How the Y2K 'Millennium Bug' Taught Me to Speak Up, and why History Repeats in the Cyber Security Professionalisation Debate.

I read a meme recently that said that the year 2050 is closer to us than the year 2000 was. This gave me pause to think back about how far technology has come, and how far it will probably go in the next 25 years.

It also made me think back to 2000, when I was halfway through a computer science degree. And it reminded me of the Millennium Bug, or 'Y2K'.

I know that many of you who follow me were either very young at the time or not yet a twinkle in your parents' eyes. So I’ll give you a bit of history here to help you understand what was going on around then.

What was the Millennium Bug?

In the years leading up to the year 2000, the tech world became obsessed with 'Y2K' and the so-called ‘Millennium Bug’. Companies scrambled to patch systems, governments braced for potential chaos, and a real and present sense of doom coloured every discussion about the future of digital technology. For those who remember it, the fear was palpable: headlines screamed of planes falling from the sky, power grids failing, and financial systems crumbling.

Yet, amid the rising tide of panic, there were voices urging calm, suggesting that the problem, while real, might be more manageable than feared. As a third-year undergraduate computer science student in 1999, I found myself writing one such article. While I had been using computers since I was 8, I was only just starting to grasp the intricacies of computing at a binary level. I spent countless nights in the university’s computer lab, learning programming languages, studying software design and, of course, absorbing the details of how systems stored and processed data.


Courtesy: Sky News UK (the good ones, not the nutters).

The Y2K issue, fundamentally, was simple enough for even a first-year student to understand: a vast number of older systems represented years with only two digits. “99” would be followed by “00,” and computers would think it was 1900 instead of 2000. The implications could be serious, especially in legacy systems that controlled critical infrastructure. And like always, the narrative quickly spun out of control.
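To make the two-digit-year failure concrete, here is an added Python illustration (not code from the original article) of the defect described above beside the pivot-year "windowing" fix that many remediation teams applied at the time; the YYMMDD record layout, the pivot value and the sample dates are constructed for the example.

```python
"""Two-digit years: the Y2K defect, and the 'windowing' fix.

Added illustration, not code from the original article.  The YYMMDD
record layout, the pivot year and the sample dates are constructed.
"""
from datetime import date


def parse_yymmdd_naive(record: str) -> date:
    """Pre-remediation logic: every two-digit year is assumed to be 19YY.

    This is the Y2K bug in one line: '00' becomes 1900, not 2000.
    """
    yy, mm, dd = int(record[0:2]), int(record[2:4]), int(record[4:6])
    return date(1900 + yy, mm, dd)


def parse_yymmdd_windowed(record: str, pivot: int = 50) -> date:
    """Remediated logic using a pivot-year window, a common Y2K fix.

    Two-digit years at or above the pivot are read as 19YY, the rest
    as 20YY.  The stored file format is untouched, which is why
    windowing was cheaper than widening every date field to four digits.
    """
    yy, mm, dd = int(record[0:2]), int(record[2:4]), int(record[4:6])
    century = 1900 if yy >= pivot else 2000
    return date(century + yy, mm, dd)


def days_elapsed(opened: str, today: str, parser) -> int:
    """Age of a record in days, e.g. for interest or expiry calculations."""
    return (parser(today) - parser(opened)).days


def rollover_preserves_order(parser, before: str = "991231",
                             after: str = "000101") -> bool:
    """The 'set the clock forward' check: 1 Jan 2000 must sort after
    31 Dec 1999.  A parser that fails this is not Y2K compliant."""
    return parser(after) > parser(before)


# Constructed sample: an account opened on 15 Dec 1998, checked on
# 1 Jan 2000.  The correct age is 382 days; the naive parser returns
# a large negative number because it reads "00" as 1900.
OPENED = "981215"
CHECKED = "000101"

if __name__ == "__main__":
    for name, parser in (("naive", parse_yymmdd_naive),
                         ("windowed", parse_yymmdd_windowed)):
        print(f"{name:9s} age={days_elapsed(OPENED, CHECKED, parser):7d} days  "
              f"rollover ok={rollover_preserves_order(parser)}")
    # Caveat: windowing defers the cliff rather than removing it.  With
    # pivot=50, '49' means 2049, so the same failure is due again in 2050.
    print("windowed '491231' ->", parse_yymmdd_windowed("491231"))
```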

My university, like many institutions, had Y2K remediation teams, and teachers and lecturers spoke on the issue regularly. Students were encouraged to discuss the topic in class and consider the potential impacts on their future careers. But as I dug deeper into the problem, reading both technical documentation and mainstream media accounts, a pattern started to emerge. The technical explanations often outlined straightforward fixes: code audits, software patches and, at the most extreme (but almost never), replacing non-compliant systems. The media and many industry figures, by contrast, painted a much darker picture, one where the Y2K bug wasn’t a manageable technical hiccup but an existential threat to the modern world.

Writing my first thought leadership piece.

It was this disconnect that inspired me to write an article. My article, which I published via one of the early university-hosted systems and shared online, sought to bridge the gap between the technical reality and the growing hysteria. I remember feeling that, given I was in the fortunate situation of learning the ins and outs of computers and IT, I had a duty to use my knowledge to quell some of the fears that were being propagated. Family and friends were genuinely concerned at the time, and throughout 1999 I remember telling someone at least once a day that ‘everything will be all right’.

In my article, I argued that while the problem was real and needed to be addressed, the scale of the potential consequences had been vastly exaggerated. I pointed out that many of the fixes were already well underway, that most companies were testing their systems thoroughly, and that the true risk of large-scale, simultaneous failures was diminishing as the countdown to January 1, 2000 continued. Additionally, I gave readers guidance on testing their own systems at home to see whether they were ‘Y2K compliant’. This involved tests as simple as changing the computer clock to some future date and seeing if the computer worked normally (it always did), and pointed readers to a number of free online resources they could use to test their systems and get some reassurance that yes, everything would in fact be OK.

I remember thinking that the piece wasn’t particularly revolutionary. It was essentially a plea for rationality, a reminder that the tech world had faced challenges before and had overcome them. And there were ways to verify what I was saying.

The article was almost unanimously met with ‘thank you!’ or ‘what a fantastic article’ replies, words of support which made me feel appreciated, valued and respected. This was particularly big for me because, as a (pretty sheltered!) 21-year-old, I was extremely shy and introverted, and putting myself out there like that was a first.

But... the article hit a nerve. In writing it, I inadvertently trod on the toes of a controversial and very lucrative ecosystem. Many companies at the time had built a profitable business around Y2K consulting, selling compliance certifications, emergency preparedness plans and even complete system overhauls. While there is no doubt that some of these services were necessary, others capitalised on exaggerated fears, charging hefty fees for solutions that were, in many cases, over-engineered or unnecessary.

It didn’t take long for the backlash to begin.

A few people were not happy at all...

I recall two very angry emails being sent to me. Both accused me of downplaying the issue. One of them, from an individual working at a company that was making a lot of money from Y2K compliance work, and who had never received my email to begin with, accused me of using Y2K to promote myself so that when the ‘inevitable’ collapse of society happened, I would be the first to call.


"Never waste an opportunity to use FUD" - Old IT saying

When I read this email, I recall feeling angry. I felt angry that there would be someone out there who, having never met me and not knowing a thing about me, accused me of doing the one thing I was asking people not to do. The intent was to calm and allay fears, and to ensure people didn’t go out and waste good money on quack solutions to a problem that usually didn’t exist. I remember feeling quite upset about it too. Friends of mine pointed out that 99% of the feedback was positive and that I should focus on that. But the human brain is engineered in such a way that it disregards the 99% that is positive and focuses on the 1% that is negative.

What I didn’t realise in my naïve youth was that Y2K remediation had become a business in itself. My article, while one small voice, challenged the narrative that sustained that business. By suggesting that not every system needed a complete overhaul, I was, in the eyes of some, undermining their efforts to sell solutions. I wasn’t intentionally trying to call out these companies, but the mere act of questioning the scale of the threat was enough to draw their ire.

The experience was eye-opening. I learned, perhaps for the first time, how deeply intertwined technology, business interests, and public perception can be. It wasn’t just about code or systems—it was about trust, credibility, and money. The companies making significant revenue from Y2K preparations had a vested interest in maintaining a certain level of public concern. And as a student, I had naively assumed that a rational argument based on the facts as I saw them would be welcomed or at least debated on its merits. Instead, I found myself embroiled in a conflict that was as much about economics as it was about technology.

The Impact it had on me.

Looking back, I am proud of the fact that an introverted 21-year-old who had never spoken publicly in his entire life wrote that article. While I lacked the years of experience that some had at the time (many of whom liked what I wrote), I believed my core message was correct: the Y2K problem, though serious, was solvable. And in the end, I was proven correct. The fears that planes would fall from the sky and power grids would collapse proved unfounded, thanks in large part to the diligent work of engineers and developers who addressed the issues before they could manifest. But the public narrative at the time didn’t always reflect the technical reality. Companies capitalised on that narrative, and my attempt to provide a more balanced perspective collided with their financial interests.

As I graduated and moved into the professional world, the Y2K incident stayed with me—not as a technical challenge, but as a lesson in the complexities of the tech industry. It showed me how easily a genuine issue can become distorted when fear and profit intersect. It taught me the importance of questioning prevailing narratives, even when it’s uncomfortable or unpopular. And it reminded me that, as technologists, we have a responsibility to not only solve problems but also communicate them clearly and honestly.

Which brings us to the present day.

A Proposal About Professionalising the Cyber Security Profession

Recently, I co-wrote a proposal with Professor Jill Slay for government and industry to consider how the Australian cyber security sector might be professionalised. The proposal was based on over 5 years of analysis, active engagement, research and discussion with stakeholders across government, industry, academia and the education bodies prevalent in this space, both in Australia and across the world.

You can access this proposal in its full and unedited form at https://novera.com.au/wp-content/uploads/2025/01/A-Proposal-for-a-Professional-Recognition-Scheme-for-the-Australian-Cyber-Security-Profession-Tony-Vizza-and-Jill-Slay-AM-January-2025_C-1.pdf.

Now, I am the first to admit that I don’t think anyone knows for certain whether the proposal Jill and I have put forward is perfect. I have been, and continue to be, happy to receive any constructive feedback or advice relating to the proposal and how a potential future Australian professionalisation scheme could be operated better.

The overwhelming majority of the feedback on this proposal from those who have read it has been positive. I have received countless private messages, texts and calls of support saying how much people like the proposal, how it makes sense, why professionalisation is needed, and so on.

I have also received a very small amount of negative feedback (in fact, limited to 3 sources). That feedback has centered on three themes:

1 – that professionalisation is not needed, or more succinctly, ‘what is the problem we are trying to solve?’

2 – that supporters of professionalisation ‘should be shot’ (yes, these are the words verbatim).

3 – that I am advocating for professionalisation because I have a vested interest in seeing it happen.

Notwithstanding that I believe that many of those who have attacked my proposal have not read it in its entirety, I’ll address each of these themes one by one.

1 – ‘What is the problem we are trying to solve?’

My proposal discusses this at length, but I’ll break the ‘problem’ down into five main areas:

  • Lack of Standardisation. A large section of the industry lacks consistent standards for certifications, qualifications and roles, leading to fragmented practices and, again, to individuals spending lots of money on training and certifications that deliver little to no value. The outcome is that businesses often hire professionals whose skills don’t align with organisational needs, creating gaps in risk management and putting the organisation at risk. It's also one of the reasons why my proposal advocates strongly for internationally recognised, ISO/IEC 17024-aligned certifications, and for certification providers to attain such accreditation if they want to demonstrate the true value of their certifications. I'm all ears if you think that standardisation is a bad thing.
  • High Barriers to Entry. Entry into the field can be cost-prohibitive because of expensive certifications and the expectation of advanced degrees, which often provide limited to no value to individuals who want to become cyber security professionals. This in turn limits the diversity and inclusiveness of the workforce, further exacerbating the skills gap. I can tell you countless stories of people over the years who baulked at entering the profession because of the cost of some of the programs that exist.
  • Skill and Talent Gap. There is a global shortage of competent cyber security professionals today, and a lack of defined career pathways and qualifications contributes to this gap. The result is organisations struggling to protect themselves effectively, and headline after headline about breaches, vulnerabilities, failed crisis management and harm.
  • Fragmented Regulatory Environment. Businesses are often unclear about which cyber security frameworks, standards and regulations to follow, complicating compliance efforts, because there is no standardised guidance issued by accredited cyber security professionals. A professionalised industry with clear standards and expectations can better guide businesses in navigating compliance and reducing risk.
  • Ethical Concerns and Trust. There is an inconsistent level of professional ethics and practice, which undermines trust in cyber security professionals. Organisations want to be sure they are engaging professionals who operate ethically and transparently, and professional codes of conduct backed by regulatory guidance can foster that trust.

Hopefully this should suffice when anyone asks 'what is the problem we are trying to solve'.


2 – That supporters of professionalisation ‘should be shot’

One individual has used a public forum calling for supporters of cybersecurity industry professionalisation to ‘be shot’. Notwithstanding that such a comment constitutes a possible criminal act (https://www.gotocourt.com.au/criminal-law/nsw/making-threats-offences/), it provides further clear evidence as to how critical it is that we professionalise the sector and stamp out this sort of conduct.


3 – that I am advocating for professionalisation because I have a vested interest in seeing professionalisation take place.

This is perhaps the most harmful and distressing theme, and it ties back to my Y2K story and the people whose toes I trod on over 25 years ago, who didn’t like what I was saying.

I am aware of several online discussions taking place suggesting that the reason why I am an advocate for professionalisation is because I have some sort of vested interest in this.

The third-last page of my proposal (linked above) includes my bio and lists all of my professional memberships and positions, past and present. It's all there in black and white.

I have made and make no attempt at disguising that I am a member of AISA, the ACS, ISC2, ISACA, PECB, IAPP and the Governance Institute of Australia.

I have made no attempt at disguising that I once worked for ISC2 and was on the board of AISA.

Truth is, there is a reason why I am a member of all of those not-for-profit bodies and why I support what they are trying to achieve: they are aspiring to solve these challenges by ensuring that individuals are accredited to address them in a standardised way that has worked, and continues to work, for other industries.

Some people in this debate seem to have a poor understanding of 'Ad Hominem' attacks. Here is a useful tool.

I understand that my proposal to professionalise the cybersecurity sector may impact some who find the status quo to be profitable and favourable, however this is one of the main reasons why I so strongly advocate for professional standards in cyber security.

For too long, people have taken the piss with this industry at the expense of putting individuals and companies in grave danger of cyber breaches. I remember recently being at an event where an individual excitedly came up to me saying he owns a ‘cyber GRC company', who, when I asked if he did ASD Essential 8 maturity assessments, had never heard of the ‘ASD Essential Eight’.

And not too long ago, I had to plead with a network administrator, who told me I had no idea what I was talking about, to segment a LAN and create a separate network for the IP surveillance cameras he had plugged into a secure corporate LAN, because they were a security risk. I then discovered that the cameras weren't password protected and had a litany of open ports allowing him (and presumably anyone else) to connect to them remotely.

We wouldn’t put up with this in any other sector. If the pilot flying the plane taking me on a trip was any old Tom, Dianne or Harry who hadn’t gone through a professional accreditation scheme, I wouldn’t be flying that plane. Same with my accountant or engineer or doctor or nurse or electrician or plumber or mechanic or any one of a countless list of occupations.

And yet, here we are with cyber.


In Conclusion

I have no doubt that a government-supported and voluntary cyber security professionalisation scheme will help uplift cyber resilience in Australia just like it has in the US Government through the DoD 8140.01. Whether that professionalisation takes place now or in the future, I know it is coming and it will happen eventually. The stakes are simply too high not to have such a scheme.

I have been encouraged by the support of so many, and emboldened by a tiny subset of the community who see professionalisation as a threat and, rather than try to improve what I have proposed, needlessly attack it without suggesting any alternatives except for 'PrOfEsSiOnAliSaTiON BaD!!!1'.

Finally, I will leave you with an image that I took a few years ago at an exhibit at the State Library of NSW that showcased the advances that the medical profession has made over the years. While professionalisation in that sector has not solved every single issue imaginable, it has helped enormously to solve some of the challenges that were identified back in 1887.


Why medicine chose to professionalise.


Stay rational, and stay safe.


Jordan Blanch

A question well stated is a problem half solved

6 days ago

I'm not sure I see it the same way. Granted, standardisation of certifications and training offered would be beneficial, but couldn't ISO certifications and standardisation be applied to pre-existing certifications and be done with it? Cyber is filled to the brim with sharp talent precisely because of the lack of strict requirements in formal credentials. Implementing those requirements will incentivise bare-minimum-effort behaviour. I don't think there's a concern at all with the quality of those working in Cyber. Usually, when looking at the post-mortem of large breaches, the advice from Cyber has been ignored, or the risk accepted due to operational or legacy requirements. Requiring standardisation of training and some sort of chartered accreditation for those working in the field will not remove any of the issues that organisations currently face in terms of vulnerabilities. And I will guarantee, right now, that the rate of breaches and cybersecurity incidents will not decrease as a result of any professionalisation push. And the unspoken implication is that currently, without a centralised body to distribute accreditation, there's a lack of trust aimed at the Cyber professionals working today.

Bronwen L.

Learning Advisor Governance and Workplace Trainer and Assessor specialising in Training Assessment, Process Improvement and Quality Assurance

3 weeks

All hands on deck at the NAB data centre that night - so much work by great people on the Y2K project with many legacy systems, let alone MVS, Honeywell and IBM mainframes - so many ‘risks’ covered and $$ paid to work that night. Who knows whether it might not have fizzled if our tech staff hadn’t done all the pre-work. I’d rather it have been major-incident free than fail and try to implement a DRP which would probably fail too. Will admit though, if someone had offered me a first class ticket anywhere of my choice that night, I would have declined.


Great post Tony, I am a founding member of the UK Chartered Institute of Information Security which offers professional registration with UK Cyber Security Council - I support and see merit in your proposal

Peter Nikitser

GAICD, Director and independent consultant

1 month

I recall working with IBM SP2 systems for seismic data processing, and IBM did not support us rolling the clocks forward to see what would happen with Y2K. We pointed out that they should have already done this to appease their customers before 31/12/99. As for professionalisation, and Tony you know I was co-owner of a large training company in Australia, I am all for having a baseline for entry, to satisfy minimum requirements. Training companies should view this as an opportunity, not a threat, and pivot appropriately. Technical certs come and go, and people will always need to read and update their knowledge, similar to medicine, taxation, law and other professions. AI and cryptocurrency were not on the horizon when I did my undergrad in the 1980s. I have also worked with people who have zero qualifications who would run rings around those with countless certifications and qualifications, but do the needs of the few outweigh the needs of the many? I believe you and Jill have brought to the fore a neglected issue that needs to be discussed.
