Australia's Cyber Security

Sector Competitiveness Plan

EXECUTIVE SUMMARY

Cyber security is emerging as one of Australia’s most promising growth sectors

A surge in demand for cyber security products and services globally – driven by the growing need of organisations to protect their digital assets and databases from malicious activity – bodes well for Australian security companies.

Market trends point to tremendous economic opportunity. Global annual spending on cyber security increased by 7.4 per cent to US$131 billion in 2017 and is expected to remain robust in coming years. The outlook for cyber security spending in the Indo‑Pacific region, which includes Australia’s immediate Asia‑Pacific neighbour states as well as China and India, is particularly strong. Australia’s innovative cyber security companies are gaining respect and success both at home and in international markets.

Cyber security is not only a dynamic sector offering a new source of economic growth and prosperity to Australia, it is also an enabler of growth through digital transformation in every sector of the economy. As businesses rely on the confidentiality and integrity of digital information, a strong domestic cyber security sector is critical for Australia’s competitiveness and international reputation as a trusted place to do business, and for the nation’s continued economic growth.

Australia is an ideal growth environment for cyber businesses

Australia’s cyber security sector has a strong reputation internationally. Australia ranks as the world’s seventh most committed cyber security country , according to the International Telecommunication Union’s 2017 Global Cybersecurity Index. Australia’s ‘cyber maturity’ is the second highest in the Indo‑Pacific, according to an annual survey by the Australian Strategic Policy Institute, which assesses how well governments worldwide invest in cyber security policies and legislative structures, business and digital economic strength, responses to financial cybercrime, military organisation, and social cyber awareness. The Global Open Data Index also ranks Australia second in the world for policies that support cyber security and allow government data to be openly available to the public.

Australia offers an ideal growth environment for cyber businesses, thanks to strengths in core research areas like quantum computation, wireless technology, trustworthy systems and niche high-value hardware. Further drawcards for investment include Australia’s large services economy, quality education system, sound governance settings, economic stability, low sovereign risk and high living standards. The proximity to the fast-growing and increasingly digitised Indo-Pacific region adds to Australia’s natural advantages.

These existing strengths put Australia in a favourable position to develop a vibrant and globally competitive cyber security sector. Economic analysis shows the sector has the potential to almost triple in size in coming years, with revenues soaring from just over A$2 billion in 2016 to A$6 billion by 2026.

To seize the extensive opportunity, Australia needs to act urgently

Several hurdles are making it difficult for Australia to fully exploit existing advantages and develop a sizeable world-class cyber security sector. To harness the enormous opportunity in cyber, Australia must address the skills shortage, focus efforts in research and development, improve the environment for incubating startups, and work to enhance access to global markets. Australian industry more broadly must reach a state where all businesses demonstrate sophisticated, robust and resilient cyber security culture. This will require a shift in mindset for decision makers within these businesses, as well as across the entire spectrum of employees and suppliers. More organisations will identify the value in investing in and supporting cyber capability when they view cyber security as about more than reducing risk, and understand its role underpinning economic growth.

Key findings

Tackling the cyber security skills shortage

New research, undertaken exclusively for this updated Sector Competitiveness Plan, draws on a range of job market data showing that the skills shortage in Australia’s cyber security sector is more severe than initially estimated and is already producing real economic costs.

Australia may need almost 18,000 additional cyber security workers by 2026 for sector to harnesses its full growth potential. The workforce shortfall has significant economic consequences. In 2017, the domestic cyber security sector is estimated to have forfeited up to $405 million in revenue, which companies could have generated if they had been able to find enough cyber security workers to fill existing vacancies.

The good news is education providers have sprung into action over the past year to cater for the growing demand for cyber security talent in Australia. Approximately half of all universities in Australia are now offering cyber security as a specific degree or as a major in IT or computer science degrees. The vocational education and training sector is increasing its emphasis on cyber security education. Leading TAFEs around the country joined forces in late 2017, coordinated by AustCyber, to play a greater role in providing nationally consistent cyber security training.

Together, these new cyber-specific degrees, certificates and diploma level courses will have a strong positive impact on Australia’s future cyber security workforce. It is expected that the number of cyber graduates could quadruple from around 500 per year in 2017 to about 2,000 a year in 2026, based on the current course offerings by cyber security education providers.

However, this still leaves a significant shortfall of workers in the medium-term. Analysis for this Sector Competitiveness Plan shows there are risks to this mobilisation in the education system, and more action is required.

Australia needs to nurture early interest in cyber security to attract the best and brightest to the sector, continue to ramp up cyber security education and training, create industry-led professional development pathways. We also need to help workers with related skills transition from the wider IT sector and other industries into the diverse range of cyber security technical and non-technical work roles required by employers.

More details are in the Spotlight on Australia’s cyber security skills shortage below.

Overcoming the research and development challenge

Australia continues to demonstrate excellent and world-leading cyber security research capability. However, there are signs that its system of research and commercialisation is less efficient than in other leading cyber security nations such as the US and Israel.

Scattered public funding for cyber security research and development weakens Australia’s ability to lead on innovation. Limited collaboration between the research community and the private sector further undermines the commercialisation of basic research ideas into marketable solutions.

In 2017 the Australian Government acknowledged that cyber security is a strategic priority and invested $50 million over seven years into a new industry-led Replace with Cyber Security Collaborative Research Centre (Cyber Security CRC). The Government funding adds to almost $90 million from a consortium of 25 industry, research and government partners, and will be critical to strengthening Australia’s cyber security research and development capabilities.

The Australian Research Council has also incorporated cyber security into its funding priorities for the Industrial Transformation Research Program. The scheme is intended to fund research hubs and research training centres. It also helps students in Higher Degree by Research and postdoctoral programs to gain practical skills and experience through placement in industry.

AustCyber’s Projects Fund provides a further $15 million over three years to finance industry-led projects aligned to the Knowledge Priorities outlined in this document. It encourages businesses to collaborate with academics to seed ecosystem-wide outcomes.

Australia needs to continue to improve research focus and collaboration to assist commercialisation – replacing the scattered approach to public research and development funding with a more targeted strategy that plays to Australia’s strengths – and make access to seed and early-stage venture capital easier.

Removing market barriers for small Australian cyber security companies

Australia is home to a growing number of globally successful cyber security companies. These companies have proven their ability to develop and commercialise innovative cyber security products and services. Yet many others, particularly startups, continue to face barriers to growth. They often lack the business acumen, established credibility and scale to win key contracts with large industry or government customers in Australia and abroad.

In 2017 AustCyber launched a new platform, GovPitch, where small businesses can present innovative cyber security ideas directly to public sector officials. The initiative is designed to help startups gain anchor customers and grow quickly by providing an alternative procurement pathway.

To better connect small businesses to the Chief Information Security Officers (CISOs) of ASX-listed companies, AustCyber and CISO Lens partnered on a new program called Sky’s the Limit.

Australia needs to continue efforts to help startups find their first customers, including analysing barriers and risks to government agencies and established businesses working with startups, promoting partnerships, providing coaching, showcasing Australian cyber security products and services to potential customers, and simplifying procurement processes.

An action plan to position Australia as a world-leading cyber security nation

The Sector Competitiveness Plan sets out strategies and actions that Australian governments, the private sector, training and research institutions, and AustCyber can undertake to ignite growth in Australia’s cyber security sector. Figure 1 provides an overview of the key elements of the Sector Competitiveness Plan.

Figure 1

figure 1

SPOTLIGHT ON… Australia’s cyber security skills shortage

This updated Sector Competitiveness Plan brings Australia’s cyber security skills shortage into sharper focus. New analysis of latest developments in the job market and education system paints a more accurate and detailed picture of the shape of the cyber security workforce and the skills shortage affecting the sector. The analysis – undertaken specifically for this plan – also highlights which actions are needed to unlock workforce growth.

The Australian cyber security workforce is large and increasingly diverse…

There are now around 19,500 cyber security professionals in Australia, across a wide range of different jobs. Using the US National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, these roles can be grouped into seven categories, ranging from cyber investigation (around 2 per cent) to operation and maintenance of IT security systems (around 21 per cent). A growing number of these roles are non-technical and require multidisciplinary skills from law, communications and psychology.

…but the skills shortage in the Australian cyber security sector is real and more severe than previously thought.

The detailed analysis of job market metrics undertaken for this plan reveals the sector may be short of 2,300 workers today, costing more than $400 million in lost revenues and wages. With strong demand forecasts, the pressure is unlikely to ease soon. The latest assessment indicates Australia may need up to 17,600 additional cyber security workers by 2026 to fill this gap and enable the sector to meet its potential.

The education system is responding effectively…

More than half of Australia’s universities offer cyber security qualifications, and many others teach cyber courses. TAFE colleges across the country are launching new standardised cyber security programs. Graduate numbers are rising and could reach around 2,000 annually by 2026.

…however, serious risks could slow this mobilisation.

Many universities and TAFEs are struggling to compete with the private sector to attract and retain teaching staff. Education providers need to keep attracting demand from the best and brightest students. High schools could help increase awareness of this career path by incorporating cyber security more strongly as a subject in their curricula. New cyber security courses should be industry-focused and include opportunities for work-integrated learning, such as apprenticeships, to truly prepare students for jobs.

If these risks can be addressed, the long-term outlook is encouraging.

Australia’s education system could produce enough cyber security graduates by 2026 to fill the skills shortage and meet growing demand, if the momentum built over the last few years is maintained. However, that still leaves a significant shortfall of workers in the medium-term.

To fill the medium-term gap, the sector needs to offer more transition pathways for workers to move from the general IT sector and other industries into cyber security roles. There are more than 250,000 workers in the IT sector who could easily move into similar roles in cyber security. However, the transition is too reliant on large employers. Opening up pathways for workers to independently transition, through better information about cyber careers and access to more low-cost training places, can improve that flow.

19,500 cyber security professionals in Australia

2,300 shortfall costing $400 million

17,600 more workers needed by 2026

More graduates may fill long-term gap

More transition pathways from other sectors needed to fill medium-term gap

Footnotes

  1. Australian Government Department of Industry, Innovation and Science (2017), Industry Growth Centres. Available at: https://industry.gov.au/industry/Industry-Growth-Centres/Documents/Industry-Growth-Centres-Overview.pdf.
  2. International Telecommunication Union (2017). Global Cybersecurity Index (GCI) 2017. Available at: https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf.
  3. Australian Strategic Policy Institute (2017). Cyber maturity in the Asia-Pacific Region 2017. Available at: https://www.aspi.org.au/report/cyber-maturity-asia-pacific-region-2017.
  4. Open knowledge international (2017). Global Open Data Index - Australia. Available at: https://index.okfn.org/place/au.
  5. Australian Cyber Security Growth Network (2017). Cyber Security Sector Competitiveness Plan.

Plan at a glance

VIEW

Executive summary

VIEW

Global outlook

VIEW

Growth opportunities for Australia

VIEW

Challenges to sector growth

VIEW

Building a competitive sector

VIEW

More about AustCyber

VIEW

Additional information

VIEW