Australia is facing a significant shortfall in the number of cybersecurity professionals needed to defend people, governments and businesses. With AustCyber forecasting a shortfall of almost 17,000 cybersecurity workers by 2026, current efforts by the education system will fall well short of filling that gap. 

 There is no single silver bullet that can solve this problem. Tackling the cybersecurity shortage requires a multi-faceted approach that attracts new workers to the industry. These efforts must provide multiple entry points to attract workers to minimise the impact of the current, acute need and create pathways to make cybersecurity attractive, so young people see cybersecurity as not just a lucrative career but one that offer rich experiences and job satisfaction.  

Countering the hacker perception 

For many people, the image of a cybersecurity professional is taken straight from The Matrix with a figure – typically a male – in a darkened room hunched over a screen filled with computer code. And while technical roles are important in cybersecurity, the reality is that there is far more diversity in the types of roles that are needed.  

Cybersecurity is not just about solving technical problems. A look at the modern threat landscape tells us cybersecurity encompasses everything from psychology and human behaviour through to education and strategic planning. While technical skills are important, not all cybersecurity roles are dependent on software engineering or hacking skills.  

Overcoming the cybersecurity skills shortage requires an industry-wide rethink of how cybersecurity careers are portrayed. While The Matrix might be one way cybersecurity professionals are portrayed, another might be the classic movie Sneakers where one party used social engineering and psychology to gain information they could use to infiltrate their target.   

The Australian Government’s goal of becoming the most cybersecure country in the world by the end of the decade will not be achieved by only focussing on technical skills.  

The role of education 

Our public and private education sectors may be seen as competitors but both  are important and complementary. University degrees are critical for teaching foundational skills that are needed. But, because of the way these degrees are designed and accredited, they can struggle to keep up with a fast-changing world. This is why vocational and just-in-time training are so important. 

 Just as the tools, techniques and procedures used by attackers evolve, the skills and tools needed by cybersecurity professionals must keep pace. Short, intensive training can be delivered quickly by private educators who can use industry experience far faster and with greater agility than the public education sector. 

We need the public and private education sectors to acknowledge they have complementary parts to play in erasing the skills deficit the cybersecurity industry faces.  

Create more points of entry 

With just 2000 cybersecurity graduates expected to finish study in 2026, it is clear the education sector, alone, cannot fix the skills deficit. By attracting people from other disciplines with diverse backgrounds it is possible to make a significant difference to the cybersecurity skills deficit. 

This starts with how cybersecurity jobs are advertised. For example, rather than focussing on specific technical experience, job ads can focus on skills such as problem solving, communication, teamwork, and willingness to learn. There are many examples of people who have brought extensive experience from other industries and become exceptional cybersecurity professionals. Those human skills, honed through experience are critical.  

 Cybersecurity is a constantly evolving field. Finding people that have demonstrated great human skills and who are willing to continually develop technical skills are immensely valuable. But finding and attracting them means casting a much wider net than the industry has traditionally. 

It may seem risky to hire someone from outside the industry, but we will not grow the industry if organisations simply rotate the existing pool of professionals among themselves. 

 Diversity matters 

 Today’s attackers come from many different cultural backgrounds. They are often highly educated and bring diverse experiences. According to research from RMIT, just 17% of cybersecurity jobs are held by women. Yet, cybercrime affects every Australian regardless of gender or cultural background. 

 Educators must find ways to make courses, whether we are looking at multi-year degrees or shorter programs, attractive to a broader cross-section of potential students. That means ensuring educational programs do not use language that might exclude or discourage people, have instructors from diverse backgrounds, and are designed with input from groups that are underrepresented in cybersecurity. 

 The Australian Government’s goal of becoming the world’s most cyber secure nation by 2030 will not be achieved unless we find ways to address the growing skills deficit. While the public education system has a significant role, so do private, vocational education providers and the broader cybersecurity industry. We can only breach the skills gap by bringing more people into the industry. And that is something every organisation in the industry can contribute to.