Australian Cyber Security Professionalisation program

The Australian Cyber Security Professionalisation program, or ACSP for short, is a government backed, industry-led program run by AustCyber. Working with key industry leaders using a co-design approach, the goal of the program is to improve government, business and community trust and confidence in Australian cyber security professionals in order for the ecosystem to continue to grow.

Professionalising an industry essentially means establishing a set of standards, qualifications and practices that individuals must meet or follow to be recognised as a professional in that field. This process often includes the formation of a governing body or professional association that oversees the industry, sets these standards, and regulates the conduct of its members.

The purpose of professionalisation is to ensure that those working in the industry are competent, ethical, and can be trusted by the public.

Professionalisation provides:

• clear career pathways and opportunities for those currently working or aspiring to work in the sector;
• clarity and confidence when hiring or engaging professionals in the skills, knowledge and experience they have; and
• those not in the field with the ability to understand, with confidence, the capabilities of a professional - in this case, the cyber security professional.

Cyber security presents a growing problem for governments, and consumers are increasingly affected by corporate cyber security breaches. So who are the experts relied on for cyber security advice and solutions and what are their skills? At present there is no standard, and anybody can claim expertise.

This means that members of the public have no way of knowing what level of competency an individual claiming to be a cyber expert actually has.

Considering the level of sensitivity that some information can hold, allowing anyone access to this without some level of assurance that they are competent, ethical and trustworthy is not ideal.

What level of assurance do firms have that insiders are meeting a minimum level of competency levels and are adhering to a code of conduct? Currently none, unless the firm knows what the global certifications are and what recourse they have with them.

The problem we are trying to solve is that, given the impact and scale of cyber security threats and challenges, as a nation, we need to define a minimum level of competency and standards that we expect individuals operating in the sector to uphold. This in turn will improve cyber outcomes across government, industry and academia.

The Australian government is seeking a basis for public trust and accountability in cyber security expertise and has asked the tech industry to collaborate and co-design a solution. The challenge is to define ‘cyber security professionals’, roles and capabilities.

There is also a growing skills shortage in cyber security, exacerbated by inconsistency in job roles and lack of clarity in entry qualifications and pathways. A successful solution should grow the workforce, while establishing standards.

For some in the sector, this may feel like an opportunity for recognition of competency. For others, it may feel unnecessary and unwelcome. It would be timely for us to have some answers. In other sectors, inaction in the face of consumer or public risk has led to statutory interventions.

Introducing professionalisation brings substantial value to the sector by establishing clear standards and guidelines. It ensures consistent expertise, promotes industry-wide best practices, and fosters trust among the community.

It is also proven to drive equality, acting as a useful tool to promote diversity and gender equality. For instance, specific provisions to encourage the participation of underrepresented groups can be included. This has been successful in other fields, such as medicine (Source: Gender Equality in the Medical Profession: A Cross-Sectional Study).

Professionalising the cyber security sector benefits the Australian community. Professional standards guarantee a minimum level of competence amongst cyber security professionals, which in turn, will enhance the security that businesses, government agencies and individuals rely on.

Professional standards are designed to protect the community by ensuring that cyber security professionals are well-trained, experienced, competent, and adhere to a code of ethics that prioritises safeguarding the public's information and digital assets.

This will ultimately foster greater trust in the digital economy, contribute to economic growth, and protect individuals, businesses and institutions from cyber threats.

Professional standards establish the minimum standard of competence/excellence to be considered a professional.

They are:

• Vendor/product neutral and independent
• Dependent on the maintenance of competence through continuing professional development and education
• Supported by a disciplinary code with a process for public complaint and sanctions

No, professional recognition is not an entry level requirement. It is a career aspiration and choice, not a licence to operate in the industry.

No, professional recognition is a choice and a career opportunity. It is not a licence to operate.

No, this program is not creating another certification. The program aims to consolidate what already exists to create clarity around what to do to progress in your career.

The government is supporting the program by empowering the sector to take the lead and work together to design a solution that is fit for purpose and meets the needs of the sector and the broader Australian community, rather than imposing a solution without industry consultation.

The government is also providing the initial funding to support the design and development of this program.

Co-design is a design-led process that involves working with the people who are closest to the problem in order to create a workable solution. It encourages active participation and information sharing from everyone, and prioritises making things together.

There is no one-size-fits-all approach. Importantly, co-designers make decisions, not just suggestions (Burkett, 2012).

We're committed to creating a solution to help all cyber security professionals in Australia. By using a co-design team approach, we can incorporate the viewpoints of a diverse group of people from all stakeholder groups, listening to their particular challenges and creating something that works for everyone.

Government-backed and industry-led, the co-design team is made up of the following experts:

Phase 1 - research and design

• Professor Matt Warren, RMIT University
• Jo Cave, TAFECyber
• Professor Jill Slay, (ISC)²
• Rupert Grayston, Australian Computer Society (ACS)
• Jo Stewart-Rattray, ISACA
• Tony Vizza, KordaMentha
• Rachel Bailes, Australian Information Industry Association (AIIA)
• Damien Manuel and Akash Mittal, Australian Information Security Association (AISA)
• Scott O'Neill and Scarlett McDermott, Tech Council of Australia
• Kathleen Moorby, AustCyber

Phase 2 - detailed development and in-market testing

• Professor Matt Warren, RMIT University
• Jo Cave, TAFECyber
• Professor Jill Slay, (ISC)²
• Rupert Grayston, Australian Computer Society (ACS)
• Jo Stewart-Rattray, ISACA
• Tony Vizza, KordaMentha
• Rachel Bailes, Australian Information Industry Association (AIIA)
• Shireane McKinnie, Engineers Australia
• Eamon Sloane, Insurance Council of Australia
• Kathleen Moorby, AustCyber

Yes, as well as the co-design team, the following stakeholders and groups have provided feedback and input:

Cross-government collaborators:

• Department of Industry, Science and Resources (DISR)
• Australian Cyber Security Centre (ACSC)
• Department of Employment and Workplace Relations (DEWR)
• Australian Public Service Commission
• Department of Home Affairs
• Job and Skills Australia
• Professional Standards Authority
• Investment NSW
• Victorian Government - Cyber branch
• Tasmanian Government

Other collaborators and stakeholders:

• Cyber security employees and employers
• Digital Skills Organisation
• Engineers Australia
• Global organisations including UK Cyber Security Council and government, (ISC)2, ISACA, SFIA and Crest
• University sector including University of Tasmania, Macquarie University, Melbourne University, RMIT, Deakin, UNSW and Australian Technology Network
• Tech Council and AIIA Members
• Australian Women in Security Network (AWSN)
• Lumify Group
• Fifth Domain
• Hudson, Technology & Projects
• IoT Alliance Australia
• Wise Law

Visit our website to learn more or email info@austcyber.com.