The Australian Cyber Security Profession is Broken

Significant challenges in uplifting cybersecurity resilience will remain until the Australian cybersecurity workforce sector is regulated like other industries and professions.

It is often said by long-term cybersecurity practitioners that in order to solve the 'wicked problem ' that is cybersecurity, organisations need to consider three distinct (but highly interrelated) areas - people, process and technology.

Despite this rather uncontentious perspective, contemporary organisations will typically see cybersecurity as a technology problem first and foremost. Consider situations where organisations keep having cybersecurity incidents? Well, they will almost always throw some more tech at the problem to try to resolve it. Some more issues? Let's add a couple of more boxes with flashing lights. So on and so on until they are left with an unwieldly technology stack of things that are hugely problematic to manage.

You would think that all this tech would have solved the problem, right? Well ... no. Statistics keep illustrating that cybersecurity breaches often happen as a result of human error - be it accidental or deliberate. In fact, according to the Office of the Australian Information Commissioner , 96% of data breaches result either as a result of human error or deliberate (and malicious) human activity (the 2023 Jan/June report is available here ).

We know that human factors cause almost all cyber-related breaches. Logic dictates that solving the cyber challenge rests not in more and more tech, but in ensuring that the people who work in the sector are knowledgeable, skilled, experienced and educated enough to work in the cybersecurity sector - and that they can follow the appropriate processes to prevent, detect, respond, recover and remediate cybersecurity risks.

Given that cybercrime is projected to become a $10 TRILLION black hole of criminal activity by 2025, you would be forgiven for thinking that cybersecurity practitioners belong to a professionalised industry governed by a code of practice, code of ethics, minimum acceptable levels of competency and a requirement to keep your knowledge, skills, and experience fresh, the same way doctors, lawyers, engineers, accountants, nurses, allied healthcare professionals the trades and pretty much every single industry outside of IT is?

Well, what I am about to tell you may come as a bit of a shock to the system.

The Australian cybersecurity workforce today is completely unregulated.

It often astounds people when they learn that there are no industry-wide professional standards for cyber security practitioners that are formally recognised by any Australian regulatory body or government entity.

'What do you mean, Tony? Are you seriously trying to tell me that anyone can claim to be a cybersecurity professional? That there are no barriers to entry and that it effectively falls on the bullshit detector of an employer to determine if an individual claiming to be a cybersecurity professional is actually legit?'

Yes. Yes, that's right.

I was recently speaking with one my friends in the legal space about cyber skills. While we were speaking, I shared with them the fact that in the world of cybersecurity, there is absolutely nothing preventing an individual who has never used a computer from legally referring to themselves as a 'cybersecurity professional'. At first, my lawyer friend was speechless. Once they understood the full ramification of what I had just revealed, they replied with

'I find it absolutely insane that there are no professional standards for the cyber security sector today'.

Coming from a highly regulated profession with a clearly defined pathway for all practicing solicitors and barristers to undergo, this individual was incredulous that for persons who are working and protecting vast amounts of sensitive information, there was no such defined pathway for individuals to appropriately claim that they truly can refer to themselves as 'professionals' in this field.

Of course, this is a subject matter in which a Japanese government minister responsible for cyber security once proclaimed that he had 'never used a computer'. Maybe these things happen.

Surprise leads to harm

I have had similar conversations with individuals in other well-established professions. Accountants. Engineers. The trades such as electricians, plumbers and painters. There is always surprise.

A few of these non-cyber professionals, possessing the insight that you often have when you are not immersed in cyber security 24/7, have come back to me about a lack of professionalisation in the cyber workforce with insightful comments such as 'well, at least we know why there are all these data breaches all the time'.

The 'Wild West' never ended; it just went online...

They certainly have a point.

Professionalising the cyber security sector to bring it in line with almost all other industries makes sense.

There has been some discussion around professionalisation in the cybersecurity space; why we need it; what it could look like and why it's important for national security and even national stability.

While the vast majority of industry players in the space, including government, IT industry bodies and the academic sector have recognised that the current laissez-faire approach is not an option going forward, a handful of vocal dissidents have popped up - including a large association of cyber security practitioners, enthusiasts and students that professes to act on behalf of the industry as a 'peak industry body'.

Such dissenters have voiced 'concern' that any professionalisation scheme:

• could serve as a 'barrier to entry'
• could 'worsen diversity'
• could 'drive up resourcing costs'
• will incur costs for individuals who might want to seek professional status.

At an individual level, the most common objection I hear isn't really an objection at all. It's a perspective wrapped up in the form of a question. I get asked: 'what's the problem you are trying to solve when you tell me we need to professionalise the profession?'.

My instinctual reaction when I hear these objections is to roll my eyes and wonder which so-called 'industry luminary' the person asking the question is parroting. But rather than go with instinct and yell 'bullshit', I am going to tackle each of these, one by one.

Let's begin.

Objection 1: 'Professionalisation will create a barrier to entry into cybersecurity'

I'll address this statement head on and in the clearest and most direct way possible.

The claim that any government-recognised or endorsed professionalisation scheme will act as a barrier to entry into the cybersecurity field is both categorically FALSE and based on ZERO evidence.

Let me elaborate.

No one promoting professionalisation is looking to prevent any individual from seeking a gainful career in cybersecurity. In fact, proponents of professionalisation know that we NEED more people in the field. Study after study after study shows there is a skills shortage in the sector.

However, every individual I am working with who supports some level of professionalisation strongly believes that any individual referring to themselves as a 'cyber security professional' should have an adequately assessed level and independently accredited level of knowledge, skills, experience, competency and should meet an industry code of conduct and code of ethics. Additionally, levels of competency should remain current.

This might sound like a big list. However, it's no different to the expectation most people hold of any other recognised profession. We all want the pilot flying the aircraft we are on to be an accredited pilot. We all want the doctor performing surgery on us to be accredited doctors. We all want the electrician doing electrical work on our homes to be an accredited electrician. Ditto for plumbers, builders, engineers, nurses, teachers, lawyers and so on.

Some refer to accreditation as a 'barrier of entry'. This characterisation is false, misleading and disingenuous. You know what we can call it, though - a minimum level of professional standards that should be expected of any individual in any industry looking to call themselves a 'professional' in that industry.

Objection 2: 'Professionalisation will worsen diversity in cybersecurity'.

This claim is, frankly speaking, as misinformed as it is ridiculous.

The claim that professionalisation will 'worsen diversity' is a red herring designed to distract support away from any support by well-intentioned and well-meaning individuals who are working extraordinarily hard to ensure that the cyber profession reflects modern and contemporary Australia in terms of gender, racial, cultural and demographic diversity.

The cyber security sector already suffers from chronically low levels of diversity today, in an environment where professionalisation does not exist. Female participation languishes somewhere between 15 and 30 percent, depending on the study and the methodology used. These claims that professionalisation could lead to worsening in diversity have no credibility.

In fact, I would argue the opposite - having an official professionalisation scheme sponsored by government, accepted by industry and aligned to by academia would provide aspiring cyber professionals certainty as to what is required to be considered a 'professional', regardless of background. In fact, many women in cybersecurity report that they are discriminated against by men who have often directed disparaging and/or untrue comments about their experience. Such a scheme would be useful to dispel and demolish any such arguments that backward looking individuals in this sector could have about the experience required for cybersecurity professionals to call themselves that.

Objection 3: Professionalisation will 'drive up costs'

This assertion is an interesting one. The argument held by supporters of this belief centre on the reasoning that if you implement a professionalisation scheme, this will result in costs associated with attaining and retaining a professional designation.

The short answer to this is 'well, duh!'. However, I wouldn't be doing myself any justice if I didn't explain this a bit further.

Let's explore why 'driving up costs' may not be that big a concern for individuals or employers.

1. There are already a multitude of so-called 'cyber security courses' out in the market charging insane amounts of money with no backing in any standards-based approaches except for very slick marketing campaigns. A neighbour, considering a career in cybersecurity balked at the $14,000 cost of a 6-week course, a ridiculously insane amount of money that was being charged by a private provider which is ostensibly connected to a university. So, they decided not to pursue this avenue. It took a conversation and some education on my part on the multitude of low cost and standards-based resources available. Incidentally, the course my neighbour had investigated (and is now constantly getting hounded over by the provider to sign up for) is one of many, which commercial outfits calling themselves 'education providers' are flogging off with minimal to no industry recognition or value. If anything, professionalisation will drive down costs on this fact alone.
2. Salaries and remuneration in the cybersecurity sector already feature in the top 10 list of occupations by salary - convince me that charging $100-$350 a year for a professionalisation scheme will change this.
3. As described earlier, sectors which do have a professionalisation scheme, by and large, are no more or less 'costly' than others. Consider the average salary paid to registered nurses (between $80-90K), which have a stringent accreditation scheme and on the grand scheme of social importance, is an occupation that is hugely vital for the well-being of everyday Australians. The same for countless other professions which are regulated.

Again, I would argue that a lack of professionalisation is in fact what drives up cost. Have you ever had to get involved in remediating a cyber incident after an individual or company holding themselves out as 'a cyber security company' has and has completely botched the process? Have you ever had to argue with an IT guy that cameras and corporate devices should not be on the same logical network and been called an 'idiot' for saying that? I have. I can also tell you that their clients are the ones who paid the price. The individuals concerned just end up finding another account to sell things to - rinse and repeat (with minimal to no recourse for the client).

A viable proposal to professionalise the Australian cyber security sector exists.

Professionalisation is an area which I have been involved with for 5+ years. In my previous role as the Director of Advocacy at ISC2, one of my roles was to devise a proposed professionalisation model for the U.K. cybersecurity workforce, based on the U.K. chartered accounting model. This lengthy paper contributed to the formation of the U.K. Cybersecurity Council who have now developed a formal professional registration scheme for the U.K. cyber security sector.

Following the work I undertook for the U.K. ecosystem, I developed a proposal for a scheme to professionalise the Australian cybersecurity sector in collaboration with Professor Jill Slay. This proposal incorporated concepts devised for the U.K. scheme such as internationally accepted ISO-standards based recognition, incorporating considerations and attributes required for an Australian context.

It was on the back of the proposal that Jill and I developed that the federal government funded Australian Cyber Professionalisation Program was established. Phase 1 of this work was completed earlier in 2023. There is no doubt that with the pending arrival of the Federal Government 2030 Cybersecurity Strategy will consider this issue.

What can you do to assist?

It is in the personal and commercial interests of every single Australian cyber security practitioner and business to push to professionalise the industry. Professionalisation creates trust and confidence in our sector and gives the broader Australian business ecosystem the confidence to know that the cyber industry is operating responsibly, ethically and maturely.

I encourage you to push for a standards-based professionalisation scheme for cybersecurity professionals by doing the following:

• Let the Federal Government know you want to see professional standards in the cybersecurity ecosystem in any cybersecurity, privacy or risk management discussion papers released by Federal Government departments such as Home Affairs and DISR.
• Tell the board of directors at the Australian Information Security Association , an association that is purportedly seeking to advance the interests of the Australian security profession, that it needs to do a lot more in advocating for a professional standards scheme. AISA's own members agree in the majority that they want to see professional standards in cyber, yet it would appear the AISA board are functioning as a significant roadblock in this when AISA chose to withdraw from the ACSP.
• Educate the company you work with that a lack of professional standards in cybersecurity is a problem is significantly contributing to the deep skills and competency shortages we have in the sector.

In Conclusion

A lack of professional standards in the cybersecurity sector will continue to be problematic for the Australian economy. Developing and implementing a government-endorsed and promoted professionalisation scheme will go a long way to uplifting professional standards in the cybersecurity sector, address the skills and competency shortage in the sector, boost national resilience to cybersecurity threats and ensuring a safer and more cyber secure Australia.

Important Note

This article represents the views and opinions of myself as an individual and does not represent the views of any entity I am associated, affiliated or employed by.