SCP - Chapter 3 - Accelerating and sustaining growth

The cyber security sector has grown quickly, but must confront important challenges relating to innovation, customers and skills

The sector is well positioned to sustain its growth

The remarkable progress the sector has made reflects the importance of cyber security to the modern digital economy. Spending on cyber security has grown by nine per cent each year for the past four years, and in the three years between 2017 and 2020, the cyber security workforce added approximately 4,000 workers (for a total of 26,500 workers).

The demand drivers that have fuelled sector growth - a dangerous threat landscape, digitisation and regulatory demands from government - have been intensified by the effects of the COVID-19 pandemic.

The Australian economy will require sophisticated cyber protection to protect its assets. Risks to the operation of critical national infrastructure - such as power stations, healthcare systems and logistics networks - will grow as digital infrastructure continues to roll out. As online transactions and communications become more common, improper protection could erode digital trust.

Australian cyber security providers need to continue being globally competitive. A high-performing sector prevents Australians becoming overly reliant on foreign providers and enables the nation to capture valuable export opportunities. It also equips Australia with a competitive edge over peer nations in a capability that is critical for a modern digital economy.

As the sector seeks accelerated growth, it needs to overcome familiar challenges.

A survey of cyber providers revealed the following constraints:

  • Knowledge infrastructure: cyber providers are disconnected from an ecosystem of cyber-orientated professionals in finance, services, policy and education, which hinders innovation in the sector.
  • Market maturity and access: under-protected businesses and conservative procurement processes that favour established multinationals mean that many local providers struggle to gain traction in their own home market.
  • Investment: insufficient investor activity means that many providers are reliant on organic growth and do not have the fuel they need to expand their operations ambitiously.
  • Skills: the sector may struggle to maintain a sustainable, high-quality pipeline of skills which match employer needs.

To ensure these challenges are met, industry, policymakers, investors and educators must continue their proactive efforts to:

  • nurture the innovation environment by continuing to fund research, in turn helping to mature knowledge infrastructure and expand the investment pipeline for Australian entrepreneurs;
  • help providers and customers connect, by supporting new providers, scaling existing Australian providers, strengthening the sector's export-oriented outlook and supporting regulations that ensure the digital economy is cyber secure; and
  • sustain skills systems by continuing to build on the training packages and initiatives that have already been rolled out successfully.

The sector cites demand maturity, a lack of investment and limited access to skills as some of its top challenges

While Australia's cyber security sector is establishing itself quickly, it faces several challenges typical of a young, growing industry that has established a foothold but is looking to scale.

The challenges the sector faces relate to three broad themes:

  1. Innovation environment: the ability for organisations with problems to meet people with ideas and develop solutions.
  2. Market maturity and access: the quantity and quality of cyber security products and services demanded in the market, and how well local cyber providers can take advantage of that demand.
  3. Skills and workforce: cyber security businesses' ability to access the skills they need to innovate and grow.

These challenges have evolved over time and demonstrate the increasing maturity of the sector. In the past, issues such as limited access to cyber skills and lack of R&D funding have been more significant concerns. However, as the industry begins to make progress against these continuing challenges, cyber businesses are also facing new challenges such as the maturity of the businesses they sell to and the amount of early-stage funding available to them.

Figure 25

Top three challenges cited by Australian cyber security providers

Survey question: In your opinion, what are the key challenges facing the cyber security industry?

Source: AustCyber's Digital Census 2020

Although cyber security companies face common challenges in demand and investment, those growing fastest are focused on talent and collaboration

Dividing revenues by the age of the provider made it possible to separate responses from the fastest growing companies and those growing more slowly, painting a clearer picture of performance drivers in the sector.

The key growth enablers that fast-growing companies prioritise are gaining highly skilled talent dedicated to growing the company's capability, and harnessing collaborations and partnerships to drive growth. The major concerns shared by these companies include access to skilled talent and maturity of demand.

The slowest growing companies are preoccupied with startup barriers and access to finance. These barriers hold them back from taking up export opportunities and zeroing in on talent acquisition.

Overall, the fastest growing companies found it easier than the slowest growing companies to attract talent, engage in R&D, receive market support, gain access to export markets and secure finance. The largest difference in ease was in accessing export markets, suggesting that being able to take up international export opportunities is a key driver of growth.

Figure 26

Barriers and enablers cited by slowest and fastest growing companies

Top barriers and enablers

Survey questions: In your opinion, what are the key challenges facing the cyber security industry? What are the most important enablers of growth for your business?

Source: AustCyber's Digital Census 2020, AlphaBeta analysis

3.1 Innovation environment

As the cyber innovation ecosystem has matured over the past three years, CyRise, the Cyber Security Cooperative Research Centre (CRC) and cyber insurance market innovations have been important additions

Figure 27

Note: This diagram is non-exhaustive and indicative only. For example, some industry players are collaborating directly with researchers, so comparing dot size, investment or funding across the sub-sectors does not necessarily indicate the importance of each element.

Sources: Industry and expert interviews; AlphaBeta analysis

Cyber security research funding is growing in Australia, but must continue deepening to support sector innovation and growth

Between 2018 and 2020, cyber security research attracted approximately $64 million of federal government funding. This represents substantial growth from previous levels. During this time, the Australian Research Council (ARC) allocated more than three times as much funding as in the previous three-year period.

For the first time, this level of funding is now on par with comparable economies such as Singapore and Canada, which allocated $61 million and $48 million respectively, also between 2018 and 2020.

An integral part of the recent growth in Australian cyber security research funding has been the establishment of the Cyber Security CRC. The Cyber Security CRC is the sector's central research organisation, and has a long-term focus on important issues such as critical infrastructure security and cyber security as a service. The CRC has more than 20 partners from industry, government and research, including six leading Australian universities, all of which are required to contribute funding.

Importantly, the Cyber Security CRC has improved the level of collaboration between universities and industry, with expert interviews suggesting that collaborative research approaches are becoming more prominent.

Australia must continue to develop its ecosystem of researchers and, as illustrated by the success of the Cyber Security CRC model, collaboration between academia and industry is key. Furthermore, the broader research sector should be alive to the ever-evolving scope and scale of cyber security discourse and address pressing matters in a timely manner for the benefit of the broader community. The UK, for example, hosts 19 Academic Centres of Excellence in Cyber Security Research and four government-supported cyber research institutes.

Figure 28

Government funding directed to cyber security research between 2018 and 2020

A$ million

Note: Funding includes money allocated to universities or other research institutions. ARC figures include both Discovery and Linkage projects. CRC figures are based on $50 million of government funding over the seven years to 2025. Individual funding from the Cyber Security CRC's members is not included as this is not classified as government funding.

Sources: Australian Research Council, Cyber Security CRC, AlphaBeta analysis

Increasing numbers of cyber security companies are being established in Australia

Australia's cyber security sector is young, but growing quickly. The growth in number of companies is consistently higher than growth in the wider economy, as well as in comparative sectors such as the information, media and telecommunications (IMT) sector.

Between 2012 and 2019, the number of companies in the cyber sector grew by an average of 21 per cent each year, compared to just two per cent and one per cent each year for the IMT sector and the whole economy, respectively. 53 per cent of Australia's cyber companies were established in 2015 or later.

The growth rate in the cyber industry has also been more resilient to falls in overall activity. For instance, in 2013 when the wider economy experienced a decline across companies overall, the number of cyber companies continued to grow strongly, albeit at a lower level (see Figure 29).

The cyber security sector's company number growth rate is also more volatile than the wider economy's growth rate. This is characteristic of less-mature sectors that are still finding a dynamically efficient competitive equilibrium.

The decline in the growth rate in the number of companies throughout 2018 and 2019 may be explained in part by the Digital Census not capturing the newest companies in the sector, and by market consolidation in the formation of CyberCX and others.

Figure 29

Growth rate in number of companies by sector

Per cent per year

However, investment in cyber startups is lower in Australia than in peer economies

Lack of finance and investment continues to be a significant barrier to startup growth: nearly 50 per cent of survey respondents cited it as one of their top three challenges. This is borne out in the data: startups headquartered in Australia have generated less value in early-stage funding rounds in each of the last three years than those headquartered in Singapore, Canada or the UK. Two problems explain this relative underperformance:

  • Cyber startups struggle to effectively engage the venture capital (VC) community: investors are optimistic about the cyber industry, but startups often lack the commercial and sales capabilities to communicate and demonstrate the financial viability of their solutions. This leads to less engagement with the VC community as a whole.
  • There is a lack of depth in local investment opportunities: Australia's cyber startups have not yet generated the critical mass that would entice large funds specialising in cyber security. As a result, investors in Australia do not invest in cyber security because they cannot deploy the capital needed in Australia alone. This reinforces the need for Australian cyber providers to have a global outlook from their inception.

The overall result is that Australian cyber startups raise less capital than they need, which constrains growth and limits their ability to succeed.

Figure 30

Value of early-stage funding rounds

A$ million

Note: A small portion of funding rounds did not have fundraised amounts, due to confidentiality. These rounds were counted in the total number of rounds but not in the total amount raised. Where multiple investors were listed, fundraised amounts were attributed across each investor evenly. Where no investor was listed, the average ratio of Australia (or Singapore) versus overseas was applied to the total amount of funds raised.

Sources: Crunchbase, PitchBook, AlphaBeta analysis

While Australia's cyber innovation ecosystem is growing, it could keep learning from international peers

Having a mature, entrepreneur-led innovation ecosystem is essential to ensure the sector's growth. The ecosystem provides a space where founders can meet mentors, clients and collaborators, while improving the sector's visibility and attracting more capital and customers.

There is widespread acknowledgement that although it is improving, Australia's cyber security innovation ecosystem still relies on 'everybody knowing everybody', rather than an underlying structure that can independently support growth. For example:

  • While startup-to-startup collaboration is strong and there are hubs that bring together researchers, startups and customers, there are few systematic pathways for technically strong cyber founders to connect with entrepreneurs that have commercialisation skills in capital raising, sales and marketing.
  • A small number of highly supportive private sector companies willingly test and validate cyber startup products and services, but broadly speaking there is a shortage of formal, low-cost ways for startups and customers to propose problems, test ideas and jointly solve challenges.

Figure 31

Cyber innovation ecosystems in peer countries

Growing the cyber security sector will require maturing research funding, the innovation ecosystem and investment opportunities

Provide ongoing support and funding for the development of cyber security research hubs that focus research efforts

  • Australia has increased its funding for cyber security research to approximately $64 million over the past three years, a level that is higher than in Singapore and in Canada in absolute terms, and more than in the UK in relative terms.
  • The addition of the Cyber Security CRC has improved the focus of Australia's cyber security research and provided a platform for collaboration between businesses and the research community.
  • However, for Australia to continue building its cyber advantage, it will need multiple research hubs and institutions, each focused on topics of strategic and competitive strength, that can bring together industry and researchers to compete in a global innovation landscape.
  • Stable government funding, along with industry support, will be essential to enable these hubs to grow and mature.

Mature the innovation ecosystem's infrastructure to provide better connectivity

  • The cyber security innovation ecosystem has developed quickly over the past three years with the maturing of AustCyber's programs, the launch of dedicated cyber security accelerator CyRise, the Cyber Security CRC, and new innovation opportunities in critical infrastructure.
  • Survey results also show there is some collaboration in R&D between providers, which indicates the strength of networks within the sector, but there is less evidence of collaboration between providers and customers.
  • For the sector to continue growing, its innovation ecosystem must mature and make stronger connections between technical experts, entrepreneurs, investment finance and customers.
  • A more mature system must help generate more opportunities for startups to test products and services with customers. Better and more frequent connections between startups and customers will ensure new products, services and innovation are customer-oriented.

Facilitate access to seed and early-stage VC through more practical policy supports and improved promotion

  • Debt and equity financing is crucial for any business to build its products and services, expand its customer base and scale its business.
  • While specific programs have unlocked finances, Australian startups access capital at lower rates than startups headquartered in peer economies. Interviews highlighted key barriers such as overcoming the funding gap in the seed and early-series funding stages, and in the scale-up phase.
  • Government support for early-stage funding must better match the needs of startups. Examples include capital contributions, rolling grants and seed funding that allow startups to thrive outside 12-month grant application cycles, as well as low-interest loans for R&D. Traditional tax credit schemes are less helpful for startups as they often make a loss or only break even when first being established.
  • In addition to increasing funding mechanisms, attracting investment in local companies requires showcasing local businesses to build depth and interest in the local market. This will also overcome hurdles for investors that are looking to find high-potential cyber investments in Australia in a highly competitive and globally mobile capital market.

3.2 Market maturity and access

Cyber security demand is maturing

Demand for cyber security products and services is maturing in three key ways. Firstly, consumption of cyber security products and services is spreading into more sectors. Historically, heavily regulated private-sector entities in banking and utilities - and Australian Government defence and national security agencies - treated cyber security as a serious risk. Anecdotally, other sectors saw it as a box to tick within the IT portfolio. But this is changing. Awareness is spreading beyond the ASX 20 through the ASX 200 and to similarly sized private companies about the importance of strong digital protections.

Secondly, companies are better understanding the products and services they require. Across the market, new buyers are realising they need minimum protections, while more established buyers increasingly choose higher-quality products and services.

Finally, companies are increasing their depth of spending on cyber security (see Figure 32).

Several factors drive this maturation in demand:

  • Businesses' own digitisation: as businesses digitise their own products and services and adopt more back-of-house technology, they increasingly realise the threats they can be exposed to.
  • Government regulation: the Australian Government and other industry regulators are mandating stricter minimum cyber security requirements. Globally, this is widely acknowledged as a key driver of demand. Examples include the USA Health Information Privacy Act (HIPA) and National Institute of Standards and Technology (NIST) regulations; the EU General Data Protection Regulation (GDPR); and other breach notification or minimum standard regulations in California, Singapore, Vietnam and the United Arab Emirates. Australian milestones include:
    • the Australian Government's 2020 consultation around expanding Critical Infrastructure and Systems of National Significance regulations in 2021;
    • the Australian Prudential Regulation Authority (APRA) providing cyber security prudential guidance in 2010 before legislating minimum standards in 2019;
    • the Australian Energy Market Operator (AEMO) adopting the Australian Energy Sector Cyber Security Framework in 2018; and
    • the Australian Government's data privacy breach notification laws, introduced in 2018.
  • Broader awareness-raising events: other public events such as the Prime Minister's speeches in 2020 about the rising cyber threat from cybercriminals or malicious state actors; media reporting of significant cyber security incidents at large companies; and more targeted initiatives such as the Australian Cyber Collaboration Centre's briefings and simulation programs for board members, the C-suite and executives.

Cyber providers still express some frustration with the maturity of demand, ranking it the biggest challenge facing the sector. While it may still have some way to go, the factors driving maturity are only likely to increase as businesses transform their operating models and governments regulate to ensure confidence in the resilience of the economy.

Figure 32

Forecast cyber security budget changes FY2021-22

Note: Percentages have been rounded and will not equal 100 per cent. For full analysis, see the CISO Lens Benchmark 2020.

Collaboration between Australian providers is an effective way to boost competitiveness

Australian cyber security is developing a rich network of collaboration, particularly in product and service delivery, and commercial functions such as marketing.

Examples of collaboration include:

  • vertical collaboration where cyber security providers like Kasada build offerings on top of technology platforms like Amazon's cloud systems; and
  • horizontal collaboration between providers that have complementary capabilities and can offer a more holistic solution to customers.

Around 44 per cent of providers work together for service delivery and around 33 per cent partner on product delivery. Around 29 per cent of organisations in the sector work together to save on commercial functions, such as marketing.

This collaboration is characteristic of a sector that is growing quickly and in the process of consolidating and scaling. Collaboration can be a viable strategy for startups to initially add capabilities, save on costs, access more customers and compete in the broader market. However, as the sector matures and successful startups consolidate, this level of collaboration may no longer be necessary and could decrease.

Figure 33

Collaborative arrangements in Australia's cyber sector vs the rest of the economy

Percentage of providers

Survey question: Was your organisation involved in any collaborative arrangements during FY20? If so, what kind?

Sources: AustCyber's Digital Census 2020. Australian Bureau of Statistics (2020), 8167.0 Characteristics of Australian Business, 2018-19: Business collaboration.

However, government procurement remains a significant challenge for younger and smaller providers

Government procurement is widely recognised as a fast-acting, high-impact lever for driving sector growth. However, the Australian Government and state and territory governments continue to make conservative procurement choices that discourage competition and lock out new providers. For example, they often:

  • adopt exclusive tendering approaches such as panels, which are not transparent regarding the type of problem being addressed;
  • have complex and resource-intensive requirements for participation in tenders, including a heavy compliance and paperwork burden;
  • limit market information and competition by withholding the prices and details of contracts awarded; and
  • enforce expensive or time-consuming accreditation processes for the products and services of SMEs.

These policies hamstring local sector growth: only 55 per cent of providers aged between zero and five years are selling to the Australian Government or state or territory governments, compared to 81 per cent of providers aged between 11 and 20 years. This pattern is largely reflected when comparing providers by size: less than 60 per cent of providers with fewer than 20 employees are selling to the Australian Government or state or territory governments, compared to more than 80 per cent of providers with more than 20 people.

Australian governments recognise this, and are beginning to create opportunities for the local sector. Initiatives such as the NSW ICT/Digital Sovereign Procurement Taskforce and AustCyber's GovPitch are designed to facilitate the entry of Australian providers into supplying the public service. However, cyber providers must also play their part by adapting their offerings and proving their value to many governments that are justifiably risk-averse in their buying behaviours.

Procurement by large businesses is comparatively easier, and more providers count large businesses as their customers. However, younger and smaller cyber providers still sell less to large businesses than bigger and more established providers do.

Figure 34

Percentage of providers selling to government and large businesses

Percentage of providers surveyed

Note: Results are only representative of providers that responded to the survey. Large businesses are defined as organisations with more than 200 employees. Government includes state and territory governments, and the Australian Government.

Survey question: Did your organisation provide cyber security products and/or services to any of the following customer groups in the last 12 months?

Source: AustCyber's Digital Census 2020

Building a single brand to showcase shared systems and a united mission

CyberCX has sought to provide local customers an Australian alternative to large multinational providers for complex cyber security services.

Launched in October 2019 and backed by private equity firm BGH Capital, CyberCX has brought together 15 (and counting) independent cyber security service providers over the course of the past year. Some of these providers are well-known Australian names - including Shearwater, CQR, Sense of Security, TSS and Phriendly Phishing.

CyberCX's approach to scaling - by acquiring and consolidating existing providers who have proven capabilities and prior customer bases - means the organisation has been able to develop into a large and competitive provider within a short period of time.

CEO John Paitaridis said, "CyberCX took a structured and deliberate approach to integrate its group of portfolio companies into a single organisation, building shared systems and a united mission, under a single brand".

CyberCX's acquisitions reflect an ambition to unite a complementary set of cyber services. As recently as October this year, CyberCX acquired the publicly listed Cloudten and Decipher Works - who specialise in cloud and identity management, respectively - to meet growing demand around cloud services driven by the COVID-19 pandemic.

"COVID-19 has accelerated enterprises' cloud migration strategies and highlighted the need for robust identity management solutions," said Mr Paitaridis.

Chief Strategy Officer Alastair MacGibbon has signalled that CyberCX will continue to scale further by expanding overseas in 2021. He said, "CyberCX plans to significantly grow our specialised cyber security workforce across the UK and US to deliver end-to-end cyber security services".

One of CyberCX's earliest acquisitions (CQR) had an existing presence across the UK which will help CyberCX scale its presence overseas. The organisation plans to double its cyber security workforce across New Zealand, the UK and US in the next year in an attempt to create a large, globally competitive, Australian cyber services alternative.

Although export performance is very promising for a young sector, cultivating clearer channels to market will help providers compete internationally

Cyber security is an inherently global sector. Because the threat landscape transcends national borders, so do the technological cyber security products and services that protect against those threats. Investment finance and the competitive landscape are also international for these reasons. In a world where threats and competition for cyber protection are global, Australia's sovereign capabilities must be equal to the best in the world.

A promising share (43 per cent) of businesses in Australia's young cyber security sector are already exporting, and the average revenue from exports across all SME cyber providers is around 15 per cent.

Australia's reputation as a highly capable, trustworthy and cost-competitive exporter is a key strength and trade enabler.

The most significant barrier to export is Australia's channels to market. Because Australia's strength is in services, accessing buyers relies on relationships and word of mouth much more than trade fairs. Local businesses need strong credentials and first-reference customers. Government also has a role to play in connecting local businesses to international buyers by leveraging its relationships with other governments and large businesses.

Figure 35

Status of key export enablers

Australia's cyber businesses need a competitive marketplace and support to scale and become globally competitive

Maintain and strengthen the sector's global, export-oriented outlook

  • The Australian sector already has a strong export orientation: 43 per cent of businesses are already exporting and there are trade links across most key markets.
  • Support for companies looking to go global through trade delegations, market research publications, training and introductions to customers has been critical to the success of Australian companies abroad.
  • Maintaining this support in target markets will be vital to the future of Australia's cyber security sector as a globally competitive and world-leading sector. Leveraging government-to-government connections and supporting Australian producers with international standards information and accreditation are two examples of ways to support the global outlook of Australia's cyber security sector.

Support businesses in the sector to mature and scale

  • Over the past five years, the cyber security sector has boomed: 40 per cent of Australian cyber companies have been born since then, and 66 per cent in the last 10 years. The innovation ecosystem is growing.
  • Collaboration in the sector is very high: between 33 per cent and 44 per cent of startups collaborate on product and service delivery; and 29 per cent collaborate to save on back-of-house costs like marketing. This is a valid strategy for startups and SMEs to compete in a sector dominated by large providers while they are still young and establishing.
  • The next stage of development for cyber security providers is to consolidate and scale so they can become mid-tier and large businesses capable of competing with global providers. Two particularly promising opportunities are horizontal mergers between businesses with complementary skills, and vertical integration into technology alliances or through supply chains via secure by design.

Improve the openness and competitiveness of government procurement processes

  • More open and competitive procurement systems will allow local cyber companies to bid competitively and unlock more contracts.
  • While programs such as GovPitch and facilitated offshore business delegations have helped connect some providers with buyers, difficulty securing government and large business customers remains a large barrier for small businesses.
  • Several practical improvements to procurement processes could enhance competition and result in better quality and/or lower-cost products and services. These improvements could include:
    • exempting new providers and technology companies from anti-competitive panel requirements;
    • increasing market information and competition by publicly publishing prices and details of contracts awarded; and
    • increasing fairness of contract terms, including better intellectual property protections and more flexible pricing and commercial conditions.

Support data, privacy and other regulations that bring security and trust to the digital economy

  • The regulatory environment has evolved significantly over the past five years, with notifiable data breaches, encryption legislation and recent announcements on standards and critical infrastructure.
  • Continuing to regulate cyber security will help to maintain trust and confidence in Australia's digital infrastructure and businesses. Regulation helps mature demand and will increase the customer base for Australian cyber solutions. Consultation and co-design with industry and international partners is critical to support global competitiveness and assure the innovation that helps all organisations push back on malicious cyber actors.
  • One area where Australia's regulation is particularly underdeveloped is cyber insurance, which can help manage cyber risk and encourage investments in cyber security.

3.3 Skills and workforce

Since 2018, there has been a sharp increase in cyber security-specific training programs across Australia

Australia's tertiary education system plays a pivotal role in enabling the continued growth of the cyber security sector. Due to its rapid expansion, the sector has historically faced a talent shortage. However, Australian TAFEs and universities are mobilising to address this skills gap, with half of all Australian universities now offering cyber security as a specific degree or a major in information technology (IT) or computer science qualifications. The benefits will take time to flow through to providers, but there are positive signs, with more than 50 per cent of cyber providers surveyed being more confident about the talent pipeline than they were five years ago.

Importantly, there are now over 20 dedicated postgraduate programs (including graduate certificates and graduate diplomas) targeting people who may already have experience in IT or related fields. This is significant as interviews suggest that many Australian cyber security providers experience a shortage of talent at the more senior levels.

Although the rising number of cyber-specific programs is promising, it is vital that student interest in cyber security meets this growing supply. As such, securing the talent pipeline needs to begin in primary and secondary schools. Schools have an important role to play in educating our young people in cyber security skills, and exposing them to the possibility of an exciting career in cyber security. School-level initiatives to grow this interest have also expanded in recent years (see Figure 36).

Figure 36: Cyber security presence in tertiary education

Note: Displayed educational institutions are not exhaustive.

Source: Victorian Skills Gateway, AlphaBeta analysis of cyber security higher education offerings, expert interviews

The increasing availability of cyber security courses and qualifications in the university and vocational education and training (VET) systems is reflected in dramatic growth in course enrolments.

In just a few years, VET enrolments in cyber courses have increased from less than 500 students to around 3,800 in 2019. More than two-thirds of these students are studying at Certificate IV level, with the remainder undertaking a diploma or advanced diploma. Enrolments in undergraduate and postgraduate university courses have also grown rapidly.

Collaborative, industry-led programs have been key to this development, especially in the VET sector. Below are some major VET initiatives:

  • In 2018, Box Hill Institute developed two cyber security training products, funded by industry and supported by AustCyber, and launched the TAFECyber Initiative.
  • In 2020, the AustCyber Projects Fund was used to extend the work of the TAFECyber Consortium of ten TAFE colleges, to coordinate learning resources, training product development and professional development for educators.
  • Also in 2020, TAFE NSW and the NSW Cyber Security Innovation Node, supported by Hewlett Packard Enterprise, launched cyber security mini-modules online to help workers retrain through COVID-19.

While the growth in enrolments has been impressive, maintaining this momentum will be vital. The workforce is forecast to grow by 7,000 workers over the next four years and, factoring in natural attrition, the number of new workers required is likely to be closer to 10,000.

Figure 37: Enrolments in cyber-specific VET and university courses (number of students)

Note: VET system data only includes courses with 'cyber' in the title; VET 'courses on offer' includes both courses and skill sets (two skill sets were introduced in 2019), but institutions offering courses do not include skill sets, and there is no associated enrolment data to identify which registered training organisations deliver the training.

Sources: NCVER DataBuilder (2020), Total VET students and courses: course enrolments, Department of Education, Skills and Employment, University Statistics Section data request (2020), Student enrolments in cyber security, My Skills (2020), Training Provider Search

Building awareness in the classroom to enable the cyber workforce of the future, today

Understanding how our digital world works, how it is designed to protect us and how we can keep our information safe is critical for both adults and children to learn.

The University of Adelaide (UoA)'s Computer Science Education Research Group (CSER Group) have been operating digital technologies programs for Australian teachers since 2014.

"The entire CSER program, which includes eight MOOCs on various technology curriculum related areas, has attracted over 38,000 enrolments," said Dr Rebecca Vivian, CSER Project Lead.

This year, they partnered with AustCyber, CSIRO and Google Australia to develop free, self-paced Massive Open Online Courses (MOOCs) to build primary and secondary teachers' confidence and capacity to integrate the learning of cyber security and awareness into the classroom.

Two new courses - one for primary teachers (K-6) and one for secondary teachers (years 7-10) - contain practical classroom activity ideas and examples of career pathways. Both courses are aligned to the Australian Curriculum (Digital Technologies and ICT Capabilities) and focus areas include data security, encryption, cryptography, networks, information systems and safety, cyber security risks and security measures, and cyber ethics.

"The Cyber Security and Awareness MOOCs for Primary and Secondary Classrooms have been live since mid 2020, with over 770 teachers enrolled to date," said Dr Vivian. "Given there are over 288,000 teachers in Australia, we have many more to reach. Learning about cyber security not only enables students to adopt safe practices in their own use of technology, but importantly, can inspire a future cyber security workforce."

In today's digital world where children are exposed to social media and they consume large amounts of online content at an early age, the need for early and relevant cyber education is crucial. The UoA's MOOCs are an important tool for building cyber awareness. Nurturing cyber literacy amongst school students also helps grow the sector's talent pipeline by highlighting the various pathways available to students.

Over the past three years, there has been significant progress in the availability of cyber security courses and training. This momentum needs to continue to meet the growing demand for cyber security professionals, with the workforce estimated to increase to 33,500 by 2024.

Primary and secondary schools play a crucial role in ensuring this demand is met. If schools can encourage students to consider a career in cyber security, while also building early cyber skills, both the quality and number of students looking to undertake cyber security qualifications will improve.

The University of Adelaide

New training programs and the upcoming launch of Cyberseek Australia ensure key enablers are in place to transition workers

Key enablers to transition workers into the cyber security sector

1. Transferring skills

Are there workers with relevant skills in adjacent industries?

There is a continuing strong supply of high-potential workers with significant skills crossover.

Transferable skills include:

  • IT architecture, IT support, risk monitoring, software programming, application testing, data and pattern analytics, user testing, user experience, project management, strategy development, policy, law, investigations.

Adjacent sectors include:

  • software development;
  • systems engineering;
  • financial and risk analysis;
  • networking; and
  • security intelligence.

2. Attracting talent

Is it attractive for workers to transition from other sectors into cyber security?

Expert interviews suggest that cyber security workers continue to receive a significant wage premium over their IT counterparts.

However, information about cyber security workforce opportunities has been more limited. In early 2021, a new market information tool called Cyberseek Australia will launch with support from AustCyber. It will provide information on:

  • cyber skills demand by region across Australia;
  • qualification and certification requirements for cyber roles;
  • indicative salaries; and
  • transition pathways and role progression.

3. Retraining at speed

Are there clear and accessible pathways to quickly retrain and upskill workers?

The availability and quality of transition programs has significantly increased across Australia over the past few years.

Short-term programs include:

  • 17 Australian universities offering six-month graduate certificates in cyber security;
  • 11 Australian TAFEs offering a 12-month Certificate IV in Cyber Security;
  • independent providers, such as WithYouWithMe and Soldier On, offering training courses to help transition veterans into cyber security; and
  • providers such as SANS, Cisco and the Australian Computer Society offering microcredentials in cyber security, which is a flexible option for rapidly upskilling in cyber.

NICE: A standardised framework to understand what cyber security professionals do

The US National Initiative of Cyber Security Education (NICE), led by the US Department of Commerce, is a partnership between government, academia and the private sector that seeks to improve America's cyber security education, training, and professional development.1 The NICE program could serve as an example for Australia, which has yet to implement a comprehensive set of definitions to classify its cyber security workforce.

A critical part of the NICE program is a standardisation of cyber security roles, based on the skills, knowledge and tasks needed to perform them. By providing such a framework of professional role categories, NICE closes a crucial information gap at a time of a global shortage in cyber security skills. For example, many cyber security roles have not yet been well defined or understood, there is a lack of consistency among cyber training programs, and many potential employees don't know which skills are required in different cyber security jobs.

The NICE Framework enables organisations to identify their cyber security skill needs and assess the aptitude of their existing cyber security workforce. It can also be used to inform hiring practices and offers a common terminology to effectively communicate cyber security needs both internally and with stakeholders. In addition, education and training institutions can use the NICE framework to align their curricula with an accepted standard of cyber security knowledge, skills and abilities.

The NICE Framework is endorsed by AustCyber and is updated regularly to ensure it remains relevant as the nature of the cyber security workforce changes. Education providers and employers, both in the public and private sector, provide key information for the updates, allowing the Framework to continuously serve as a fundamental reference.

The NICE Workforce Framework consists of seven categories of cyber security work:

  • Securely provision: Designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development
  • Operate and maintain: Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security
  • Oversee and govern: Provides leadership, management, direction, or development and advocacy so the organisation may effectively conduct cybersecurity work
  • Protect and defend: Identifies, analyses, and mitigates threats to internal information technology (IT) systems and/or networks
  • Analyse: Performs highly-specialised review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence
  • Collect and operate: Provides specialised denial and deception operations and collection of cybersecurity information that may be used to develop intelligence
  • Investigate: Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence

These categories are further divided into 32 specialty areas, 52 work roles and hundreds of tasks, skills, knowledge and abilities.

Cyber security teaching and resources are increasingly accessible to secondary school students

Figure 39: Timeline of cyber security programs in schools

Providers in NSW and Victoria are confident they can hire the workers they need, but those in other states are less positive

Overall, most providers report that they have more confidence in the skills system and their ability to hire the workers they need compared to five years ago.

Survey data shows that providers in NSW and Victoria feel more confident compared to providers in other states, and small providers are more confident than large ones.

Providers anecdotally report that the skills shortage is moving towards non-technical skills. These include leadership skills; communication skills, especially in relation to helping providers get through to corporate boards and the C-suite; and commercial skills such as marketing and operations. The latter is especially valued among startups.

Figure 40: Provider confidence in ability to access skills they need compared to five years ago

Much more can be done to improve diversity and inclusion in the cyber workforce

The Australian cyber security workforce is roughly 73 per cent male and 27 per cent female. Anecdotally, the gender distribution in the sector has improved over the past five years, but interviewees and survey respondents still point to an unequal education pipeline, and cultural and workplace issues that act as barriers to a more diverse and inclusive workforce.

Having a more diverse and inclusive workforce brings many benefits. At a company level, diversity and inclusion is associated with higher revenue, a greater ability to attract and retain staff, and an enhanced reputation. Sector-wide, it is correlated with higher productivity and growth, and resilience to economic downturns. Companies that are more inclusive are more competitive. Additionally, anecdotal evidence shows they have been more resilient to COVID-19's negative effects and more capable of capturing its opportunities.

Below are ways to improve the diversity and inclusion of the cyber security workforce:

  • Talk about cyber security in a more accessible way: cyber security is a critical enabler for the economy, but much of the conversation around it relies on jargon that a layperson may find hard to understand. This contributes to unhelpful stereotypes of the sector such as 'hackers in hoodies' who work alone in dark rooms. The reality is that modern cyber security is a whole-of-economy endeavour that relies on a broad range of skill sets.
  • Give women leaders in cyber security a platform: making the presence of women leaders in the sector more prominent will help promote cyber security as a career to more women.
  • Support and connect women in the cyber security workforce: making concerted efforts to support women entering or already in the industry by facilitating networking, mentoring and community-building opportunities will help to grow the female cyber security workforce.
  • Broaden outreach efforts to discover talent: facilitating work experience (for example, by providing secondary school and tertiary work experience, internships and apprenticeships) for a wide variety of potential workers who are not in computer science will attract interest in entering the sector among a more diverse range of people. Work experience opportunities can help to bridge the gap for under-represented groups, increasing participation among people of different ages, genders and neurodiversity, and First Nations people.
  • Ensure recruitment and workforce development processes are relevant and effective: implementing recruitment models that seek talent in under-represented groups, improving business cultures, and directing the attention of leaders to diversity issues will help the sector find talented workers who are currently overlooked.

Survey questions: What was the demographic make-up of your workforce in FY20? Please describe how AustCyber can assist the sector to boost women's participation in the cyber security workforce?

Sources: AustCyber's Digital Census 2020. Australian Government, Workforce Gender Equality Agency (2018), The Business Case for Gender Equality.

Figure 41: Average female staff by company age, 2020 (%)

Survey question: What was the demographic make-up of your workforce in FY20?

Sources: AustCyber's Digital Census 2020. Australian Bureau of Statistics (2020), Labour Force Survey, Quarterly, August 2020, Table 06, Information, Media & Telecommunications sector; EQ08 for following Australian and New Zealand Standard Classification of Occupations' four-digit occupations: 1351, 2232, 2252, 2600, 2610, 2611, 2612, 2613, 2621, 2630, 2631, 2632, 3100, 3130, 3131, 6212. Available here.

Figure 42: Cyber security workforce by gender, 2020 (%)

Growing and diversifying Australia's cyber security talent pipeline and upskilling our leaders will ensure a strong sector and economy

Maintain momentum on growing the cyber security skills pipeline

  • Over the past three years, the availability of cyber security courses and training has significantly grown, and programs to attract top talent and create vibrant professional development pathways have dramatically expanded the cyber talent pipeline. The introduction of the VET curriculum has been a significant milestone for cyber security skills in Australia.
  • However, the pipeline needs to continue to expand to meet the sector's - and the economy's - growth needs. The workforce is estimated to increase to 33,500 by 2024, with around 7,000 workers requiring training over the next four years.
  • Maintaining and broadening efforts to attract and train workers in cyber security expertise will ensure the future quality of Australia's cyber workforce, especially as the short-term supply of skilled migrants will be limited due to the COVID-19 pandemic.

Lift the cyber security literacy of our leaders and the broader technology workforce

  • While the skills base of the sector has measurably improved in recent years, the next phase of cyber skills development requires training to improve the cyber security literacy of leaders and all technology workers.
  • Improving the cyber security literacy of leaders across business, government and the community will ensure an appropriate understanding of cyber security risks and related key behaviours. The Australian Institute of Company Directors' efforts to educate directors have demonstrated how this can be undertaken.
  • The Skills for Australia program, run by PwC Australia, has created cross-disciplinary VET units that have produced curriculum tools to lift knowledge. These units need to be placed in VET programs, and universities need to make similar efforts to provide cross-disciplinary cyber units of study across technology and related courses.
  • Further educating all business leaders and technology workers in cyber security and emerging technologies such as AI and quantum computing is vitally important for securing Australia's digital future.

Transform the workforce to capture the benefits of diversity and inclusion

  • While the workforce has rapidly grown, diversity remains a persistent challenge, with women comprising around one-quarter of the cyber security workforce.
  • Accelerating the presence of female, non-binary, neurodiverse and First Nations people's expertise in cyber security will help to plug workforce shortfalls and ensure the best and brightest take up opportunities in the sector.
  • Initiatives to support women entering and already in the industry are vital. Encouraging and incentivising women to pursue cyber security training will boost the pipeline of female talent. Leaders within the sector should also prioritise growing their pipelines of talent by making them more diverse.
  1. University of Bristol (2020), The Future of the UK's Cyber Security Research Position in the World. Available at: https://www.imperial.ac.uk/news/202413/the-future-uks-cyber-security-research/
  2. Lim, G C Chua, C L and V H Nguyen (2013), Review of the Australian Economy 2012-13: A tale of two relativities, Australian Economic Review, 46(1). pp1-13
  3. Survey question: When was your organisation established?
  4. Australian Bureau of Statistics (2020) 8165.0 Counts of Australian Businesses, including Entries and Exits, Jun 2011 to Jun 2015 and Jun 2015 to Jun 2019. Table 1: Businesses by Industry Division. Available at: https://www.abs.gov.au/statistics/economy/business-indicators/counts-australian-businesses-including-entries-and-exits/latest-release
  5. Australian Bureau of Statistics (2020) 8165.0 Counts of Australian Businesses, including Entries and Exits, Jun 2011 to Jun 2015 and Jun 2015 to Jun 2019. Table 1: Businesses by Industry Division. Available at: https://www.abs.gov.au/statistics/economy/business-indicators/counts-australian-businesses-including-entries-and-exits/latest-release
  6. 2020 includes funding rounds up to October 2020
  7. This number only includes fully dedicated cyber providers who list their primary HQ in Australia. It does not include providers who offer cyber as one part of a larger offering
  8. Lloyds Bank (2019), Commercial Banking Financial Institutions Sentiment Survey 2019. Available at: https://www.lloydsbankinggroup.com/Media/Press-Releases/2019-press-releases/lloyds-bank/financial-institution-2019-survey/
  9. Prime Minister of Australia's office (2020), Statement on malicious cyber activity against Australian networks, Australia's 2020 cyber security strategy. Available at: https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks
  10. For the economy-wide result, 'Service delivery', 'Product delivery' and 'Consortia project opportunity' are proxied with 'Joint production of goods and services'
  11. For the economy-wide result, 'Service delivery', 'Product delivery' and 'Consortia project opportunity' are proxied with 'Joint production of goods and services'
  12. For the economy-wide result, 'Service development' is proxied with 'Integrated supply chains'
  13. For the economy-wide result, 'Consortia contract opportunity' is proxied with 'Joint buying'
  14. For the economy-wide result, 'Service delivery', 'Product delivery' and 'Consortia project opportunity' are proxied with 'Joint production of goods and services'
  15. ARN (20 October 2020), CyberCX forks over $25M to buy Cloudten and Decipher Works
  16. Source: National Initiative for Cybersecurity Education (NICE). NICE Cybersecurity Workforce Framework. Available at: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework