Australian Cyber Security Professionalisation program
AustCyber is leading an industry co-design team to create the Australian Cyber Security Professionalisation Program (ACSP) with key stakeholders, including universities, TAFEs, cyber security experts and industry associations.
ACSP is a critical step in professionalising the cyber security industry in Australia to global standards, with the intent of being a world leader and improving trust and confidence in Australian cyber security professionals.
Together we are collaborating, sharing, and co-creating. We’re leveraging human-centred design methodology and using a co-design framework.
Today the cyber security industry in Australia is fragmented, with no clear career pathways for those that have aspirations to work in the sector.
ACSP is designed to give current and future cyber security employees something tangible to aspire to in terms of professional recognition, as well as improving employers’ trust when hiring cyber security professionals.
Purpose of the co-design team
The purpose of the co-design team is to design and develop solutions to improve government, business and community trust and confidence in Australian cyber security professionals, to ultimately grow the ecosystem in a sustainable way. The team will focus on the role of cyber security career and education pathways, approaches to professional recognition, and consistency of role definitions.
Current status
We are in our infant stage, establishing the co-design team, engaging with key stakeholders and learning from employees and employers through qualitative research.
And this is just the beginning.
We will design. Test. Optimise. Re-design. Test again.
We are committed to ensuring that what is developed as part of this Program meets the needs of cyber security employees and employers as well as the broader ecosystem.
Who is involved?
Professor Matt Warren
Centre for Cyber Security Research & Innovation Director
Jo Cave
General Manager, TAFECyber
Professor Jill Slay
Vice Chairperson of the Board
Jo Stewart-Rattray
Former Global Board Director, Oceania Regional Ambassador
Rupert Grayston
Director Capability
Tony Vizza
Executive Director Cybersecurity
Rachel Bailes
Head of Policy
Kathleen Moorby
Director, Programs
Frequently asked questions
The Australian Cyber Security Professionalisation program, or ACSP for short, is a government backed, industry-led program run by AustCyber. Working with key industry leaders using a co-design approach, the goal of the program is to improve government, business and community trust and confidence in Australian cyber security professionals in order for the ecosystem to continue to grow.
Professionalising an industry essentially means establishing a set of standards, qualifications and practices that individuals must meet or follow to be recognised as a professional in that field. This process often includes the formation of a governing body or professional association that oversees the industry, sets these standards, and regulates the conduct of its members.
The purpose of professionalisation is to ensure that those working in the industry are competent, ethical, and can be trusted by the public.
Professionalisation provides:
clear career pathways and opportunities for those currently working or aspiring to work in the sector;
clarity and confidence when hiring or engaging professionals in the skills, knowledge and experience they have; and
those not in the field with the ability to understand, with confidence, the capabilities of a professional - in this case, the cyber security professional.
Cyber security presents a growing problem for governments, and consumers are increasingly affected by corporate cyber security breaches. So who are the experts relied on for cyber security advice and solutions and what are their skills? At present there is no standard, and anybody can claim expertise.
This means that members of the public have no way of knowing what level of competency an individual claiming to be a cyber expert actually has.
Considering the level of sensitivity that some information can hold, allowing anyone access to this without some level of assurance that they are competent, ethical and trustworthy is not ideal.
What level of assurance do firms have that insiders are meeting a minimum level of competency and are adhering to a code of conduct? Currently none, unless the firm knows what the global certifications are and what recourse they have with them.
The problem we are trying to solve is that, given the impact and scale of cyber security threats and challenges, as a nation, we need to define a minimum level of competency and standards that we expect individuals operating in the sector to uphold. This in turn will improve cyber outcomes across government, industry and academia.
The Australian government is seeking a basis for public trust and accountability in cyber security expertise and has asked the tech industry to collaborate and co-design a solution. The challenge is to define ‘cyber security professionals’, roles and capabilities.
There is also a growing skills shortage in cyber security, exacerbated by inconsistency in job roles and lack of clarity in entry qualifications and pathways. A successful solution should grow the workforce, while establishing standards.
For some in the sector, this may feel like an opportunity for recognition of competency. For others, it may feel unnecessary and unwelcome. It would be timely for us to have some answers. In other sectors, inaction in the face of consumer or public risk has led to statutory interventions.
Introducing professionalisation brings substantial value to the sector by establishing clear standards and guidelines. It ensures consistent expertise, promotes industry-wide best practices, and fosters trust among the community.
It is also proven to drive equality, acting as a useful tool to promote diversity and gender equality. For instance, specific provisions to encourage the participation of underrepresented groups can be included. This has been successful in other fields, such as medicine (Source: Gender Equality in the Medical Profession: A Cross-Sectional Study).
Professionalising the cyber security sector benefits the Australian community. Professional standards guarantee a minimum level of competence amongst cyber security professionals, which in turn, will enhance the security that businesses, government agencies and individuals rely on.
Professional standards are designed to protect the community by ensuring that cyber security professionals are well-trained, experienced, competent, and adhere to a code of ethics that prioritises safeguarding the public's information and digital assets.
This will ultimately foster greater trust in the digital economy, contribute to economic growth, and protect individuals, businesses and institutions from cyber threats.
Professional standards establish the minimum standard of competence/excellence to be considered a professional.
They are:
Vendor/product neutral and independent
Dependent on the maintenance of competence through continuing professional development and education
Supported by a disciplinary code with a process for public complaint and sanctions
No, professional recognition is not an entry level requirement. It is a career aspiration and choice, not a licence to operate in the industry.
No, professional recognition is a choice and a career opportunity. It is not a licence to operate.
No, this program is not creating another certification. The program aims to consolidate what already exists to create clarity around what to do to progress in your career.
The government is supporting the program by empowering the sector to take the lead and work together to design a solution that is fit for purpose and meets the needs of the sector and the broader Australian community, rather than imposing a solution without industry consultation.
The government is also providing the initial funding to support the design and development of this program.
Co-design is a design-led process that involves working with the people who are closest to the problem in order to create a workable solution. It encourages active participation and information sharing from everyone, and prioritises making things together.
There is no one-size-fits-all approach. Importantly, co-designers make decisions, not just suggestions (Burkett, 2012).
We're committed to creating a solution to help all cyber security professionals in Australia. By using a co-design team approach, we can incorporate the viewpoints of a diverse group of people from all stakeholder groups, listening to their particular challenges and creating something that works for everyone.
Government-backed and industry-led, the co-design team is made up of the following experts:
Phase 1 - research and design
Professor Matt Warren, RMIT University
Jo Cave, TAFECyber
Professor Jill Slay, (ISC)²
Rupert Grayston, Australian Computer Society (ACS)
Jo Stewart-Rattray, ISACA
Tony Vizza, KordaMentha
Rachel Bailes, Australian Information Industry Association (AIIA)
Damien Manuel and Akash Mittal, Australian Information Security Association (AISA)
Scott O'Neill and Scarlett McDermott, Tech Council of Australia
Kathleen Moorby, AustCyber
Phase 2 - detailed development and in-market testing
Professor Matt Warren, RMIT University
Jo Cave, TAFECyber
Professor Jill Slay, (ISC)²
Rupert Grayston, Australian Computer Society (ACS)
Jo Stewart-Rattray, ISACA
Tony Vizza, KordaMentha
Rachel Bailes, Australian Information Industry Association (AIIA)
Shireane McKinnie, Engineers Australia
Eamon Sloane, Insurance Council of Australia
Kathleen Moorby, AustCyber
Yes, as well as the co-design team, the following stakeholders and groups have provided feedback and input:
Cross-government collaborators:
Department of Industry, Science and Resources (DISR)
Australian Cyber Security Centre (ACSC)
Department of Employment and Workplace Relations (DEWR)
Australian Public Service Commission
Department of Home Affairs
Jobs and Skills Australia
Professional Standards Authority
Investment NSW
Victorian Government - Cyber branch
Tasmanian Government
Other collaborators and stakeholders:
Cyber security employees and employers
Digital Skills Organisation
Engineers Australia
Global organisations including UK Cyber Security Council and government, (ISC)², ISACA, SFIA and CREST
University sector including University of Tasmania, Macquarie University, Melbourne University, RMIT, Deakin, UNSW and Australian Technology Network