Despite Australia’s everlasting cyber security skills shortage, graduates and industry newcomers are struggling to get a foot in the door.
AustCyber’s latest Sector Competitiveness Plan showed some 125,791 people were employed in the Australian cyber security workforce in 2022, with 51,309 of those workers in roles with a “dedicated focus” on cyber security.
Meanwhile, it’s estimated 85,000 dedicated roles will need to be filled by 2030 to meet the “evolving demands of the sector”.
Job market tracker AuCyberExplorer further estimates there will be a collective 16,734 job openings in the sector this year – though jobseekers are having a hard time finding them.
In September, Melbourne-based tech freelancer Jane Rathbone told Information Age about her experience as a graduate looking for a job in cyber security.
After retraining with a cyber security associate degree, Rathbone was repeatedly bounced back by employers and eventually told there was “no way” her degree would land her an entry-level job.
Bachelor of ICT graduate Munopa Rukure similarly applied for over 150 tech roles before eventually managing to get a position at Amazon Web Services.
Jed Gladwin, founder of cyber security recruitment agency StraightUp, told Information Age the experience is far too common.
“I personally get at least 10 to 15 people a week reach out to me while trying to break into cyber security – it's the same conversation all the time,” said Gladwin.
“They've done a degree, or an associate, or a second-tier certificate, often sold to them by a provider that doesn’t care.
“They’ve been told they’re going to land a job fairly easily, but when they go into the big bad world, it just doesn’t happen.”
Gladwin said despite talk of a talent shortage, a lack of entry-level prospects leaves people struggling to start their career.
“Right now, there are far too many people competing for a limited number of opportunities,” he said.
“Companies generally want experienced security professionals for highly specialised roles.”
Indeed, it’s a tough market out there; one which is far more competitive than the messaging from government and industry figures would lead one to believe.
Still, there are many steps applicants can take to stand out, starting with the right education.
Courses and certifications
Richard Buckland, professor of cyber crime at the University of New South Wales’ (UNSW) School of Computer Science and Engineering, told Information Age when choosing a cyber security course or qualification, it’s important to consider your intended career path.
“Some of the messaging out there – there’s a whole lot of wishful thinking,” said Buckland.
“The idea of having a micro certification called ‘cyber security’ so that there'll be cyber security people – it’s like saying, ‘well, we need more doctors, so we'll have a micro-credential in being a doctor’.”
While 20 years ago, cyber security was considered a predominantly technical field, many workers today specialise in non-technical areas such as scam awareness, behavioural analysis and policy.
“Cyber’s a big field, it touches on everything,” said Buckland.
As such, it’s important to study for a clear, employable skillset with a few specific jobs in mind and look for a curriculum matching that career path.
“The issue is when you don’t know what you actually want to do,” said Linda Cavanagh, co-founder of industry advocacy organisation the Australian Cyber Network.
“More than just ‘getting into cyber’, it’s crucial to establish a clear cyber security pathway which is informed by what’s available in the sector.”
Buckland said rather than simply acquiring a “technician-level” education – such as studying encryption standards and network administration – cyber security students should look for courses which also foster fundamental analytical and investigative skills.
“Straight technical is no good,” said Buckland.
“The precise attacks and defences, weaknesses and strengths, tools and platforms will all be different in two or three years’ time.”
Buckland further emphasised the importance of “thinking like an attacker” and encouraged participation in studies which examine the mindset of cyber criminals.
“You definitely want a degree that teaches you attack skills and not just methods of attack or ‘script kiddie’ stuff,” he said.
“To be a defender, you need to understand how attackers think.”
UNSW, for example, will launch its Bachelor of Cyber Security next year, which will include facets of psychology, sociology and law in addition to technical skills.
Buckland added that cyber security tends to be a more social field than conventional IT.
He suggested people look for qualifications which focus on real-world scenarios and collaborative problem solving, and which offer mentorship from established people who are familiar with working as a team.
“You don't want to end up being the technician locked in the back room, arguing futilely to bring about this or that change.
“While it sometimes comes hard to us in computing, you want to be the leader that runs the team, who can communicate up and down, influence up and down, and work well with others.”
Buckland recommends keeping an ear to the ground when deciding on your studies.
Before applying, ask employers which qualifications are in demand and look at what students are saying online to gauge the quality of a course.
If you’re uncertain about where to specialise, it can be helpful to look at gaps in the job market by reading industry reports.
For example, security firm StickManCyber recently reported there are only 200 penetration testers and 401 cyber governance risk and compliance (GRC) specialists in Australia, suggesting a shortage in both areas.
Kris Rosentreter, cyber security recruitment consultant at Decipher Bureau, told Information Age students should also look at graduate and associate programs, such as those at Suncorp, CyberCX and PwC.
For example, consulting giant Deloitte and the University of Wollongong’s Cyber Academy offers "earn as you learn" degree apprenticeships in cyber security.
As for technical certifications, Rosentreter advised looking at the tools and platforms used in your preferred area of cyber security so you can invest in the right ones.
“For example, if you’re doing cloud security, which is a huge thing in Australia now, Australia has a lot of Azure, so then you would obviously go and do a lot of the Azure certifications,” he explained.
While they can be time-consuming and expensive, Rosentreter said harder certifications like the OffSec Certified Professional are a good choice, as they can demonstrate your cyber security knowledge and dedication to a potential employer.
He also said anyone interested in cyber security should become familiar with relevant GRC frameworks, such as ISO 27001, NIST or Essential Eight.
Meanwhile, spaces such as SECedu, a network of educators and professionals founded by UNSW and Commonwealth Bank, can offer educational resources and networking opportunities for those studying cyber security.
Applying for jobs
Gladwin explained that while entry-level security roles are “few and far between”, most are found in security operations, security analysis and GRC.
He added that industries like telecommunications, banking and consulting are the largest employers of cyber graduates.
Kelli Dienhoff, director of people and talent at technology recruitment firm Hoff Talent Solutions, said applicants should understand what they have to offer in a given role.
“If people can come in with a bit of an understanding of what their strengths are, maybe even where their gaps are, there’s not much of a guessing game [for HR] as to what needs to be done.”
For a technical role, this might mean flexing your qualifications and portfolio in given software or methodologies, while someone working in risk or policy may benefit from demonstrating people skills and an understanding of relevant GRC standards.
A well-crafted, polished resume is also a must-have.
Due to the high volume of applicants, many hiring managers only look at the top half of a resume’s first page, Rosentreter explained, so it’s important candidates include a summary and put their most relevant information first.
“You need to put your best foot forward, so if you’ve only studied cyber security but you haven’t got experience yet, you want to put that at the top of your CV,” he said.
Candidates should also make sure they use relevant keywords.
“For instance, if the job ad mentions Microsoft, you know you have to put Azure on your application because they’re going to do a search for Azure,” said Rosentreter.
“If it shows up on your CV 17 times, it’s going to put you way ahead of someone who hasn’t included that at all.”
For interviews, Rosentreter advised candidates never to underestimate the value of dressing the part and coming prepared with some good questions.
“Ask them questions about the role, the company, the job, the progression,” he said.
This can demonstrate a candidate’s commitment, which is something cyber security employers are particularly interested in.
“You really need to prove yourself as a graduate that you’re there for the long term,” Dienhoff said.
Alternative pathways
According to Rosentreter, a smart alternative pathway is to find a role in a related field, such as system administration, technical support, or sales, with the goal of eventually moving across into security.
Gladwin also advised this strategy, particularly to those without a background in IT.
“The competition is lower, and this will give you some commercial technical experience,” he added.
For those considering a career transition, Buckland said applying your existing capabilities is a great way to get ahead.
“If you already knew accounting and then you did a bit of cyber, that would be a great skill set,” said Buckland.
In practice, transitioning will often involve acquiring a cyber security degree or certificate before applying, though study isn’t the only pathway.
Gladwin said following the pandemic, his recruitment agency saw a lot of people with backgrounds in sales and marketing get into cyber security sales.
Rosentreter added applicants can approach startups, small businesses and local stores to get a foothold in local industry, while those seeking internships don’t always need to go through large businesses such as Deloitte or Suncorp.
This approach can enable on-the-job learning without necessarily requiring a new qualification from the outset – especially for those entering a human resources, marketing, or administrative role at a cyber security firm.
Networking and other ways to get ahead
With so much competition, Dienhoff said candidates looking to start a career in cyber security should be ready to go above and beyond.
She highly recommended networking with cyber professionals, adding job seekers are spoiled for choice with the sheer number of events on offer.
Dienhoff suggested candidates seek out webinars held by vendors, check out upcoming sessions on events platform Eventbrite, and attend events held by professional bodies such as the Australian Computer Society (ACS), the Australian Information Security Association and the Australian Women in Security Network.
“Follow people on social media, be on the right channels,” she added, pointing to social media platforms X and LinkedIn.
Rosentreter particularly recommended staying active on LinkedIn to make professional connections, find potential job opportunities, and stay up-to-date with industry news.
Posting regularly is a great way to raise your profile, he added, saying it doesn’t have to take much effort.
“Go to a meetup, take a selfie and post it with a caption like ‘this guy spoke really well today’,” he said.
“Or, when you finish a certification, post it on LinkedIn.”
Rosentreter said it’s also a good idea for job seekers to pursue ongoing learning through activities like hackathons, capture-the-flags and challenge sites like Blue Team Labs, Hack The Box and TryHackMe.
Cavanagh encouraged cyber professionals to get involved in “grassroots events” rather than only attending massive conferences.
She recommended BSides – a community-driven events outfit which encourages participation from first-time speakers, students, and new professionals – as well as not-for-profit discussions forum SecTalks.
“Grassroots events are where professionals meet connections they’ll actually have for a long time,” said Cavanagh.
“They're usually the people who have been cyber professionals for a very long time, and have seen not just the ‘shiny side’ of cyber security, but are also really great with providing industry-informed guidance in regards to career pathways.”
Gladwin added such activities are a great way to demonstrate past experience on a resume, and suggested that jobseekers explore internships or volunteering opportunities with non-profit or charity organisations where available.
“The main thing employers want to see is that you’ve applied the theoretical knowledge they've learned,” said Gladwin.
“These methods are the next best thing to having had commercial work experience.”
Ultimately, when it comes to getting a job in cyber security, Dienhoff and Rosentreter said the trick is perseverance.
“If you’re not getting rejections, you’re doing something wrong,” said Dienhoff.
“Just keep going to events, adding to your resume, trying new things and meeting new people,” Rosentreter added.
“Eventually, you’ll get the break you need.”
ACS recently released a guide, How to pursue a career in cybersecurity, which outlines the multiple ways into the industry and the various roles that exist in this dynamic sector.