SCP - Chapter 1 - The global outlook for cyber security

Key points in this chapter

  • Cyber security spending is soaring and set to increase by 86 per cent to US$270 billion by 2026
  • Indo-Pacific countries have emerged as significant buyers of cyber security solutions, adding to the market opportunity for Australian providers
  • Demand drivers include expanding threat of cyber attacks, mounting exposure to cyber risk, increased risk awareness and increased regulation
  • The cyber security market is diverse and sophisticated
  • Three fundamental security needs shape demand for products and services – core systems protection (the ‘protection stack’), security operations, and underlying processes
  • Technology reshaping the industry includes convergence of information technology and operational technology, mobile internet, artificial intelligence and big data, cloud computing and the Internet of Things
Disruptive technological trends will continue to evolve and, as a result, generate demand for new cyber security solutions

1.1 Overview

The world is abuzz with new connections. Cars, fridges, houses, factories – the list of things that can be controlled and monitored remotely grows daily. At the same time, more and more people around the globe have access to these new technologies and depend on them in their daily life. But the mass of interconnected things, referred to as the Internet of Things (or Internet or Everything), and technological innovation comes with a risk: it increases the number of potential targets for malicious cyber activity.

Malicious cyber activity is a growing challenge for organisations worldwide. It ranges from straightforward online fraud – such as scams using email, websites or chat rooms – to sophisticated cyber espionage and calculated cybercrime, used to steal secrets and other information stored digitally on systems and networks. Malicious cyber activities have the potential to seriously harm not just an organisation’s business and reputation, but also to compromise a nation’s security, stability and prosperity. The number of incidents has spiked in recent years, as perpetrators aggressively exploit flaws in digital infrastructure. This has catapulted cyber security to front-of-mind for business leaders, regulators and politicians who are anxious to shore up defences and improve resilience.

Cyber adversaries are constantly devising new ways to exploit vulnerable systems and networks. This is forcing organisations – from banks to energy companies, and from government agencies to charities – to strengthen their cyber defences. The growing security needs of organisations are expected to underpin the rapid evolution of the global cyber security sector, which provides a substantial opportunity for cyber security businesses in Australia.

Over the next decade, the industry will become more diverse and sophisticated, as businesses continue to refine their product offerings to meet their customers’ varying cyber security needs. However, the outlook for security needs and the main product types (hardware, software and services) is not uniform. It is driven by differences in current size, projected demand, export potential and ability to create more jobs.

The Internet of Things, Cloud Computing and the convergence of IT and operational technology (OT), are some of the current important disruptive technological trends that will contribute to the future demand of cyber security solutions. They will increase demand for all forms of cyber security, particularly software. These disruptive technological trends will continue to evolve and, as a result, generate new demand for new cyber security solutions.

1.2 Cyber security spending is growing fast

Demand outlook

Spending on cyber security worldwide is expected to soar over the next decade. The global cyber security market is currently worth around US$145 billion and is set to increase by 86 per cent to US$248 billion by 2026, as shown in Figure 2. Roughly three-quarters of the global expenditure on cyber security comes from cyber security ‘users’ (organisations and individuals seeking to defend themselves against malicious cyber activity) purchasing the products and services of external cyber security ‘providers’ (both specialist cyber security companies and IT or telecommunications companies with cyber security offerings). The remaining quarter of spending covers all internal expenditure on cyber security, mainly the cost of employing in-house teams with specialist cyber security skills.1

The global cyber security market is currently worth around US$145 billion and is set to increase by 86 per cent by 2026

Analysis based on available market data and expert interviews suggests this trend will accelerate in the future. While money spent on in-house or internal cyber security functions is expected to grow by around 7.2 per cent each year to 2026, global spending on external cyber security products and services is set to increase by 8.4 per cent annually over the same period.

The global cyber security market is currently worth around US$145 billion and is set to increase by 86 per cent by 2026

Figure 2 – Global cyber security spend

Figure 2

The demand outlook for Australia’s neighbours is particularly strong (see Figure 3). Cyber security spending in the Indo-Pacific region, which includes Asia Pacific nations as well as China and India, is expected to increase faster than the global average, with an additional US$40 billion in spend by 2026. This means Indo-Pacific countries have emerged as significant buyers of cyber security solutions, set to account for roughly one-quarter of global cyber security spending in 2026. The fast-rising demand from countries in Australia’s vicinity adds to the market opportunity for Australian cyber security providers.

Indo-Pacific countries have emerged as significant buyers of cyber security solutions, adding to the market opportunity for Australian providers

Figure 3 – Indo-Pacific (Asia-Pacific including China and India) cyber security spend

Figure 3

Demand drivers

Several trends support the growth outlook for cyber security spending:

  • Expanding threat of cyber attacks – Malicious cyber activity is on the rise, as criminals use ever-more sophisticated strategies to infiltrate systems and networks. For example, there were over 11.7 billion records and over 11 terabytes of data leaked or stolen in publicly disclosed security incidents in the three years from 2016 to 2018, according to the technology company IBM.2 Software provider Symantec Corporation discovered 670 million new unique pieces of malware in 2017 and just over 245 million in 2018. The frequency of so-called mega breaches, defined as the loss or theft of more than 10 million personal data records at once, has soared to record highs globally.3 But official numbers are likely only the tip of the iceberg, as more and more companies choose not to reveal the full extent of the data breaches they experience. Cyber threats have increased markedly in Australia too. During 2016–17, malicious emails alone caused businesses in Australia to report losses of more than A$20 million, an increase of over 230 per cent from the A$8.6 million reported the previous financial year.4 Again, this figure likely represents only a small percentage of total malicious cyber activity, due to both misreporting and underreporting.
  • Mounting exposure to cyber risk – The rapid expansion of internet-enabled economic activity and the number of connected devices and systems increase the likelihood of widespread malicious cyber activity. People in far corners of the globe are gaining online access, as the world becomes more digitised and interconnected. This is partly due to smartphone penetration, which has risen markedly in many countries. Everyday items such as watches, fridges and cars are now internet connected, as are important customer databases, power plants and government payment systems. This increases the volume and quality of information shared electronically, and widens the range of potential targets for perpetrators.
  • Growing risk awareness – Recent high-profile cases of malicious cyber activity and media coverage of data breaches have made companies and other organisations increasingly aware of the risks cyber adversaries pose to their businesses. Latest research from Telstra, Australia’s largest telecommunications provider, shows that 78 per cent of organisations surveyed globally, including 76 per cent of Australian respondents, have an incident response plan in place.5 As of February 2018, many businesses in Australia are now required to notify victims and the Privacy Commissioner of data breaches, which will drive further awareness and accountability. The growing awareness is increasingly driving companies to adopt frameworks including security audits, risk assessments, compliance tools and continuous end-user training.
  • Increasing regulation of cyber risk – Governments worldwide are increasingly concerned that cyber attacks could hit crucial economic sectors. Many are issuing new laws to ensure organisations bolster their cyber security controls. The expected growth in cyber-related regulation is likely to prompt organisations to increase their security spending. For example, increasing regulatory oversight has already forced banks and insurance companies to be more acutely aware of malicious cyber activity threatening their operations. The new data breach notification laws in Australia now require all businesses with an annual turnover of $3 million or more to publicly disclose any case where they believe personal data was compromised, or risk hefty fines. Similar laws have been in place in the US for years. In the EU, new data protection regulation, including privacy provisions, came into force in May 2018. Such mandatory standards will almost certainly lead to higher demand for new cyber security products and services – a recent survey shows that almost half of all Australian small and medium-sized businesses with an annual turnover of over $3 million do not consider themselves prepared for the new disclosure laws.6

1.3 The cyber security market is diverse and sophisticated

Cyber security is no longer just firewalls and off-the-shelf virus software. In recent years, it has evolved significantly to encompass a sophisticated range of products and services, as well as activities within organisations to build and operate their cyber security system.7 Cyber security today is best defined and understood as the collection of tools, technologies, processes

and practices that can be used to protect networks, computers and data from unauthorised access or attack. This broad definition, based on the definition used by the International Telecommunications Union, captures the multidisciplinary nature of cyber security practice today.8

Cyber security is no longer just firewalls and off-the-shelf virus software

Three fundamental security needs shape demand for cyber security products and services: the ‘protection stack’; security operations; and underlying processes. Matching the different security needs and product types, as shown in Figure 4, provides a helpful structure for understanding the diversity of the global cyber security sector.

Figure 4 – Examples of product security needs

Figure 4

Security needs

Three security needs drive demand for cyber security products and services:

  • Building a ‘protection stack’ – This is the basic infrastructure that protects an organisation’s IT networks and computer systems. It includes basic hardware, such as firewalls, routers and sandboxes, and a range of software tools including intrusion prevention systems (IPS). Organisations also need to protect software applications and systems that perform critical network tasks, and they need to ensure the endpoints of their network (such as user devices) are properly managed and secured.
  • Maintaining operational security – Once they have established a basic security infrastructure, organisations need to monitor and maintain their safety networks and systems. Some maintenance tasks are fundamental and ongoing, for example the security assessment and associated analytics to identify risks and detect attacks on their networks. Organisations also need to maintain their identification and access management systems to ensure only authorised staff enter their networks. When cyber security incidents do occur, organisations must have the capability to respond to the incident, fix weaknesses and restore their systems.
  • Strengthening underlying structures – To successfully fend off cyber adversaries, an organisation must create a strong culture of risk awareness. This includes clear rules for compliance, governance and risk management and ensuring all staff are well-trained and conscious of common cyber security threats.

Security needs of vary depending on an organisation’s size and the sector it operates in. Security needs also evolve over time depending on the maturity of an organisation’s cyber security strategies, changes in technology and the shifting nature of cyber threats. Most organisations meet these needs through a combination of internal capabilities and external cyber security providers.

Product types

An organisation can meet its cyber security needs through a combination of hardware, software and services. All three product types are embedded in distinct markets that vary in size and growth rate, exportability, potential for job creation and job quality (wage level and security of jobs). Technological trends also affect these three product types differently.

Dividing the cyber security sector into these three basic product types remains meaningful and useful for this analysis, even with some areas of overlap between product types. For example, software is increasingly delivered as a service rather than a standalone product, and hardware devices are often combined with proprietary software.


Hardware manufacturers build the physical devices, such as firewalls and encrypted USB flash drives, that help protect IT networks against malicious cyber activity.

  • Size – Hardware forms the smallest product type of the cyber security sector, accounting for roughly 10 per cent or US$10.6 billion, of external cyber security spending globally in 2018. It is most heavily concentrated in the protection stack, with the bulk of revenue generated by providing clients with core system protection and management. Outside the protection stack, spending on hardware is very limited (see Figure 5).
  • Growth – While the global demand for cyber security is projected to increase significantly over the next decade, hardware producers will receive a relatively small though focused share of the sector’s growth. The external global spending on physical IT protection equipment is estimated to increase by US$6.9 billion by 2026, equivalent to an average growth rate of 6.5 per cent per year. This represents only a fraction of the projected total industry external demand growth of more than US$98 billion over the same period.
  • Exportability – Cyber security hardware manufacturers have ample scope to export their products and compete in a global marketplace with relatively few barriers. The Wassenaar Arrangement may limit exports of some cyber security hardware products with potential use in defence. The Wassenaar Arrangement is a multilateral export control regime covering 41 states including Australia.9 It promotes transparency and information exchange to ensure the transfer of certain goods and technologies, particularly those with dual-use, does not enhance military capabilities that would undermine international and regional security and stability.
  • Job creation and quality – Hardware production supports an average of 4.6 full-time jobs per US$1 million of annual revenue generated, a labour intensity that ranks between software and services (see Figure 6). The quality of jobs in hardware varies widely from design (with high-skilled, high-wage jobs that are unlikely to be automated) to manufacturing (with lower skills required and higher susceptibility to automation).


Software companies within the cyber security sector create the applications that help organisations defend their computer systems and IT networks against intrusion and unauthorised use. Typical examples are applications for secure messaging, anti-malware, anti-spyware, identity management and network access control.

  • Size – Software represents the cyber security sector’s second-biggest product type. In 2018, it accounted for more than US$33 billion of the world’s total external cyber security spending, or around 30 per cent of the sector’s revenue, as shown in Figure 5. The use of software is currently concentrated around the protection stack, providing application protection, protection of endpoints and data at rest, and offering programs for the core system protection and management. It is also used in operational security, particularly for identity and access management.
  • Growth – The growth outlook for cyber security software is strong. In the seven years to 2026, external demand for cyber security software is expected to increase at an average annual rate of 9.5 per cent. This demand growth is forecast to be strongest in security operations, as users seek more effective solutions for security assessment and analytics, and identity and access management. Application protection, currently the largest security need in software, is expected to remain an area of focus.
  • Exportability – The market for cyber security software is strongly globalised, with relatively few barriers to trade. This has led to a concentration of market share in a small number of countries: companies domiciled in the US control 61 per cent of the global market, while Israeli companies dominate around 18 per cent.10 However, country-specific rules protecting intellectual property could act as a barrier to export software.
  • Job creation and quality – Figure 6 shows cyber security software tends to be less labour intensive than cyber security hardware or services, supporting an average of 4.0 full-time jobs per US$1 million of annual revenue. Cyber security software jobs are typically of very high quality and hard to automate, requiring high-skilled and well-paid staff.

Figure 5 – Breakdown of global cyber security spend

Figure 5

Figure 6 – Job intensity

Figure 6


Cyber security service providers meet a broad range of security needs for organisations. For example, they may help manage an organisation’s core computer system defences, assess network vulnerabilities or provide a security strategy plan. Some act as ‘first responders’ when an organisation has a security incident, while others offer specialised advice on risk and compliance issues.

  • Size – Services form the largest product type in the cyber security market, generating around 60 per cent, or US$65 billion, of the sector’s global external revenue, as shown in Figure 5. Demand is highest in security operations, and specifically in security management, assessment and analytics (a sub-segment of security operations). This includes, for example, setting up real-time monitoring systems for servers, endpoints and network traffic to rapidly detect any potential malware or data loss. Companies in the security operations segment attract almost 45 per cent, or US$29 billion, of the entire global spending on external cyber security services.
  • Growth – Services enjoy the strongest growth outlook within the global industry. From 2018 to 2026, the global spending on external cyber security services is expected to increase by 8.1 per cent per year. Growth is expected to be strongest for security operations, with an additional US$56 billion in demand forecast over the period to 2026.
  • Exportability – Cyber security services are exportable, but country-specific regulation and IT infrastructure can make the services trade more challenging. For example, companies that help configure and manage their client’s firewall may be limited in their reach by existing cross-border data regulations. Similarly, companies offering security management, assessment and analytics worldwide may require local offices to effectively service customers abroad. The assessment in Figure 7 shows that such factors affect exportability of incident recovery and response services the most, while application protection services and awareness, training and oversight are the least affected.
  • Job creation and quality – Figure 6 shows that, on average, services support 6.4 full-time jobs per US$1 million of annual revenue, marking the highest rate of job creation among the three product types. However, the quality of services jobs is less consistent and tends to be lower than cyber security jobs in the hardware and software segments of the industry. Services jobs in identity and access management, for example, typically require lower skills and pay lower wages than others. Automation is also more likely to impact services than other areas of cyber security, as advanced machine learning and artificial-intelligence (AI) software will continue to take over an increasing number of tasks. This trend is particularly acute in relation to monitoring threats.

Figure 7 – Assessment of the exportability of services to address different security needs

Figure 7

1.4 Technology is reshaping the industry

While technological change affects every industry, the cyber security sector is affected more than most. Several major trends are likely to unfold in coming years, which will shape the structure of cyber security markets. For some organisations, many of the looming technological changes will be disruptive. For others, they could work as a tailwind.

Analysis suggests that software companies generally appear best positioned to benefit from the following five major technological trends:

  • Convergence of information technology and operational technology – Historically, technologies used to control production plants and machines (operational technology, or OT) have differed from computer hardware and software technologies used to manage the an organisation’s general data flow. Over the last few years, however, operational technologies, such as sensors to monitor the temperature or water pressure during production, have become increasingly computerised. More and more companies are now equipping their machine-monitoring devices with IT-like features to integrate computer systems, save cost and speed up production. This convergence of OT and IT leads to increasingly complex networks, with multiplying endpoints and data types requiring more sophisticated cyber defences. The vulnerability of these merged systems generates fresh demand for most security product types.
  • Mobile internet – The number of people who own a smart device and use the internet continues to climb. A survey by US research organisation Pew Research Center found that, across 11 industrialised countries, a median of 68 per cent of adults owned a smart device in 2015, with even higher rates of smart device ownership in Australia (77 per cent) and South Korea (88 per cent).11 Smart devices are also on the rise in emerging and developing countries, where their penetration rate increased to 54 per cent in 2015, from 45 per cent two years earlier. Two thirds of adults worldwide use the internet, according to the research, and a growing share of them now use their mobile phones to go online. This rapid increase in smart device usage worldwide is multiplying the number of endpoints in networks and propelling demand for cyber security products. It is especially likely to drive investment in identity and access management.
  • Artificial intelligence and big data – Rapid improvements in artificial intelligence and advanced machine learning are changing the modern workplace. Increasingly, computers are used to perform tasks that rely on complex analyses, subtle judgments, and creative problem solving – a trend coined ‘automation of knowledge work’. McKinsey estimates that today’s available technologies could automate 45 per cent of activities that people are currently paid to perform.12 In cyber security, these advances are already starting to change the way threats can be identified, by reducing reliance on human network monitoring activities. This will benefit software developers, as companies increase their demand for applications to identify, analyse and manage cyber security threats. In the medium to long-term, service providers will be disadvantaged. However, the transition to greater automation will likely increase the demand for services in the short-term as cyber service providers support their customers to transition to more automated security systems.
  • Cloud computing – The evolution of cloud computing technologies is becoming a major driver of business efficiency. The ability to store huge amounts of data and bundle an array of IT solutions in one location is a powerful tool for companies to save costs and simplify their IT infrastructure. Increased use of cloud technology has moved the potential area of malicious cyber activity from the corporate network to cloud infrastructure managed by third parties. This is prompting companies to think differently about how to secure their operations. Several cloud computing providers are already offering network protection products and services through the cloud itself. This reduces the need for companies to purchase their own cyber security infrastructure, dampening the outlook for hardware producers but generating more demand for security operations to manage and monitor access to the cloud.
  • Internet of Things – The world of consumer products is turning into a network of interconnected things. Cars, buildings, fridges and countless other everyday devices are increasingly equipped with sensors, voice-control systems, internet access and data-processing features. Today, a smartphone can communicate with wearable devices to monitor a person’s health, while smart cars can sync with a user’s calendar to monitor petrol needs or plan routes. The growing number of interconnected devices, and the expansion in data types and volume, will increase the risks of malicious cyber activity. In turn this will generate new opportunities for providers of cyber security solutions. Software developers will particularly benefit, as new types of endpoints need to be secured.
The rapid increase in smart device usage worldwide is multiplying the number of endpoints in networks and propelling demand for cyber security products

Figure 8 summarises how these five major technological trends may impact the cyber security sector and its products.

Several other important technologies could also have profound implications for the structure of the cyber security sector. Two that are currently attracting attention are blockchain and quantum computing.

Quantum computing is considered a breakthrough technology still in development but that would spark a major upheaval in the current cyber security sector if it becomes a reality. Australian researchers are among the leaders in a global race to develop quantum computers, and home-grown startups like QuintessenceLabs are at the forefront of offering new quantum-safe encryption technologies (see Box 14).

Similarly, the disruptive power of blockchain technologies (digital ledgers of bitcoin or other cryptocurrency transactions) may bode well for Australia’s well-established financial services industry.

It is difficult to predict how these trends will end up impacting different segments of the cyber security sector, but the potential for Australia to seize a competitive edge in both blockchain technologies and quantum computing is significant.

Any analysis of potentially disruptive technological trends needs to factor in a high degree of uncertainty, but this uncertainty is particularly stark in cyber security. Unlike other industries in the broader ICT sector, cyber security evolves around the existence of an adversary: it has to constantly respond to highly unpredictable, destructive activities. Despite best predictions and preparations, it is not possible to know exactly where future attacks will come from and how the sector will reshape in response.

Figure 8 – Potential impact of technological trends on the cyber security sector

Figure 8

Box 1

Boomerangs: Australian-born successes expanding back home

Bugcrowd, Dtex Systems and UpGuard are three dynamic Australian-born cyber security companies that have successfully moved overseas and are now ‘boomeranging’ back home. Founders Casey Ellis (Bugcrowd) and Mohan Koo (Dtex Systems), together with Hamish Hawthorn (COO, UpGuard) are passionate advocates for cyber security and for Australia’s immense local talent. They agree that by encouraging the domestic market to invest in and procure Australian solutions, there is a significant opportunity to grow the nation’s capabilities for economic benefit and establish a globally attractive cyber security ecosystem.

There are common themes threaded through the journey of these companies. Years ago, all left Australia in order to access early-stage capital, be near business mentoring and growth support networks, and grow their customer base.

Bugcrowd is headquartered in San Francisco in the US, with offices in London and Sydney. UpGuard have head offices in the US and Sydney, with offices in Mexico, Spain and New Zealand. Similarly, Dtex Systems have headquarters in Silicon Valley whilst continuing to grow their Australian, US and European business with several offices in Australia and London. All companies built on their overseas success to establish business units in Australia, mostly in research and development, as well as sales support. All are optimistic about Australia’s future as a cyber security leader.

Bugcrowd’s Casey Ellis sees the Australian market improving for startups, as high-value talent and increasing levels of investor capital start to flow. Ellis recognises Australians have many strengths and that organisations, including Bugcrowd, want access to the ‘Australian DNA’ that makes the country’s cyber security professionals so attractive. ‘Australia is world-class at troubleshooting. The world knows it, but Australia doesn’t – yet,’ says Ellis. Establishing a presence in Australia is part of Bugcrowd’s continuing growth and a positive way to engage in the growing local cyber security ecosystem.

Mohan Koo from Dtex Systems firmly believes Australia is now able to seize opportunities in the global cyber security sector and this will generate economic growth for Australia over the next five to 10 years. ‘Australia can be a centre of cyber excellence for the region,’ says Koo. For this to occur, he believes the mindset of Australian businesses and government must evolve to be less conservative by encouraging innovation and buying local cyber security solutions. Koo also sees Australian universities playing a crucial role in fostering growth as part of maturing the ecosystem, with Dtex Systems planning to launch a Centre of Excellence in the new Australian Cyber Collaboration Centre in South Australia in 2020.

UpGuard’s Hamish Hawthorn is keen to see ‘less reliance by large Australian enterprises on traditional suppliers and vendors and a greater willingness to work with Australian technology companies who are solving problems in more innovative ways, in the face of a dynamic cyber risk environment.’ He says building a domestic capability is key to developing a vibrant cyber security ecosystem. Hawthorn attributes his time in Silicon Valley as beneficial to developing and strengthening the product UpGuard now offers, largely due to the intensity of the competition in the US market, but also the Silicon Valley ecosystem that encourages fast learning through iterative development of solutions. This process of innovation is something Hawthorn believes Australia can achieve through continued cultural change and greater risk tolerance for emerging technology.

bugcrowd, Dtext, UpGuard


Box 2

BlackBerry: Leveraging AI to help build a trustworthy digital economy in Australia

Australia has an opportunity to play a critical role in maintaining the integrity of communications in our data-driven world. To be globally competitive, the nation must embrace innovative technologies, big data and new skill sets. However, balancing that transformation against evolving cyber threats, data privacy laws and retaining skilled people is an ongoing challenge.

Australia is a key global market for BlackBerry, now a leading artificial intelligence (AI) security software company. BlackBerry is headquartered in Canada, one of Australia’s sister nations in the global ‘Five Eye’ (FVEY) intelligence-sharing alliance. Both nations also share expansive geographies, innovation hubs and rich natural resources – all underpinned by a common goal to protect data, people and industries, while fostering growth. This is a significant driver of BlackBerry’s investment in the region.

David Nicol, Managing Director of BlackBerry in Australia, says, ‘The intersection of our digital and physical worlds is influencing how Australian organisations approach cyber security and business continuity. Mitigating the human impact of a ransomware-attack in the health sector, for example, requires far more than good cyber policies. It demands fail-safe, secure, real-time communications when something inevitably goes wrong.’

BlackBerry has taken 35+ years of experience in securing millions of smartphones and is now delivering on its mission to secure billions of endpoints. Today, BlackBerry software protects half a billion endpoints globally and this is expanding at pace. To name a few, this includes 150 million vehicles, the NASA space station, traffic control systems, medical devices and power plants.

In Australia, the company helps to protect government and key industries such as finance, energy and education. Customers include: Macquarie University, which uses crisis communications technology to keep staff and students safe; and Melanoma Institute Australia (MIA) and Queensland Investment Corporation (QIC), which use encrypted file-sharing technology to accelerate workplace collaboration and comply with stringent data security and privacy laws. Put simply, BlackBerry provides intelligent security, everywhere, to help enterprises connect, protect and build secure endpoints users can trust.

An important milestone in the company’s transformation was the acquisition of AI-cyber security company, Cylance, in February 2019, further bolstering BlackBerry’s AI capabilities. Customers like the Sydney Opera House, Reece Group and state and federal government departments are taking advantage of BlackBerry’s predictive AI cybersecurity technology to mitigate against next-generation threats and automate tasks, allowing teams to focus on other priorities.

Leveraging new technologies and re-focusing resources is one way to address the cyber skills shortage in Australia, but more needs to be done. Collaboration between government, industry and educational institutions is imperative to foster talent and narrow the gap. That’s one of the many reasons BlackBerry was proud to partner with AustCyber for CyberTaipan in March 2019, helping to foster new skills for the next generation of cyber professionals that will lead our workforce.

Nicol’s says, ‘2020 will be a critical year for Australia to develop and implement a cyber policy and practices to effectively address the next generation of threats, boost skills development and accelerate growth. To build a trustworthy digital economy in Australia, we are helping our customers embrace innovation, focus skilled resources in the right areas and maintain data integrity so they can truly benefit from the prosperity that digitisation can bring to industry and society.’



  1. Internal expenditure on cyber security is more difficult to measure than external spending, as enterprises are often wary of disclosing their investment in internal cyber capabilities due to security concerns. While this plan focuses primarily on external spending, it proposes several actions (including skills development) that would strengthen both outsourced cyber providers and in-house cyber security teams.
  2. IBM Corp (2019). IBM X-Force Threat Intelligence Index. Available at:
  3. Symantec Corp (2019) Internet Security Threat Report. Available at:
  4. Australian Cyber Security Centre (2017), Threat Report. Available at:
  5. Telstra (2019). Telstra Security Report. Available at:
  6. HP (2018), HP Australia IT Security Study. Available at:
  7. This Sector Competitiveness Plan mainly focuses on the delivery of cyber security products and services to organisations. While individuals do purchase cyber security products, they account for less than 6 per cent of global demand. Gartner (2016), Information Security, Worldwide, 2014–2020, 3Q16 Update.
  8. International Telecommunications Union (2018), ‘Definition of cybersecurity’.
    Available at:
  9. Full title: Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
  10. International Data Corporation (2016), Worldwide Security Spending Guide 1H 2016 Update.
  11. Pew Research Center (2016), Global Technology Report, Available at:
  12. McKinsey Quarterly (July 2016). Available at: