Australia’s Cyber Security Sector Competitiveness Plan 2022

Chapter 2

Australian cyber security sector growth is slower than peers for three reasons

Australia’s cyber sector annual revenue growth has averaged 8.7 per cent over the past five years – slower than other leading cyber jurisdictions

The Australian cyber sector’s revenue growth has been slower than other leading nations. Australian firms’ annual revenue growth has averaged 8.7 per cent since 2017. The average growth rate for the 10 leading cyber jurisdictions (based on 2022 revenue) has been 11.5 per cent. Chinese cyber firms’ revenue growth has been the strongest of all leading nations at 21.4 per cent.

External tensions, ecosystem benefits and strict regulations have contributed to strong growth in leading jurisdictions. Countries such as China and South Korea have invested heavily in their cyber sector driven by an increased focus on sovereignty due to political tensions. Cyber firms in the Netherlands have benefitted from a strong digital ecosystem supported by the government. The Hague is home to the Global Forum on Cyber Expertise, Europol’s European Cybercrime Centre, the NATO Communications and Information Agency and The Hague Security Delta, the largest security cluster in Europe. The cyber sector in the UK has benefitted from the EU’s General Data Protection Regulation (GDPR), retained in the UK post-Brexit, that enacts some of the strictest penalties for data breaches (up to 20 million euros or four per cent of turnover – whichever is greater).1,2

In 2022, Australia is ranked ninth globally in terms of revenue. The US has the greatest share of global revenue, followed by China, the UK, Japan, Germany, France, Canada, South Korea, Australia and the Netherlands.

Exhibit 7: Growth rates of largest cyber jurisdictions3, 4, 5

Average annual revenue growth rate between 2017 and 2022 (%) of top 10 cyber jurisdictions based on 2022 revenue

Exhibit 7: Growth rates of largest cyber jurisdictions

Australian cyber security sector growth is slower than international peers for three reasons

Australian cyber security growth is slower than peers

Australian cyber security startups receive 300 times less funding than peer leaders

Australian startups generate less value in early-stage funding than international competitors. In 2022, Australian startups received 300 times less funding than Israeli and Canadian startups. As a result, they have less ability to scale.

Australia’s venture capital ecosystem is immature compared to peer countries.10 Australia has a small venture capital market compared to international peers. Australia ranks 20th out of 38 OECD countries in venture capital funding as share of GDP, lower than Israel, Canada and Singapore.11 Government funds in Israel and Canada have supported strong investment in both countries. The preparedness to invest in early startups further decreased during COVID-19, evidenced by a decline in investments characterised by higher uncertainty.11

Cyber security firms consider the lack of funding a key challenge. When asked about challenges the sector faces in AustCyber’s Digital Census 2022, respondents highlighted funding as a significant barrier to growth.

STC12429_Quotes

Exhibit 8: Value of early-stage funding rounds12,13

A$ million

Exhibit 8: Value of early-stage funding rounds

Cyber security research funding has decreased by 23 per cent since 2019 due to consecutive decreases in ARC funding

Cyber security research funding has decreased by 23 per cent since 2019. Funding has reduced due to consecutive annual decreases in Australian Research Council (ARC) funding. ARC funding has decreased by $2.3 million since 2019, with just $500,000 being distributed in 2022.19

Cyber security attracts less research funding than similar research fields. In 2022, ARC allocated over $10 million in research funding to artificial intelligence, more than 20 times more funding than cyber security. In the same year, machine learning received $1.1 million research funding from ARC, twice the amount directed to cyber security. Sector experts suggested that the relatively low funding for cyber security from the ARC could be due to limited cyber security expertise and awareness among ARC grant assessors.

Currently, the Cyber Security Cooperative Research Centre (CSCRC) provides 93 per cent of cyber security research. CSCRC funding is due to expire in 2024, which, if not extended or replaced, would reduce government funding for cyber security to almost zero, based on current trends. The CSCRC is the sector’s central research organisation and has a long-term focus on critical infrastructure security and cyber security as a service.20 It has more than 20 partners from industry, government and research, including six leading Australian universities, all of which contribute funding.

Exhibit 9: Government funding directed to cyber security research21,22

A$ million

Exhibit 9: Government funding directed to cyber security research1

As a result of limited startup support in the form of investment and research funding, the rate of new firm entries in cyber security has slowed in recent years

Australia’s cyber security sector has seen years of rapid growth. Between 2014 and 2019, the number of businesses in the cyber security sector grew by more than 10 per cent each year, more than three times higher than the broader economy or the comparable IMT sector.

There has been a slowdown in the entrance rate of new cyber security startups over the past two years. The growth rate in new businesses has decreased from 22 per cent in 2019 to six per cent in 2021, according AustCyber’s Digital Census 2022.

The decline in growth is likely due to limited early-stage funding and a period of economic uncertainty during COVID-19. The Australian cyber security sector has a low level of early-stage funding compared to international peers, and funding in 2020 and 2021 was lower than 2019, which has likely impacted the growth rate in the number of firms in the sector. Additional economic uncertainty from 2020 as the pandemic ensued may also have impacted the entry rate of cyber security startups.

Although growth has slowed, there is still strong activity in the startup space. 13 per cent of cyber security firms in Australia were established in 2020. Examples include RightSec, CyberUnlocked, Blackheart Cyber and StarkNEX.

Exhibit 10: Growth rate in number of firms by sector24,25,26

% per year

Exhibit 10: Growth rate in number of firms by sector1

Australian cyber security firms derive less revenue from export than other comparable international firms

Australian cyber security firms do not receive a significant share of revenue from exports. The Australian cyber security sector receives approximately 17 per cent of its revenue from exports currently, less than half of the UK’s 42 per cent share.27

Cyber security products and services are well-suited to exporting. The cross-border nature of cyber security threats supports a global market for security solutions. Australian products and services are applicable in most markets, presenting a strong opportunity for exports.27

Increasingly, Australian firms are facing competition from overseas. Not only is global competitiveness important for growing revenue but also for protecting existing domestic revenue. According to the AustCyber’s Digital Census 2022, 53 per cent of Australian firms report their main competitors are international firms. Sector experts suggested that firms targeting organisations in critical infrastructure face strong competition from international firms.28

Exhibit 11: Percentage off firms exporting in Australia and the UK

% of survey respondents

Exhibit 11

Exhibit 12: Share of Australian and UK sector revenue from exports28, 29

% of 2022 revenue, by source

Exhibit 12: Share of Australian and UK sector revenue from exports

Focusing on serving local demand offers fewer opportunities, as Australian cyber security expenditure represents only 2.1 per cent of global demand

Australia accounts for only 2.1 per cent of global cyber security demand. Australia’s domestic demand ranks eighth globally. The US has the greatest share of global cyber security expenditure, followed by Japan, the UK, Germany, China, France and Canada.

Australia’s domestic demand has been gradually declining and is forecast to continue to decline. Australia’s share of global cyber security expenditure is 2.1 per cent in 2022. The share is down from 2.2 per cent in 2017 and is forecast to further decline to 1.9 per cent by 2025.

Australian cyber security firms that only focus on the domestic market have a small serviceable market. Australian cyber security firms need to expand overseas to achieve scale.

Exhibit 13: Cyber security expenditure by country30

Share of global cyber security expenditure, 2022 (%)

Exhibit 12: Cyber security expenditure by country

Workforce shortages are further handbrakes on growth, with the sector forecast to have 3,000 fewer cyber security workers than required by 2026

Australia’s cyber security sector is expected to have 3,000 fewer workers than required by 2026, despite projected growth of 1,200 workers over the period. Demand for cyber security workers will increase to 51,100 workers by 2026. However, based on projected inflows and outflows from the cyber security workforce, by 2026 there will be a shortage of 3,000 workers. Only 48,100 of the demanded roles will be filled.

Between 2022 and 2026, it is expected that 9,500 current cyber security workers will leave the workforce. This figure includes workers retiring from the workforce and those moving to other industries. This estimate is based on the exit rate for the broader ICT sector. 

8,300 new cyber security workers and 2,400 skilled migrants are expected to join the Australian cyber security workforce by 2026. Together, new graduates, upskilled and reskilled workers and skilled migrants will more than replace workers leaving the workforce. This means that there will be an increase of 1,200 workers to the Australian cyber security workforce by 2026.

These results are based on AUCyberExplorer estimates of sector employment. Estimates are not comparable to those published in the 2020 SCP, where employment estimates were derived from revenue and value added.

Exhibit 14: Cyber security workforce forecast31, 32

Number of cyber security workers 2022-2026

Exhibit 13: Cyber security workforce forecast

The workforce shortage is partially a result of lower migration, with the number of skilled visas granted in tech almost halved since FY19

Skilled visas for tech occupations have declined by 49 per cent between 2019 and 2021, contributing to the skills shortage. Australia has historically relied on skilled migrants to support the tech and cyber security workforce.34 To achieve sectoral growth, the cyber security sector requires 3,100 skilled migrants over the next four years. Border closures during COVID-19 significantly reduced tech and cyber security skilled migration.

Skilled migration is expected to return to above pre-pandemic levels by 2026. Migration is expected to fully return to pre-COVID levels in 2025.35 However, there is currently a backlog of more than 140,000 skilled migrant visas.36 Processing times for skilled visas have doubled since COVID-19. A quarter of applications now take more than a year to process, and the slowest 10 per cent of skilled visas take 15 months to process.37

Despite being one of seven priority sectors, only 5% of all visas issued across these seven priority sectors in 2021 were for cyber security workers. Australia’s Global Talent Program aims to attract highly skilled professionals in seven priority sectors to Australia. These sectors are information and communications technology, energy and mining tech, medtech, fintech, advanced manufacturing, agritech and cyber security. The number of visas granted for cyber security skilled workers was lower than any other sector.

Increasing skilled migration of cyber security workers is essential. Attracting experienced cyber security workers from overseas will be vital to reducing the skills gap, particularly for experienced professionals. Expert interviews revealed that many firms face a shortage of mid to senior-level cyber security professionals, which are difficult to attract domestically.

Exhibit 15: Supply of skilled visas for all tech occupations38

'000s, number of skilled visas granted for tech occupations

Exhibit 14: Supply of skilled visas for all tech occupations1

Exhibit 16: Skilled visas granted to priority sectors39, 42

'00s, number of skilled visas granted for tech occupations40

Exhibit 16: Skilled visas granted to priority sectors2

Notes and Sources

1. International Trade Administration (2021)

2. GDPR (2022)

3. Gartner Information Security Forecast, Worldwide, 2016-2026, 1Q22 Update

4. McKinsey (2020)

5. Statista (2022), Accenture analysis

6. OECD countries and direct peers (Singapore and South Korea) are included in rankings. Enrolments in ICT degrees is used as a proxy for cyber security, in absence of cyber security specific data. Leading countries are based on FY22 figures and as such, may not align to those outlined in Exhibit 7, which are measured over the 2017-2022 period.

7. Crunchbase (2022)

8. Gartner Information Security Forecast, Worldwide, 2016-2026, 1Q22 Update

9. OECD (2022), Accenture analysis

10. Blackbird Ventures (2021)

11. OECD (2021)

12. 2022 figures include investments made between Jan and June.

13. ‘Cyber security firms’ based on Crunchbase’s reported data, which captures a broader range of firms than AUCYBERSCAPE.

14. Haaretz (2022)

15. Crunchbase (2022)

16. AFR (2022)

17. AFR (2022)

18. Expert interviews, Accenture analysis

19. ARC figures include both Discovery and Linkage projects and include total funding announced for 2022. CSCRC figures are based on $50 million of government funding over the seven years to 2024.

20. Individual funding from the CSCRC’s members is not included as this is not classified as government funding. 

21. Funding includes money allocated to universities or other research institutions.

22. Australian Research Council (2022)

23. Cyber Security Cooperative Research Centre (2022), Accenture analysis

24. Analysis is based on AustCyber’s Digital Census 2022 data, which – due to sample composition – might understate recent growth.

25. AustCyber’s Digital Census 2022 “When was your organisation established?”

26. ABS (2022), Accenture analysis

27. UK Government (2021)

28. Expert interviews, Accenture analysis

29. AustCyber’s Digital Census 2022 – “Throughout the 2021/22 financial year, has your organisation exported (or will your organisation export) any products and/or service? Who are your main competitors?”

30. Gartner Information Security Forecast, Worldwide, 2016-2026, 1Q22 Update, Statista (2022), Accenture analysis  

31. See Appendix A.4 for detailed methodology. Figures are not comparable to those published in the 2020 SCP due to a changed methodology and changed data sources. 

32. AUCyberExplorer (2022)

33. Deloitte Digital Pulse (2022)

34. Deloitte Digital Pulse (2022)

35. ABC (2021)

36. Department of Home Affairs (2022)

37. AFR (2022

38. See Appendix for detailed methodology. 

39. The Australian Government has selected future-focused priority sectors to promote immigration of highly skilled talent to Australia (Visa subclass includes 186, 187, 482, 494 and 858). 

40. Priority sectors represent a subset of all tech occupations 

41. ICT includes Quantum Information, Advanced Digital, Data Science.


42. Grattan Institute (2021), Accenture analysis