Challenges to Australia’s cyber security industry

by acsgn_admin

3.1 Overview

Three major challenges are currently detracting from the growth outlook for Australia’s cyber security industry: a lack of focus in research and commercialisation; market barriers that hinder smaller local cyber security providers from becoming scalable, export-oriented firms; and a shortage of job-ready workers. This chapter provides an overview on these challenges, while Chapter 4 (Building a competitive Australian industry) lists a range of recommended actions to address these obstacles to growth.

The first challenge is related to Australia’s current research, development and commercialisation system. To be sure, R&D is important for many industries. In cyber security, however, where customer success is driven predominantly by a firm’s ability to offer effective technology, a failure to invest in R&D can be fatal. Australia’s cyber security industry can only thrive and produce innovative, cutting-edge technology if there is strong support for research and commercialisation.

This chapter shows that Australia’s public investment in cyber security R&D lags that of global industry leaders, such as the US and Israel. A breakdown of grant data suggests that Australia’s national funding for cyber security research currently lacks strategic focus. Interviews with industry participants reveal that research collaborations between universities and businesses—viewed as crucial for a vibrant, innovation-driven industry—are mostly limited to larger firms, and often fail to meet expectations of both parties. Funding data also indicate that it is more difficult for Australian cyber security startups than for their global peers to access early-stage venture capital for the commercialisation of innovative products.

There are strong signs that Australia could make better use of the existing array of funding sources, and Chapter 4.1 (Grow an Australian cyber security ecosystem) offers some solutions, including coordinating our research efforts on a limited number of topics that match our existing capabilities and support the focus segments.

The second challenge lies in overcoming market barriers that hamper local firms in their efforts to scale their operations and become leading exporters. Many startups lack a clear understanding of the specific needs of their customers. Many also lack the trust and credibility to win an anchor customer for their products and services. Complex procurement processes in both government and the private sector become an additional hurdle: they prevent many smaller and younger firms from scoring a large customer contract. Chapter 4.2 (Export Australia’s cyber security to the world) outlines a range of strategies to tackle these issues, such as relaxing current procurement procedures.

Thirdly, Australia has difficulty attracting and retaining cyber security talent. While the skills shortage is affecting the cyber security industry globally, there are signs that the lack of cyber talent in Australia is among the worst in the world. Australian firms struggle to find job-ready cyber security workers despite offering high wage premiums. This chapter reveals that Australia will likely need around 11,000 additional cyber security workers over the next decade—for technical as well as non-technical positions—just to meet the industry’s ‘business-as-usual’ demand forecasts.

There are signs that the formal education system fails to produce enough job-ready cyber security graduates in Australia. However, employers themselves may also be hindering the supply of skilled workers, with limited opportunities for cyber security graduates to gain work experience. Many companies have also failed to develop strong training pathways that could prepare workers from outside the industry, who bring a similar skills profile, for jobs in cyber security.

There are ways to address these bottlenecks of skills supply, however, and Chapter 4.3 (Make Australia the leading centre for cyber security education) outlines the most promising ones. For example, partnerships between training institutions and industry can help scale existing cyber security courses and improve the job-readiness of graduates.

3.2 Research and commercialisation

Cyber security firms are operating in a competitive and rapidly changing market environment, in which technology is a key ingredient for success. The growing sophistication of cyber adversaries and revolutions in technology challenge security providers to constantly stay ahead of the curve by developing innovative products. While Australia has strong capabilities in cyber security research, lack of nationally coordinated themes and poor collaboration undermine the commercialisation of that research into marketable software. Inadequate incentives for commercialisation also weaken Australia’s ability to lead on innovation in cyber security.

Competitiveness in cyber security is highly dependent on R&D

Australian cyber security providers can compete on price or on value—for example, by providing products that are easier to use or technically more advanced, or by offering stronger support services. Cog Systems is one Australian cyber security company demonstrating both these elements in its solutions (see Box 5).

Australian providers can also compete on scope, such as having a more comprehensive offering than others and allowing cyber security users to acquire a wider array of products and services from one vendor. An analysis of the attributes that matter most to cyber security customers when choosing a vendor gives valuable insight into what makes a cyber security firm competitive.

Box 5: Integrated technology from world-leading cyber security R&D

The Internet of Things (IoT) is exposing users, original equipment manufacturers (OEMs) and platform operators to new risks. Cog Systems has developed technology that enables the commercial market to benefit from government grade security for connected devices for the first time, through a commercially available off-the-shelf solution. The Cog Systems solution protects connected devices from current and future threats by responding to threats from the broader security landscape and to specific requirements from devices’ OEMs.

Cog Systems leverages their D4 Secure Platform™ to assemble software development kits (SDKs) for specific categories of connected devices. D4 Secure SDKs™ protect organisations and their users with embedded virtualisation technology that integrates easily into the users’ device. This embedded virtualisation enables the user to continue to access their data securely and without restriction to run any application. No longer will your VPN run in the same security domain as third-party downloaded apps.

Built on Australian developed technology, such as the L4 Microkernel heritage and design principles, the D4 Secure Platform™ leverages the inherent benefits of virtualization to drive towards the concepts of modularity with the fundamentals of security, trustworthiness, robustness, fault tolerance, and adaptability.

The initial reference product, the HTC One A9, secured by D4™, is an ultra-secure smartphone built on a type 1 hypervisor with enhanced storage encryption, non-bypassable VPN, support for nested VPNs, plus many other advanced security features that play an increasingly important role in the security process.

D4 Secure products provide an intuitive security solution for OEM integration and in-channel and end-user enablement – the best of all worlds in mobile security.

Together, the founders of Cog Systems have over 40 years’ experience across the design and implementation stages of mobile and IoT devices. Motivated to ensure all individuals receive the highest level of mobile security, their goal is to ensure all mobile and IoT devices are secure. Cog Systems’ customer base in Australia and internationally includes government and enterprise across a variety of regulated and non-regulated industries.

A survey among leading Australian Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) reveals that the customer appeal of cyber security firms hinges to a great extent on technological leadership. This is particularly true for software. Australian CIOs and CISOs overwhelmingly said they consider effective technology the most important factor when weighing the purchase of cyber security software.

Exhibit 16:

However, developing the most effective technologies is resource intensive, and requires firms and research institutions to invest heavily in R&D to unearth new ideas and collaborate for their commercialisation. Governments can support these efforts in several ways, either directly through research grants and targeted funding programs or indirectly via R&D tax incentives. For example, governments can provide funds to research institutions or government agencies with the aim of boosting R&D. They can also fund programs to improve research collaboration between universities and industry.

Leading countries in the global market for cyber security software, such as the US and Israel, are conscious of the link between technological innovation and market success, and heavily invest in R&D. For example, the market power of American cyber security software firms—the leading vendors in the global market, generating 61 per cent of the US$26.4 billion of total cyber security software sales worldwide in 2015, as shown in Exhibit 17—coincides with a significant commitment to R&D.

“Tech is essential, but it has to be effective and tailored to our problem. Many firms focus on technological edge without solving a real problem for their customers.”
—Australian private sector CISO

American firms invest more than US$200 million each year to invent and develop new cyber security technologies. The US government adds further weight to the sector by providing additional R&D funding of more than US$500 million per year.

Exhibit 17:

Israel, traditionally boasting some of the highest defence spending in the world, also provides strong government support for cyber security R&D. Israeli firms form the second-strongest vendor group in the global market for cyber security software, accounting for 18 per cent of total sales worldwide. Israel’s Office of the Chief Scientist is frequently cited as the country’s largest single investor in cyber security research, but official budget numbers are not readily available. Israeli firms spent around US$200 million on cyber security R&D in 2014, according to figures from Israel’s National Cyber Bureau obtained by Israeli newspaper Haaretz.

Several other countries have begun to play catch-up in recent years, but their R&D budgets for cyber security still appear modest compared to those of the US or Israel. For example:

  • The United Kingdom government has pledged to create a new Cyber Innovation Fund worth more than US$200 million (GB£165 million) to develop innovative cyber security technologies and products. The investment is part of the country’s latest National Security Strategy, which will inject the equivalent of US$2.37 billion (GB£1.9 billion) into the British cyber security industry over the five years through 2021. Some of the money will fund “cyber start-ups and academics to help them commercialise cutting-edge research and attract investment from the private sector”.
  • The Singaporean government recently announced a five-year plan to build new R&D expertise and improve its cyber security capabilities. The 2013-2020 National Cybersecurity R&D Programme invests around US$20 million per year (or 27 million Singaporean dollars, equivalent to S$190 million over seven years) in cyber security research and innovation.
  • The Australian Government has made cyber security a national priority for science and research. Its current expenditure on cyber security R&D, as shown in Exhibit 18, is estimated to be approximately A$81 million per year, which excludes R&D support through the national R&D tax incentive and research block grants to universities.

Australia could better use public funding sources for cyber security research

There are signs that Australia could increase the firepower of its public spending on cyber security R&D simply by making better use of existing funding channels. A breakdown of available grant schemes, as shown in Exhibit 18, indicates that several potential sources to finance cyber security research remain largely untapped.

Exhibit 18:

Block grants to universities are generally the most important channel to directly fund R&D activities in Australia. In 2015, the Australian Government granted universities almost A$1.8 billion to support their R&D work. However, due to difficulties in the collection of block grant data it is unclear to what extent these funding tools are currently used to finance cyber security R&D. It is fair to assume that Australia still has scope to increase the use of university block grants for cyber security R&D funding.

Grants provided by the Australian Research Council (ARC) form the second largest source of direct R&D funding in Australia. Yet analysis of the ARC’s funding pattern over the past decade reveals that only a fraction—around 0.6 per cent of the ARC’s annual grant budget (A$744 million in 2016)—was used to fund research projects related to cyber security. Access to ARC funding will be improved from 2017 as cyber security is listed as an Industrial Transformation Priority under the Industrial Transformation Research Program (ITRP). This program provides funding for both postgraduate training centres and research hubs.

Accelerating Commercialisation is an area of focus across Australian governments with the aim of helping small and medium-sized businesses to commercialise novel products, processes and services. Around 180 firms have received financial assistance over the past two years through a competitive grants process with a total value of A$99 million. Cyber security firms have not received any assistance from this programme over that period, which may result from a lack of quality applications.

Cyber security researchers may also be able to make better use of the CSIRO Innovation Fund, a joint government-private sector initiative that invests in start-up, spin-off companies and existing small to mid-sized enterprises to improve the translation of publicly funded research into commercial outcomes and stimulate innovation in Australia.

The Department of Defence is another major source of R&D funding in Australia. In the fiscal year ending June 2017, it paid industry, academia and research organisations an estimated A$160 million to assist them with the development of new, innovative technologies for military use.

The Department will play an even bigger role as a potential funding source for cyber security research in the future. This year, it plans to launch a new fund, dubbed the Next Generation Technologies Fund, which aims to foster emerging technologies in the earliest stages of development. One of the nine priority areas for the fund is cyber. The fund will invest A$730 million (over the decade to June 2026) in strategic next-generation technologies that have the potential to deliver game-changing capabilities to Defence. The annual funding will increase over the decade.

Lastly, there is potential to encourage more R&D in cyber security through the Australian Cooperative Research Centres (CRC) Programme, which supports industry-led research collaborations with around A$150 million per year. These centres are designed to improve the competitiveness, productivity and sustainability of Australian industries, especially where Australia has a competitive strength. CRCs are established through merit-based selection rounds, and at present there is no CRC established with a focus on cyber security.

Australia has world-class research, but there are blockages throughout the innovation system

Australia is home to 43 universities. They carry out most of the foundational research and have access to a significant amount of funding relative to other OECD nations. Cyber security research from Australia ranks highly in global comparison, as Exhibit 19 reveals.

Exhibit 19:

In terms of citation impact—an indicator of research quality—cyber security research papers from Australia are the most heavily referenced in the world, according to Thomson Reuters data. Australian universities thus appear well placed to lead the knowledge creation and spearhead the invention of new technologies in cyber security.

Many universities in Australia are already regarded as global research leaders in fields with cyber security applications, such as packet switching (a technology that breaks down data into smaller parcels before transmitting them), quantum cryptography, distributed computing and wireless security technology. The Australian National University (ANU) and the University of New South Wales (UNSW) are already considered on the leading edge of research into quantum computing and its potential applications for the cyber security industry (see Box 6).

Box 6: Australia’s lead in the global quantum race

It’s the nightmare of anyone guarding top secret data: a machine so powerful that it could crack even the toughest security codes. Quantum computers could do just that. They exploit the strange behaviour of tiny atoms, better known as quantum physics, to solve problems immensely faster than the world’s fastest supercomputers. This makes them a huge threat for current encryption methods—in theory, at least, because no one has yet managed to build such a code-breaking quantum computer, whose existence was long thought to be a distant vision.

Rapid technological advances by IBM, Google and others have stoked fears, however, that quantum computers may become a reality much sooner than many people think. The National Security Agency in the US last year warned that the time to act and build “quantum-resistant cryptography” is now. The Canada-based Global Risk Institute puts the odds of a quantum computer cracking key security algorithms by 2031 at 50 per cent.

Many countries, including Australia, Canada, the US, Singapore and Japan, have increased their technology investments in recent years, fuelling a global race to develop the world’s first viable quantum computer. At the forefront: a network of 180 researchers from six Australian universities (University of New South Wales, Australian National University, University of Melbourne, University of Queensland, Griffith University and University of Sydney), the Australian Defence Force Academy, and a dozen international university and industry partners.

While scientists around the globe are exploring a range of exotic materials—from synthetic crystals to dye pigments—to build a quantum computer, Australia’s research group is on track to develop the world’s first quantum computer in silicon. “Our Australian centre’s unique approach using silicon has given us a two to three-year lead over the rest of the world,” said Professor Michelle Simmons, director of the Australian Research Council Centre of Excellence for Quantum Computation and Communication Technology, or CQC2T. “These facilities will enable us to stay ahead of the competition.” Funded with more than A$100 million worth of government grants and investments from Telstra and Commonwealth Bank, the CQC2T’s work is crucial for Australia’s nascent cyber security industry.

Startups such as QuintessenceLabs have already begun to seize the emerging business opportunity. QLabs, as the company is known, is at the heart of solving the security threat posed by quantum computers. The company has invented and commercialised a so-called Random Number Generator, which promises to outwit cyber criminals by using encryption codes so random that not even a quantum computer could hack them without being detected. QLabs’s machine, no bigger than a mobile phone, can generate these truly random codes by splitting a laser beam in two at very high speed and converting the resulting signal to numbers.

QLabs, formed in 2008 as a spin-off out of The Australian National University in Canberra, has received numerous accolades. Its clients include IBM and major Australian lender Westpac Banking Corp, which recently bought a 16 per cent stake in the firm and is utilising QLabs’ encryption capabilities to boost the security of its banking business. Headquartered in Canberra, QLabs also runs a research lab at a NASA facility in Silicon Valley and was named one of the top emerging innovation companies globally by the Security Innovation Network, which counts the US Department of Homeland Security and the Home Office in the United Kingdom as members.

An often-cited criticism, underpinned by OECD data, is that Australia struggles to translate its academic strengths into marketable solutions. The cyber security industry is no different, as illustrated in Exhibit 20. Several obstacles are blocking the innovation pipeline in cyber security and hampering the commercialisation of high-quality research ideas.

Exhibit 20:

There is a lack of focus in existing research efforts

At present, university R&D in cyber security is comparatively small in scale and fragmented. The distribution of competitive ARC grants, as shown in Exhibit 21, indicates that public funding for cyber security research has been scattered across 16 universities over the past seven years, with no apparent effort to concentrate funding on a few national research flagships that could champion the knowledge creation in cyber security.

Exhibit 21:

Even The Australian National University, which has so far received the highest individual amount of competitive research money in cyber security, still only attracted 14 per cent of the total ARC cyber security funding. While there is value in diversity, a more concentrated funding approach would allow a select few universities to rapidly expand their cyber security research capabilities, and could help accelerate the creation of new ideas and spur the development of competitive technologies. Chapter 4.1 (Grow an Australian cyber security ecosystem) identifies a number of actions to help improve the focus of Australia’s cyber security research.

Collaboration between industry and research is weak

A lively exchange between academia and industry is necessary to help researchers validate the practical applicability of their research and to ensure research ideas get translated into practical applications. University scientists who cultivate a close collaboration with companies will find it easier to identify and select knowledge with commercial relevance. Businesses that collaborated on innovation were twice as likely to develop 10 or more innovations in the fiscal year 2015, Australian government research shows. Yet OECD data show that the ties between academia and industry in Australia are the weakest in the developed world: only three per cent of surveyed businesses in Australia collaborate with universities and other research institutions—a sharp contrast to leading countries like Finland, where 69 per cent of large and 24 per cent of small companies work closely with external research organisations.

The situation is more ambiguous in the Australian cyber security industry. Some of the largest companies in the country’s information-technology sector are acutely aware of the benefits of partnerships with local universities. For example, Commonwealth Bank of Australia is investing A$15 million to support researchers at UNSW who are striving to build the world’s first silicon-based quantum computer in Sydney (see Box 6).

The investment comes on top of government funding worth A$26 million for the Centre for Quantum Computation and Communication Technology, based at UNSW. An additional A$10 million of research funding for the project comes from Telstra, the nation’s biggest telecom, which has assigned its team of data scientists to work directly with UNSW researchers. “We can work together to put Australia at the forefront of global innovation,” said Telstra chief executive Andrew Penn in 2015, when the company announced the investment. Quantum computing has potentially profound implications for cyber security, particularly through cryptography.

Macquarie University and telecommunications firm Optus partnered in 2016 to establish a multi-disciplinary cyber security hub with a joint investment of A$10 million. While primarily set up to ease the industry’s skills shortage, the “Optus Macquarie University Cyber Security Hub” also offers consultancy services and undertakes research in a variety of areas, including security risk analysis, trustworthy computing and cyber governance (see Box 11).

Meanwhile, US technology company Cisco Systems has been instrumental in developing the Security Research Institute at Edith Cowan University in Western Australia. The company is also a founding member of the Australian Cyber Security Research Institute (ACSRI), which describes itself as the country’s first coordinated strategic research and education effort between national cyber security agencies, industry and researchers. It further committed to invest US$15 million in a newly established “Internet of Everything Innovation Centre” with R&D facilities across Australia. The centre, which Cisco co-founded with Curtin University and Woodside Energy, was designed as a space where customers, startups, open communities, researchers, entrepreneurs and technology enthusiasts can work and brainstorm on new ideas and technologies, including in cyber security.

Others working on deepening research and innovation links between large companies, universities and start-ups in Australia include Data61 within CSIRO (see Box 7) and fintech hub Stone & Chalk, which recently floated the idea of a new Cyber Security Innovation Lab to promote collaborative research and development in the Australian cyber security industry. The plans envisage the launch of the lab sometime later this year. Dimension Data and Deakin University have also announced a partnership to establish Australia’s first dedicated cyber security incubator at the University’s Waurn Ponds campus, with funding support from the Victorian Government’s LaunchVic start-up initiative. The incubator is due to open in 2017.

Box 7: Australia’s digital powerhouse—Data61

Data61 was formed in 2015 when Australia’s national IT research facility NICTA merged with the digital research unit of the country’s chief science organisation CSIRO. Its mission: find and develop new “cutting-edge” technologies for today’s data-driven world. Today, Data61 is considered Australia’s biggest research facility of its kind. With more than 1,100 staff spread across six states and territories, including more than 400 resident PhD students, it also hosts one of the largest data research teams in the world.

Scientists at Data61 have developed insect-like legged robots whose sensors allow them to create a digital elevation map of an area. They have created new software tools to help analysts predict the behaviour of bushfires. And they are working on installing a vast wireless network of sensors and nodes in the Amazon region to help track the loss of animals and plants.

Cyber security is a key research focus for Data61. Recently, the group became the first worldwide to investigate a common security feature for Android mobile devices. Now that mobile phones are essentially mobile computers, millions of users worldwide are turning to so-called VPN (or Virtual Private Network) apps to hide their browsing activity, access region-restricted content and ensure their data is secure when using public Wi-Fi networks. Data61, in conjunction with researchers from UNSW and the University of Berkeley, revealed that these apps are not as secure as they make out to be. Another recent achievement was the development of a very small, yet powerful base system for computers and mobile devices—a so-called kernel—that equips operating systems with one of the world’s strongest basic protections against viruses, trojan horses, adware and spyware.

Underpinning the model of Data61 is its strong emphasis on research collaboration. The group is connecting academia, corporations, startups, governments, investors and entrepreneurs across the globe. For example, it has created a Data Research Network to link industry with data researchers and delivers data analytics training to businesses.

Smaller industry participants, however, have been slower in tapping university expertise for the development of new products and services. Interviews with a wide cross-section of local cyber security startups reveal that only two out of more than 22 are currently working closely with universities.

While the Australian Government has picked cyber security as a national priority research area, there is not currently a Cyber Security Cooperative Research Centre (CRC). CRCs provide access to additional government grants and foster collaborative partnerships between industry and research organisations with the aim of improving the development and commercialisation of Australian technology. CRCs exist for a range of other fields, from Satellite Systems to Beef Genetic Technologies, and there is now broad support among industry for the establishment of a Cyber Security CRC to consolidate existing research capability and pursue collaborative research endeavours for national benefit.

In interviews, industry participants have acknowledged several barriers to greater industry research collaboration in Australia. Some executives admit that they lack experience in engaging universities to leverage their knowledge. Some also say that the diverging planning horizons—companies tend to focus on their immediate, short-term needs, while basic research occurs over longer timeframes—are limiting their close collaboration with academics. Some company executives are reluctant to deepen their ties with researchers who they feel lack understanding of practical industry needs. Researchers, in contrast, said some industry customers have unrealistic expectations about what their business can gain from basic academic research. Lastly, both researchers and businesses agreed that negotiating intellectual-property agreements with universities can be time-consuming and costly.

There is scope for a more effective collaboration of researchers and businesses. Chapter 4.1 (Grow an Australian cyber security ecosystem) makes several recommendations for actions that could help deepen the links between universities and industry, including offering work placements for postgraduate students.

Access to capital to support innovation is limited

Venture capital (VC) funds investing in early-stage startups are currently scarce in Australia, although some government assistance and incentives are available. This low availability blocks the country’s innovation pipeline because startups are locked out from the high-risk capital they urgently need to turn promising ideas into competitive, real-life technologies.

“Cyber security is […] perceived as a risky and technically complex business. VCs in Australia are not interested in buying that extra complexity, particularly when they are in a medium-sized market that pushes them to be less specialised.”
—Managing Partner of large early stage venture capital fund

OECD data compiled in Exhibit 22 show that, measured as a share of GDP, there is 10 times less early-stage venture capital available in Australia (0.01 per cent) than in the US (0.1 per cent) and almost 30 times less than in Israel (0.27 per cent). Both those countries are considered leaders in the global market for cyber security products.

Data compiled by the World Economic Forum and shown in Exhibit 22 further highlight the difficulties Australian startups are facing when trying to tap VC funding. On a scale from 1 (hard) to 7 (easy), Australian executives surveyed for the World Economic Forum’s Global Competitiveness Index rate access to venture capital in Australia at 40th in the world, below the OECD average and well below our competitor nations.

Exhibit 22:

This problem of access to early-stage VC funding is well known and acknowledged by the Government in its assessments of the Australian innovation system. A number of recent policy measures have attempted to address this through tax concessions. The Government in 2016 also launched the CSIRO Innovation Fund, which aims to fill this funding gap by co-investing in spin-offs, startups and SMEs engaged in the commercialisation of early stage innovations.

Cyber security startups, however, might face bigger obstacles than their peers because they offer complex, highly technical products. Most Australian VC funds are generalists by necessity because of the limited market size, as opposed to the US where there are several VC funds with expertise in cyber security (e.g., Rally Ventures). Interviews with Australian cyber security professionals indicate that local VC fund managers perceive the cyber security industry as complex and risky, and are reluctant to invest because of a lack of expertise in this field.

“Pitching to early-stage VCs in Australia was disheartening… They don’t have much clarity and visibility around cyber, and their valuations were much lower than those of [Silicon] Valley investors.”
—CEO of major Australian company

Various approaches to these issues are discussed in Chapter 4.1 (Grow an Australian cyber security ecosystem), including familiarising new investor groups, such as superannuation funds, with investment opportunities in the local cyber security industry.

3.3 Firm growth and export

Developing innovative products and services is crucial to building Australia’s competitiveness in cyber security, but that alone is not enough to ensure our firms succeed and our industry develops. Firms need to be able to effectively sell their products and services into a domestic marketplace where they can build scale, confidence and capabilities. With that local base in place, they can more effectively take on the challenge of exporting to global markets and connecting with global value chains.

Capability gaps and market barriers make it hard for firms to grow in Australia

Interviews with buyers of cyber security and the Australian firms that provide these products and services signal that companies need to overcome three main hurdles to successfully establish and grow their business: they need to understand their customers, gain trust and get to scale.

Box 8: Boomerangs—Australian-born successes expanding back home

Bugcrowd, Dtex Systems and UpGuard are three dynamic Australian-born cyber security companies that have successfully moved overseas and are now boomeranging back home. Founders Casey Ellis (Bugcrowd) and Mohan Koo (Dtex Systems) together with Hamish Hawthorn (COO, UpGuard) are all passionate advocates for cyber security and for Australia’s immense local talent. They agree that by encouraging the domestic market to invest in and procure Australian solutions, there is a significant opportunity to grow our capabilities for economic benefit and establish a globally attractive cyber security ecosystem.

Common themes are threaded through the journey of these companies. Years ago, all three left Australia in order to access high-risk early-stage capital; be in close proximity to business mentoring and growth support networks; and grow their customer base. All are based in Silicon Valley, with Dtex Systems landing there after exploring market opportunities in South East Asia and the United Kingdom. In 2017, these Australian success stories are all establishing business units in Australia, mostly in R&D and sales support, as part of global growth strategies.

All are optimistic about Australia’s future as a cyber security leader and offer some perspectives on the sector.

Casey Ellis from Bugcrowd sees the Australian market improving for startups as high value talent and increasing levels of investor capital start to flow. Casey recognises Australians have many strengths and that organisations, including Bugcrowd, want access to the talent of that “Australian DNA” that makes our cyber security professionals so attractive, stating “Australia is world class at troubleshooting, the world knows it but Australia doesn’t – yet.” Establishing a presence in Australia is part of Bugcrowd’s continuing growth and a positive way to engage in the growing local cyber security ecosystem. 

Mohan Koo from Dtex Systems firmly believes that Australia is now in a position to seize opportunities in the global cyber security industry and this will generate economic growth for Australia over the next five to ten years, stating “Australia can be a centre of cyber excellence for the region.” For this to occur, he believes the mindset of Australian businesses and the Government must evolve to be less conservative by encouraging innovation and buying local cyber security solutions. Mohan also sees Australian universities playing a crucial role in fostering the growth as part of maturing the ecosystem.

Hamish Hawthorn from UpGuard is keen to see “less reliance by large Australian enterprises on traditional suppliers and vendors and a greater willingness to work with Australian technology companies who are solving problems in more innovative ways, in the face of a dynamic cyber risk environment.” He refers to building a domestic capability as key to developing a vibrant cyber security ecosystem. Hamish credits his time in Silicon Valley with helping develop and strengthen the product UpGuard now offers, largely due to the intensity of the competition in the US market but also because the Silicon Valley ecosystem encourages fast learning through iterative development of solutions. This process of innovation is something he believes can be achieved in Australia through continued cultural change and greater risk tolerance for emerging technology.

Cyber security firms need to understand their customers

The AlphaBeta/McKinsey survey of CIOs/CISOs and local cyber security providers indicates that many Australian cyber security firms tend to undervalue aspects of their offerings that are critical for local customers. This mismatch is most evident for customer support, according to the survey results listed in Exhibit 23. When purchasing products, customers consider support to be an essential component of their purchasing decision, while local firms are more focused on providing a user-friendly service. A greater understanding of and focus on local customer needs would likely help Australian cyber security firms grow (Box 9 describes one example).

Exhibit 23:

Additional survey results shown in Exhibit 24 reveal that cyber security users have widely differing needs, depending on the nature of their businesses. Those most at risk of being targeted by cyber criminals, such as financial-services firms or defence agencies, are typically investing in large in-house cyber security teams and only seek external help to complement their own capabilities. When they do engage external service providers, they generally choose those with the greatest trust, best support and most effective technology on offer.

Exhibit 24:

Customers with a moderate risk exposure, such as retail and healthcare businesses, tend to outsource more of their security needs to external cyber security providers. These mid-market customers are most interested in acquiring the best technology and support when choosing a cyber security vendor. They are also more cost-conscious than other customers in the market, the survey shows.

Firms also need to consider whether their product or service might be better targeted not at an end-user customer but at an integrator, such as a managed security service provider (MSSP). MSSPs are typically focused on serving the needs of mid-market customers and usually bundle several products and services—from managed firewalls to vulnerability scanning and anti-virus services—into one integrated offering. Telecom companies are one example of MSSPs. Interviews suggest that MSSPs, on average, are most focused on offering their customers the best support and least concerned about offering the widest range of solutions.

Box 9: Homegrown startup changing up human verification online

A “Completely Automated Public Turing Test to tell Computers and Humans Apart”, or CAPTCHA, is used to protect websites from spammers. Most available CAPTCHAs require the user to read and type in text that is deliberately difficult to read, which is what keeps the CAPTCHA effective against the sophisticated range of bots. This verification process becomes annoying for the user and, as a result, the user can end up leaving the website.

FunCaptcha have created a unique way to manage the online verification process by engaging users with fun and effective visual puzzles to solve so the website can distinguish automated attackers from human users on the internet. The startup distinguishes itself from traditional CAPTCHAs by using fun visuals during the verification process and by adjusting its security vetting process based on the number of users and how they interact with the CAPTCHA. The solution eliminates the threat of an automated attacker with their enterprise-grade security that is backed by patent-pending technology and a team of experts. 

Founded in Brisbane in 2013, FunCaptcha already has a presence in 100+ countries. FunCaptcha’s customer base is seeing strong growth among some of the world’s most trusted brands’ websites, mobile apps and games, which use it to tackle spam, ticket scalping, account fraud, brute forcing or entirely new attacks. After spending a lot of time researching the Australian market, FunCaptcha identified opportunities in the US market, because a large portion of the websites that Australians use are built and hosted in the US. FunCaptcha attributes its early success in entering international markets to attending US security conferences as a platform to build a strong referral network.

The founders of FunCaptcha are driven by their natural curiosity to embrace any discovery and have extensive experience successfully designing, developing and selling gaming technology.

New firms struggle to develop the trust needed to gain anchor customers

A range of local cyber security firms were analysed to understand which factors—including funding, R&D collaborations and industry regulation—were most important for their development and success. The results shown in Exhibit 25 highlight that acquiring an “anchor customer” ranks as the most commonly cited success factor for Australian cyber security firms.

Anchor customers can add material value to a small business. They often have clout in an industry and can become a catalyst for demand by adding credibility to a start-up and its new products. Their reputation often helps startups acquire further customers. They can also act as a strategic partner, provide access to fresh capital and give feedback on how to improve a startup’s offerings. The survey results show that Australian cyber security firms most commonly relied on an anchor customer from industry (relevant for approximately half the firms surveyed), while about a quarter of the firms surveyed said a government contract was critical to their success.

Exhibit 25:

However, acquiring an anchor customer is not easy and requires more than just a convincing product or service. A survey of CIOs and CISOs in leading Australian companies with the potential to act as anchor customers for cyber security firms reveals that trust is a crucial factor, particularly when selecting service providers. And while buyers of cyber security products, such as antivirus software or firewalls, are generally most interested in buying the most effective technology, Exhibit 26 shows that finding a trustworthy producer still ranks as the third-most important driver for their purchasing decision.

This customer preference for dealing with a trusted vendor particularly affects the early-stage cyber security firms in Australia. In this market, which is dominated by well-established and reputable foreign competitors, many local startups lack the credibility needed to win an anchor customer.

Exhibit 26:

“A common concern around local firms is that they need to go overseas to get their first sale…It’s in fact an issue on the maturity of the local market…the fact that we don’t realise that home-grown products can be world-class.”
—CIO of an Australian bank

Large potential customers may remain reluctant to engage if a firm has no track record to indicate that a new product or service will deliver the promised outcome. Interviews with CISOs in Australia reveal that many hesitate to buy from smaller or newly established providers with no reputation, even if these firms offer technologically appealing products. Potential customers may also question the financial health of a cyber security start-up and seek evidence that it will exist long enough to support its products and services well into the future.

Box 10: Select accreditation programs for Australian cyber security firms

The Australian Signals Directorate (ASD), an Australian Government intelligence agency in the Department of Defence, evaluates and certifies ICT products and services that meet the high-level security standards of Government agencies, making it the go-to address for any cyber security firm wishing to win a government agency as a customer. The ASD currently has several certification and accreditation schemes in place that businesses can join to bridge a gap in trust:

  • Australasian Information Security Evaluation Program (AISEP) – The program assesses whether ICT security products and systems work correctly and effectively and do not show any exploitable vulnerabilities. Products and systems that pass this test are added to an Evaluated Products List, which approves of their use in Australian and New Zealand government agencies and certifies them against international standards. The program reviews a range of products from data and network protection to security modules.
  • Service certification – The ASD tests and certifies the effectiveness of certain ICT services, in particular gateway services, which seek to prevent malicious web traffic from entering the network of an organisation, and cloud services. Australian Government agencies are strongly discouraged from working with uncertified cloud or gateway security service providers to protect government information.

  • Information Security Registered Assessors Program – This program trains and accredits individual cyber security professionals to undertake assessments of organisations’ security compliance and highlight information security risks, with a focus on compliance with Australian Government information security standards and requirements.

The Council of Registered Ethical Security Testers Australia New Zealand (CREST), a not-for-profit based in Canberra, is another entity that assesses, accredits and certifies cyber security professionals and firms in Australia and New Zealand. Its accreditation scheme is limited to firms providing penetration and vulnerability testing services, i.e. screening a computer system, network or web application for vulnerabilities that an attacker could exploit. A CREST membership comes at a cost of A$10,000 per year and it takes a maximum of six months to obtain a CREST certification.

“Bizarrely, firms have found it easier to gain contracts in the US than in Australia, due to a lack of willingness of Australian companies to embrace them.”
—SINET61 2016 conference brochure

In cyber security, a trust deficit can act as a stronger market barrier than in other industries. This is because buyers of cyber security products and services take a bigger risk with their purchases than buyers of other goods. As they invest in the protection of vast corporate IT networks with large amounts of sensitive data, they need a quality assurance and guarantee that what they buy will indeed shield them against cybercrime.

One way for firms to overcome the lack of trust is to use one of several certification and accreditation programs available in Australia (see Box 10 for further details). Another, perhaps surprising, way to overcome local market barriers is to expand overseas. Some local cyber security firms have found it easier to penetrate the Australian market after acquiring an international customer first. In interviews, company executives said the fact that foreign customers can help increase the perceived trustworthiness of Australian cyber security firms illustrates the widespread risk aversion in the local market.

Chapter 4.1 (Grow an Australian cyber security ecosystem) outlines a range of actions that can assist cyber security startups in their search for anchor customers, including showcasing Australian cyber security products and services and coaching to help startups mature their business operations.

Procurement processes favour larger, established firms

Strict procurement rules oblige many government agencies and private-sector companies to engage only cyber security providers with a proven track record of fulfilling complex and sizeable security tasks. These internal procedures typically work in favour of large cyber security companies, while startups frequently miss out.

Many small, emerging cyber security firms lack the resources to deliver large-scale projects, particularly when they cover multiple product and service areas like government contracts often do. Government agencies often search for providers who are capable of meeting a variety of security and other ICT needs at once—a tendency that is clearly reflected in the scope of government contracts, which are among the most valuable in the market.

An analysis of Australian Government tender agreements for the provision of cyber security services over the past decade, compiled in Exhibit 27, shows that just one quarter of all government contracts made up almost 87 per cent, or A$274 million, of the entire government spending on cyber security contractors over that period. Yet only eight per cent of these high-value government contracts were concluded with Australian-grown and Australian-owned firms, as most of them are still too small to compete effectively against large foreign rivals in a government tendering process.

Exhibit 27:

The large-scale contracts commonly offered by Australian government agencies—a median size of A$300,000 for the top quarter of contracts—are a significant barrier to entry for smaller Australian cyber security providers. In fact, large-value contracts are seen as the most important market hurdle for startups globally.

“Big organisations tend to hire big organisations.”
—CIO of an Australian bank

Research shows, for example, that the share of small and medium-sized firms securing government tenders in European Union countries rapidly declines once the overall contract value rises above A$150,000. Tender processes could be made more accessible if governments divided their contracts into smaller parcels. Rather than contracting a few very large cyber security service providers, they could allow many small firms to service different aspects of their security needs. Of course, purchasing from more providers could also make systems more complex and less integrated, so any move to smaller contracts would need to be properly weighed against such potential complications.

Other aspects of the public procurement process are also hindering cyber security startups from working more closely with government. Public agencies usually appoint a panel of suppliers for products and services they regularly acquire, referred to in the Federal Government as Standing Offer Notices. These suppliers are pre-approved to do business with the government for a period of several years. While this offers convenience for procurement officers, it limits opportunities for new entrants. One example is the panel for “Consultancy and Business Services”, which comprises 170 suppliers and has been used to procure some cyber security-related contracts. The current panel was appointed in 2013, and there will be no new opportunities to join this panel until it expires in 2019.

The Australian Government is trying to remove barriers to entry. This year, it has added new features to its Digital Marketplace—an online platform for buyers and sellers of various ICT products and services—and opened it up to cyber security businesses, making it easier for them to work with Australian Government agencies. The Digital Marketplace uses a strict selection process for firms wishing to use the platform for their offerings, and cyber security services firms, like other sellers, must demonstrate certain abilities and experience before they can join.

Importantly, the Digital Marketplace could also provide cyber security firms with access to state and local government buyers. The NSW government has already announced that the Marketplace is compliant with its procurement policies, and it will begin purchasing some ICT services through the new platform. Some local governments have also joined as registered buyers. A uniform set of procurement requirements to access buyers at all levels of government will significantly reduce compliance costs for firms.

Many of these issues in public sector procurement are also common to private sector procurement processes, which are often deliberately designed to weed out startups and smaller firms through narrow evaluation and review criteria. The preference to work with larger players is particularly strong in cyber security, which affects highly sensitive parts of the business. Lengthy procurement processes, usually lasting between three and six months, can additionally deter smaller providers.

Simplifying procurement procedures in the public and private sector would likely remove some of the substantial hurdles that cyber security startups are facing. For more details on recommended actions to address this issue, see Chapter 4.1 (Grow an Australian cyber security ecosystem).

Australian cyber security firms struggle to access global export markets

An analysis of the geographical spread of Australian cyber security firms reveals significant scope for the industry to export its products and services and connect to global value chains. While many Australian hardware and software providers are already engaging with global customers, most services firms in the Australian cyber security industry have not yet developed an export capability. In fact, Exhibit 28 reveals that only 12 per cent of Australian cyber security services firms surveyed have customers outside of Australia.

Exhibit 28:

Of course, not all cyber security services are equally exportable. Education is unique because it is relatively easy for a cyber security training provider to bring individual students to Australia to study. A data analytics firm, however, might struggle to export its services due to country-specific laws around data privacy. Service providers offering advice and support on compliance issues might also find it difficult to export their work, as they require a deep knowledge of local regulations.

Some services exports require a local operating base in another country. Others can be delivered remotely, meaning the jobs created are predominantly in Australia. How firms design their service offerings can have a major impact on their exportability, and some Australian cyber security firms may need more support and guidance to develop the most exportable service possible. Still, some service providers may not yet have the staff, expertise and resources needed to serve customers abroad. In interviews, several cyber security services firms indicated that, for them, exporting is not a priority simply because they already struggle to recruit enough cyber security professionals to meet strong domestic demand.

Chapter 4.2 lists several strategies that could help overcome some of the common export issues Australian cyber security firms are facing, such as intensifying Australia’s marketing presence for cyber security in key target markets and analysing remote delivery models for Australia’s existing services strengths.

3.4 Skills and workforce

A strong and well-trained workforce is critical to Australia’s ability to capture the growth opportunity presented by the rapid increase in demand for cyber security. Yet there are signs that Australian cyber security firms are struggling more than their global peers to attract the right talent for their businesses. The lack of job-ready candidates, caused by the inability of formal education providers to rapidly produce more cyber security graduates and the failure of many workplaces to offer on-the-job training, is a major challenge for the cyber security industry, as this chapter will show.

The cyber security industry is grappling with a skills shortage

In 2016, three out of four local cyber security professionals surveyed by the Australian Information Security Association (AISA) said a skills shortage is plaguing their industry, as shown in Exhibit 29. A similar survey, undertaken by the Centre for Strategic & International Studies (CSIS) and Intel Security across eight countries, paints an even more concerning picture. It reveals that the talent drought affecting the Australian cyber security industry is one of the worst in the world: 88 per cent of Australian cyber security professionals observe a skills shortage in their industry. Only Mexican professionals share similarly dire views, as shown in Exhibit 29.

Exhibit 29:

Interviews with company executives, government officials and other stakeholders echo the perception that the Australian cyber security industry is grappling with an acute talent shortage. Wage premiums paid by cyber security firms in Australia to attract and retain employees are symptomatic of the lack of available skills.

Exhibit 30 reveals that cyber security workers in Australia earn 11 per cent more money than the average IT worker and 81 per cent more than the average Australian. This is slightly higher than the US, where the premium for cyber security salaries over IT salaries was nine per cent in 2015. Salaries in cyber security are also rising faster than in other occupations. Between 2014 and 2016, the average wage of a cyber security worker in Australia increased by 2.7 per cent per year—compared with an average annual wage growth of 1.7 per cent in the wider IT industry and 2.0 per cent in the Australian economy overall.

Exhibit 30:

A shortage of skilled cyber security workers causes direct economic damage. Every third firm surveyed by the Centre for Strategic & International Studies and Intel Security says the lack of specialised cyber security staff makes them a more likely target for cyber adversaries who seek to exploit any vulnerabilities, and 25 per cent of respondents said their organisation has lost proprietary data through a cyber attack due to the skills shortage.

While the skills shortage is already visible, modelling of future workforce needs indicates the challenge may become significantly more severe. A detailed analysis based on current labour-market trends suggests that the Australian cyber security industry will need to increase in size by 7,500 workers by 2026—implying an average growth rate of at least 3.5 per cent per year—just to meet the forecast future demand.

Exhibit 31 shows that the gross demand for new workers is likely to be closer to 11,000, however, because Australia is expected to lose several thousand cyber security professionals over the next decade, either to retirement or to jobs overseas.

Exhibit 31:

Most of Australia’s future demand for cyber security workers will be driven by the services segment, which is in line with the overall growth profile of the industry, Exhibit 32 shows.

External cyber security services firms could absorb more than half (59 per cent) of all additional workers needed in the cyber security industry by 2026, Exhibit 32 illustrates. Meanwhile, government agencies, banks and other highly risk-sensitive organisations are expected to drive around 37 per cent of the growing cyber security workforce demand in Australia, as they seek to bolster their internal IT security teams over the next decade. Hardware and software manufacturers are forecast to require the smallest number of additional staff, which reflects the smaller size and lower labour intensity of those product segments.

Exhibit 32:

Understanding the diversity of the workforce is an important element of addressing the skills shortage. There is a tendency to think that the cyber security workforce consists only of highly technical professionals. However, this is not the case, Exhibit 33 reveals: in the past year, just over half (58.6 per cent) of job advertisements for cyber security were for high-technicality IT professionals.

These technical professionals work across all industry segments and comprise occupations such as computer network professionals, programmers and ICT security specialists. Almost 20 per cent of demand in cyber security is for medium or low-technicality professionals, including lawyers, accountants and teachers. A further 24 per cent of job advertisements are for non-cyber security professional roles such as admin, sales and management. While demand for different types of workers will of course shift over time, this assessment of recent trends provides a reasonable gauge of the future demand patterns.

Exhibit 33:

The formal education system is not producing enough job-ready candidates

The good news first: Australian universities and vocational institutions are already working on alleviating the acute skills shortage affecting the cyber security industry. Interviews with various university representatives indicate that the pipeline of graduates with relevant skills is growing.

In 2015, close to 13,500 students acquired a general IT degree in Australia. They would be suited to work as cyber security professionals if they completed some additional training. At the same time, the array of specialised study opportunities has expanded as universities have begun to respond to the need for talent by offering tailored subjects and degrees. For example, Deakin University offers both a Bachelor and a Masters of Cyber Security, while Edith Cowan University (ECU) has a Bachelor of Science (Cyber Security) and a Masters of Cyber Security. UNSW Canberra has a suite of Masters programs in cyber security with varying levels of technicality. Several other universities are offering cyber security as a major within their basic IT or computer science bachelor degree programs.

Universities have also entered into partnerships with industry in order to accelerate their teaching capacity. In 2016, Macquarie University and Optus announced a co-investment of A$10 million to establish a Cyber Security Hub that will offer several degree programs at undergraduate and postgraduate level (see Box 11 for further details). This follows a partnership announced in late 2015 by the Commonwealth Bank of Australia and UNSW called sec.edu.au, which aims to deliver, among other things, a comprehensive cyber security specialisation as part of UNSW’s computer science degree.

Box 11: Businesses and universities join forces to bridge the skills gap

A recent series of high-profile security breaches in Australia has put business leaders on the alert. Malicious cyber actors are launching increasingly sophisticated attacks on corporate data networks, compromising a growing range of targets—airports and power grids, retailers and credit card firms, and even the national weather bureau. But as threats are multiplying, most businesses remain vulnerable. They lack the expertise to identify and manage mounting security risks, and many are struggling to find help amid a severe skills shortage in cyber security globally.

While the Australian Government’s Cyber Security Strategy acknowledges the urgent need to address this skills shortage, some leading Australian companies have recently begun to tackle the challenge themselves. Late last year, Australian telecommunications firm Optus entered an alliance with La Trobe University in Melbourne to co-develop a new tertiary degree in cyber security. The partnership will invest up to A$8 million to turn the university’s existing campus into a digitally connected learning and research precinct. It will also fund a new chair of cyber security to help Australia become a leader in cyber security research and teaching.

In a similar move, Optus has joined forces with Macquarie University in Sydney to create a new cyber security training and education hub, which brings together industry experts and university academics in a bid to grow Australia’s cyber security talent pool. The A$10 million project includes a new cyber security degree for university students, as well as executive and business short courses. Optus uses these training courses to equip its own employees, and those of enterprise and government customers, with the latest cyber security skills and expertise. “By collaborating with industry to tailor our study programs, we give our students a head-start in their careers, placing them at the top of Australia’s cyber security talent pool,” said David Wilkinson, Deputy Vice-Chancellor at Macquarie University.

The announcement came after the nation’s largest bank, Commonwealth Bank of Australia, teamed up with the University of New South Wales to boost the number of cyber security professionals and cyber security teachers in Australia. The bank has committed A$1.6 million over five years to develop a “centre of expertise for cyber security education”, complete with an overhauled study curriculum and a new lab for experimental, hands-on teaching of cyber skills. It has also begun to award a cash prize, the Commbank Cyber Prize, to Australia’s best and brightest cyber students with the goal of enthusing more young people for a career in cyber security.

In the near term, however, the pipeline of job-ready graduates will not reach the critical mass needed to mitigate the cyber security industry’s skills shortage and enable future growth—even when accounting for these newly established cyber security study programs.

For one, the volume of cyber security students is still too low. While it is difficult to clearly define what constitutes a cyber security qualification (some students may only study a few cyber security-specific subjects within their degree program), interviews with universities suggest that currently about 300 students are graduating annually with undergraduate cyber security degrees, and a further 200 with postgraduate qualifications in cyber security. Even if new courses coming online were to add a further 200 graduates annually in the next few years, demand projections suggest that this would not resolve skills shortages.

A shortage in teaching staff adds to the problem and prevents a rapid expansion of the graduate pipeline. Partnerships with industry and government may help ameliorate this situation somewhat; Commonwealth Bank through sec.edu.au is offering four fellowships for teaching staff at UNSW, while other industry partners are providing adjunct lecturers to universities from amongst their professional staff. CERT Australia provides teaching support for some courses at Edith Cowan University and Queensland University of Technology. However, supplying more qualified teachers to universities seeking to expand their cyber security offerings will remain difficult.

Secondly, industry participants are questioning the employability of many graduates. While Australian universities offer an increasing number of cyber security courses, several company executives have mentioned in interviews that graduates could be better prepared for the workplace. The issue extends beyond Australia, as Exhibit 34 shows. Globally, more than three-quarters (77 per cent) of cyber security professionals surveyed by CSIS and Intel Security think the industry’s current training and education programs are not fully preparing professionals for the workplace reality, leading to calls for academic programs to incorporate more practical learning.

Exhibit 34:

Part of the dissatisfaction might stem from outsized expectations. Employers looking for cyber security staff typically demand a relatively high level of work experience. In 2016, almost nine out of ten cyber security job advertisements requiring tertiary qualifications also requested applicants to have at least two years of work experience, as Exhibit 35 reveals.

Exhibit 35:

“Candidates often have many certifications, but cannot effectively engage with business or other technical staff in order to complete their roles.”
—response to the 2016 AISA Skills Survey

Employers in other areas of the Australian economy tend to set the bar much lower. Only two-thirds of economy-wide job ads targeting applicants with bachelor degrees ask candidates to have work experience of three years or more. New graduates typically also require some practical training before they’re considered ready to perform on the job. However, opportunities for on-the-job training in the cyber security industry are sparse, which aggravates existing bottlenecks in the supply of workers.

Companies with large cyber security teams—mostly big banks and professional IT services firms—have the capacity to train candidates from varied backgrounds. But limited resources currently prevent the large number of small and medium-sized companies (and even some of the larger corporates with smaller IT security teams) from offering extensive training for new hires. Many prefer to search for highly experienced candidates instead. This may also reflect a broader reluctance of employers to invest in workplace training, as employees change firms more often in today’s economy.

“Whether there is a skills shortage depends on who you are. We had the resources to train people from a variety of backgrounds and could pay to attract good candidates. But if you’re a smaller team, you will struggle.”
—CISO of an Australian bank

Another often-cited criticism is a lack of soft skills among graduates. Cyber security professionals, in addition to being technically versed, need to be able to manage projects and build relationships, as illustrated in Exhibit 36. Yet, interviews with industry professionals signal that many graduates lack such skills.

Exhibit 36:

Chapter 4.3 (Make Australia the leading centre for cyber security education) outlines a range of actions to improve the number of job-ready cyber security professionals emerging from the formal education system, including developing further industry partnerships and expanding awareness of cyber security careers in high schools.

Transition pathways for other IT professionals are not well developed

New cyber security graduates are not the only possible supply of workers for the industry. There is a significant opportunity to adapt the skills of existing IT professionals to enable them to take up more specific cyber security roles. A breakdown of IT occupations that are most sought after by the cyber security industry, as detailed in Exhibit 37, reveals a large stock of IT workers with potentially transferable skills.

For example, the five IT occupations most relevant to the cyber security industry boast a workforce of more than 225,000 people outside cyber security. They comprise a range of specialists—from database and system administrators to computer network professionals and support technicians. Targeted training could enable these people to switch jobs and join the cyber security workforce.

Exhibit 37:

To be sure, skills shortages are found across the entire Australian ICT industry, and it is unrealistic to assume that the demand for cyber security specialists could be met just by re-training existing IT professionals. Still, the cyber security industry, with its high wages and strong growth outlook, would likely be attractive for a significant number of IT workers wishing to accelerate their careers. The difficulty many firms have in finding experienced cyber security staff, and their willingness to pay wage premiums, signal that too little has been done so far to help these workers transition.

Interviews with public officials, company executives and academics indicate that some government agencies and firms have drawn on the broader pool of general IT professionals to fill specialist cyber security roles. However, these skill transfers often occur without the necessary training, which impairs their effectiveness. Anecdotal evidence suggests that many organisations shy away from the expense, or struggle to make training staff available, to help workers from other industries or IT areas gain a foothold in the cyber security sector. A successful skills transfer is possible, though, as proven by some financial institutions in Australia that offer IT staff a six-month intensive ‘apprenticeship’ to help them transition into more specific cyber security roles.

Vocational training providers have an important role to play in facilitating the transition of workers by offering shorter, non-degree courses in cyber security. A number of institutions have already responded to the growing need for cyber security training by expanding their offerings. In Victoria, Chisholm TAFE and Box Hill Institute are both offering Certificate IV qualifications focused on cyber security, as is the ACT’s Canberra Institute of Technology. TAFE SA, South Australia’s largest vocational education and training provider, recently announced a partnership with a listed US cyber security provider to address the industry’s skill shortage. It will offer new cyber security training courses under the umbrella program “Fortinet Network Security Academy” designed to “help fill the pipeline of cybersecurity experts needed to manage and thwart increasingly sophisticated cyberattacks”.

There are also a number of private sector training organisations, such as Ionize and UXC Saltbush, which both provide training for the Australian Signals Directorate’s Information Security Registered Assessors Program. Overall, however, there is still plenty of scope for registered training organisations to become involved in cyber security.

Several steps could be undertaken to establish more visible and attractive pathways for the professional development of cyber security workers. Chapter 4.3 (Make Australia the leading centre for cyber security education) provides further detail on those recommended actions.

Australia has difficulties in retaining cyber talent

“Students with Distinction and High Distinction averages are receiving $100k job offers to leave in their second or third year and are not completing. Many of these graduates are leaving to take up positions in the [Silicon] Valley.”
—Professor of cyber security at an Australian university

Interviews with a range of industry participants suggest that Australia is at risk of a ‘brain drain’ in the cyber security industry. Both company executives and university course coordinators have observed that recruiters are increasingly successful in luring Australia’s top university talent abroad. Even before graduating, many students commit to taking up a role in Silicon Valley or elsewhere. In interviews, some employers also expressed a reluctance to invest in staff training and development out of fear they could lose their highest-skilled workers to well-resourced U.S. competitors. Mobility of Australian workers into different markets can deepen their skills and experience, providing benefits for the Australian industry upon their return. However, some of these workers won’t return, and their departure does decrease the talent pool on offer for Australian cyber security firms. The supply of workers through the education system needs to take account of this loss of talent overseas.

Equally, there are signs that Australia could make better use of foreign professionals to reverse the ‘brain drain’. While the number of Temporary Work (Skilled) visas (subclass 457) issued to workers classified as ICT Security Specialists—the largest occupational group within the cyber security industry—has steadily increased over the last decade, only 74 of these visas were granted in the fiscal year 2015-16. Based on data for ANZSCO 262112 (ICT Security Specialist), these visa holders are estimated to make up no more than two per cent of all ICT Security Specialists working in the Australian industry.

Chapter 4.3 (Make Australia the leading centre for cyber security education) lists a range of actions that could help Australia attract and retain the world’s best and brightest cyber security talents, including scholarships with ‘return of service’ obligations and more efficient pathways for skilled migration to Australia for cyber security professionals.