How to cope with Australia’s coming cybersecurity talent shortage

Australia’s recent budget ushers in the nation’s ‘biggest ever’ cybersecurity spend, with $10bn pledged to see electronic spy agency Australian Signals Directorate (ASD) double in size and ramp up its ability to launch offensive cyber operations. That’s great news for the IT industry, but the expansion is also likely to usher in a huge demand for cybersecurity jobs.

Where does cybersecurity scarcity come from?

Already, the increase in cybersecurity incidents has more than doubled the demand for cybersecurity professionals. Some sources state that around 3.5m cybersecurity jobs are likely to go unfilled between 2022 and 2025. Considering the impact of cybersecurity incidents and the number of open jobs, why is it so difficult to staff cybersecurity professionals?

So let’s dissect the scarcity problem. On the surface, it seems as though there are not enough professionals to fill all the job requirements. But let’s dig deeper. By the end of 2021, it was estimated that there were 1,053,468 employed cybersecurity professionals and 597,767 job openings. Organisations often look for the following four cybersecurity roles:

  • Cloud Security: Focuses on managing the security of critical assets in cloud environments.
  • Security Analysis and Investigation: Focuses on in-depth analysis of threat intelligence and security event artifacts for proactive investigations.
  • Application Security: Focuses on developing and configuring mobile and web application code using secure coding best practices and monitoring.
  • Security Orchestration and Automation: Focuses on leveraging machines to help prioritise and drive process standardisation for cybersecurity operations.

It can be tough to find a suitable candidate with the right combination of skills, certifications, and experience. The practitioners who have the opportunity to raise skill levels and deploy creative solutions are sought out by some of the world’s top employers, who can afford to offer higher pay and other benefits, making it hard for smaller organisations to compete.

This also leaves these smaller organisations struggling to fill available roles due to budget and resource constraints. But it’s also the case that employer expectations may be unrealistic.

What are the dangers of cybersecurity skills shortage?

Although numerous data and stats show the scarcity of skilled workforce in the cybersecurity industry, the hiring process is also to blame. Hiring managers and recruiters often miss collaborative opportunities to set realistic expectations, understand the technical discipline required, and post job descriptions that are tailored to suitable candidates.

Organisations should consider the skills gained through personal pursuits and not only the years of professional experience. Furthermore, organisations prefer candidates with experience over potential, and this is not scalable for our industry.

What will be the repercussions from the talent shortage? Open roles affect team members who are already at the organisation. As the complexity of cyberattacks increases, the complexity of deploying, configuring, and managing security solutions increases too.

These security solutions create multiple alerts and, if not tuned properly, will flood teams with false positives and cause what we call ‘alert fatigue’. Alert fatigue is when a team member who is stretched thin may not be able to handle the influx and is likely to experience burnout.

How can firms fix the cybersecurity skills shortage?

Those burned-out security practitioners will likely make more mistakes. Firms suffer at the hands of the problem they created. So how do we combat the cybersecurity skills crisis?

The crisis affects over 57% of firms. It’s challenging to fill the workforce shortage without changing the hiring strategy. The sizable ones should look for alternatives. For instance, a cybersecurity team member can provide guidance and develop a cybersecurity program.

Hiring managers can focus on assessing aptitude rather than testing skills. Some vendors might even offer interested candidates the opportunity to learn and receive mentorship outside of the workplace and provide continued education to new team members.

Organisations ready to take major steps toward filling open cybersecurity roles should:

  • Encourage cybersecurity education and provide required certification courses to support professionals at all job levels in the organisation.
  • Eliminate pay gaps and provide more flexible working conditions.
  • Diversify management and hiring team practices to provide guidance to candidates.
  • Promote and encourage women, minorities, and under-represented groups who have the required qualifications for leadership roles.
  • Implement cybersecurity automation to help reduce the daily workload.


Christopher Cochran is the  at Axonius.