Ineffective migration policies are hobbling Australia’s ability to build the skilled cyber security workforce it needs, according to an AustCyber analysis warning that Australia’s market lags international peers and faces a shortfall of 3000 cyber workers by 2026.

Skilled migration is expected to recover pre-pandemic levels by 2026 but longer processing times and a massive backlog of applications had driven a slump in new entrants to the market, the newly updated Australia’s Cyber Security Sector Competitiveness Plan (SCP) report found.

Despite recent changes to help employers better specify their requirements and an overall increase in the migration cap, cyber industry development firm

AustCyber noted that just 5 per cent of skilled migrant visas are being granted to cyber security workers – stymying efforts to increase the number of workers in a 47,000-strong sector where migration had become “essential” to the sector’s viability.

Just 2,400 new skilled migrants are expected to enter Australia’s cyber workforce by 2026, the organisation projected – yet even when added to the 8,300 domestic graduates and reskilling workers expected to enter the industry during that time, AustCyber noted, the number of entrants into the industry would barely compensate for the 9,500 workers projected to leave the cyber workforce in coming years.

Small net increases in worker numbers are “not fast enough to keep up with attrition from the sector and increased demand,” the report warns, flagging workforce shortages as one of three key issues that need to change to stop Australia falling further behind its global peers.

Also problematic is limited support for startups in Australia, where domestic cyber security startups are receiving 300 times less funding from the “immature” startup community than they do in leading countries like Canada and Israel.

A lack of access to export markets was the third key challenge, with only half of Australian security firms exporting their products and services – and those firms creating 60 per cent less revenue from exports than their UK counterparts.

Australia could add $800 million to its annual cyber security revenue by 2026 if it doubled down on support for research, innovation and startup development, AustCyber said.

Local firms should also bolster domestic procurement and export capability, and work to attract local and international talent by providing training incentives for school leavers and skilled workers.

Such incentives cannot, however, resolve cited shortages of mid to senior-level cyber security professionals – which, AustCyber noted, are “difficult to attract domestically”.

“Increasing the number of cyber security skilled migrants,” it recommended, “will mitigate short-term shortages.”

You can lead a horse to water…

The new SCP’s findings expose the problems with repeated recent changes in migration policy, with the Albanese Government promising migration reform even as it recently removed cyber security from its list of priority migration fields amidst dramatic expansion of the list of skills facing national shortages that have driven employers to offer top dollar and recruit overseas workers en masse.

The shortfalls pose chronic problems for a country that is currently “in the most pressing time of our cyber security history,” Michael Bromley, group CEO of AustCyber parent company Stone & Chalk, said in kicking off a national cyber security roadshow that he said would “encourage healthy national debate” on the industry’s future.

Yet even as the ongoing fallout from the Medibank, Optus, and other compromises push the government into action – this week, for example, saw a commitment to build an offensive cyber task force combining over 100 AFP and ASD officers – the sector faces other challenges as statistics confirm that high demand and salaries aren’t enough to stem attrition from what is often an extremely stressful field of work.

New cyber security workers often find they don’t like the sector and 64 per cent of Australian workers were already considering switching jobs or leaving the industry within a year of commencing work, according to new survey results from secure development tools firm Lacework.

New entrants rated the industry with a net promoter score (NPS) of -32 – well below the industry average of -9.4 – and were unlikely to recommend cyber security careers to others.

Those that had stayed into their second year were only slightly less likely to be considering an exit, with 44 per cent saying they are likely to leave.

Burnout – cited by 87 per cent of respondents – was by far and away the biggest reason cited for worker dissatisfaction, with overloaded staff struggling to use multiple security tools and 64 per cent of surveyed organisations admitting they aren’t even following up on all of the security alerts they receive.

“New, talented individuals are leaving the cyber security industry too fast,” warned Lacework ANZ area director Richard Davies.

“To retain crucial talent in a tight market, more needs to be done to reduce the workload and stress on all those in the industry, and particularly newcomers.”