As noted earlier, some of Australia’s large companies in are acutely aware of the benefits of partnerships with local universities. For example, Commonwealth Bank of Australia has invested A$15 million to support researchers at UNSW who are part of the CQC2T network striving to build the world’s first silicon-based quantum computer in Sydney (see Box 13 for details on CQC2T).46

Quantum computing has potentially profound implications for cyber security, particularly through cryptography. The Commonwealth Bank of Australia’s investment comes on top of Australian Government funding worth A$26 million for the CQC2T, based at the University of New South Wales. An additional A$10 million of research funding for the project comes from Telstra, the nation’s biggest telecommunications company, which has assigned its team of data scientists to work directly with University of New South Wales researchers. ‘We can work together to put Australia at the forefront of global innovation,’ said Telstra chief executive Andrew Penn in 2015, when the company announced the investment.47

Macquarie University and telecommunications company Optus partnered in 2016 to establish a multi-disciplinary cyber security hub with a joint investment of A$10 million. While primarily set up to ease the sector’s skills shortage, the Optus Macquarie University Cyber Security Hub also offers consultancy services and undertakes research in a variety of areas, including security risk analysis, trustworthy computing and cyber governance (see Box 9).48

Meanwhile, US technology company Cisco Systems has been instrumental in developing the Security Research Institute at Edith Cowan University in Western Australia.49 Cisco further committed to invest US$15 million in a newly established Internet of Everything Innovation Centre with R&D facilities across Australia. The centre, which Cisco co-founded with Curtin University and Woodside Energy, is a space where customers, startups, open communities, researchers, entrepreneurs and technology enthusiasts can work and brainstorm on new ideas and technologies, including in cyber security.50 Others working on deepening research and innovation links between large companies, universities and startups in Australia include Data61 within CSIRO (see Box 14) and financial technology hub Stone & Chalk.

Box 14

Australia’s digital dynamo: Data61

Data61 was formed in 2015 when Australia’s national IT research facility, National ICT Australia (NICTA), merged with the digital research unit of the country’s chief science organisation, CSIRO. Its mission is to find and develop new cutting-edge technologies for today’s data-driven world. Today, Data 61 is considered Australia’s biggest research facility of its kind. With more than 1,100 staff spread across six states and territories, including more than 400 resident PhD students, it also hosts one of the largest data research teams in the world.

The work is diverse. Scientists at Data 61 have developed insect-like robots with legs, whose sensors allow them to create a digital elevation map of an area. They have created new software tools to help analysts predict the behaviour of bushfires. And they are working on installing a vast wireless network of sensors and nodes in the Amazon region to help track the loss of animals and plants.

Cyber security is a key research focus for Data61. Recently, the group became the first worldwide to investigate a common security feature for Android mobile devices. Now that mobile phones are essentially mobile computers, millions of users worldwide are turning to Virtual Private Network (VPN) apps to hide their browsing activity, access region-restricted content and ensure their data is secure when using public Wi-Fi networks. Data61, in conjunction with researchers from the University of New South Wales and the University of Berkeley in the US, revealed that these apps are not as secure as suggested. Another recent achievement was the development of a very small, yet powerful base system for computers and mobile devices - called a kernel - that equips operating systems with one of the world’s strongest basic protection against viruses, trojan horses, ad-ware and spyware.

A strong emphasis on research collaboration underpins the Data61model. The group connects academia, corporations, startups, governments, investors and entrepreneurs across the globe. For example, it has created a Data Research Network to link industry with data researchers and it delivers data analytics training to businesses.

Smaller industry participants, however, have been slower to tap into university expertise to develop new products and services. Interviews with a wide cross-section of local cyber security startups reveal that only two out of more than 22 industry particpants are currently working closely with universities.51

In interviews, industry participants cited several barriers to greater industry research collaboration in Australia. Some executives admit they lack experience in engaging universities to leverage their knowledge. Some also say that the different planning horizons limit their close collaboration with academics - companies tend to focus on their immediate, short-term needs, while basic research occurs over longer timeframes. Some company executives are reluctant to deepen their ties with researchers who they feel lack understanding of practical industry needs. Researchers, in contrast, said some industry customers have unrealistic expectations about what their business can gain from basic academic research. Lastly, both researchers and businesses agreed that negotiating intellectual-property agreements with universities can be time-consuming and costly.

There is scope for a more effective collaboration of researchers and businesses. Chapter 4.1 (Grow an Australian cyber security ecosystem) makes several recommendations for actions that could help deepen the links between universities and industry, including offering work placements for postgraduate students.

There is scope for a more effective collaboration of researchers and businesses

Access to capital to support innovation is limited

Venture capital funds investing in early-stage startups are currently scarce in Australia, noting some government assistance and incentives are available. This low availability blocks the country’s innovation pipeline because startups are locked out from the high-risk capital they urgently need to turn promising ideas into competitive, real-life technologies.

OECD data, as shown in Figure 37 shows that, measured as a share of GDP, there is 10 times less early-stage venture capital available in Australia (0.01 per cent) than in the US (0.1 per cent) and almost 30 times less than in Israel (0.27 per cent). Both these countries are considered leaders in the global market for cyber security products.

’Cyber security is [...] perceived as a risky and technically complex business. [Venture capital funds] in Australia are not interested in buying that extra complexity, particularly when they are in a medium-sized market that pushes them to be less specialised.’ Managing Partner of large early-stage venture capital fund

Data compiled by the World Economic Forum, also shown in Figure 37 further highlight the difficulties Australian startups are facing when trying to tap venture capital funding.52 On a scale from 1 (hard) to 7 (easy), Australian executives surveyed for the World Economic Forum’s Global Competitiveness Index rate access to venture capital in Australia at 40th in the world, below the OECD average and well below our competitor nations.

This problem of access to early-stage venture capital funding is well-known and acknowledged in Australian Government assessments of the Australian innovation system.53 Recent policy measures have attempted to address this through tax concessions. In 2016, the Australian Government also launched the CSIRO Innovation Fund, which aims to fill this funding gap by co-investing in spin-offs, startups and small to medium enterprises engaged in the commercialisation of early stage innovations. CSIRO’s science and technology innovation Accelerator, ON, also helps startups commercialise promising cyber security ideas.

Figure 37

Figure 37

'Pitching to early-stage [venture capital funds] in Australia was disheartening...They don’t have much clarity and visibility around cyber, and their valuations were much lower than those of [Silicon] Valley investors.’ CEO of major Australian company

Cyber security startups, however, might face bigger obstacles than their peers because they offer complex, highly technical products. Most Australian venture capital funds are generalists by necessity because of the limited market size - as opposed to the US where there are several venture capital funds with expertise in cyber security (such as Rally Ventures). Interviews with Australian cyber security professionals indicate that local venture capital fund managers perceive the cyber security sector as complex and risky. Many are reluctant to invest because of a lack of expertise in this field, although this is starting to improve.

Local venture capital fund managers perceive the cyber security sector as complex and risky

Incubators and accelerators play an important role for Australia’s cyber security ecosystem. They are part of the key infrastructure to foster business creation and innovation. While studies show that startups may be just as successful without that initial support, it is indisputable that accelerators and incubators help entrepreneurs learn a lot and improve their professional networks. There is also strong evidence that accelerators and incubators have a positive indirect impact, by ‘serving as beacons’ to unite a community and by increasing the diversity of interconnections in the ecosystem.54 Focused incubators and accelerators that understand the cyber security ecosystem and its specific challenges should lead to a stronger performance of startups and their capacity to innovate.

Australia’s first dedicated cyber security incubator, CyRise was launched in 2017. CyRise was borne out of a partnership between Dimension Data and Deakin University and with funding support from the Victorian Government’s LaunchVic startup initiative. Australia could build on this great potential to develop an end-to-end network of cyber security infrastructure as a critical step towards a stronger domestic cyber security ecosystem.

’Cyber security startups work in the deep tech space. It therefore takes longer to build the right product and get traction, so they need more support than others.’ Scott Handsaker, CEO CyRise

Various approaches to overcome these issues are discussed in the section Grow an Australian cyber security ecosystem in Chapter 4, including familiarising new investor groups, such as superannuation funds, with investment opportunities in the local cyber security sector.

3.4 Cyber security companies’ growth and export

Developing innovative products and services is crucial to building Australia’s competitiveness in cyber security, but that alone is not enough to ensure our companies succeed and our industry develops. Companies need to be able to effectively sell their products and services into a domestic marketplace where they can build scale, confidence and capabilities. With that local base in place, they can more effectively take on the challenge of exporting to global markets and connecting with global value chains.

Barriers to growth for small cyber security companies in Australia

Interviews with buyers and sellers of cyber security solutions show companies need to overcome three main hurdles to successfully establish and grow their business - they need to understand their customers, gain trust, and get to scale.

Box 15

Boomerangs: Australian-born successes expanding back home

Bugcrowd, Dtex Systems and UpGuard are three dynamic Australian-born cyber security companies that have successfully moved overseas and are now ‘boomeranging’ back home. Founders, Casey Ellis (Bugcrowd) and Mohan Koo (Dtex Systems), together with Hamish Hawthorn (COO, UpGuard) are passionate advocates for cyber security and for Australia’s immense local talent. They agree that by encouraging the domestic market to invest in and procure Australian solutions, there is a significant opportunity to grow the nation’s capabilities for economic benefit and establish a globally attractive cyber security ecosystem.

There are common themes threaded through the journey of these three companies. Years ago, all three left Australia in order to access high risk early stage capital, be in close proximity to business mentoring and growth support networks, and grow their customer base. All are based in Silicon Valley in the US, with Dtex Systems settling there after exploring market opportunities in Southeast Asia and the UK. In 2017, all three companies built on their overseas success to establish new business units in Australia, mostly in R&D and sales support. All are optimistic about Australia’s future as a cyber security leader.

Bugcrowd’s Casey Ellis sees the Australian market improving for startups, as high-value talent and increasing levels of investor capital start to flow. Ellis recognises Australians have many strengths and that organisations, including Bugcrowd, want access to the ‘Australian DNA’ that makes the country’s cyber security professionals so attractive.’Australia is world-class at troubleshooting. The world knows it, but Australia doesn’t - yet,’ says Ellis. Establishing a presence in Australia is part of Bugcrowd’s continuing growth and a positive way to engage in the growing local cyber security ecosystem.

Mohan Koo from Dtex Systems firmly believes Australia is now in a position to seize opportunities in the global cyber security sector and that this will generate economic growth for Australia over the next five to 10 years. ‘Australia can be a centre of cyber excellence for the region,’ says Koo. For this to occur, he believes the mindset of Australian businesses and Government must evolve to be less conservative by encouraging innovation and buying local cyber security solutions. Koo also sees Australian universities playing a crucial role in fostering growth as part of maturing the ecosystem. Dtex Systems, which was awarded the Australian American Chamber of Commerce (AACC) Innovation Award in 2017 for its commitment to improving cybersecurity infrastructure in Australia, recently opened its first Canberra office.

UpGuard’s Hamish Hawthorn is keen to see ‘less reliance by large Australian enterprises on traditional suppliers and vendors and a greater willingness to work with Australian technology companies who are solving problems in more innovative ways, in the face of a dynamic cyber risk environment.’ He says building a domestic capability is key to developing a vibrant cyber security ecosystem. Hawthorn attributes his time in Silicon Valley as beneficial to developing and strengthening the product UpGuard now offers, largely due to the intensity of the competition in the US market, but also the Silicon Valley ecosystem that encourages fast learning through iterative development of solutions. This process of innovation is something Hawthorn believes Australia can achieve through continued cultural change and greater risk tolerance for emerging technology.

Bugcrowd, DTex Systems and UpGuard logos

Figure 38 – Most relevant factors for customers choosing a provider of cyber security products (software and hardware)

Figure 38

Cyber security companies often fail to understand their customers

The AlphaBeta/McKinsey survey of CIOs and CISOs and local cyber security providers indicates many Australian cyber security companies undervalue aspects of their offerings that are critical for local customers. This mismatch is most evident for customer support, according to the survey results shown in Figure 38. When purchasing products, customers consider support to be an essential component of their purchasing decision, while local companies are more focused on providing a user-friendly service. A greater understanding of, and focus on, local customer needs would help Australian cyber security companies grow (see Box 16 for example).

Additional survey results shown in Figure 39 reveal that cyber security users have widely differing needs, depending on the nature of their businesses. Those most at risk of being targeted by cyber criminals, such as financial-services companies or defence agencies, are typically investing in large in-house cyber security teams and only seek external help to complement their own capabilities. When they do engage external service providers, they generally choose those offering the greatest trust, best support and most effective technology.

Figure 39 – Most relevant factors for different customer segments choosing a cyber security product provider

Figure 39

Customers with a moderate risk exposure, such as retail and healthcare businesses, tend to outsource more of their security needs to external cyber security providers. These mid-market customers are most interested in acquiring the best technology and support when choosing a cyber security vendor. The survey shows they are also more cost-conscious than other customers in the market.

Cyber security companies also need to consider if their product or service might be better targeted to an integrator, such as a Managed Security Service Providers (MSSP), rather than to end-user customers. MSSPs typically serve the needs of mid-market customers and usually bundle several products and services - from managed firewalls to vulnerability scanning and anti-virus services - into one integrated offering. Telecommunication companies are one example of MSSPs. Interviews suggest that MSSPs, on average, are most focused on offering their customers the best support, and least concerned about offering the widest range of solutions.

Box 16

FunCaptcha: homegrown startup changing human verification online

’Completely Automated Public Turing Test to tell Computers and Humans Apart’ or CAPTCHA is used to protect websites from spammers. Most available CAPTCHAs require the user to read and then type in text to verify they are not a bot. To be effective against the sophisticated range of bots, the text is often difficult to read. However, this makes the process annoying for users who can end up leaving the website as a result.

FunCaptcha has created a unique way to manage the online verification process by engaging users with fun and effective visual puzzles to solve so the website can distinguish automated attackers from human users on the internet. The startup distinguishes itself from traditional CAPTCHAs by using fun visuals during the verification process and by adjusting its security vetting process based on the number of users and how they interact with the CAPTCHA. The solution eliminates the threat of an automated attacker with enterprise-grade security that is backed by patent-pending technology and a team of experts.

Founded in Brisbane in 2013, FunCaptcha already has a presence in more than 100 countries. FunCaptcha’s customer base is growing strongly among some of the world’s most trusted brand websites, mobile apps and games to tackle spam, ticket scalping, account fraud, brute forcing or an entirely new attack. After spending substantial time researching the Australian market, FunCaptcha identified opportunities in the US market, which hosts a large portion of websites that Australians use. FunCaptcha attributes its early success in entering the international markets by attending US security conferences as a platform to build a strong referral network.

FunCaptcha logo

New companies often lack the trust to gain anchor customers

To inform this Sector Competitiveness Plan, a range of local cyber security companies was analysed to understand which factors - including funding, R&D collaborations and industry regulation - are most important for their development and success. The results, shown in Figure 40 highlight that acquiring an ‘anchor customer’ is the most commonly cited success factor for Australian cyber security companies.

Anchor customers can add material value to a small business

They often have clout in an industry and can become a catalyst for demand by adding credibility to a startup and its new products. Their reputation often helps startups acquire further customers. They can also act as a strategic partner, provide access to fresh capital, and give feedback on how to improve a startup’s offerings. Survey results show Australian cyber security companies most commonly relied on anchor customers from industry (relevant for approximately half the companies surveyed), while about one-quarter of the companies surveyed said a government contract was critical to their success.

Figure 40 – Success factors for Australian Cyber security firms*

Figure 40

However, acquiring an anchor customer is not easy and requires more than just a convincing product or service. A survey of CIOs and CISOs in leading Australian companies with the potential to act as anchor customers for cyber security companies reveals that trust is a crucial factor, particularly when selecting service providers.55 And while buyers of cyber security products, such as antivirus software or firewalls, are generally most interested in buying the most effective technology, Figure 41 shows that finding a trustworthy producer still ranks as the third-most important driver for their purchasing decision.

This customer preference for dealing with a trusted vendor particularly affects the early-stage cyber security companies in Australia. In this market, which is dominated by well-established and reputable foreign competitors, many local startups lack the credibility needed to win an anchor customer.

’A common concern around local companies is that they need to go overseas to get their first sale...It’s in fact an issue on the maturity of the local market...the fact that we don’t realise that home-grown products can be world-class.’
CIO of an Australian bank

Figure 41 – Most relevant purchasing factors for customers choosing a cyber security provider, 2017*

Figure 41

Large potential customers may remain reluctant to engage if a company has no track record to indicate that a new product or service will deliver the promised outcome. Interviews with CISOs in Australia reveal many are hesitant to buy from smaller or newly established providers with no reputation, even if these companies offer technologically appealing products. Potential customers may also question the financial health of a cyber security startup and seek evidence that it will exist long enough to support its products and services well into the future.

In cyber security, a trust deficit can act as a stronger market barrier than in other industries. This is because buyers of cyber security products and services take a bigger risk with their purchases than buyers of other goods. As they invest in the protection of vast corporate IT networks with large amounts of sensitive data, they need a quality assurance and guarantee that what they buy will indeed shield them against cybercrime.

In cyber security, a trust deficit can act as a stronger market barrier than in other industries

One way for companies to overcome the lack of trust is to use one of several certification and accreditation programs available in Australia (see Box 17 for further details). Another, less obvious way to overcome local market barriers is to expand overseas. Some local cyber security companies have found it easier to penetrate the Australian market after acquiring an international customer first. In interviews, company executives said the fact that foreign customers can help increase the perceived trustworthiness of Australian cyber security companies illustrates the widespread risk aversion in the local market.

The section Grow an Australian cyber security ecosystem in Chapter 4 outlines actions that can assist cyber security startups in their search for anchor customers, including showcasing Australian cyber security products and services and coaching to help startups mature their business operations.

Box 17

Select accreditation programs for Australian cyber security companies

The Australian Signals Directorate (ASD), an Australian Government intelligence agency in the Department of Defence, evaluates and certifies ICT products and services that meet the high-level security standards of government agencies, making it a go-to address for any cyber security company wishing to win a government agency as customer. The ASD currently has several certification and accreditation schemes that businesses can join to bridge a gap in trust:

  • Australasian Information Security Evaluation Program (AISEP) - This program assesses whether ICT security products and systems work correctly and effectively, and do not show any exploitable vulnerabilities. Products and systems that pass this test are added to an Evaluated Products List, which approves of their use by Australian and New Zealand government agencies and certifies them against international standards. The program reviews a range of products from data and network protection to security modules.
  • Service certification - The ASD tests and certifies the effectiveness of certain ICT services, in particular gateway services, which seek to prevent malicious web traffic from entering organisations’ networks, and cloud services. Australian Government agencies are strongly discouraged from working with uncertified cloud or gateway security service providers to protect government information.
  • Information Security Registered Assessors Program - This program trains and accredits individual cyber security professionals to assess organisations’ security compliance and highlight information security risks, with a focus on compliance with Australian Government information security standards and requirements.

The Council of Registered Ethical Security Testers Australia and New Zealand (CREST), a not-for-profit based in Canberra, is another entity that assesses, accredits and certifies cyber security professionals and companies in Australia and New Zealand. Its accreditation scheme is limited to companies providing penetration and vulnerability testing services, that is screening a computer system, network or web application for vulnerabilities that an attacker could exploit. A CREST membership costs A$10,000 per year, and it takes a maximum of six months to obtain a CREST certification.

Procurement processes favour larger, established companies

Strict procurement rules oblige many government agencies and private-sector companies to engage only cyber security providers with a proven track record of fulfilling complex and sizeable security tasks. These internal procedures typically work in favour of large cyber security companies, while startups frequently miss out. Many small, emerging cyber security companies lack the resources to deliver large-scale projects, particularly when they cover multiple product and service areas as government contracts often do. Government agencies often search for providers who are capable of meeting a variety of security and other ICT needs at once - a tendency clearly reflected in the scope of government contracts, which are among the most valuable in the market.

An analysis of Australian Government tender agreements for the provision of cyber security services over the past decade, illustrated in Figure 42 shows that just one-quarter of all government contracts made up almost 87 per cent, or A$274 million, of the entire government spending on cyber security contractors over that period. Yet, only 8 per cent of these high-value government contracts were concluded with Australian grown and owned companies, as most are still too small to effectively compete against large foreign rivals in a government tendering process.

Missing out on the large-scale contracts commonly offered by Australian government agencies - a median size of A$300,000 for the top quarter of contracts - is a significant barrier to entry for smaller Australian cyber security providers. In fact, large-value contracts are seen as the most important market hurdle for startups globally.

Figure 42 – Government cyber security-specific contracts*, 2007–17

Figure 42

’Big organisations tend to hire big organisations.’
CIO of an Australian bank

Research shows, for example, that the share of small and medium-sized companies securing government tenders in European Union countries rapidly declines once the overall contract value rises above A$150,000.56 Tender processes could be made more accessible if governments divided their contracts into smaller parcels. Rather than contracting a few very large cyber security service providers, they could allow many small companies to service different aspects of their security needs. Given that purchasing from more providers could also make systems more complex and less integrated, any move to smaller contracts would need to be properly weighed against such potential complications.

Tender processes could be made more accessible if governments divided their contracts into smaller parcels

Other aspects of the public procurement process are also hindering cyber security startups from working more closely with government. Public agencies usually appoint a panel of suppliers for products and services they regularly acquire, referred to as Standing Offer Notices. These suppliers are pre-approved to do business with the government for a period of several years. While this offers convenience for procurement officers, it limits opportunities for new entrants. One example is the panel for ‘Consultancy and Business Services’, which comprises 170 suppliers and has been used to procure some cyber security-related contracts.57 The current panel was appointed in 2013, and there will be no new opportunities to join this panel until it expires in 2019.

The Australian Government is trying to remove barriers to entry. Recently, it has added new features to its ‘Digital Marketplace’ - an online platform for buyers and sellers of various ICT products and services. It has opened up the Digital Marketplace to cyber security businesses, making it easier for them to work with Australian Government agencies. The Digital Marketplace uses a strict selection process for companies wishing to use the platform for their offerings. Similarly, cyber security services companies must demonstrate certain abilities and experiences before they can join the Digital Marketplace.58

Importantly, the Digital Marketplace could also provide cyber security companies with access to state and local government buyers. In addition to launching its own marketplace for the cloud,59 the New South Wales government has already announced that the Marketplace complies with its procurement policies, and it will begin purchasing some ICT services through the new platform.60 Some local governments have also joined as registered buyers. A uniform set of procurement requirements to access buyers at all levels of government will significantly reduce compliance costs for companies.

Many of these issues in public sector procurement are also common to private sector procurement processes, which are often deliberately designed to weed out startups and smaller companies through narrow evaluation and review criteria. The preference to work with larger players is particularly strong in cyber security, which affects highly sensitive aspects of the business. Lengthy procurement processes, usually lasting between three and six months, can additionally deter smaller providers.

Simplifying procurement procedures in the public and private sector would remove some of the substantial hurdles that cyber security startups are facing. Section Grow an Australian cyber security ecosystem in Chapter 4 has more details on actions to address this issue.

Cyber security companies traditionally struggle to access export markets

An analysis of the geographical spread of Australian cyber security companies reveals significant scope for the sector to export its products and services and connect to global value chains. While many Australian hardware and software providers are already engaging with global customers, most services companies in the Australian cyber security sector have not yet developed an export capability. In fact, Figure 43 reveals that only 12 per cent of Australian cyber security services companies surveyed have customers outside Australia, although anecdotal reports suggest this is growing.

Not all cyber security services are equally exportable. Education is unique because it is relatively easy for a cyber security training provider to bring individual students to Australia to study. A data analytics company, however, might struggle to export its services due to country-specific laws around data privacy. Service providers offering advice and support on compliance issues might also find it difficult to export their work, as they require a deep knowledge of local regulations.

Some services exports require a local operating base in another country. Others can be delivered remotely, meaning jobs created are predominantly in Australia. The way companies design their service offerings can have a major impact on their exportability, and some Australian cyber security companies may need more support and guidance to develop the most exportable service possible. Still, some service providers may not yet have the staff, expertise and resources needed to serve customers abroad. In interviews, several cyber security services companies indicated that exporting is not a priority for them, because they already struggle to recruit enough cyber security professionals to meet strong domestic demand.

Chapter 4 lists several strategies that could help overcome some of the common export issues Australian cyber security companies are facing. Examples include intensifying Australia’s marketing presence for cyber security in key target markets and analysing remote delivery models for Australia’s existing services strengths.

Figure 43 – Overseas activities of Australian cyber security firms

Figure 43

  1. In this plan the skills shortage is defined as the additional number of workers that would be in the core cyber workforce if the supply of suitable workers was unconstrained. Given the difficulty of modelling an unconstrained sector, other sectors that are less constrained than cyber, such as IT generally, are used as benchmarks.
  2. See for example Australian Government (2017), Australia’s Cyber Security Strategy. First annual update. Available at:
  3. More information available at:
  4. Analysis in this Sector Competitiveness Plan focuses on the specialist, or core, cyber security workforce in Australia.
  5. At present there are only around 150 ICT Security Specialists in Australia on Temporary Resident (Skilled) visas (becoming Temporary Skill Shortage visas). While there are likely to be other ICT professions working within the cyber security sector, the total number is unlikely to be more than 200 workers, or around 1 per cent of the core cyber workforce. See: Department of Home Affairs (2018), ‘Temporary resident (skilled) visa holders in Australia at 31 December 2017’. Available at:
  6. The ADF announced the establishment of an Information Warfare Division in July 2017. Further information available at:
  7. National Initiative for Cybersecurity Education (NICE). NICE Cybersecurity Workforce Framework. More information:
  8. ABS (2018), Australian Census Longitudinal Dataset.
  9.  Nature (2018), “Cybersecurity needs women”. Available at:
  10. 10 – Department of Jobs and Small Business (2015), Labour Market Research - Information Technology (IT) Professions, December Quarter 2015.
  11. The estimate was generated using the four different job market metrics. See Appendix B for details.
  12. Australian Information Security Association (2016), The Australian Cyber Security Skills Shortage Study 2016. Available at:
  13. Department of Education and Training (2018), Higher Education Statistics. In 2016, there were 1,150 enrolments and 231 completions from security science courses. While security science is the only cyber-specific field of education, some cyber security courses or other courses with significant cyber components are likely classified elsewhere and not captured in these totals. Student numbers for 2017 and 2018 are not yet available.
  14. La Trobe University (2016), ‘Optus & La Trobe tech-collaboration’. Available at:
  15. Macquarie University (2016), ‘$10 million partnership with Optus for new cyber security hub’. Available at:
  16. Macquarie University (2016), ‘Optus Business and Macquarie University to establish new cyber security hub’. Available at:
  17. Commonwealth Bank of Australia (2015), ‘Commonwealth Bank and UNSW confront chronic cyber security shortage’. Available at:
  18. Commonwealth Bank of Australia (2016), ‘Commbank Cyber Prize 2016’. Available at:
  19. In New South Wales, the full price (including government subsidies) for a Certificate IV in IT is $8,880 while a Certificate IV in Cyber Security is $8,100. In Victoria the full price (including government subsidies) for a Certificate IV in IT is $9,100 while a Certificate IV in Cyber Security is $8,300.
  20. In the US, the National Security Agency and the Department of Homeland Security accredit university and college courses. To date, they have accredited over 200 courses. In the UK, the National Cyber Security Centre, a government body, certifies cyber security degrees. To date, it has accredited over 25 postgraduate degrees.
  21. Cyber Security Challenge UK (2017), ‘Barclays delivers skills boost with Cyber Challenge UK competition’, available at:
  22. Office of the Chief Scientist (2015), STEM-trained and job-ready. Available at:
  23. Further information on the Apprenticeship Training - alternative delivery pilots is available at:
  24. For more information see:
  25. For more information see:
  26. AlphaBeta/McKinsey (2017), ‘Survey of Australian CIO and CISO purchasing factors’.
  27. Maughan, D., et al. (2013), ‘Crossing the “Valley of Death”: Transitioning Cybersecurity Research into Practice’, IEEE Security & Privacy, Vol. 11, No. 2, pp. 14-23, March-April 2013. Available at:
  28. British Government (2016), National Cyber Security Strategy 2016-2021. Available at:
  29. Singapore Government (2017), National Cybersecurity R&D Programme. Available at:
  30. Australian Government (2016), Cyber Security - Capability Statement. Available at:
  31. Innovation and Science Australia (2016), Performance Review of the Australian Innovation, Science and Research System. Available at:
  32. Australian Government Business (2017), ‘Accelerating Commercialisation funding offers’. Available at:
  33. ARC (2016), ‘Grants Dataset’. Available:
  34. Innovation and Science Australia (2016).
  35. Referenced in Australian Government (2016), Cyber Security - Capability Statement. Available at:
  36. National Security Agency (2016), Information Assurance Directorate. Commercial National Security Algorithm Suite and Quantum Computing FAQ. Available at: .
  37. Global Risk Institute (2016), ‘A quantum of prevention for our cyber-security’. Available at: .
  38. UNSW (2016), ‘Backgrounder: Quantum computing at UNSW and timeline of major scientific and engineering advances’. Available at: .
  39. UNSW (2016), ‘Prime Minister hails UNSW’s quantum computing research as the world’s best’. Available at: .
  40. Greg Hunt, then Australian Minister for Industry, Innovation and Science (2016), ‘Major leap forward for Australian quantum computing’. Available at: .
  41. QuintessenceLabs (2017), ‘QuintessenceLabs Sees Additional Investment from Westpac Group to Strengthen Partnership’. Available at: .
  42. Department of Industry, Innovation and Science (2017), ‘Innovation, science and commercialisation at a glance’. Available at:
  43. Australia Research Council (2017), Grants Dataset. Available at:
  44. Australian Government, Office of the Chief Economist (2016), Australian Innovation System Report. Available at:
  45. OECD (2015), Science, Technology and Industry Scoreboard. Available at:
  46. Commonwealth Bank of Australia (2015), ‘Commonwealth Bank Increases Support for Australian Leadership in Quantum Computing’. Available at:
  47. Telstra (2015), ‘Telstra announces plan to co-invest with Federal Government in silicon quantum computing’. Available at:
  48. Macquarie University (2016), ‘Optus Business and Macquarie University to establish new cyber security hub’. Available at: See also the Optus Macquarie University Cyber Security Hub website at:
  49. ECU Security Research Institute (2017), Director’s notes. Available at:
  50. Cisco Systems (2015), ‘Cisco Brings Internet of Everything Innovation Centre to Australia’. Available at:
  51. AlphaBeta/McKinsey (2017), Survey of Australian CIOs, CISOs and cyber security companies.
  52. World Economic Forum (2017), The Global Competitiveness Report 2016-17. Available at:
  53. Australian Government, Innovation and Science Australia (2016), Performance Review of the Australian Innovation, Science and Research System 2016. Available at:
  54. See for example UNSW Business School (2016), The role and performance of accelerators in the Australian startup ecosystem. Available at: