SCP - Chapter 3 - The challenge: Australia needs to fill the workforce gap, remove startup barriers and strengthen research and development

Despite the recent growth in Australia’s core cyber workforce, a substantial number of positions remain unfilled because companies can’t find the right talents

3.1 Overview

Four major challenges are detracting from the growth outlook for Australia’s cyber security sector:

• A shortage of job-ready workers
• A lack of focus in research and commercialisation
• Barriers to growth and export for smaller local cyber security providers
• A lack of robust measurement of the sector’s development and economic impact.

The severe shortage of job-ready cyber security workers is a key challenge. It is estimated that Australia may need around 16,600 additional cyber security workers for technical as well as non-technical positions by 2026.

But despite the recent growth in Australia’s core cyber workforce, a substantial number of vacant cyber security positions remain unfilled because companies can’t find the right talents. In a promising sign, the education system has begun to mobilise, with a large number of universities and TAFE colleges launching new cyber security degrees and courses. However, it will take time before this pipeline of graduates is ready to enter the workforce, and even then they may face obstacles because of outdated hiring practices.

In the meantime, Australia’s cyber security sector will need to draw heavily on workers with transferrable skills from other industries, such as the broader IT sector. There are signs that companies could offer stronger training pathways to accelerate the transition of workers from outside the sector into cyber security roles. The section Make Australia the leading centre for cyber security education in Chapter 4 outlines the most promising ways to address these bottlenecks, including stronger partnerships between training institutions and businesses.

Strong research and development (R&D) is the backbone of a thriving cyber security sector. Customers in cyber security, more than in other industries, rely on technological innovation to effectively protect their digital assets from adversaries. Australia’s public spending on cyber security R&D and efforts to foster research collaborations between universities and businesses – viewed as crucial for a vibrant, innovation-driven industry – lack focus and lag other leading cyber nations such as the US and Israel. There are also signs that Australian cyber security startups face greater difficulty to commercialise innovative ideas than their global peers, due to a lack of early-stage venture capital. The section Growing an Australian cyber security ecosystem in Chapter 4 offers some solutions to overcome this challenge, including concentrating Australia’s cyber security research efforts on a small number of topics that match existing strengths and support the three focus segments.

The third challenge is overcoming market barriers that hamper local companies in their efforts to scale their operations and become leading exporters. Many startups lack a clear understanding of customer needs. Many also lack the credibility to win government agencies or large private businesses as anchor customers. GovPitch, an initiative by AustCyber launched in 2017, is removing some hurdles for small companies to become government contractors. However, complex procurement processes in the public and private sector may prevent smaller companies from scaling their operations. The section Exporting Australia’s cyber security to the world in Chapter 4 outlines a range of strategies to tackle these issues, such as relaxing current procurement procedures.

Measuring the cyber security sector is emerging as another important challenge to its continuing development. Despite the growing recognition that cyber security is an essential pillar of the modern economy, there is a significant gap in our understanding of the size and development of the sector, as well as its impacts across the economy at large. This blindspot is due to the twin challenges of poor-quality data and the analytical difficulty of measuring cyber security capabilities embedded within many organisations across all sectors of the economy, in addition to those firms in the ‘vertical’ cyber security sector itself. The section Provide robust measurement of the sector’s development and impact on the Australian economy in Chapter 4 outlines some actions to tackle these issues over the short and long term, such as launching a measurement program that is both credible and easily repeatable.

3.2 Skills and workforce gap

Strong cyber security skills and capabilities are a key driver of economic activity across the Australian economy and are critical for Australia’s future prosperity.

‘Cyber literacy’, or knowing how to effectively protect digital assets, is not only relevant for professionals working in the cyber security sector, it is also becoming a must-have skill for every Australian worker in the digital age, regardless of occupation. All Australian organisations that rely on the internet to conduct business today need a ‘cyber-literate’ workforce that can secure it against routine cyber risks. A robust education in cyber literacy is a foundation for workplace security, and several national initiatives are already helping to raise the cyber literacy of the broader workforce.

This Sector Competitiveness Plan focuses on the specialised professionals working in the cyber security sector. In Australia, this core cyber security workforce continues to grow. However, current growth is insufficient to cover the rapidly increasing demand for cyber security specialists.

Analysis undertaken for AustCyber’s inaugural Sector Competitiveness Plan in 2017 indicated that Australia is facing a severe shortage in specialised cyber security workers.¹

New analysis for this updated 2019 plan reveals that the cyber security skills gap is larger than initially anticipated and is costing both the sector and the broader economy

New education programs are critical for filling the skills gap in the long-term. Over the past year, universities and vocational training providers have accelerated efforts to launch new cyber security courses and degrees. Partnerships with employers are helping to improve the quality of cyber security education by focusing curricula more on industry needs and facilitating more on-the-job training opportunities.

However, the cyber security skills shortage in Australia will remain severe in the medium-term unless employers start offering better pathways for workers to transition from other industries into cyber security roles. Most workers currently taking up roles in the Australian cyber security sector have previously worked in broadly similar roles in IT and other industries. But to develop strong cyber defences, Australia needs to build a more diverse workforce with both technical and non-technical skills. Improving the gender balance will also help the cyber security workforce grow and mature.

The Australian cyber security workforce is growing, but skills shortage still severe

Every workplace requires a cyber-literate workforce. All-employees, including managers and board members, need a basic ability to implement cyber hygiene in the workplace (daily practices and routines to keep online information secure), as seen in Figure 17. Ensuring every Australian worker acquires basic cyber literacy is fundamental to securing Australian workplaces, large and small, from malicious cyber activity.

Public health provides an analogy. A healthy population has a balanced diet, exercises regularly and minimises risky behaviour like smoking and excessive consumption of alcohol. Similarly, in a cyber-literate workforce all workers use strong passwords, can identify suspicious online activity such as phishing emails, and minimise risky online behaviour, including oversharing personal information or using public WIFI without Virtual Private Network (VPN) protection or other adequate defences.

Several national initiatives have been launched to help equip every Australian with the cyber literacy required to thrive in the digital age. This includes programs aimed at improving company directors’ understanding of cyber security.²

The Australian Industry and Skills Committee is currently reviewing the cyber skills workers will need in the future, to develop new common training units across multiple industry approved training packages.³ The intention is to ensure all people skilling or re-skilling through vocational education and training in Australia, regardless of their field of study, will acquire at least a basic competency in cyber security.

Still, at times even the most cyber-literate workers will require expert help from specialised cyber security professionals. Just like the medical profession has different specialists for different ailments, Australia’s core cyber security workforce now consists of a range of specialists.

Many organisations in Australia have begun to build designated teams with specific cyber security knowledge, skills and abilities. These are mostly larger organisations, including big banks, with an in-house requirement for workers with a dominant function and role in cyber security. They are typically lead by a CISO. Organisations may also outsource their cyber security needs and contract cyber security professionals from external specialist providers, such as software or services companies.

Cyber security skills are therefore essential for both:

• a general cyber-literate but non-specialist workforce
• a specialised workforce with technical and non-technical professional cyber security skills (see Figure 17).⁴

Figure 17 – Cyber skill needs in a typical Australian workplace

Growth is not sufficient to meet demand

Latest data indicates that Australia’s core cyber security workforce is growing strongly, but not sufficiently to fill the substantial short-term demand for cyber security professionals.

Australia’s core cyber workforce has increased 13 per cent to around 20,500 workers over the past three years (see Figure 18). While government, industry and educational institutions have all undertaken a range of initiatives to strengthen workforce growth (see Chapter 4 for details), the inevitable delay in any skills system means that the impact of these efforts is yet to be fully realised. Workforce growth has been driven by workers transitioning from adjacent sectors such as IT. Graduates and skilled migration – the two other key sources of supply – have so far contributed relatively little to Australia’s cyber security workforce growth.

Figure 18 – Cyber security workforce

Most workers based in the eastern states

Australia’s core cyber security workforce is concentrated in the eastern states, with New South Wales hosting the largest number of cyber security professionals, closely followed by Victoria (see Figure 19) then Queensland. The Australian Capital Territory (ACT), though small in population, has experienced the fastest growth in the cyber security workforce. Between 2015 and early 2018, the ACT’s core cyber security workforce increased by more than 60 per cent. This is likely a consequence of the Government’s focus on strengthening the cyber defence capabilities of government agencies. The workforce growth is set to continue as the Australian Defence Force (ADF) and other departments continue to expand their cyber teams.⁶

Roles becoming increasingly diverse

As employers adapt their business practices to the digital economy, their requirements for an increasingly diverse range of cyber security specialists has become more apparent. It is no longer useful to think of the cyber security occupation as one uniform job role or skill set.

Today, cyber security comprises a range of technical roles from architecture to operations and newer, multidisciplinary, non-technical roles that incorporate elements of law, risk, communications and psychology.

While the face of the cyber security workforce is changing fast, Australia has not yet adopted a widely accepted skills framework to describe the various cyber security work roles

Other countries have already taken action. For example, the US National Initiative for Cybersecurity Education (NICE) has developed a Workforce Framework to standardise the taxonomy of cyber security occupations (see Box 8). It is a comprehensive, skills-based categorisation of cyber security roles. Companies in the US and other countries are using the framework as a common nomenclature for identifying the skills required in the cyber security workforce.

Figure 19 – Australia's cyber security workforce by state

Structure of NICE Workforce Framework

For Australia, the NICE Framework offers a template to understand the skill needs of its cyber security workforce. This is particularly important for policymakers and company executives who are looking for ways to overcome the current skills shortage.

Using the NICE Framework, the makeup of the cyber security workforce can be explored in detail. As shown in Figure 18, most cyber security workers in Australia currently work in roles related to building, buying and operating secure IT systems (Securely Provision, Operate and Maintain, Protect and Defend). Meanwhile, workers tasked with cyber-related intelligence and law enforcement activities (Collect and Operate and Investigate) are occupying a niche. Overall, the composition of the Australian cyber workforce is broadly comparable with the US workforce, though with a greater emphasis on identification and mitigation of threats, and leadership and management of cyber security (Protect and Defend and Oversee and Govern).

There is a tendency to think that the cyber security workforce consists only of highly technical professionals. However, today’s cyber security workforce encompasses a variety of roles and responsibilities that require non-technical skills and abilities. For example, the Oversee and Govern category includes legal advice, cybersecurity management, strategic planning and policy, training education and awareness, and change management. Employers report in interviews that ‘soft skills’, including the ability to work in teams across an organisation and to communicate clearly (both verbally and in writing), are important across almost all cyber roles, and are often in short supply. These skills ensure that the cyber function within an organisation is able to effectively engage across other parts of the organisation and implement processes and practices that recognise and respond to the human dimension of cyber security.

Employers have also noted in interviews that cyber defences are most effective if an organisation employs a diverse team of cyber security specialists – people with different backgrounds and viewpoints, and a wide range of skills. Building real workplace diversity goes beyond pure skills. It also requires a balance of cultures and gender among staff.

‘We need people from more diverse backgrounds, a diversity of thought is essential for our cyber defences us.’
Cyber security manager of an ASX 100 company

Despite this acknowledgement, the gender diversity in the Australian cyber security sector remains weak. The share of women working as ICT Security Specialists has declined from 22 per cent to 19 per cent over the 10 years to 2016, according to the Australian Census of Population and Housing.⁸ Australia appears to perform better on this measure than global peers, with evidence suggesting only 14 per cent of cyber security professionals in North America and seven per cent in Europe are female.⁹ However, much more has to be done to improve the gender balance in Australia’s cyber security sector.

Job market indicators show employers are struggling to fill cyber security roles

The first version of this Sector Competitiveness Plan, published in 2017, noted that Australia’s cyber security sector is grappling with a substantial skills shortage – an assessment that relied largely on anecdotal and survey evidence. For example, in 2016, three out of four local cyber security professionals surveyed by the Australian Information Security Association (AISA) said their industry is facing a severe skills shortage, as shown in Figure 20. A similar survey, undertaken by the Centre for Strategic & International Studies (CSIS) and Intel Security across eight countries, paints an even more concerning picture. It reveals that the talent drought affecting the Australian cyber security sector is one of the worst in the world: 88 per cent of Australian cyber security professionals observe a skills shortage in their industry. Extensive interviews with cyber security users and providers in Australia support the survey results.

The talent drought affecting the Australian cyber security sector is perceived to be one of the worst in the world

Figure 20 – AISA survey (2016) and CSIS survey (2016)

Skills shortage more severe than expected

This updated Sector Competitiveness Plan provides further insight into the workforce, with an estimate of the severity of Australia’s cyber skills shortage. New research, undertaken exclusively for this plan update, draws on a range of job market data to show that the skills shortage in Australia’s cyber security sector is more severe than expected and is already creating real economic costs.

Despite the recent growth in Australia’s core cyber workforce, companies have been struggling to fill a substantial number of vacant cyber security positions. Figure 21 aggregates data across wages, recruitment failure rates, the time to fill a position, and the size of the potential candidate pool (job market depth). All indicators strongly point to a substantial skills shortage in the Australian cyber security sector.

Wage premium: Wages are high across the cyber security profession with a $12,000 average wage premium paid for a cyber security worker over an IT worker. Cyber security workers in all but one NICE category (Operate and Maintain) earn more on average than the average IT salary. Roles in management and leadership, and involving design and build of cyber systems, are currently commanding the highest salaries, with average wage premiums of more than $20,000 above general IT. This may partly reflect more acute shortages, but also the level of experience and specialisation required to perform these roles.

‘We are offering workers $100k plus, who are getting their first job in cyber.’
CISO, large Australian company

Recruitment failure rate: Labour market research on IT professions from the Australian Department of Jobs and Small Business shows that 42 per cent of ICT Security Specialist vacancies in Australia went unfilled in 2015 – significantly more than the average recruitment failure rate of 33 per cent across the broader IT sector.¹⁰ The research also found there were on average only 1.7 suitable applicants per vacancy for ICT Security Specialists, which was the lowest number across all IT professions studied.

Recruitment time: Recruitment difficulties appear widespread in the cyber sector. Interviews with industry participants suggest it takes 20 to 30 per cent longer to fill a cyber security role compared with roles in the IT sector.

‘We can find the right people, but it can take much longer than for other jobs, it can take two or three months of searching.’
Cyber security manager, large Australian company

Job market depth: Job market depth is defined as the number of people employed in an industry per job ad, which is used as a proxy measure for worker supply. The job market for cyber security has less depth than either IT or the broader economy, with less than seven people employed in the sector for every job ad.

Any of these job market indicators, when looked at in isolation, would not provide conclusive evidence that Australia’s cyber security sector is facing a skills shortage. However, the fact that all four indicators point in the same direction – significantly tighter conditions than either the wider IT sector or the workforce as a whole – clearly demonstrates that cyber security is facing major labour market constraints.

Figure 21 – Skills shortage indicators in cyber security

The skills shortage is costing the sector and the wider economy

Measuring the precise size of a skills shortage is difficult because of the dynamic nature of labour markets. Calculations using a range of methodologies, based on a combination of the job market indicators described above, suggest Australia’s cyber security sector was short 800 to 2,300 workers in 2017. That is equivalent to roughly 4 to 12 per cent of the total Australian cyber workforce in that year (see Figure 22).¹¹ This is likely to be a conservative estimate because it is based on only observable labour market behaviour and does not account for depressed growth expectations as a result of the perception of the shortage. In other words, employers know it will be difficult to find cyber workers at wages they can afford, so they never create or advertise positions they might like to fill.

The workforce shortfall has significant economic consequences. The cyber security sector is estimated to have forfeited up to $405 million in revenue and wages in 2017, which it could have generated if companies had been able to find the cyber security workers to fill existing vacancies.

The cyber security sector is estimated to have forfeited up to $405 million in revenue and wages in 2017

This loss of revenue and wages only represents the direct cost to the cyber sector. The cost to the wider economy is likely many times greater because the skills shortage in the cyber security sector has a ripple effect throughout the economy that would propel the true economic cost far higher. As the cyber sector is a critical enabler of broader economic activity, workforce constraints can curtail revenue growth in the wider economy. For example, a lack of security staff could make an organisation more prone to cyber attacks, which would undermine business and consumer confidence and lower the productivity of workers because of service downtime. It is difficult to accurately estimate the indirect economic costs of the skills shortage due to limited data on the economic benefits of cyber investments and, conversely, the consequences of cyber breaches (see Size of the prize in Chapter 2 for further discussion). However, anecdotal evidence suggests the shortage of cyber skills is already causing organisations to slow their digital transformations.

Figure 22 – Estimated cyber security workforce supply shortage

Lack of skilled workers is not the only cause of the skills shortage

The apparent lack of skilled workers is not surprising given cyber is a young and emerging profession that has faced rapid demand growth and limited educational pathways. It is also a product of the increased need for cyber security experts and broader cyber security awareness and literacy among all workers in a period of rapid digitisation in a fast-moving technological landscape.

In addition, there are signs that employers’ hiring practices may be exacerbating the lack of skilled workers. For instance, two-thirds of information and cyber security professionals surveyed by the Australian Information Security Association in 2016 cited management’s failure to understand skills requirements as a key driver of the current cyber skills shortage, while just over half said employers were reluctant to recruit and train entry-level candidates for cyber security roles.¹²

‘HR writes position descriptions based on things that they know how to assess, like qualifications and experience. The new cyber security workforce doesn’t yet have these qualifications or experience.’ CISO, large Australian company

An analysis of cyber security job ads supports the survey findings. As shown in Figure 23, employers advertising cyber roles tend to demand more work experience from cyber security professionals compared with other workers in the broader IT and professional services sector. On average, one-third of cyber security job ads request more than eight years of experience. In some roles (for example, in the NICE Collect and Operate category), almost half (49 per cent) of all job ads demand such extensive experience.

Figure 23 – Breakdown of job ads by experience requested

With continued strong demand forecast, the shortage is likely to persist

Demand for cyber security workers is set to remain strong in coming years, meaning the skills shortage will not ease without consistent efforts to increase supply. As shown in Figure 24, the sector could require up to 16,600 additional workers by 2026.

This estimate is made up of several components:

• The first Sector Competitiveness Plan in 2017 identified an additional 11,000 workers would be needed by 2026 just to meet the current growth of cyber security needs in Australia (business-as-usual demand). There has been some progress over the past 2 years, with around 1,700 workers added to the sector.
• However, the current skills shortage of up to 2,300 cyber security workers still needs to be filled.
• Up to 5,000 more workers could be required if the cyber sector significantly lifted its performance in three key areas identified in Chapter 2.

Australia's cyber security sector could require up to 16,000 additional workers by 2026

Figure 24 – Forecast additional cyber security workers in 2026

Australia’s education system is mobilising, but faces risks

Education and training providers play an important role in supporting the expansion of Australia’s cyber security sector. Companies will only be able to draw on new cyber security talent if TAFEs and universities offer a wide variety of cyber security qualifications that are attractive to students and relevant to employer needs. Encouragingly, the education system has begun to mobilise over the past several years. A significant number of TAFEs and universities are now offering courses or degrees in cyber security.

However, there are risks to this mobilisation that Australia needs to address.

• Student demand will need to grow strongly to fill the new courses being created. Improving the cyber security talent pipeline needs to start in primary and secondary schools. The more schools encourage students to consider a career in cyber security, and the more they foster early skills, the higher the quality of students in the tertiary education system will be. This means schools should place greater emphasis on developing cyber security skills in curricular and extracurricular programs as pathways to higher education.
• High schools and tertiary education providers must find ways to encourage more female students to pursue cyber security related programs to help improve gender diversity in the industry.
• Shortages of teaching staff are affecting universities and TAFEs.
• There is lack of funding for the required technical infrastructure, like cyber ranges (virtual or physical spaces for simulating real-world scenarios) and cyber labs, to train the next generation of cyber security workers.
• Rapid growth in educational programs poses a risk to course quality. Yet high-quality education that matches industry needs is essential to ensure graduates acquire the right skills to find a job.

Universities and TAFEs are launching new cyber-specific courses

TAFEs and universities around the country have rapidly expanded their cyber security program offering in recent years, often in close partnership with industry. Approximately half of all universities in Australia are now offering cyber security as a specific degree or as a major in IT or computer science university qualifications. Another quarter offer at least some cyber security course units. As of March 2018, only 20 per cent of Australian universities do not yet offer any cyber security units or courses. This led total enrolments and completions in university courses classified as security science to almost double between 2012 and 2016.¹³

Approximately half of Australia’s universities now offer cyber security as a specific degree or a major in IT or computer science qualifications

Multidisciplinary cyber courses are becoming increasingly common in Australia. The University of Western Sydney now offers a Bachelor in Cyber Security and Behaviour, which focuses on the human and technical sides of cybercrime and includes a number of units in psychology. The University of New South Wales Canberra now offers a Master in Cyber Security, Strategy and Diplomacy in the School of Humanities and Social Sciences. This interdisciplinary course focuses on the interplay between cyber security, strategy and diplomacy. Latest course trends reflect the evolution of cyber security education outside its traditional home in ICT faculties and departments as well as the growing demand from employers for graduates with strong policy writing, risk management and strategy skills to work in cyber security related roles in their organisations.

The vocational education and training sector is also increasing the emphasis on cyber security education. Leading TAFEs around the country joined forces in late 2017, coordinated nationally by AustCyber, to play a greater role in providing nationally consistent cyber security training. Box Hill Institute in Victoria has been paving the way with the development of two new cyber security certificate and diploma-level courses that are now being taught across the country. These offerings help to diversify the range of education pathways into the cyber security sector and provide a high-quality vocational cyber security training option that is in high demand by Australian employers.

Together, the new cyber-specific degrees and courses will have a strong positive impact on Australia’s future cyber security workforce supply. It is expected that even without the addition of further courses or new institutions teaching cyber, current plans could see the number of cyber graduates increase from around 500 per year in 2017 to about 2,000 a year in 2026. Assuming the quality of graduates remains strong, this growth will make a significant contribution to closing the skills shortage and meeting employer demand for cyber security workers in the long-term.

Together, the new cyber-specific degrees and courses will have a strong positive impact on Australia's future cyber security workforce supply. It is expected that even without the addition of further courses or new institutions teaching cyber, current plans could see the number of cyber graduates increase from around 500 per year in 2017 to about 2,000 a year in 2026. Assuming the quality of graduates remains strong, this growth will make a significant contribution to closing the skills shortage and meeting employer demand for cyber security workers in the long-term.

Risks to the quality and sustainability of cyber education need to be addressed

Despite the push by various education providers to increase cyber security study opportunities, the projections of strong growth in high-quality graduates will not be realisable without addressing a range of risks.

The education system’s success in generating a sufficient amount of work-ready cyber security graduates to meet the market demand depends on three key factors:

• student demand for cyber courses
• the sustainability of cyber education
• the quality of the courses in generating job-ready graduates.

Student demand for cyber courses: The number of training places in cyber security education has expanded rapidly and is forecast to continue to grow strongly. To fill these places, student demand also needs to increase significantly and remain of high quality.

A critical barrier complicating efforts by universities and TAFEs to increase the number of skilled graduates is the low level of awareness of cyber security careers among school students. For example, surveys suggest that many Australian secondary students, unlike peers in the UK and the US, are not aware of cyber security careers pathways and job options. Unless this is remedied, post-secondary student demand for cyber security education may not increase fast enough. Tertiary education providers need to ensure cyber security is seen as a desirable study option to attract the best and most motivated students (see Figure 25).

Figure 25 – Students noting cyber being mentioned in schooling

Cyber security should be explicitly taught as part of the Digital Technologies component of the National Curriculum. By not doing so, Australia is failing to seize an opportunity to strengthen the cyber security talent pipeline. The next update of the Curriculum is due in 2020. In the meantime, the Curriculum could be enriched by adding cyber-specific learning and teaching resources to the ‘Digital Technologies Hub’, which supports the Curriculum with practical lesson plans, case studies, advice and activities to be included in relevant classes. An increased focus on cyber security in the National Curriculum will help build interest in cyber careers and will the cyber literacy of all students, which is critical for improving cyber hygiene and understanding in the broader Australian workforce.

Cyber security challenges play an important role in developing and testing practical skills while generating interest in cyber security careers. For example, the ‘CyberPatriot’ program in the US is a competition where teams of high school students can experience the work day of IT professionals with responsibility for managing the network of a small company. Teams are tasked with identifying cyber security vulnerabilities and increasing the robustness of the system. Successful students earn both national recognition and scholarship money for further studies. The competition has proven to lift the profile and awareness of cyber security careers. Implementing a similar competition in Australian high schools would almost certainly have the same affect.

Implementing more focused cyber security competitions and awareness programs is as vital as improving the gender diversity in the industry. TAFE data shows that female enrolment in the new vocational cyber certificates and diplomas is as low as 9 per cent, and as high as 20 per cent at best. Unless targeted measures encourage more girls to opt for a career in cyber security, the core cyber security workforce will not develop the diversity it needs to ensure quality and relevance. School programs need to explicitly address this gender challenge in their design. Scandinavian research shows that girls, on average, start to lose interest in STEM subjects at the age of seven and most have lost interest by the age of 14. While no comparable research exists for Australia, the study highlights the importance of school education for future career paths.

Sustainability of cyber education:The increase in cyber security courses over the last few years will only be sustainable with sufficient teaching staff and a stable financial model for providers. Most education providers are reporting difficulties in attracting and retaining skilled cyber security teachers, largely because high-quality cyber security teachers are demanding above-average pay. In some cases, salaries for cyber security professionals in teaching roles are more than 45 per cent lower than salaries for other cyber security practitioners (see Figure 26). Education providers will likely continue to compete for skilled cyber security staff, as the number of cyber security teachers required to meet the skills shortage may triple over the next five years.

‘Salary is a real issue for us. We can’t pay anywhere near what industry can pay.’
TAFE program manager

Vocational institutions appear particularly limited to pay higher wages because of financial constraints and enterprise agreements. The problem could worsen if wage growth in the cyber security sector remains strong and demand for teaching staff expands as expected.

Universities are also feeling the pressure. They are not only competing with industry, but also with universities around the world, which can often offer higher salaries and more prestige. Some cyber security professionals are also discouraged from teaching in universities because they are not interested in an academic role or lack the aptitude for academic research.

An increased focus on cyber security in the National Curriculum will help build interest in cyber careers

Figure 26 – Average salary range in the cyber industry and in cyber education

Some institutions are investigating new ways of online education and synchronous remote teaching (through video-conferencing and online chat) to use their existing teachers most efficiently. However, e-learning may have an adverse effect if students fail to obtain the practical, hands-on skills that employers demand. Partnerships with industry have allowed course providers to draw on guest lecturers to supplement their permanent teachers – for example, cyber security staff from Commonwealth Bank of Australia have been guest lecturers at University of New South Wales – but to date this approach is only operating at a relatively small scale.

Many education providers also struggle to pay the establishment and maintenance costs of launching new cyber security courses and degrees. Cyber security education can involve significant upfront investments in teaching infrastructure, including cyber security labs, cyber security ranges (virtual or physical spaces for simulating real-world scenarios), and specialised computer hardware and software. In most other disciplines, the technical infrastructure required for the practical delivery of programs has built up over a longer period of time. Education institutions delivering cyber security programs are therefore on the back foot. They need to be able to rapidly deploy and maintain the technical infrastructure required to produce world-class graduates.

‘We could train 300 to 500 people, but we cannot afford to pay for all the infrastructure. Government expects that industry will pay for it, but this is not happening.’
Vocational Education and Training manager in cyber security

Course fees are typically not sufficient to cover these large infrastructure costs, particularly in vocational education and training courses. While both New South Wales and Victoria have supported the new nationally consistent Certificate IV in Cyber Security by placing it on their state skills shortage lists, total fees (government subsidy and student payable fee) for that course are around 9 per cent lower than total fees for a comparable Certificate IV in Information Technology.¹⁴

Universities are facing similar challenges but can usually draw on larger financial resources. Several Australian universities have also been able to attract industry support for investments in educational infrastructure. For example, the Commonwealth Bank of Australia’s partnership with University of New South Wales has provided funding for a new lab for experimental, hands-on teaching. Edith Cowan University and Melbourne University have also received additional funding for their cyber security education and research through the Australian Government’s Academic Centres of Cyber Security Excellence program – a total commitment of $1.9 million over four years. There is a risk that without a more strategic approach to investment in cyber security teaching infrastructure, the hands-on skills development will not meet these needs of employers.

Course quality: The current expansion of cyber security courses in Australia is healthy and necessary. However, maintaining course quality is essential. A flood of new cyber security education providers will heighten the competition for teaching staff, who are already in critically short supply. This poses a considerable risk to the quality of graduates.

Education providers may also struggle to build a curriculum that is responsive to market changes. Cyber security is a fast-evolving industry where technology and industry needs are continuously changing. Courses need to be flexible and responsive to these changes and designed with ongoing input from industry.

At present, there is no accreditation model in Australia designed specifically for cyber security courses. This is in contrast to the US and UK, where governments have established accreditation programs.¹⁵ The Australian Computer Society (ACS) already accredits IT education programs using the ICT Profession Core Body of Knowledge (CBOK). The Academic Centres of Cyber Security Excellence model could play a role similar to accreditation, but to date only two universities have received support under the program and there are no plans for further rounds.

Strong partnerships between education providers and industry have helped to shape curricula that meet employer needs. However, it will be hard to keep industry involved as more education providers enter the market with their own cyber security offerings. Industry, especially large financial companies and telecommunications companies, are likely to concentrate their time and resources on a few high-performing institutions. This will likely leave some education providers struggling to be responsive to the changing needs of industry and technological progress.

Employers are looking for verifiable proof that new hires have the skills required to do the job. A cyber security challenge model can help them identify talented individuals suited to a career in cyber security. Companies around the world, including Barclays, are increasingly running and sponsoring such challenges to identify and recruit the next generation of cyber security professionals.¹⁶ In Australia, CySCA – Cyber Security Challenge Australia, a partnership between government, business and educational institutions – is the preeminent program for TAFE and university students. Cyber Security challenges could be used as part of an accreditation process. They offer employers an opportunity to identify the best performing educational institutions and the best performing students.

Interviews suggest that the quality of cyber security courses can suffer if work-integrated learning opportunities are missing. Work-integrated learning is embedding meaningful industry projects or placements into an academic program of study. It has been shown to improve graduate employment outcomes by developing more job-ready skills. Research for the Office of the Chief Scientist finds that less than half of IT students in Australian universities have an opportunity to do an industry placement.¹⁷ Work-integrated learning is particularly important in the cyber security sector because there is a greater need for employees to think strategically beyond technical IT tasks.

Various models of industry placement could easily be adapted to cyber security education in Australia. For example, industry-funded scholarship programs, known to some universities as ‘co-op’ scholarships, have been used effectively in disciplines such as information systems, accounting and engineering. The UK has improved the availability of work-integrated learning by developing professional apprenticeships, including in cyber security, where students combine employment with part-time study to achieve a diploma or bachelor-level qualification. Australia is currently piloting higher apprenticeships with one stream of IT apprenticeships.¹⁸ The pilot program has been running since 2016, and 200 apprentices will complete the program at the end of 2018. AustCyber has commenced discussions about setting up a cyber security apprenticeship stream in this program.

It is critical to enable more workers to transition into cyber security

Given the time lag for the formal education system to graduate students from specialist cyber security qualifications, workers with applicable skills-sets who may want to transition into a cyber security work role will be very important to grow the cyber security workforce in the near-term. While graduate supply is now accelerating and provides a clear path to close the gap between demand and supply in cyber security skills, it will take some time until the supply pipeline of graduates is large enough to fully meet workforce demand (see Figure 35). To close the cyber security skills gap in the short- and medium-term, workers from the broader IT sector and other industries with relevant knowledge, skills and abilities will need to transition into the cyber security workforce.

Figure 27 – Cyber workforce demand and supply

As detailed in Figure 28, a breakdown of the IT occupations most relevant to the technical roles required in the cyber security workforce reveals a large stock of IT workers with potentially transferable skills. People in IT occupations who are highly suited for a career shift to cyber security include Software and Applications Programmers, IT Support Technicians, and IT Managers. Workers from other industries with experience in risk oversight, regulatory management and incident response could also potentially transition into cyber security. This may include lawyers, people in risk management, and communications professionals.

There is a significant opportunity to adapt the skills of existing IT professionals to enable them to take up more specific cyber security roles

Between 2011 and 2016, more than 70 per cent of workers who became IT Security Specialists (the only cyber security-specific occupation classification currently tracked by the Australian Bureau of Statistics) came from other IT occupations. This is a strong sign that there is a large pool of workers currently employed in the broader IT sector with transferrable skills and who could transition into more specific cyber security roles. Most of those who transitioned between 2011 and 2016 were IT and Telecommunications Technicians, followed by IT Network and Support Professionals, and Systems Analysts Programmers.

However, it is also evident that there is a lack of workers transitioning into the cyber security sector from industries outside IT. This is largely because current recruiting practices still place strong emphasis on technical skills. This is despite the well-acknowledged need to improve the ‘soft skills’ and diversity of workers in the sector. There is also a lack of public understanding of the range of different career paths spanning technical and non-technical cyber security roles.

Figure 28 – Employment in the top 5 occupations relevant to cyber security

The new national vocational training curriculum in cyber security is opening up new pathways for workers from other industries to transition into the cyber security sector. Early evidence suggests that students opting for the new vocational cyber security training are older than the average vocational education and training student. At two of the institutions offering the courses, more than half this student cohort was over 30.

‘The average age is 30 to 35 in our courses. Students are coming from diverse backgrounds wanting to develop skills in cyber security.’ Vocational education and training manager

Ensuring training options for transitioning workers, while critical, is not sufficient. A number of other enablers need to be in place to support workers to transition into the cyber security sector.

Employer-led transition is currently limited to larger organisations

Interview evidence suggests that at the moment the greatest emphasis on transition into cyber security is employer-led, or within organisations. This is a critical mechanism to facilitate transition, as employers are well-placed to guide and fund workers through the transition journey. Large employers (for example, banks and government) in particular have the greatest capacity to transition their workforces as they have the scale and resources necessary to offer internal mobility to their workers. Transition within small to medium-sized organisations is more limited but could be boosted if these companies have access to clear transition models that help them identify target workers, assess what additional skill-sets they require, and find the means internally or externally to skill them appropriately.

Large organisations that are already successfully training workers from various backgrounds to shift into cyber security roles have identified five steps for effective workplace transitions:

1. Map out the cyber workforce needs of the organisation over the next two to three years, using a skills framework if helpful, and identify roles that can be effectively filled with transitioning workers.

2. Identify sources of high potential, non-cyber employees who could transition to cyber. Key functions to look for within the organisation are IT, risk management, communications and legal.

3. Offer an attractive opportunity to potential cyber employees including a clear career path, training opportunities, good salary and engaging job tasks/activities. The fast growth of cyber may also offer faster progression to management opportunities than other functions within the organisation.

4. Train and support transitioning workers through internal mentoring and on-the-job training, and private internal or external short-course training programs, such as SANS or micro-credentials. Many organisations are using executive education courses instead of full university degree courses to train workers in transition. This is because university degrees tend to take longer and cost more than executive education.

5. Leverage the newly transitioned workers to provide mentoring to the next ‘tranche’ of potential cyber employees, allowing rapid scaling of the workforce.

Further developing these steps into a model for employer-led transition that small to medium-sized organisations can quickly apply, and socialising through industry associations will support improved flow of workers through employer-led transition programs.

Worker-led transition requires better access to information and training, and more support from employers

Worker-led transition is also a key mechanism to help bridge the cyber security skills gap. It has substantial potential to scale (as it draws upon a wide pool of potential workers across the economy) but it is more complex that employer-led transition. Workers must independently move through several stages, as illustrated in Figure 29. They must independently gather information on transition, undertake training, and find employment in the cyber security workforce, bearing the full burden and costs of transition themselves.

A worker’s progress through the transition journey relies on several enablers at each stage. For example, at the beginning when a worker considers transitioning they require information on the cyber security sector – what it is, why it matters, the wages offered and potential career paths. Further down the transition journey, they need an understanding of their skills match, training requirements, access to training places and job placement services.

Figure 29 – The transition journey – worker-led transition

The most critical enabler to facilitate transition is access to information (such as cyber careers and pathways), training access, training affordability, and employer attitudes.

Information access: Currently there is very limited information available to those outside the cyber sector on cyber careers and the sector more broadly. The available information is scattered, not necessarily cyber-specific, and not tailored for people unfamiliar with the sector. There is an opportunity to build on existing platforms for example, the Government’s JobOutlook website hosts information on IT occupations – including ICT Security Specialist.¹⁹ This includes information about average weekly pay, future growth, and degree levels required. Enhancing this to include information on career pathways and broader work roles that require cyber security skills would assist people considering a transition to the sector.

In addition, there is no clear source of information to help potential workers understand the training requirements for different cyber roles. This increases uncertainty around the transition process and amplifies risk that workers who could transition into a cyber security role will not have the required information to make an informed decision.

Workers considering a career change into cyber security need a centralised source of information about pathways into the sector. Cyberseek, funded by NICE in the US, is a good example.²⁰ It provides up-to-date data on supply and demand in the US cybersecurity job market via interactive visual tools, including heat maps that show worker demand and supply per state. The website also outlines cyber security career pathways and offers key information such as average salaries, required skills/certifications, and the number of job openings. Australia could explore implementing a similar tool to Cyberseek.

Figure 30 – Costs of different cyber training programs

Affordability of training: Training affordability is also a key issue for worker-led transition. While course numbers and places have grown rapidly in recent years, the majority of cyber training places are still concentrated in longer, more expensive courses, such as bachelor’s or master’s degrees, which can cost $30,000 to $55,000 (see Figure 30).

Even though these course fees can usually be deferred through FEE-HELP, accumulating transition-related debts could be a barrier to workers shifting to cyber. More intensive, shorter courses of good quality would ease the transition burden for potential workers and help stimulate the supply of cyber workers in the short- to medium-term. This would also minimise the costs to employers from employer-led transition, as training costs would be lower, workers would not need to take as much time away from work to retrain, and they would transition faster.

Universities and TAFEs are not the only institutions with a role to play. There is scope for select high-quality private providers of niche cyber security education and training to supplement the selection of short courses currently on offer. Private sector training organisations such as Ionize and UXC Saltbush provide training for the Australian Signals Directorate’s Information Security Registered Assessors Program (IRAP). Overall, however, there is still plenty of scope for high-quality training providers as well as universities to broaden their course offering to include shorter, more targeted cyber security training to help with the transition process.

Employer attitudes: Industry interviews suggest that employers, especially small to medium-sized organisations, are still reluctant to hire transitioning workers. Employers perceive these potential workers as risky prospects, lacking experience and job-readiness. To help resolve the cyber skills gap, employers need to broaden their hiring strategies. Instead of relying on rigid ‘check-box’ recruiting that focuses heavily on work experience, employers need to look for translatable skills for specific cyber security work roles as a way of identifying promising candidates.

To help resolve the cyber skills gap, employers need to broaden their hiring strategies.

A transition model for employers could help in this respect. A clear transition blueprint for companies of different sizes would minimise the risks associated with identifying suitable workers and training them appropriately.

Placement services could also have a role in changing attitudes within the sector. Given their intimate knowledge of recruiting and their relationships with companies, they could be influential in challenging the prevailing recruitment methods, which over-emphasise technical skills and experience. Some placement services are already using unorthodox approaches to change employer perceptions, pitting their transitioning cyber candidates against in-house cyber teams of major companies in hackathons to demonstrate their capabilities.

The section Make Australia the leading centre for cyber security education in Chapter 4 lists a range of actions that could help Australia build a strong, high-quality cyber education system, including support for educational infrastructure and expansion of school programs to build a talent pipeline.

3.3 Research and commercialisation

Cyber security companies are operating in a competitive and rapidly changing market environment, in which technology is a key ingredient for success. The growing sophistication of cyber adversaries forces security providers to constantly stay ahead of the curve by developing ever-more innovative products. Australia’s cyber security research capability is strong. However, several factors undermine the country’s innovative strength. Australia lacks nationally coordinated and collaborative R&D in cyber security. Another major problem is the difficulty for many researchers to turn new and innovative technologies into marketable products that truly meet customer needs. To improve this technological transition, Australia needs to strengthen its pre- and post-R&D activities, such as supporting researchers to engage with industry to identify problems and reach out to potential investors.

Australia lacks nationally coordinated and collaborative R&D in cyber security

Competitiveness in cyber security is highly dependent on R&D

Australian cyber security providers can compete on price or on value – for example, by providing products that are easier to use or technically more advanced, or by offering stronger support services.

Australian providers can also compete on scope, for example, by offering a more comprehensive array of products and services. Analysis of the attributes that matter most to cyber security customers when choosing a vendor gives valuable insight into what makes a cyber security company competitive.

A survey of leading CIOs and CISOs for this Sector Competitiveness Plan reveals that customer appeal of cyber security companies largely hinges on technological leadership (see Figure 31). This is particularly true for software. Australian CIOs and CISOs overwhelmingly said they consider effective technology the most important factor when weighing the purchase of cyber security software.²¹

Figure 31 – Most relevant purchasing factors for organisations when selecting a cyber security products vendor, 2017*

‘Tech is essential, but it has to be effective and tailored to our problem. Many companies focus on technological edge without solving a real problem for their customers.’
Australian private sector CISO

Unearthing new ideas

Developing effective technologies is resource-intensive because it requires companies and research institutions to invest heavily in R&D and collaborate to unearth new ideas and commercialise them. Governments can support these efforts, either directly through research grants and targeted funding programs or indirectly via R&D tax incentives. For example, governments can provide funds to research institutions or government agencies with the aim of boosting R&D. Governments can also fund programs to improve research collaboration between universities and industry.

Translating ideas into products

Post-R&D activities are equally important. The most innovative idea will fail to make an impact if it finds no user. Researchers and inventors need strong support from government funding agencies and industry partners to improve the success rate of transitioning innovative cyber security technologies into real world products that customers want to buy.²² This will involve broadening the scope of transition activities and exposing new technologies and tools to a wider audience. Australia could do more to bridge the gap between researchers and vendors, sometimes described as a ‘valley of death’.

Leading countries in the global market for cyber security software, such as the US and Israel, are conscious of the link between technological innovation and market success, and invest heavily in R&D.

Figure 32 – Global cyber security software market share by company domicile

For example, the market power of American cyber security software companies coincides with a significant commitment to R&D. These companies are the leading vendors in the global market, generating 61 per cent of the US$26.4 billion of total cyber security software sales worldwide in 2015, as shown in Figure 32. They invest more than US$200 million each year to invent and develop new cyber security technologies. The US government adds further weight to the sector by providing additional R&D funding of more than US$500 million per year.

Israel, traditionally boasting some of the highest defence spending in the world, also provides strong government support for cyber security R&D. Israeli companies form the second-strongest vendor group in the global market for cyber security software, accounting for 18 per cent of total sales worldwide. Israel’s Office of the Chief Scientist is frequently cited as the country’s largest single investor in cyber security research, but official budget numbers are not readily available.

Several other countries have begun to catch up in recent years, but their R&D budgets for cyber security still appear modest compared to US and Israel. For example:

• The United Kingdom government has developed a Defence and Cyber Innovation Fund worth more than US$200 million (GB£165 million) to develop innovative cyber security technologies and products. The investment is part of the country’s National Security Strategy, which will inject the equivalent of US$2.37 billion (GB£1.9 billion) into the British cyber security sector through to 2021. Some of the money will fund ‘cyber startups and academics to help them commercialise cutting-edge research and attract investment from the private sector’.²³
• The Government of Singapore recently announced a five-year plan to build new R&D expertise and improve its cyber security capabilities. The National Cybersecurity R&D Programme is investing around US$20 million per year (equivalent to S$130 million over the five years) in cyber security research and innovation.²⁴
• The Australian Government has made cyber security a national priority for science and research. Current expenditure on cyber security R&D, as shown in Figure 33, is estimated to be approximately A$81 million per year, which excludes R&D support through the national R&D tax incentive and research block grants to universities.²⁵

Several potential sources of finance for cyber security research remain largely untapped

Cyber security research needs a stronger focus

Australian organisations undertaking cyber security R&D need to be more competitive for public research funding, for example, by better articulating commercialisation pathways and the potential for economy wide benefits. Similarly, funding agencies could improve their understanding of cyber security’s importance to the entire Australian economy, and how improving our cyber security R&D outcomes would make Australia a world leader. A breakdown of available grant schemes, as shown in Figure 33 indicates several potential sources of finance for cyber security research remain largely untapped.

Block grants to universities are generally the most important channel to directly fund R&D activities in Australia. In 2015, the Australian Government granted universities almost A$1.8 billion to support their R&D work. Block grants are awarded on a yearly basis based on a university’s performance in attracting research income and the successful completion of higher degree by research students. When awarded block grant funding, universities have complete autonomy in deciding how the grant is administered across its research portfolio.

However, due to difficulties in collecting block grant data, the extent to which these funding tools are currently used to finance cyber security R&D is unclear. It is fair to assume, however, that Australia still has scope to increase the use of university block grants for cyber security R&D funding A new industry-led Cyber Security CRC, announced in late 2017, will be critical to strengthening Australia’s cyber security R&D capabilities. The Australian Government will invest $50 million in the Centre over the seven years to 2024. This is in addition to about $90 million in funding from a consortium of 25 government, research and business partners led by the Cyber Security CRC. The CRC represents a coordinated research effort focused on delivering real-world cyber security solutions (Box 13).

Figure 33 – Existing and potential sources of funding for cyber security R&D in Australia ^#

The Department of Defence is another major potential funding source for cyber security research. In the fiscal year ending June 2017, the Department paid businesses, academia and research organisations an estimated A$160 million to help develop new, innovative technologies for military use.²⁶ The Department’s Defence, Science and Technology Group, the second largest publicly funded R&D organisation in Australia, just launched the Next Generation Technology Fund, which can invest over $730 million over the decade to June 2026 into emerging early-stage technologies of strategic value to Australia’s defence forces. Cyber security is one of the fund’s nine priority areas.

Cyber security researchers may also be able to make better use of the CSIRO Innovation Fund. This joint government-private sector initiative invests in startup, spin-off companies and existing small- to mid-sized enterprises, to improve the translation of publicly funded research into commercial outcomes and stimulate innovation in Australia.

Accelerating commercialisation is an area of focus across Australian Government with the aim of helping small and medium-sized businesses to commercialise novel products, processes and services. Around 180 companies received financial assistance between 2015 and early 2017 through a competitive grants process, with a total value of A$99 million.²⁷ Cyber security companies did not received any assistance from this program over that period, which may be due to a lack of quality applications.

Grants provided by the Australian Research Council (ARC) form the second largest source of direct R&D funding in Australia. Yet analysis of the ARC’s funding pattern over the past decade reveals that only a fraction – around 0.6 per cent of the ARC’s annual grant budget (A$744 million in 2016) – was used to fund research projects related to cyber security.²⁸ Postgraduate training centres and research hubs can apply for ARC funding through the Industrial Transformation Research Program (ITRP), which now lists cyber security as an Industrial Transformation Priority.

Australian Government invested $50 million over seven years

Almost $90 million contributed from a consortium of 25 industry, research and government partners

Figure 34 – Quality measures of Australia's research performance

Blockages to cyber security innovation in Australia

Australia is home to 43 universities. They carry out most of the foundational research and have access to a significant amount of funding relative to other OECD nations.²⁹ Cyber security research from Australia ranks highly in global comparison, Figure 34 reveals.

In terms of citation impact – an indicator of research quality – cyber security research papers from Australia are the most heavily referenced in the world, according to Thomson Reuters data.³⁰ Australian universities appear well placed to lead the knowledge creation and spearhead the invention of new technologies in cyber security.

Cyber security research papers from Australia are the most heavily referenced in the world

Many universities in Australia are already regarded as global research leaders in fields with cyber security applications, such as packet switching (a technology that breaks down data into smaller parcels before transmitting them), quantum cryptography, distributed computing and wireless security technology. The Australian National University and the University of New South Wales are already at the leading edge of global research into quantum computing and its potential applications for the cyber security sector.

Australia needs to more effectively commercialise its cyber research. An often-cited criticism, underpinned by OECD data, is that Australia struggles to translate its academic strengths into marketable solutions.⁴² The cyber security sector is no different. Several obstacles are blocking the innovation pipeline in cyber security and hampering the technological transition of high-quality research ideas into commercially viable products, as illustrated in Figure 35.

Figure 35 – Key stages of the cyber security research and innovation pipeline

Australia needs to more effectively commercialise its cyber research. An often-cited criticism, underpinned by OECD data, is that Australia struggles to translate its academic strengths into marketable solutions.³⁷ The cyber security sector is no different. Several obstacles are blocking the innovation pipeline in cyber security and hampering the technological transition of high-quality research ideas into commercially viable products, as illustrated in Figure 35.

There is a lack of focus in existing research efforts

At present, university R&D in cyber security is comparatively small in scale and fragmented. The distribution of competitive ARC grants, as shown in Figure 36, indicates that public funding for cyber security research has been scattered across 16 universities over the past seven years, with no apparent effort to concentrate funding on a few national research flagships that could champion the knowledge creation in cyber security.

Even the Australian National University, which has so far received the highest individual amount of competitive research money in cyber security, still only attracted 14 per cent of the total ARC cyber security funding.³⁸ While there is value in diversity, a more concentrated funding approach would allow a select few universities to rapidly expand their cyber security research capabilities, and could help accelerate the creation of new ideas and spur the development of competitive technologies. The section Grow an Australian cyber security ecosystem in Chapter 4 identifies actions to help improve the focus of Australia’s cyber security research.

Figure 36 – Distribution of competitive ARC research grants in cyber security

Collaboration between industry and research is weak

A rich exchange between academia and industry is necessary to help researchers validate the practical applicability of their research and ensure research ideas get translated into practical applications. University scientists who cultivate a close collaboration with companies would find it easier to identify and select knowledge with commercial relevance. Businesses that collaborated on innovation were twice as likely to develop 10 or more innovations in the fiscal year 2015, Australian Government research shows.³⁹ Despite this, OECD data shows the ties between academia and industry in Australia are the weakest in the developed world: only 3 per cent of surveyed businesses in Australia collaborate with universities and other research institutions – a sharp contrast to leading countries like Finland, where 69 per cent of large and 24 per cent of small companies work closely with external research organisations.⁴⁰

The ties between academia and industry in Australia are the weakest in the developed world

As noted earlier, some of Australia’s large companies in are acutely aware of the benefits of partnerships with local universities. For example, Commonwealth Bank of Australia has invested A$15 million to support researchers at UNSW who are part of the CQC²T network striving to build the world’s first silicon-based quantum computer in Sydney (see Box 13 for details on CQC²T).⁴¹

Quantum computing has potentially profound implications for cyber security, particularly through cryptography. The Commonwealth Bank of Australia’s investment comes on top of Australian Government funding worth A$26 million for the CQC²T, based at the University of New South Wales. An additional A$10 million of research funding for the project comes from Telstra, the nation’s biggest telecommunications company, which has assigned its team of data scientists to work directly with University of New South Wales researchers. ‘We can work together to put Australia at the forefront of global innovation,’ said Telstra chief executive Andrew Penn in 2015, when the company announced the investment.⁴²

Collaboration between industry and research is weak

A rich exchange between academia and industry is necessary to help researchers validate the practical applicability of their research and ensure research ideas get translated into practical applications. University scientists who cultivate a close collaboration with companies would find it easier to identify and select knowledge with commercial relevance. Businesses that collaborated on innovation were twice as likely to develop 10 or more innovations in the fiscal year 2015, Australian Government research shows.³⁹ Despite this, OECD data shows the ties between academia and industry in Australia are the weakest in the developed world: only 3 per cent of surveyed businesses in Australia collaborate with universities and other research institutions – a sharp contrast to leading countries like Finland, where 69 per cent of large and 24 per cent of small companies work closely with external research organisations.⁴⁰

The ties between academia and industry in Australia are the weakest in the developed world

As noted earlier, some of Australia’s large companies in are acutely aware of the benefits of partnerships with local universities. For example, Commonwealth Bank of Australia has invested A$15 million to support researchers at UNSW who are part of the CQC²T network striving to build the world’s first silicon-based quantum computer in Sydney (see Box 13 for details on CQC²T).⁴¹

Quantum computing has potentially profound implications for cyber security, particularly through cryptography. The Commonwealth Bank of Australia’s investment comes on top of Australian Government funding worth A$26 million for the CQC²T, based at the University of New South Wales. An additional A$10 million of research funding for the project comes from Telstra, the nation’s biggest telecommunications company, which has assigned its team of data scientists to work directly with University of New South Wales researchers. ‘We can work together to put Australia at the forefront of global innovation,’ said Telstra chief executive Andrew Penn in 2015, when the company announced the investment.⁴²

Meanwhile, US technology company Cisco Systems has been instrumental in developing the Security Research Institute at Edith Cowan University in Western Australia.⁴⁴ Cisco further committed to invest US$15 million in a newly established Internet of Everything Innovation Centre with R&D facilities across Australia. The centre, which Cisco co-founded with Curtin University and Woodside Energy, is a space where customers, startups, open communities, researchers, entrepreneurs and technology enthusiasts can work and brainstorm on new ideas and technologies, including in cyber security.⁴⁵ Others working on deepening research and innovation links between large companies, universities and startups in Australia include Data61 within CSIRO (see Box 15) and financial technology hub Stone & Chalk.

Smaller industry participants, however, have been slower to tap into university expertise to develop new products and services. Interviews with a wide cross-section of local cyber security startups reveal that only two out of more than 22 industry participants are currently working closely with universities.⁴⁶

In interviews, industry participants cited several barriers to greater industry research collaboration in Australia. Some executives admit they lack experience in engaging universities to leverage their knowledge. Some also say that the different planning horizons limit their close collaboration with academics – companies tend to focus on their immediate, short-term needs, while basic research occurs over longer timeframes. Some company executives are reluctant to deepen their ties with researchers who they feel lack understanding of practical industry needs. Researchers, in contrast, said some industry customers have unrealistic expectations about what their business can gain from basic academic research. Lastly, both researchers and businesses agreed that negotiating intellectual property agreements with universities can be time-consuming and costly.

There is scope for a more effective collaboration of researchers and businesses

Chapter 4.1 (Growing an Australian cyber security ecosystem) makes several recommendations for actions that could help deepen the links between universities and industry, including offering work placements for postgraduate students.

Access to capital to support innovation is limited

Venture capital funds investing in early-stage startups are currently scarce in Australia, noting some government assistance and incentives are available. This low availability blocks the country’s innovation pipeline because startups are locked out from the high-risk capital they urgently need to turn promising ideas into competitive, real-life technologies.

OECD data, as shown in Figure 37 shows that, measured as a share of GDP, there is 10 times less early-stage venture capital available in Australia (0.01 per cent) than in the US (0.1 per cent) and almost 30 times less than in Israel (0.27 per cent). Both these countries are considered leaders in the global market for cyber security products.

‘Cyber security is […] perceived as a risky and technically complex business. [Venture capital funds] in Australia are not interested in buying that extra complexity, particularly when they are in a medium-sized market that pushes them to be less specialised.’
Managing partner of large early-stage venture capital fund

Data compiled by the World Economic Forum, also shown in Figure 37 further highlight the difficulties Australian startups are facing when trying to tap venture capital funding.⁴⁷ On a scale from 1 (hard) to 7 (easy), Australian executives surveyed for the World Economic Forum’s Global Competitiveness Index rate access to venture capital in Australia at 40^th in the world, below the OECD average and well below our competitor nations.

This problem of access to early-stage venture capital funding is well-known and acknowledged in Australian Government assessments of the Australian innovation system.⁴⁸ Recent policy measures have attempted to address this through tax concessions. In 2016, the Australian Government also launched the CSIRO Innovation Fund, which aims to fill this funding gap by co-investing in spin-offs, startups and small to medium enterprises engaged in the commercialisation of early-stage innovations. CSIRO’s science and technology innovation Accelerator, ON, also helps startups commercialise promising cyber security ideas.

Figure 37

Collaboration between industry and research is weak

‘Pitching to early-stage [venture capital funds] in Australia was disheartening…They don’t have much clarity and visibility around cyber, and their valuations were much lower than those of [Silicon] Valley investors.’
CEO of major Australian company

Cyber security startups, however, might face bigger obstacles than their peers because they offer complex, highly technical products. Most Australian venture capital funds are generalists by necessity because of the limited market size – as opposed to the US where there are several venture capital funds with expertise in cyber security (such as ForgePoint Capital and Paladin Capital). Interviews with Australian cyber security professionals indicate that local venture capital fund managers perceive the cyber security sector as complex and risky. Many are reluctant to invest because of a lack of expertise in this field, although this is starting to improve.

Local venture capital fund managers perceive the cyber security sector as complex and risky

Incubators and accelerators play an important role for Australia’s cyber security ecosystem. They are part of the key infrastructure to foster business creation and innovation. While studies show that startups may be just as successful without that initial support, it is indisputable that accelerators and incubators help entrepreneurs learn a lot and improve their professional networks. There is also strong evidence that accelerators and incubators have a positive indirect impact, by ‘serving as beacons’ to unite a community and by increasing the diversity of interconnections in the ecosystem.⁴⁹ Focused incubators and accelerators that understand the cyber security ecosystem and its specific challenges should lead to a stronger performance of startups and their capacity to innovate.

Australia’s first dedicated cyber security incubator, CyRise was launched in 2017. CyRise was borne out of a partnership between Dimension Data (now NTT) and Deakin University and with funding support from the Victorian Government’s LaunchVic startup initiative. Australia could build on this great potential to develop an end-to-end network of cyber security infrastructure as a critical step towards a stronger domestic cyber security ecosystem.

‘Cyber security startups work in the deep tech space. It therefore takes longer to build the right product and get traction, so they need more support than others.’
Scott Handsaker, CEO CyRise

Various approaches to overcome these issues are discussed in the section Growing an Australian cyber security ecosystem in Chapter 4, including familiarising new investor groups, such as superannuation funds, with investment opportunities in the local cyber security sector.

3.4 Cyber security companies’ growth and export

Developing innovative products and services is crucial to building Australia’s competitiveness in cyber security, but that alone is not enough to ensure our companies succeed and our industry develops. Companies need to be able to effectively sell their products and services into a domestic marketplace where they can build scale, confidence and capabilities. With that local base in place, they can more effectively take on the challenge of exporting to global markets and connecting with global value chains.

Barriers to growth for small cyber security companies in Australia

Interviews with buyers and sellers of cyber security solutions show companies need to overcome three main hurdles to successfully establish and grow their business – they need to understand their customers, gain trust, and get to scale.

Figure 38 – Most relevant factors for customers choosing a provider of cyber security products (software and hardware)

Cyber security companies often fail to understand their customers

The AlphaBeta/McKinsey survey of CIOs and CISOs and local cyber security providers indicates many Australian cyber security companies undervalue aspects of their offerings that are critical for local customers. This mismatch is most evident for customer support, according to the survey results shown in Figure 38. When purchasing products, customers consider support to be an essential component of their purchasing decision, while local companies are more focused on providing a user-friendly service. A greater understanding of, and focus on, local customer needs would help Australian cyber security companies grow.

Additional survey results shown in Figure 39 reveal that cyber security users have widely differing needs, depending on the nature of their businesses. Those most at risk of being targeted by cyber criminals, such as financial-services companies or defence agencies, are typically investing in large in-house cyber security teams and only seek external help to complement their own capabilities. When they do engage external service providers, they generally choose those offering the greatest trust, best support and most effective technology.

Figure 39 – Most relevant factors for customers choosing a provider of cyber security products (software and hardware)

Customers with a moderate risk exposure, such as retail and healthcare businesses, tend to outsource more of their security needs to external cyber security providers. These mid-market customers are most interested in acquiring the best technology and support when choosing a cyber security vendor. The survey shows they are also more cost-conscious than other customers in the market.

Cyber security companies also need to consider if their product or service might be better targeted to an integrator, such as a Managed Security Service Providers (MSSP), rather than to end-user customers. MSSPs typically serve the needs of mid-market customers and usually bundle several products and services – from managed firewalls to vulnerability scanning and anti-virus services – into one integrated offering. Telecommunication companies are one example of MSSPs. Interviews suggest that MSSPs, on average, are most focused on offering their customers the best support, and least concerned about offering the widest range of solutions.

New companies often lack the trust to gain anchor customers

To inform this Sector Competitiveness Plan, a range of local cyber security companies were analysed to understand which factors – including funding, R&D collaborations and industry regulation – are most important for their development and success. The results, shown in Figure 40 highlight that acquiring an ‘anchor customer’ is the most commonly cited success factor for Australian cyber security companies.

Anchor customers can add material value to a small business

They often have clout in an industry and can become a catalyst for demand by adding credibility to a startup and its new products. Their reputation often helps startups acquire further customers. They can also act as a strategic partner, provide access to fresh capital, and give feedback on how to improve a startup’s offerings. Survey results show Australian cyber security companies most commonly relied on anchor customers from industry (relevant for approximately half the companies surveyed), while about one-quarter of the companies surveyed said a government contract was critical to their success.

Figure 40 – Success factors for Australian cyber security firms*

Cyber security companies often fail to understand their customers

However, acquiring an anchor customer is not easy and requires more than just a convincing product or service. A survey of CIOs and CISOs in leading Australian companies with the potential to act as anchor customers for cyber security companies reveals that trust is a crucial factor, particularly when selecting service providers.⁵¹ And while buyers of cyber security products, such as antivirus software or firewalls, are generally most interested in buying the most effective technology, Figure 41 shows that finding a trustworthy producer still ranks as the third-most important driver for their purchasing decision.

This customer preference for dealing with a trusted vendor particularly affects the early-stage cyber security companies in Australia. In this market, which is dominated by well-established and reputable foreign competitors, many local startups lack the credibility needed to win an anchor customer.

‘A common concern around local companies is that they need to go overseas to get their first sale…It’s in fact an issue on the maturity of the local market…the fact that we don’t realise that home-grown products can be world-class.’
CIO of an Australian bank

Figure 41 – Most relevant purchasing factors for customers choosing a cyber security provider, 2017*

Large potential customers may remain reluctant to engage if a company has no track record to indicate that a new product or service will deliver the promised outcome. Interviews with CISOs in Australia reveal many are hesitant to buy from smaller or newly established providers with no reputation, even if these companies offer technologically appealing products. Potential customers may also question the financial health of a cyber security startup and seek evidence that it will exist long enough to support its products and services well into the future.

In cyber security, a trust deficit can act as a stronger market barrier than in other industries. This is because buyers of cyber security products and services take a bigger risk with their purchases than buyers of other goods. As they invest in the protection of vast corporate IT networks with large amounts of sensitive data, they need a quality assurance and guarantee that what they buy will indeed shield them against cybercrime.

In cyber security, a trust deficit can act as a stronger market barrier than in other industries

One way for companies to overcome the lack of trust is to use one of several certification and accreditation programs available in Australia (see Box 17 for further details). Another, less obvious way to overcome local market barriers is to expand overseas. Some local cyber security companies have found it easier to penetrate the Australian market after acquiring an international customer first. In interviews, company executives said the fact that foreign customers can help increase the perceived trustworthiness of Australian cyber security companies illustrates the widespread risk aversion in the local market.

The section Growing an Australian cyber security ecosystem in Chapter 4 outlines actions that can assist cyber security startups in their search for anchor customers, including showcasing Australian cyber security products and services and coaching to help startups mature their business operations.

Procurement processes favour larger, established companies

Strict procurement rules oblige many government agencies and private-sector companies to engage only cyber security providers with a proven track record of fulfilling complex and sizeable security tasks. These internal procedures typically work in favour of large cyber security companies, while startups frequently miss out. Many small, emerging cyber security companies lack the resources to deliver large-scale projects, particularly when they cover multiple product and service areas as government contracts often do. Government agencies often search for providers who are capable of meeting a variety of security and other ICT needs at once – a tendency clearly reflected in the scope of government contracts, which are among the most valuable in the market.

An analysis of Australian Government tender agreements for the provision of cyber security services over the past decade, illustrated in Figure 42 shows that just one-quarter of all government contracts made up almost 87 per cent, or A$274 million, of the entire government spending on cyber security contractors over that period. Yet, only 8 per cent of these high-value government contracts were concluded with Australian grown and owned companies, as most are still too small to effectively compete against large foreign rivals in a government tendering process.

Missing out on the large-scale contracts commonly offered by Australian Government agencies – a median size of A$300,000 for the top quarter of contracts – is a significant barrier to entry for smaller Australian cyber security providers. In fact, large-value contracts are seen as the most important market hurdle for startups globally.

Figure 42 – Government cyber security-specific contracts*, 2007–17

‘Big organisations tend to hire big organisations.’ CIO of an Australian bank

Research shows, for example, that the share of small and medium-sized companies securing government tenders in European Union countries rapidly declines once the overall contract value rises above A$150,000.⁵² Tender processes could be made more accessible if governments divided their contracts into smaller parcels. Rather than contracting a few very large cyber security service providers, they could allow many small companies to service different aspects of their security needs. Given that purchasing from more providers could also make systems more complex and less integrated, any move to smaller contracts would need to be properly weighed against such potential complications.

Tender processes could be made more accessible if governments divided their contracts into smaller parcels

Other aspects of the public procurement process are also hindering cyber security startups from working more closely with government. Public agencies usually appoint a panel of suppliers for products and services they regularly acquire, referred to as Standing Offer Notices. These suppliers are pre-approved to do business with the government for a period of several years. While this offers convenience for procurement officers, it limits opportunities for new entrants. One example is the panel for ‘Consultancy and Business Services’, which comprises 170 suppliers and has been used to procure some cyber security-related contracts.⁵³ The current panel was appointed in 2013, and there will be no new opportunities to join this panel until it expires in 2019.

The Australian Government is trying to remove barriers to entry. Recently, it has added new features to its ‘Digital Marketplace’ – an online platform for buyers and sellers of various ICT products and services. It has opened up the Digital Marketplace to cyber security businesses, making it easier for them to work with Australian Government agencies. The Digital Marketplace uses a strict selection process for companies wishing to use the platform for their offerings. Similarly, cyber security services companies must demonstrate certain abilities and experiences before they can join the Digital Marketplace.⁵⁴

Importantly, the Digital Marketplace could also provide cyber security companies with access to state and local government buyers. In addition to launching its own marketplace for the cloud,55 the New South Wales government has already announced that the Marketplace complies with its procurement policies, and it will begin purchasing some ICT services through the new platform.⁵⁶ Some local governments have also joined as registered buyers. A uniform set of procurement requirements to access buyers at all levels of government will significantly reduce compliance costs for companies.

Many of these issues in public sector procurement are also common to private sector procurement processes, which are often deliberately designed to weed out startups and smaller companies through narrow evaluation and review criteria. The preference to work with larger players is particularly strong in cyber security, which affects highly sensitive aspects of the business. Lengthy procurement processes, usually lasting between three and six months, can additionally deter smaller providers.

Simplifying procurement procedures in the public and private sector would remove some of the substantial hurdles that cyber security startups are facing. Section Grow an Australian cyber security ecosystem in Chapter 4 has more details on actions to address this issue.

Cyber security companies traditionally struggle to access export markets

An analysis of the geographical spread of Australian cyber security companies reveals significant scope for the sector to export its products and services and connect to global value chains. While many Australian hardware and software providers are already engaging with global customers, most services companies in the Australian cyber security sector have not yet developed an export capability. In fact, Figure 43 reveals that only 12 per cent of Australian cyber security services companies surveyed have customers outside Australia, although anecdotal reports suggest this is growing.

Figure 43 – Most relevant purchasing factors for customers choosing a cyber security provider, 2017*

Not all cyber security services are equally exportable. Education is unique because it is relatively easy for a cyber security training provider to bring individual students to Australia to study. A data analytics company, however, might struggle to export its services due to country-specific laws around data privacy. Service providers offering advice and support on compliance issues might also find it difficult to export their work, as they require a deep knowledge of local regulations.

Some services exports require a local operating base in another country. Others can be delivered remotely, meaning jobs created are predominantly in Australia. The way companies design their service offerings can have a major impact on their exportability, and some Australian cyber security companies may need more support and guidance to develop the most exportable service possible. Still, some service providers may not yet have the staff, expertise and resources needed to serve customers abroad. In interviews, several cyber security services companies indicated that exporting is not a priority for them, because they already struggle to recruit enough cyber security professionals to meet strong domestic demand.

Chapter 4 lists several strategies that could help overcome some of the common export issues Australian cyber security companies are facing. Examples include intensifying Australia’s marketing presence for cyber security in key target markets and analysing remote delivery models for Australia’s existing services strengths.

3.5 Measuring growth and impact

A clear view of the state and size of the cyber security sector is essential for sustained growth. The lack of trusted sector measures and data can hinder cyber security’s growth trajectory. Good policy and future investments are contingent upon policymakers, entrepreneurs and investors having a clear picture of the sector on which to make informed decisions. Without a solid fact-base about the local sector’s demographics and performance, policymakers may fail to identify factors that both contribute to and prevent growth and productivity. Investors who cannot assess potential commercial opportunities in the sector due to a paucity of information will be unable to calibrate their investments in the sector. A lack of in-depth understanding of the sector’s value to the growth and outcomes of the economy overall, hampers the nation’s ability to assess with sophistication the global competitiveness of all sectors.

There are two main reasons why measurement of the sector has proved so challenging. Firstly, there is a dearth of quality data as new and emerging sectors like cyber security are not captured by standard government industry and occupation codes – nor are frameworks and codes particularly mature around representations of intangible assets of which cyber security is majority comprised. This is coupled with the fact that firms tend to be very reticent in disclosing any information related to security, whether it be their level of protection or their experiences of cyber threats. Secondly, the nature of the sector makes it difficult to segment and analyse as it consists of both a discrete vertical sector that sells cyber security goods and services, combined with a horizontal cyber security function across the economy.

It is also important to grow our understanding of the role of cyber security in the broader economy. This can best be understood through three elements, which have both direct and indirect considerations:

1. risk of malicious cyber incidents and cyber attacks;
2. protection offered by cyber security; and
3. benefits of that protection. Individuals and organisations can manage cyber risk with protective measures that include software, behaviours and services.

Understanding the cyber risk environment is vital as it directly informs firms about the level of protection required. Gauging overall investments in cyber defences establishes benchmarks and a basis for firms to judge whether their levels of protection are comparable to their peers.

However, cyber security does not only mitigate risk – its products and services, as well as its innovation and investment cycles and advances in workforce growth and maturity, also fuel economic growth. Improved trust in the digital environment accelerates digitisation across the economy and lowers barriers to information exchange, resulting in productivity gains and incentives to pursue innovative ideas. In this way, cyber security serves as an enabler of growth and prosperity especially as the economy continues to digitise.

Improving measurement of both the sector itself, as well as the its broader impact, is vital. In the short-term, there should be an annually updated robust estimation of the sector’s growth and development. In the long-term, cyber security should be incorporated into the Australian Bureau of Statistics’ (ABS) regular measurement program alongside other technology focused sectors. Existing measurements of cyber security risk and protection by government agencies should be enhanced, and economic analysis undertaken to better understand the broader benefits that cyber investments generate.

The Australian cyber security sector is not being adequately measured

Although there are broad estimates of sector revenue and spending on cyber security goods and services, such as those presented in this Sector Competitiveness Plan. There are no detailed, systematic measurements of the Australian cyber security sector yet.

Other sectors rely on the ABS, which undertakes regular measurements of Australian industries and occupations. These regular ABS measurements result in essential economic data, such as the national accounts, and form the authoritative description of Australia’s economy. However, the ABS’ industry measurements are based on the Australian and New Zealand Standard Industrial Classification (ANZSIC), which does not recognise cyber security; instead, the cyber security sector’s activities span several ANZSIC codes, with a mix of computer systems design and professional services (Figure 44). For occupations, the ABS relies on its Australian and New Zealand Standard Occupation Code (ANZSCO), which does refer to cyber security in a single category (‘ICT Security Specialist’). Besides the fact that one occupation code is insufficient to capture the range and variation of cyber security roles, the ICT Security Specialist designation is at the lowest possible level in the classification system, and most ABS measurements are not reported with that degree of granularity.

This problem of poor sector economic data is not unique to Australia. Currently, there are no robust and repeatable government measurements of the cyber security sector in any country, meaning that its economic characteristics are poorly understood. This is not because of ambivalence towards cyber security. Most developed economies have launched detailed national cyber security strategies, but neither their statistical agencies or governmental departments are carrying out sector measurement programs. The exception is the United Kingdom, where two government departments – one concerning business and industry and the other digital affairs – commissioned sectoral analyses in 2013 and 2018 respectively.⁶²

Figure 44 – Current industry and occupation classification standards for cyber security

Several aspects of sector development need to be measured

There are several dimensions to consider when measuring the cyber security sector. These can be organised according to descriptive and performance measures (Figure 45). Descriptive measures deal with basic, fundamental facts about a sector such as the number of firms operating, employment, and revenue earned. Governments can use this information to adjust policies aimed at developing the sector, such as planning for the sector’s employment and skills needs. More refined descriptors such as the age and size distribution of firms and workforce demographics are useful in answering more specific questions on sector maturity, the flow of talent into the workforce and workforce equity.

These basic descriptors provide the foundation for more complex performance measures to determine a sector’s overall contribution to the national economy. Key performance measures include gross value added (GVA), which directly informs national GDP calculations, and the value of exports from the sector. This information allows investors to calibrate their investments in the sector, and helps government understand the economic value of the sector and the impact of industry policy settings and efforts over time.

Figure 45 – Application of typical sector measurements to cyber security

Several possible approaches could be used to better measure the sector

While the optimal measurement of cyber security as a sector would be through its inclusion in the Australia and New Zealand Industrial Classification (ANZSIC), revisions of industry classification occur infrequently and are complex and costly. Statistical agencies are rightly cautious to revise their standards because any changes affect the continuity of historical economic data. ANZSIC, for example, was first released in 1993 as a replacement for the Australian Standard Industrial Classification and has only been revised once since then, in 2006. It does not capture the digital economy well. For example, it splits the ICT sector into two groups: an ICT group and a professional services group.⁵⁸

Statistical agencies have developed an alternative approach to measuring sectors which are not included as industries in national accounts. These are called satellite accounts and have been adopted for several industries. The most notable example is tourism, which is not a sector in ANZSIC because it consists of the provision of different types of goods and services – accommodation, food and beverage and souvenirs – to a common customer, a tourist. The ABS has published an annual satellite account for tourism in Australia since 2000–01. Satellite accounts have also been tested or used in various jurisdictions for transport, the environment and households.

The ABS could address the problem of cyber security measurement in the same way by assigning the sector its own satellite account or more ambitiously, as a component of an account that encompasses the digital economy. The ABS has taken some steps towards using these approaches for the ICT sector. It produced an ICT satellite account for 2002–03, but this was discontinued.⁵⁹ More recently, the ABS tested the application of an OECD/BEA framework for measuring the digital economy.⁶⁰ However, neither of these approaches explicitly included the cyber security sector.

Introducing a cyber security or digital economy satellite account would take time. The robust and rigorous approach of ABS studies necessitates a long measurement period and requires significant funding, which may be challenging to secure. If these feasibility challenges can be overcome, such a study would be highly credible, comparable to other sectors in the country and future measurements in other jurisdictions, and easily repeatable if it is treated as other satellite accounts.

Given the long lead time likely to develop a satellite account for cyber security, it will likely be necessary to implement an interim solution. Several private sector organisations have attempted to measure countries’ cyber security sectors. These private sector studies tended to choose from five main data sources to estimate descriptive and performance measures (Figure 46). These data sources each have benefits and drawbacks. For example, detailed government records of firms and proprietary databases would offer a great deal of insight into the sector, but these are difficult to access. In contrast, readily available public data sources can lack relevant and detailed information. The most successful of these measurements used multiple sources of data to compensate for the lack of government data assets such as tax records or granular national accounts data.

Two approaches to sector measurement are proposed in Chapter 4. The first is a long-term plan to incorporate the cyber security sector into the ABS’ regular measurement program, either as part of a revamped industry classification code or as a satellite measurement account alongside other technology sectors. The second is a short-term plan to plug the knowledge gap through an independent measurement of the sector drawing on various available data sources.

Figure 46 – Assessment of potential data sources for sector measurement

Cyber security’s impact on the broader economy can be understood through three elements – risks, protection and benefits

Studying the key indicators and descriptors of the sector is only half of the measurement challenge. Another important challenge to tackle is improving our understanding of cyber security’s role and impact on the broader Australian economy. This can be achieved by focusing on the elements of risk, protection and benefits. Firms and people respond to the risk of security breaches through implementing protection measures, which then confer benefits. Assessing each of these three elements of cyber security in a credible way is essential to understand how cyber security interacts with the broader economy (see Figure 47).

Risk is a measure of the degree to which organisations, individuals and the economy are vulnerable to attacks, as well as the consequences of a successful breach. This includes the financial costs of detection, data recovery, investigation, network restoration, training and customer or supplier retention. Damage to an organisation’s reputation is also costly and for government and national institutions, security compromises often have political implications at home and abroad.

Protection describes organisations’ use of up-to-date protective technologies and services and whether such protection extends to the entire set of a firm’s digital assets. These components are often summarised and reported as readiness indices which assess the overall level of protection. Cost of protection is also a key aspect when assessing protection – this includes the cost of products and services, as well as wages of in-house cyber security staff.

Cyber security benefits organisations in two ways. The first type of benefits are the losses avoided as a result of thwarted attacks. This benefit can be quantified according to the difference in the cost of offsetting cyber risk compared to the cost of a successful attack. The second type of benefits are those resulting from the protective or enabling effects of cyber security on economic sources of value. For example, digital activities such as e-commerce, online banking, and cloud computing are increasingly impossible without adequate cyber protection.

A range of risk measurements have been developed internationally, focusing on the costs of breaches and levels of cyber risk

Risk has typically been measured by quantifying the cost of a cyber breach to an organisation, or by assessing the incidence of cyber breaches for organisations or countries. While some governments have undertaken such assessments, limited government activity in risk measurement has prompted several private sector organisations – cyber security vendors in particular – to take a leading role. Given the commercial interest of vendors in emphasising the costs of inaction, this has raised concerns about the credibility and reliability of their risk measurements (see Box 18).

Two standout studies on risk were performed or commissioned by national governments. Statistics Canada, Canada’s national statistics agency, surveyed over 7,000 private firms on the incidence of cyber breaches as part of a broader study on cybercrime (Canadian Survey of Cyber Security and Cybercrime).⁶¹ In the United Kingdom, the Department for Digital, Culture, Media & Sport conducted an in-depth survey of more than 2,000 private firms and charities, asking about the number and cost of breaches, followed up by 50 interviews to add depth to the findings.⁶² In both these cases, the substantial sample size combined with a well-designed survey and robust interpretation resulted in more meaningful and interesting findings compared to private sector studies, which focus on estimating the average cost of a breach from a limited survey sample.

Figure 47 – Measuring cyber security’s impact on the economy

Protection measurements typically assess either readiness or spending on cyber

There are various existing methods and approaches to measure national and international levels of cyber security protection. Most of these are surveys seeking to estimate firm spending on cyber security and assess readiness to deal with threats. Much like studies on risk metrics, government studies on protection tend to be more robust than private sector estimates. For example, Statistics Canada and the United Kingdom’s Department for Digital included measures of protection as well as risk in their previously mentioned studies, where they examined readiness of firms to deal with threats as well as quantifying spend on cyber security products and services. Several international organisations and private firms have also formulated readiness indices. Most of these indices aim to assess how prepared countries are to meet cyber threats (although there were two indices that assessed the readiness level of industries and firms by IBM and Accenture respectively).^63,64

The other main area of protection that is sometimes measured is cyber security spending by organisations and at the country level. Again, this area presents data challenges because many organisations are understandably reluctant to disclose information on their cyber security expenditure given the value of that information to potential cyber attackers. Previously, the main source of information on cyber expenditure has been from market data providers such as Gartner and IDC, which sell international and national-level data on the values of sales in the cyber security or ‘information security’ market, both historically and as forward projections.^65,66 However, this data doesn’t capture the full value of organisations’ cyber security spending because it doesn’t include wages paid to internal cyber security teams. More recently, government studies in Canada and UK have begun estimating overall spending on cyber security products, services and wages.^67,68

Existing Australian measures of risk and protection have important limitations

Local measurements on risk and protection are undertaken by several government organisations: the Office of the Australian Information Commissioner (OAIC), ABS and ACSC within the Australian Signals Directorate. The OAIC releases a regular half-yearly national report on data breaches as part of its Notifiable Data Breaches Scheme, which monitors breaches of personal information across the nation as part of the federal Privacy Act. The ABS, as part of its annual survey on business use of IT (BUIT), enquires superficially about the cyber security incidences, readiness, and the impact of breaches. Finally, the ACSC is undertaking a survey of small to medium-sized businesses on the incidence of malicious cyber activity, their impact and the readiness of firms to deal with the consequences. The ACSC has also previously released a technical threat report which describes the proliferation of new methods and technologies being used by attackers as well as semi-regular surveys about readiness across both public and private sectors.

Thus, where government is required to have a clear role to play, relevant agencies do already measure most of the key metrics (Figure 48). However, the robustness of the metrics needs to be improved in order for the data to be informative and useful. This can be through using broader samples (as the ACSC has recently done), and also with better integration of different data sources across agencies. Government could also consider adding measurement of the cost of breaches in Australia.⁶⁹ Despite the methodological challenges associated with cost of breach studies, this information is important for organisations in evaluating their avoided losses from cyber investments and thus the impact of their cyber security investments. The work of Canadian and UK governments in this area has demonstrated that robust approaches are feasible.

Figure 48 – Cyber security in the broader economy – measuring risk

Figure 49 – Cyber security in the broader economy – measuring protection

In protection, there are more substantial gaps in the metrics that could be filled by government (Figure 50). The level of protection is touched on in the ABS’ survey on business uses of IT (BUIT), but not in great depth. The need for government to support measurement is especially urgent when it comes to assessing cyber readiness throughout the economy and in estimating the cost of protection. Assessing cyber readiness across industries and geographies can reveal gaps in Australia’s cyber defences whilst cost of protection studies provides benchmarks to which firms can compare their own levels of protection.

The economic benefits of cyber security have been analysed the least to date

Despite the obvious value of a stronger understanding of the benefits of cyber security in the economy, there is very little existing work to objectively measure or assess these benefits – either internationally or in Australia. This is likely a reflection of both the relative novelty of cyber security, but perhaps more significantly the methodological challenges of understanding and measuring benefits. Unlike some other types of investment, cyber security often does not generate a direct return and enables value creation in other ways.

There are two main ways through which cyber security benefits manifest. First, cyber security protects firms against losses from cyber security attacks. This is most applicable at the organisational level, where avoided attacks translate to avoided costs relating to dealing with and recovering from an attack. Second, cyber security protects and enables sources of economic value. There are a range of digital industries and activities, such as e-commerce, online banking and cloud computing, which have become prominent and indispensable features of the Australian economy. These activities are utterly contingent upon cyber security’s protection. That is, it would be impossible to conduct many important digital enterprises in cyber space that is not secure.

Cyber benefits have not been well studied to date. There are no Australian Government studies into these two aspects of cyber security benefits, and few private sector analyses. One of the few private sector reports which touched on benefits was by the consultancy BDO as part of a broader survey on cyber risk. BDO compared the incidence of attacks on surveyed firms with and without cyber security protocols which improved their risk visibility, finding that protected firms were less likely to experience malicious attacks.⁷⁰ This was a peripheral component of the report and although the survey covered nearly five hundred respondents, the sample of surveyed firms was not representative of the economy at large.

Two other measurements have focused on the enabled or protected value, including one analysis in Australia. Deloitte, a consulting firm, used CGE economic modelling to estimate the impact of firm investment in cyber security products and services on GDP, business investment, wages, employment, national revenue, and the terms of trade.⁷¹ The results claimed a 5.5 per cent lift in overall business investment across the economy as a result of cyber security products and services bought, however the underlying analytical assumptions are not clear. In 2015, the Atlantic Council in conjunction with Zurich Insurance Group released long-term modelling of the economic benefits and costs of various scenarios for global cyber security to 2030.⁷² While this analysis provides a powerful case for the economic benefits of cyber, it does not consider the implications of alternative cyber scenarios in different countries.

Cyber security benefits the economy through a range of different pathways

Cyber security protects and generates value for the economy through a range of different pathways and part of the measurement challenge is in understanding these pathways in more depth. For example, cyber protection supports digitisation. Confidence in their cyber security protection encourages firms to digitise their operations as well as collaborate digitally, thereby improving information exchange in the economy leading to improved productivity and creating the opportunities for innovation. Five example pathways are outlined in Figure 50 below, although there are undoubtedly other pathways that could be proposed. Each is worthy of further study.

A more unified approach to measuring the benefits of cyber security would be through estimating changes to economic value captured as a result of digital innovation. Such a measurement approach would directly demonstrate how investments in cyber security support economic growth. This could be done by developing counterfactual scenarios that model different levels of cyber security investment and estimate the resultant differences in economic value or output, at the level of the Australian economy. The approximate difference between the counterfactual scenarios roughly equates to the value protected by cyber investments.

Proposals to further develop measurement of cyber security risks, protection, and benefits are described in Chapter 4, including strengthening existing government measurements and trialling new approaches to analysing the impact of cyber security on the economy.

Figure 50 – Pathways for economic value of cyber security