Blog | e2 Cyber

TOP CHALLENGES HIRING MANAGERS FACE IN CYBER SECURITY RECRUITMENT

Thu, 23 Apr 2026 04:36:30 GMT

The Tough Realities of Hiring Top Cyber Security Talent

It’s no secret that the cyber security landscape is under immense pressure. With breaches escalating in scale and frequency , organisations across Australia from government agencies to private enterprises are scrambling to strengthen their defences. In a recent blog, e2 Cyber Director Jacob Bywater outlined practical steps organisations needed take to prepare for 2026. Yet behind every strategic uplift, every new SOC capability, there’s a hiring manager quietly fighting a different kind of battle which is finding the right people.

Cyber security recruitment in Australia has become one of the most complex, competitive, and resource‑draining challenges facing organisations today. And while the headlines focus on the threat actors, the real story often lies in the struggle to build the teams capable of defending against them.

In this blog we explore the realities hiring managers face across the country and why solving these challenges requires more than just increasing headcount. It demands a rethink of how we attract, assess, and retain cyber talent in a market that’s under significant strain.

A National Cyber Skills Shortage That Shows No Signs of Slowing

Australia’s cyber skills shortage isn’t just a talking point but a national challenge. Despite government initiatives, university programs, and industry partnerships, the demand for cyber professionals continues to outpace supply. Why the shortage persists:

Digital transformation has accelerated across every sector.
Threat actors are becoming more sophisticated, requiring deeper expertise.
Education pipelines can’t keep up with emerging specialisations.
Migration slowdowns have reduced access to international talent.
Entry‑level cyber pathways remain limited, leaving graduates underprepared.

For hiring managers, this means roles stay open for months, candidate pools are shallow, and competition is fierce. And in cities like Adelaide, where the talent pool is smaller and many roles require security clearances, the challenge is amplified.

Security‑Cleared Limitations for Cyber Talent

While major cities with large head offices will always require strong cyber teams, demand for security‑cleared cyber professionals continues to outpace supply across Australia, particularly in defence, aerospace, and critical infrastructure as we are seeing in Adelaide. Organisations are expanding faster than the cleared talent pool is growing.

Challenges in hiring security‑cleared cyber talent include:

The overall pool of cyber professionals with active NV1, NV2, or higher clearances is limited.
Clearance requirements immediately narrow an already competitive market.
Security clearance processes can take months, making rapid hiring difficult.
Candidates with active clearances are typically already employed in secure environments.

As a result, hiring managers often find themselves competing within a heavily saturated markets where they are vying for the same small group of candidates against organisations that may be offering higher salaries, greater flexibility, or higher‑profile projects.

Budgets Aren’t Keeping Up With Market Reality

While cyber security is widely recognised as a national priority, hiring budgets don’t always align with its importance. Budget challenges include:

Cyber budgets are not being prioritised, despite rising threats.
Funding approval for new roles can take months, delaying recruitment.
Budget constraints lead to multiple roles being merged into one, creating unrealistic “unicorn” job descriptions.
Cyber salary bands often don’t reflect current market expectations.

The mismatch between organisational expectations and market reality creates frustration on all sides. Hiring managers can often understand what the market demands but they’re often not given the resources to compete for the talent needed for the role.

Unicorn Roles: When One Job Becomes Three

One of the most common consequences of tight budgets is the creation of hybrid roles that no single person can realistically fill. As Ben Rogalsky outlined in our recent blog, the unicorn problem isn’t a new one, but it has definitely intensified as cyber roles evolve faster than we can hire .

A single job ad might ask for cloud security expertise, incident response experience, governance and risk knowledge, DevSecOps capability, strong stakeholder engagement skills, and hands-on security architecture experience all wrapped into one role. This isn’t a job description; it’s a wish list. And the impact on hiring managers is significant. Strong candidates often self‑select out because the role appears unrealistic, while the recruitment process drags on as the “perfect” candidate fails to materialise. At the same time, internal stakeholders tend to push for additional requirements rather than fewer, and salary bands frequently do not align with the level of expertise being requested. The result is that unicorn roles not only slow down the hiring but run the risk of damaging employer credibility.

Candidate Competitiveness and Salary Inflation

Cyber professionals in Australia are in high demand, and they know it. Candidates often receive multiple offers, counteroffers, and recruiter outreach weekly. Hiring manager therefore face candidates with salary expectations that are higher than ever before, while organisations with deeper pockets such as banks, telecos and global consultancies can outbid smaller players. At the same time, the rise of remote work has enabled international employers to hire Australian talent at global rates, intensifying competition even further. Beyond pay, candidates are also placing equal weight on culture, flexibility, and career development, making it more complex for employers to attract and retain the right people.

This competitiveness forces hiring managers to move quickly, negotiate strategically, and sell the role more aggressively than ever.

Value for Money in Contractors Becoming Harder to Justify

Contractors have long been a lifeline for cyber teams, particularly when permanent hiring moves slowly, but the contractor market has changed significantly in recent years. Rates have risen sharply as demand has increased, and some contractors choose to move between roles in search of higher pay. This has led organisations to question whether they are receiving real value for money, especially as securing budget approval for contractors is often more difficult than for permanent positions. Adding to the challenge, contractors may not remain in a role long enough to develop deep institutional knowledge, limiting their long-term impact.

Hiring managers must balance the need for immediate capability with the long‑term cost and sustainability of contractor-heavy teams.

Why Slow Internal Approvals Cost You Top Cyber Talent

Funding approval delays can bring hiring momentum to a complete standstill. Even when a hiring manager identifies a strong candidate, internal processes often intervene and slow everything down. Time is lost while teams wait for budget sign‑off, headcount approval, HR or procurement checks, or executive endorsement. In a market where strong candidates disappear in days rather than weeks, these delays can be decisive. By the time final approval comes through, the candidate has frequently accepted another offer, forcing the organisation back to square one.

Speed in decision‑making can make or break a hire, particularly in cyber recruitment. The organisations that consistently secure top talent are those that act decisively and remove friction wherever possible. Slow decisions lead to losing candidates to faster competitors, damaging the employer brand, repeatedly restarting recruitment processes, and increasing workload pressure on already stretched teams. Hiring managers are often acutely aware of the need to move quickly, yet internal approval mechanisms often prevent them from doing so, undermining their ability to compete in a highly competitive talent market.

Cyber Hiring Needs Cyber Experts (Like Us!)

Talent Acquisition teams play a critical role in building cyber capability, yet many lack the technical understanding required to recruit effectively for specialist cyber roles. This gap often leads to misalignment between TA and cyber teams, poorly written job advertisements that fail to reflect the true nature of the role, and strong candidates being screened out due to misunderstandings around skills and experience. Too much emphasis is frequently placed on certifications rather than real capability, while slow hiring processes can emerge because the urgency and risk profile of cyber vacancies are not fully understood. As a result, hiring managers are forced to rewrite job ads, rescreen candidates, or spend valuable time educating TA teams on what the cyber function actually needs. Partnering with cyber recruitment agency specialists like e2 cyber helps bridge this gap, bringing deep technical insight, market awareness, and speed to the hiring process, ensuring roles are accurately defined, the right talent is identified, and organisations secure cyber professionals who can genuinely protect and enable the business.

Culture Is the Real Deal Breaker for Cyber Talent

Cyber professionals are not simply searching for another role, they are looking for a workplace where they feel genuinely valued, supported, and empowered to do their best work. Today’s candidates expect flexible work arrangements, modern and fit for purpose technology, strong leadership support for cyber, clear career pathways, and a culture that prioritises wellbeing. They also want to be part of a team environment that is collaborative rather than toxic or burnt out. When an organisation’s culture does not align with these expectations, candidates are quick to walk away, even when the salary on offer is competitive.

What It Takes to Beat the Cyber Talent Shortage in Australia

These challenges are very real, but they don’t have to be barriers. The organisations succeeding in the Australian cyber talent market are the ones that do a few key things differently:

Prioritise cyber budgets and workforce planning by recognising cyber as a business critical risk, not simply an IT cost, and funding it accordingly.
Stop creating unicorn roles and instead focus on hiring for realistic capabilities, then build well balanced teams with complimentary individual strengths.
Build stronger collaboration between Talent Acquisition and cyber leaders, as a shared understanding of needs and priorities leads to better hiring outcomes.
Move quickly and remove unnecessary steps, because speed isn’t just helpful, it’s a true competitive advantage.
Invest in developing your internal talent, as upskilling existing employees is often faster, more cost effective, and more sustainable than hiring externally.
Focus on building and fostering a culture that cyber professionals genuinely want to be part of.
Benchmark salaries regularly by utilising your internal data, networks and industry cyber salary and rate guides .

Hiring cyber security talent in Australia can certainly be challenging, but it is also an opportunity for organisations to think more strategically about how they build and grow their capability. Hiring managers are navigating a competitive market, balancing the need for specialised skills with long term value and team fit, all while cyber risk continues to rise in importance across the business.

The good news is that with smart strategies, clear expectations, and the right internal support, organisations can successfully attract and retain strong cyber talent. And if you need the support of a cyber recruitment agency partner, we’re always here to help. Get in touch with the e2 cyber team.

CONTRACTOR OR CONSULTANT? MAKING THE RIGHT CALL IN AUSTRALIAN CYBER SECURITY.

Tue, 14 Apr 2026 01:37:51 GMT

As Demand for Cyber Talent Grows, Australian Organisations Need to Know Exactly What They're Buying

Two Words. One Costly Confusion.

They arrive in briefs, in job ads , in boardroom conversations - often used in the same breath, occasionally in place of each other entirely. Contractor. Consultant. In Australian cyber security, the distinction between the two is not simply semantic and is one of the many challenges hiring managers face . It shapes how organisations build capability, how they allocate their budget, and whether the outcome they are chasing is the one they actually achieve in the end.

The confusion is understandable. Both models bring external expertise into an organisation. Both carry a cost. Both are, at some point, temporary. But the purposes they serve, and the conditions under which each performs at its best, are meaningfully different. And in a threat environment as pressured as Australia's right now, the wrong call is an expensive one.

According to the ASD's Annual Cyber Threat Report 2024-25 , the Australian Signals Directorate responded to more than 1,200 cyber security incidents in the last financial year, an 11% increase from the year prior. Cybercrime reports averaged one every six minutes. The average cost of a cybercrime incident to a small business rose 14% to $56,600. Against that backdrop, the question of who you bring in - and in what capacity - is not a procurement decision. It is a risk decision. We sat down with Jacob Bywater, Director at e2 Cyber , to cut through the confusion

What Each Model Actually Is

Strip away the job ad language, and the difference between a contractor and a consultant becomes clearer.

A cyber contractor is a subject matter expert - deep in a particular domain, technology, or framework - engaged for a defined period to achieve a specific outcome. They arrive with precision rather than breadth. Their value is in doing, not advising. When the objective is met, they leave.

A cyber consultant , by contrast, arrives with perspective. They are engaged when an organisation does not yet have full clarity on what the outcome should be, let alone how to get there. A consulting firm typically deploys multiple people across an engagement, bringing a cross-disciplinary view of business, technology, and risk. They build the map. The contractor helps execute the journey pathways.

Jacob frames it this way: "A contractor is a true SME within a skill set that is bought in for a specific purpose or outcome. A consultant would come in and advise around what the objective would be, how you should get there, what you should do with it."

Both are legitimate. Neither is inherently superior. The question is always which one the situation calls for.

Why the Lines Have Blurred

Australia's cyber security market has grown fast enough that the vocabulary has struggled to keep pace. Roles get titled on instinct rather than definition. Briefs go to market before the actual need has been properly stress-tested. And organisations under pressure to shore up their security posture default to reaching for the closest available resource rather than the most appropriate one.

There is also a shift in sentiment, particularly in government and defence, that has tilted the market. Several years of scrutiny around the cost and conduct of large consulting firms have prompted many organisations to pull strategic direction in-house and look to contractors for targeted implementation support instead. The preference for owning the outcome - knowing who is making decisions and why - has driven demand for contractors who execute within a clearly defined brief rather than consultants who shape the agenda.

At the same time, the pace of change in cyber security creates its own complication. As Bywater notes: "The technology and cyber security world is just moving so fast right now that the advice you get in January could be completely null and void come February, March, April." The shelf life of a consulting engagement is shortening. That does not make consulting redundant but it does raise the bar for what a consulting relationship needs to deliver to justify its cost.

When a Cyber Contractor is the Right Answer

The cyber contractor model earns its place when the objective is clear, the timeline is defined, and the required skill set is one the permanent team does not hold. This is not a reflection of the team's capability. It reflects the reality that no organisation can maintain deep expertise across every platform, framework, and emerging threat vector on a permanent basis.

A useful illustration: an organisation invests in a new SIEM platform . The internal team understands what a SIEM does and why the business needs one. What they may lack is the hands-on depth with that specific tool to configure it effectively, stand up the right use cases, and embed it into operations with confidence. That is the contractor's role. They come in, build it right, document everything, train the permanent team, and hand over. If something shifts six months later and a further uplift is needed, they can return for another defined engagement.

"Once it's up and running and goes into operation, the idea is that your SME contractor creates your operational manuals, sets up your SOPs, does the handover to your permanent team and they manage from there," Bywater explains.

The contractor model also suits organisations moving through a transformation program at pace, where specialist knowledge needs to be applied quickly and the timeline does not allow for a lengthy onboarding or training curve. For project-based cyber work , the ability to hit the ground running is not just useful, it is the point.

When a Cyber Consultant is the Right Answer

The consultant is most valuable when the organisation does not yet know what it needs to know. That sounds circular, but it is actually a precise and common situation. A business understands that it wants to be more secure. It may know, broadly, that it wants cloud-based infrastructure, AI integration, and a safer operating environment. What it does not know is what that actually requires, in what order, at what cost, or with what dependencies.

This is where a consulting firm earns its place - not by implementing, but by building the picture that makes implementation coherent. For smaller and mid-sized organisations that do not have the internal headcount or breadth of experience to map the full landscape themselves, engaging a consultancy provides the structured thinking that the business lacks and genuinely needs.

Bywater reflects on e2 Cyber's own experience: "We engaged a security consulting firm to help us work out what plan we want, why we're trying to achieve it, and the best way forward. We essentially had a small group of leaders who liked the idea of being more secure but didn't quite understand how to get there from a deep technology and cyber security implementation point of view. That guidance was invaluable."

The candour matters. Even those who work in and around cyber security daily recognise that there are moments when outside perspective, with no internal stake in the answer, is the most useful thing money can buy.

The Cost Question and Why it is Being Asked Incorrectly

Budget is the first thing most organisations look at when evaluating contractor versus consultant. It is rarely the most instructive lens.

Contractors typically cost between 30% and 80% more per day than an equivalent permanent hire when expressed as a day rate. Over a short engagement for a specific purpose, that premium is generally justified and often less expensive than it appears when set against the full cost of a permanent hire - recruitment fees, induction time, training, benefits, and the months it takes for a new employee to reach full productivity. Over a three-year horizon for the right permanent employee, the economics shift substantially.

The real cost calculation is not rate versus salary. It is outcome versus expenditure. An organisation that engages a contractor for three months to stand up a capability that then runs effectively for three years has made a sound investment. An organisation that engages a consultant at significant cost and receives advice that is operationally impractical, or that becomes outdated before implementation begins, has made a poor one.

As Jacob puts it: "If you see this as a cost to your business, you'll essentially rise to the bottom. And the bottom doesn't always mean the outcome that you want to achieve."

The investment framing also applies to how organisations think about talent development more broadly. The cyber security skills landscape in Australia is not simply constrained. According to the Australian Computer Society's 2025 Digital Pulse report, an estimated 54,000 additional skilled cyber security professionals will be needed by 2030 . Treating external expertise as a cost to be minimised rather than a capability lever to be used strategically is a mindset that consistently produces underwhelming results.

Running Both Models Simultaneously

There are many situations where a business genuinely needs both a contractor and a consulting engagement operating in parallel - or in close sequence. A consulting firm sets the strategic direction. Contractors implement it. The permanent team absorbs the outcome and runs it forward.

This is workable. It is not always tidy. The risk is in the spaces between the models, where accountability blurs, where decisions fall through the gaps between what the consultant recommended and what the contractor was briefed to build.

Bywater is direct on this: "Whenever you have multiple stakeholders involved in any sort of project, there needs to be a clear chain of command. Everyone needs to know who's making the decision at the end of the day. Everyone needs to play fairly in the sandpit and understand what line they're in."

That clarity needs to be established before the engagement begins, not negotiated in the middle of it. Reactive governance in a multi-stakeholder cyber program is one of the more reliable routes to expensive outcomes and diffuse accountability. Define ownership early. Write it down. Make sure every party - consulting firm, contractor, internal team - understands not just their own scope but how it connects to everyone else's.

Planning and preparation, in other words, is not administrative overhead. It is the work.

The Role of Expertise Over Algorithms

One aspect of this decision-making process that deserves plain acknowledgement is the growing temptation to use AI tools to shortcut the thinking. Cyber security capability decisions - whether to hire permanently, contract, or engage a consultant - involve nuanced context that changes with every organisation, every threat environment, and every budget cycle. They are not problems that yield to a prompt.

Bywater is an advocate for AI as a tool and sees genuine value in what the technology offers. But the distinction he draws is an important one: "I would be careful to not let AI direct your decision-making processes above using SME-based skills and knowledge around this space, whether it be who to utilise, contractor or consultant, what they say is right or wrong. The tools aren't quite at the point where they're advanced enough to be making those decisions without actually engaging with industry."

The people who understand the Australian cyber market - who know what is moving, what is stalling, where the genuine skill gaps are, and what specific organisations actually need, versus what they think they need - hold knowledge that no algorithm can replicate or replace. That expertise is the thing worth truly investing in, and to be prioritised above the AI tools that can support it.

Choosing a Career Path: Contractor or Consultant?

For those navigating this question from the other side of the table, the choice between a contracting and a consulting career is one that shapes not just day-to-day work but the arc of professional development.

Contracting rewards depth. The contractor who builds genuine mastery of a platform, framework, or domain - who goes home and experiments in a home lab because they are genuinely curious, who attends industry events because they want to rather than because they feel they should - finds that the market consistently seeks them out. Passion in this space is not a soft quality. It is a commercial one.

"The people I've had the pleasure of working with in contracting over the years are truly passionate about a particular technology or domain," Bywater says. "They enjoy it outside of work hours. If you're not genuine about what you do, that'll be found out no matter which career path you go."

Consulting rewards breadth, commercial acumen, and the ability to communicate with a wide range of stakeholders - from a CFO to a user experience team to an education function. Consultants who move well across those conversations, and who bring genuine business understanding alongside their technical or governance expertise, build careers that open into directions a pure contracting path does not always offer.

Neither path is better. They suit different people, different temperaments, and different definitions of what a fulfilling working life looks like. For anyone uncertain early in their career, Jacob's advice is worth sitting with: "If you're unsure, do a year on both sides and see what you think. Get a couple of mentors - one on each side of the fence."

The ability to move between the two models, understanding both from the inside, is itself a significant professional asset.

What Happens When You Don't Know Where to Start

The most honest piece of guidance for any organisation approaching this question is the simplest one: start with the question before you start the search.

Why are you doing this? What has prompted it? What does a successful outcome actually look like in twelve months? What does your internal team currently hold, and where are the genuine gaps?

These questions belong before any brief goes to market. They belong before a job title is written. They belong before a rate card is requested or a consulting firm's capabilities deck is reviewed.

"I always ask why, and what's prompted it," Bywater says. "And I'd much rather be sending an invoice for a service that a customer genuinely sees value in. Sometimes there are avenues they haven't even thought of that could be done at very minimal cost."

For organisations that have worked through those questions and know a consulting engagement is the right next move, Zaleo Consulting is worth knowing about. As a sister brand, part of the Emanate, Group and already recognised as APAC VMware Partner of the Year for Consulting Services by Broadcom , Zaleo brings focused expertise across modern infrastructure, data, AI and cyber - a new name in the market, earning its reputation quickly and for the right reasons.

For clients who know what they need, e2 Cyber helps them find it. For those who are still working out the right question, that conversation is just as welcome

Final Thoughts

The contractor versus consultant question does not have a universal answer. It has a right answer for each organisation, at each moment in time, in the context of each specific challenge. The variables are numerous: budget, timeline, internal capability, strategic clarity, risk appetite, and the particular texture of what needs to be built or changed.

What the question does demand is that it be asked properly. Defined clearly. Answered honestly. And revisited as circumstances shift, because the threat environment that frames this decision in Australia right now is not static. As the ASD makes clear, the pressure on Australian organisations to build and sustain real cyber capability is accelerating, not plateauing.

The businesses that navigate this well are not necessarily those with the largest budgets. They are the ones who understand what they are trying to protect, who they need to protect it, and in what form that expertise is best delivered.

Contractor or consultant? The right answer starts with knowing what question you are actually asking.

Looking to work through which model is right for your organisation, or to understand where your career fits within the contractor and consulting landscape? Contact our team of cyber security specialists today.

RETHINKING CYBER RECRUITMENT: ACCESSIBILITY DRIVING WINNING TEAMS

Wed, 11 Mar 2026 00:35:09 GMT

Inclusion in Cyber Security Recruitment: From Awareness to Action in Australia

As we recognise Neurodiversity Celebration Week this month, it is an important moment to talk about neurodiversity. But if we stop there, we miss the bigger opportunity.

Inclusion in cyber security recruitment cannot sit within a single awareness week or focus on one cohort alone. Neurodiversity is a critical part of the conversation, but so too are physical disability, chronic illness, mental health conditions, cultural background, gender diversity, First Nations representation and non-traditional career pathways.

The Australian cyber sector faces two realities at once. A persistent skills shortage, one of the many challenges hiring managers face , and a workforce that does not yet reflect the diversity of the community it protects. According to the national strategy led by the Department of Home Affairs, Australia’s vision is for a flourishing cyber industry enabled by a diverse and professional workforce. The Inclusive Cyber Security Recruitment Guidance , developed with the Behavioural Economics Team of the Australian Government, provides evidence based actions to help get there.

At e2 Cyber, inclusion is not a side initiative. It is a commercial and strategic imperative. Recruitment systems shape who enters the industry, who progresses and who leaves. If those systems are narrow, the workforce will be too.

This blog explores what broader inclusion means in cyber security recruitment, why it matters, where barriers still exist and what practical action looks like in Australia today.

Beyond Neurodiversity: A Broader View of Inclusion

Neurodiversity is often the entry point to discussions about inclusive hiring in cyber security. And rightly so. Cognitive diversity aligns strongly with many cyber capabilities such as pattern recognition, structured thinking and analytical depth.

Inclusion in cyber security is often discussed through a single lens at a time. One year the focus may be gender diversity, another neurodiversity in cyber , another disability inclusion. While each conversation is important, viewing them in isolation risks overlooking the reality that people do not experience identity in silos.

The cyber workforce is made up of individuals with layered experiences, skills and perspectives. Some professionals may be entering cyber through non-traditional career paths after working in policing, intelligence, finance or the military. Others may bring lived experience navigating disability or chronic health conditions. Still others may come from culturally diverse backgrounds or regional communities where access to the cyber sector has historically been limited.

When organisations design recruitment systems that recognise this complexity, they unlock a far broader spectrum of capability.

A truly inclusive recruitment approach therefore considers a wide range of lived experiences and structural barriers, including:

Physical disability and accessibility
Chronic health conditions
Mental health and psychological safety
First Nations representation
Gender diversity
Cultural background and intersectionality
Socioeconomic barriers
Non-traditional pathways into cyber

In practice, these factors often overlap. An individual may be neurodivergent and First Nations. Or managing a physical disability while balancing caring responsibilities. Inclusion must account for complexity rather than assuming a single identity.

The core message we are seeing is that recruitment should be inclusive by default. That means designing processes that reduce bias and friction for everyone rather than implementing reactive adjustments once a barrier becomes visible.

The Commercial Case for Inclusive Cyber Recruitment

Australia’s cyber skills shortage is well documented. Threat actors are adaptive, persistent and increasingly sophisticated. Organisations require diverse thinking to defend against them.

Cyber security is ultimately about anticipating the unexpected. Attackers do not think in uniform ways. They exploit blind spots, assumptions and predictable patterns of behaviour. Teams built from similar backgrounds, training pathways and thinking styles can unintentionally replicate those same blind spots.

Inclusive hiring is therefore not just a workforce initiative. It is a defensive strategy. Diversity of thought increases the likelihood that risks will be spotted earlier, interpreted differently and challenged constructively before they escalate.

Inclusive recruitment delivers tangible benefits:

Wider and more dynamic talent pipelines in a constrained market
Reduced attrition through better role alignment
Increased innovation and risk detection
Stronger employer brand
Access to broader client and community trust

In cyber security, diversity is not symbolic. It is operational.

For example:

Professionals with lived experience of disability may bring heightened sensitivity to accessibility risks in digital platforms.

First Nations professionals may offer unique community perspectives relevant to public sector cyber initiatives.

Individuals from non-technical backgrounds may identify human vulnerabilities overlooked by purely technical teams.

Neurodivergent professionals may detect anomalies others miss.

Simply put, inclusion expands capability.

Where Recruitment Processes Still Create Barriers

Most exclusion in cyber recruitment is unintentional. It is embedded in habit.

Most hiring managers do not set out to exclude talent. In fact, many organisations genuinely want to build more inclusive teams. The challenge is that recruitment systems are often inherited rather than designed. Job templates, interview structures and assessment methods are reused from previous roles without asking whether they truly measure the capabilities required.

Over time, these inherited practices can unintentionally filter out capable candidates long before they have an opportunity to demonstrate their skills.

Overloaded Job Ads

Cyber job ads often contain extensive lists of skills, certifications and years of experience. Research shows that certain groups are less likely to apply unless they meet nearly every listed criterion. Excessive requirements shrink applicant diversity before assessment even begins.

Clear distinction between essential and desirable criteria is critical.

Ambiguous and Jargon Heavy Language

Phrases such as “excellent communication skills”, or “must thrive in a fast-paced environment” are vague. They may discourage capable candidates who interpret language literally or who do not identify with stereotypical workplace narratives.

Plain English and outcome focused descriptions benefit all applicants.

Inflexible Assessment Methods

Unstructured interviews often reward confidence and rapid social responses. They may disadvantage:

Neurodivergent candidates
Individuals with anxiety
Candidates from cultures where self-promotion is less common
Professionals with communication differences

Cyber security roles frequently require technical precision rather than conversational fluency. Assessment methods should reflect that.

Lack of Consideration for Accessibility

Assessment environments and locations may not account for:

Physical access
Sensory load
Fatigue management
Time zone differences for remote candidates
Accessibility should be considered proactively rather than reactively.
Fear of Disclosure

Many professionals living with disability or mental health conditions choose not to disclose due to fear of bias. If adjustments depend on disclosure, some candidates will never access them. Normalising conversations about working preferences reduces stigma and protects privacy.

Designing Inclusive Recruitment by Default

The encouraging news is that inclusive recruitment does not require radical transformation. Many improvements involve relatively small adjustments to how roles are described, how candidates are assessed and how conversations about working preferences are approached.

The guide developed by the DHA with the Behavioural Economics Team of the Australian Government emphasises a principle known as inclusive design by default. Rather than waiting for individuals to request adjustments, organisations can design processes that reduce barriers for everyone from the outset.

The following four structural pillars provide a practical starting point.

1. Design Accessible Job Ads

Before interviews begin, you shape who applies. Practical actions include:

Identifying and listing only essential requirements
Removing unnecessary years of experience criteria
Using clear, outcome-based language
Avoiding gender coded or exclusionary wording
Including flexible work options explicitly
Describing a typical day in the role
Encouraging applications from diverse backgrounds

For example, instead of stating “must have strong stakeholder engagement skills,” a clearer description might be “able to present technical findings to non-technical audiences and respond to their questions clearly.”

Clarity reduces ambiguity and cognitive load.

2. Offer Structured and Flexible Assessments

Assessment should evaluate capability, not conformity. Consider:

Semi structured interviews with consistent questions
Sharing interview questions in advance
Using scoring rubrics aligned to selection criteria
Offering work sample tests or technical challenges
Allowing reasonable time flexibilityBeing transparent about format and expectations
Providing options does not reduce rigour. It increases fairness.

In cyber security, simulated tasks can often provide stronger evidence of skill than conversational interviews alone.

3. Shift from Cultural Fit to Cultural Add

Hiring for cultural fit often reproduces existing team demographics and thinking styles. Cultural add asks what perspective a candidate brings that strengthens the team.

For example:

Does this candidate bring a different threat modelling lens?
Do they offer experience from adjacent industries?
Do they challenge assumptions constructively?
Structured panel discussions and diverse interview panels help reduce unconscious bias in hiring decisions.

4. Normalise Conversations About Working Preferences

Rather than singling out individuals, organisations can ask every candidate:

“What does a working environment look like when you are performing at your best?”

This allows candidates to share:

Communication preferences
Flexibility needs
Environmental considerations
Support structures

Framing adjustments as performance enablers rather than accommodations removes stigma. Universal design supports everyone.

Retention: Inclusion Beyond Recruitment

Recruitment is the gateway. Retention determines impact.

Inclusive retention strategies may include:

Structured onboarding processes
Clear pathways for progression
Ongoing conversations about working styles
Flexibility embedded in cyber team culture
Awareness of cultural and cognitive load
Support for employee resource groups
Ensuring remote staff are not disadvantaged

Cyber security can be a high-pressure environment. Sustainable inclusion helps reduce burnout and protects institutional knowledge.

Neurodiversity Celebration Week (and every day)

Neurodiversity Celebration Week provides a platform to talk about strengths-based narratives around cognitive diversity. But the broader inclusion agenda must extend beyond one week.

This week presents an opportunity for organisations to honestly reflect on how inclusive their recruitment systems truly are, and make the adjustments needed.

Practical starting points include:

Auditing your latest cyber job advertisement
Reviewing interview structures
Examining panel diversity
Downloading and reviewing the Inclusive Cyber Security Recruitment Guidance
Engaging with community organisations
Encouraging internal conversations about bias and barriers

The Role of e2 Cyber as Recruitment Partners

At e2 Cyber, inclusive recruitment is grounded in practice and we are on a constant learning and growth journey to improve practices. That means:

Challenging unnecessary selection criteria
Advising on structured interviews
Encouraging flexible assessment pathways
Advocating for reasonable adjustments
Protecting candidate confidentiality
Educating clients on cultural add over cultural fit
Recognising transferable skills from non-traditional pathways
Using these practices internally in our own hiring

We do not position inclusion as charity or compliance. We position it as strategic advantage and encourage others to do the same to supercharge their teams.

And we certainly don't position ourselves as the experts - we do align ourselves with them and put in the time and effort to absorb as much as we can, to then use in practice and share with our community as we are in this piece.

Our commitment extends to all those benefiting from more accessible work environments. It includes physical disability, mental health, cultural diversity and intersectional identity and more. Cyber security requires complexity of thought and recruitment must reflect that.

A Practical Call to Action for Australian Cyber Leaders

If you are a hiring manager we recommend:

Removing non-essential criteria from your next job ad
Clarifying outcomes and responsibilities
Structuring interviews with inclusion in mind
Offering work sample alternatives
Discussing flexibility openly

If you are building cyber teams at scale :

Invest in panel training
Standardise scoring criteria
Track diversity metrics
Evaluate retention data
Review progression pathways

If you are a candidate:

Know that alternative communication styles are valid
Ask about assessment format
Consider what environment supports your best performance
Seek cyber recruiters who are open to understanding and advocating for inclusive practice

Strengthening Cyber Security Through Inclusion

Cyber security is about anticipating risk, identifying blind spots and protecting systems from failure.

Recruitment systems are no different.

When hiring processes favour one communication style, one career pathway or one interpretation of professionalism, organisations risk overlooking individuals whose perspectives could strengthen their security posture.

Inclusive recruitment challenges those assumptions and asks a more important question: are we measuring the capabilities that truly matter for the role?

Inclusion is not about lowering standards. It is about removing irrelevant barriers so standards can be met by a broader group of capable professionals.

As Australia continues to build its cyber resilience, the workforce must reflect the diversity of threats, technologies and communities it serves.

The Road Ahead

Australia’s cyber security sector is entering a pivotal decade. Threat environments are expanding, technology ecosystems are becoming more complex and the demand for skilled professionals continues to outpace supply .

Meeting this demand will require more than simply producing more graduates or recruiting from the same established talent pools. It will require widening the lens through which capability is recognised.

Across government, industry and academia there is growing recognition that cyber talent does not follow a single pathway. Some of the most effective cyber professionals have backgrounds in psychology, law enforcement, intelligence, software development, linguistics or mathematics. Others bring lived experience that shapes how they perceive risk, resilience and human behaviour.

Inclusive recruitment therefore plays a critical role in shaping the future cyber workforce.

The conversation is finally moving from awareness to implementation. Organisations are increasingly asking practical questions about how their hiring processes can evolve to reflect the diversity of skills required in modern cyber operations.

For employers, the road ahead involves moving beyond statements of intent and embedding inclusion into operational processes. That means examining job design, assessment structures, leadership behaviours and progression pathways. It also means recognising that inclusion is not a one-time initiative. It is an ongoing capability that must evolve alongside the industry itself.

For the cyber workforce, this shift opens the door to a more accessible and dynamic profession. One where talent is recognised not just through conventional credentials, but through problem solving ability, curiosity, resilience and analytical thinking.

If Australia is to build the cyber capability required for the coming decade, expanding who can participate in the sector will be essential.

Final Thoughts

Cyber security is fundamentally about identifying vulnerabilities before they are exploited. It requires curiosity, scepticism and the ability to view systems from multiple angles.

Recruitment systems should embody the same principles.

The conversation sparked by Neurodiversity Celebration Week reminds us that cognitive diversity is a powerful asset within cyber teams. But the broader lesson extends beyond neurodiversity alone. Physical accessibility, cultural diversity, mental health awareness and non-traditional career pathways all contribute to a more resilient workforce.

Inclusion, when approached thoughtfully, does not dilute standards. It sharpens them by focusing hiring decisions on genuine capability rather than convention.

For organisations across Australia’s cyber ecosystem, the challenge now is to translate intent into practice. That may begin with something as simple as rewriting a job description, restructuring an interview or asking candidates how they work best. Small changes at the recruitment stage can have long lasting impacts on team performance, retention and innovation.

At e2 Cyber, we believe the future strength of Australia’s cyber security workforce will depend on how effectively the industry embraces this broader view of talent.

The threats facing organisations are diverse, adaptive and constantly evolving. The teams defending against them should be just as diverse in their thinking, experiences and approaches .

Inclusive recruitment is not just good policy. It is good security.

Looking to build a diverse team and want to be supported? Contact our dedicated cyber recruitment agency specialists.

WHY CYBER SECURITY ROLES ARE EVOLVING FASTER THAN WE CAN HIRE

Wed, 04 Feb 2026 05:24:22 GMT

How Risk, Budget and Expectations are Reshaping Cyber Security Roles

For most organisations, cyber security did not arrive with a bang. It crept in quietly. First as an IT concern. Then as a compliance issue. Now as a board-level risk that touches reputation, revenue, safety and trust.

Somewhere along the way, cyber security roles stopped being clearly defined. What was once a security analyst role now reads like three jobs in one. Engineering roles expect deep specialisation across multiple tools, platforms and frameworks. GRC roles are expected to understand business, technology, regulation and risk in equal measure. And organisations are left wondering why hiring feels harder than it ever has.

According to e2 Cyber Consultant Ben Rogalsky , the answer is not as simple as a talent shortage. It is a story of expectations, risk, budget pressure and an industry that has evolved faster than the way we hire for it.

From his vantage point inside the Australian cyber security recruitment market, Ben sees this disconnect play out every day.

“Everyone always says it’s understaffed,” he says. “And I would have to agree. But it’s not a shortage of new talent. There’s so many people coming through university programmes and trying to shift roles. Most of my conversations are with entry-level people trying to break into the space.”

The problem, he explains, is not interest. It is readiness. And more importantly, it is the way organisations define readiness.

The Myth of the Cyber Skills Shortage

Australia is often described as having a cyber security skills shortage. Government reports, media headlines and industry commentary reinforce the idea that there simply are not enough cyber professionals to meet demand.

Ben does not entirely disagree, but he believes the picture is more nuanced. “I think it’s the actual industry as a whole and the mission of the industry,” he explains. “The mission is to protect. So you need people on the ground hitting the ground running rather than other industries where they can take some time to learn and upskill.”

Cyber security does not lend itself easily to long ramp-up periods. When something goes wrong, it goes wrong fast. That reality shapes hiring behaviour.

Organisations want experience. They want certainty. They want someone who has seen it before and can handle it again.

The result is a market where junior talent struggles to get a foothold, not because they lack motivation or capability, but because very few organisations are willing or able to invest the time to develop them. “There’s not a lot of development of junior staff,” Ben says. “There’s not a lot of training. Everyone’s taking off each other and trying to get people who already have multiple years of experience.”

In other words, the industry keeps fishing from the same pond.

When Roles Evolve Faster than Hiring Models

Cyber security roles have changed dramatically over the last few years. Yet job descriptions often lag behind reality, or swing too far in the other direction.

Ben sees both extremes. “Job descriptions are sometimes asking for a lot when people are just touching on certain points,” he says. “They’re asking for SMEs across multiple tools when in reality they need someone with a solid understanding who can grow into it.”

This is where misalignment starts to creep in. Hiring managers know their risk profile has grown. They know their environment is more complex. They know regulators, customers and insurers expect more. So, they respond by stacking requirements into a single role.

The Unicorn Problem is Not New, But it Has Intensified

“Organisations are trying to find someone doing three roles instead of one,” Ben says. “They want someone extremely specialised, with zero leeway, and they don’t want to spend time training.”

From a recruitment perspective, this creates longer hiring timelines, higher salary expectations and ultimately frustration on both sides. “When people are determined on hiring a unicorn,” Ben explains. “That’s going to be a six-month search. And why would that person want to come work for you?”

Cyber Security as a Cost, Not a Revenue Driver

One of the most persistent challenges in cyber security hiring is justification. Unlike sales, product or consulting, cyber security rarely generates direct revenue.

“If you’re in an internal team, it’s not a money maker,” Ben says. “It’s a money saver.”

Cyber security exists to reduce risk. To prevent incidents and safeguard their reputation, organisations are first considering whether a contract or consulting model best suits their needs. When consulting is the preferred choice, cyber consulting services such as our sister company Zaleo Consulting enable access to broader expertise and related services in a more strategic and cost‑effective way.

This creates tension at the leadership level. “It’s hard to justify the cost,” Ben explains. “Because it leads into multiple areas like reputation. There’s not a direct dollar figure you can attach to it.”

That tension flows downstream into hiring decisions. Budgets are tight. Expectations are high. And roles become overloaded in an attempt to maximise value from a single headcount.

The irony, as Ben points out, is that under-investing in people often increases risk rather than reducing it.

The Shift From Shiny Tools to Optimisation

A few years ago, cyber security teams were racing to implement new tools. Today, the conversation has changed.

“A lot of cyber in the technical space isn’t deploying new tools anymore,” Ben says. “It’s about getting the most out of their current tool set.” Budgets are tighter. Tool sprawl is real. And many organisations are sitting on overlapping platforms that do similar things.

“There’s a serious amount of money going into tech debt,” Ben explains. “Into tools they’ve already paid for that aren’t being fully used.” This shift has reshaped demand for cyber security roles.

Automation engineers, identity and privileged access specialists, and security engineers with deep platform expertise are in high demand. Cloud security remains critical. Core monitoring tools like Sentinel, Defender, Splunk and CrowdStrike continue to anchor many teams.

What organisations want now is not someone who can introduce something new, but someone who can make what they already have work better. That requires depth, not breadth. Yet many job descriptions still ask for both. This is explored further in our previous blog: Cyber Security, from Compliance to Culture .

Technical Versus Non-Technical Cyber Roles

Within cyber security, Ben draws a clear distinction between technical and non-technical roles.

On the GRC side, he sees a growing emphasis on fundamental technical understanding. “Ideally someone from an infrastructure or networking background helps,” he says. “It allows GRC people to actually understand the business and its endpoints, rather than just applying copied frameworks.”

This is where experience matters. Assessing risk requires context. Without understanding how systems actually work, governance becomes theoretical. At the same time, technical roles increasingly require communication skills.

“Cyber gets a rap for being very tech heavy,” Ben says. “But at the end of it, it’s people. It’s about reducing people risk with technology.”

This convergence of skills is another reason roles feel like they are expanding. Technical specialists are expected to communicate risk. GRC professionals are expected to understand technology. Architects are expected to bridge strategy and delivery.

The Industry Has Matured. Hiring Models Have Not Always Kept Pace

Are job descriptions telling the truth?

One question candidates frequently ask recruiters is whether a job description reflects reality.

Ben’s answer depends on how the role is sourced. “In agency roles, as I've mentioned, clients are often looking for unicorns,” he explains. “But the person might come in and only actually use 50 % of what’s in the job description.” "That's where we come in to offer critical consultation to communicate effectively".

In many cases, job descriptions become wish lists rather than accurate reflections of day-to-day work.

That said, Ben notes that he sees fewer cases now where people are trapped doing significantly more than advertised.

Part of that is due to better recruitment conversations. Part of it is due to the market pushing back.

“Culture fit is key,” Ben says. “Skills can be taught. Technologies can be learnt. But mindset and culture matter.”

Leadership Expectations and Market Reality

One of the biggest sources of friction in cyber security hiring is leadership expectation.

“Some leaders have zero understanding of what the market’s like,” Ben says. “They don’t have good networks. They don’t understand how difficult it is to find the talent they’re asking for.”

This often results in unrealistic requirements paired with limited budgets. “They want everything,” Ben explains. “And they’re paying well under market.”

From a recruiter’s perspective, part of the role is education. Resetting expectations. Explaining trade-offs. Helping leaders understand that perfection is rare, and potential matters. But those conversations are not always easy. “Sometimes it falls on deaf ears,” Ben admits.

The Real Cost of Not Developing Talent

One of the most important themes in Ben’s perspective is the lack of investment in early-career talent.

“It’s difficult to train someone for a year just for them to leave for an extra 10K,” he says. "It feels as though can’t compete with that.”

This fear is understandable. But the alternative is a stagnant talent pool where the same experienced professionals are stretched thinner each year. “Not everyone is developing talent,” Ben says. “It’s only a certain pool of organisations.” Those organisations bear the cost. Others reap the benefits. It's not hard to see how a more balanced system would benefit all.

The long-term risk is clear. Without consistent investment in juniors and career-changers, the industry creates its own bottleneck.

Burnout, Retention and Responsibility

As roles expand and teams remain lean, burnout becomes inevitable. “There’s always going to be burnouts,” Ben says. “Everyone’s trying to reduce risk with limited resources.”

Once again, leadership plays a critical role. “It’s on leadership to ensure staff are well maintained and looked after,” he says.

That means more than salary. Training , development, time to learn, and visible investment in people all matter. “People want to stay learning,” Ben explains. “They want to feel like they’re progressing.” In many cases, access to certifications and professional development outweighs cash. “Those certifications are worth double the money,” Ben says. “Because the business is showing they care.”

Salary Pressure and the Shape of the Market

While overall job ads may be down, cyber security remains its own ecosystem.

“Cyber isn’t always advertised,” Ben notes. “The data isn’t always accurate if you’re just scrolling job boards.”

What he is seeing is salary pressure at the mid-level. “Salary expectations are higher,” he says. “Especially for people on the tools.”

Conversely, some senior and architecture roles are seeing rates soften, which is indicated in our latest cyber salary and rate guide .

Looking ahead, Ben expects increased hiring as programs of work are approved, but competition will remain fierce for specialists.

“The money is in niche roles,” he says. “People with key certifications and deep platform expertise.”

Why Traditional Recruitment Models Fall Short

Cyber security recruitment does not reward volume. “There’s a lot of jargon,” Ben says. “You have to understand the mission.”

Traditional spray-and-pray recruitment approaches struggle in a market built on trust, referrals and reputation.

“Cyber recruitment is referrals,” Ben explains. “From candidates. From clients.”

AI has amplified this divide. “It’s easy to copy and paste a CV now,” Ben says. “But it takes human understanding to assess culture, drivers and fit.”

Cyber professionals are often excellent judges of people. They value authenticity. They remember bad experiences. Burning bridges travels fast in a small market.

The Insurance Analogy and Why Cyber is Different

Towards the end of the conversation, Ben touches on an analogy that resonates deeply. Cyber security is often compared to insurance. A cost you hope you never need. But Ben sees a critical difference. “Cyber security functions are like insurance,” he says. “But it’s a reverse insurance.” You are paying to stop the incident from happening, not to be compensated after it does.

And unlike most forms of insurance, cyber incidents can have life-or-death consequences. “In OT environments, hospitals, defence,” Ben explains, “there’s an actual link to someone’s life.”

This reality raises the stakes of under-resourcing cyber teams. It is not just about data or money. It is about safety.

Building Capability, Not Just Filling Roles

For organisations serious about long-term cyber capability, Ben’s advice is clear.

“Find a company or leadership team that will support you beyond the interview,” he says. Support must be real. Not just promised.

Leadership must advocate for their teams. Balance budget pressure with reality. Set priorities.

“Sometimes everything needs to be done,” Ben says. “But you have to rank it.”

Culture truly sits at the centre of it all. “Invest in people,” he says. “Invest time. Understand their lives. Get buy-in and loyalty to the mission.”

DEI and Untapped Talent

Ben is a member the organisation’s DEI working group, and he sees inclusion as both a moral and strategic imperative.

“Some smaller organisations miss out on great talent because they’re so single-minded,” he says.

Cyber security has always attracted diverse thinkers . Neurodiversity, different problem-solving styles, and varied backgrounds are strengths, not risks. Closing the door by not adopting an inclusive cyber recruitment strategy narrows the pipeline further, and overlooks some of the best suited and skilled talent on the market.

What Candidates are Really Prioritising

For mid-level cyber professionals, the decision is rarely just about money. “Flexibility is number one,” Ben says. “Then training and development.”

Work from home options, family flexibility, learning opportunities and meaningful work consistently outrank marginal salary increases. “Money matters,” Ben acknowledges. “But flexibility and growth matter more.”

If nothing changes, what happens next?

If organisations do not invest in developing talent, Ben sees a challenging cycle ahead. “The current people will just have to do more,” he says. “More work. More projects.” Burnout increases. Attrition follows. Hiring becomes reactive rather than strategic. “The industry will still be short for five to ten years,” Ben predicts. It does not have to be that way. But change requires risk, investment and patience.

The Path Ahead

For individuals navigating roles that keep expanding, Ben’s advice is grounded and human.

“Life’s very short,” he says. “You’re spending most of it at work.”

Find managers who shield you from unnecessary pressure. Look beyond small salary bumps. Protect your reputation.

“Cyber is about reducing risk,” Ben says. “Don’t take a massive career risk for a little bit of money.”

Reputation matters. Relationships matter. And in the niche world that is cyber security, they travel with you.

Final Thoughts

Cyber security roles are evolving because the world they protect is evolving. Technology, regulation, risk and expectation are all moving fast. Hiring models, however, are still catching up.

The gap between what organisations want and what the market can realistically provide is widening. Closing it will require better education, more flexible thinking, and a renewed commitment to developing people, not just hiring skills.

At e2 Cyber, these conversations happen every day. Not just about filling roles, but about building sustainable cyber security capability for Australia. Because the future of cyber security will not be solved by AI and unicorns alone. It will be built by people, and derived from all skills and backgrounds.

Keen to explore what's in store for you or your team with our dedicated cyber recruitment agency specialists ?

AUSTRALIA'S CYBER SECURITY SHIFT - THE DEFINING 2025 MOMENTS STEERING 2026

Thu, 11 Dec 2025 01:29:40 GMT

An Honest Reflection on the Turning Points Shaping Capability, Investment and Risk

As 2025 draws to a close, Australia’s cyber security landscape has faced mounting challenges. Shifting threats, increasing pressure on infrastructure, evolving talent shortages, and the growing role of artificial intelligence have made this one of the most testing years for cyber security in recent memory. Jacob Bywater, Director at e2 Cyber , reflects on how the year unfolded for government, business, and everyday Australians, and outlines the practical steps organisations and individuals must take to prepare for 2026.

A Year of Wake-Up Calls

Jacob sums up 2025 simply: “We’ve been going really hard and really fast at a lot of implementation, adding tools and deliberately trying to improve and get better across the country in all industries and all sectors.” He explains that the rapid investment in cyber security was never going to be sustainable indefinitely. “We’re starting to realise that budgets do have caps, and a lot of businesses really are asking questions around the value they are getting out of the products and what they’ve implemented in the last two to three years.”

That tension defined the year. From large enterprises to small businesses, organisations shifted from a rapid deployment mindset to one focused on resilience, sustainability, and operational maturity. “2025 saw a big drive into operational security, looking at what is actually required every single year within cyber security, opposed to things that may have been done as projects,” Jacob says. For many, cyber security stopped being a “project” and became part of the everyday business function.

The shift has required organisations to look beyond the shiny new tool and focus on the ways people interact with technology. “We started to see the organisations that were succeeding were those that made security part of culture, rather than something imposed from above,” he explains. This mirrors observations in our blog on transitioning from compliance to culture , where embedding security as part of everyday business practice improves both adoption and effectiveness.

The shift could not have come at a more pressing time. The 2024–25 Annual Cyber Threat Report from the Australian Cyber Security Centre ( ASD ’s ACSC ) shows why. Over the year, the Centre responded to over 1,200 cyber security incidents, an increase of 11% from the previous year, and issued more than 1,700 notifications of potentially malicious cyber activity, up 83%.

The Real Threat Landscape

While high-profile breaches make headlines, most risks come from the basics. “We see a lot of incidents trace back to misconfigurations, improper deployments, incorrect user settings, and poor identity hygiene. Human error is often the starting point,” he says.

Jacob adds that threats are broad and evolving. State actors and cyber criminals alike are increasingly targeting organisations of all sizes. “It’s not just about technology; it’s about people, processes, and the way organisations prioritise risk.” For example, during 2025, several organisations experienced breaches due to improper implementation of cloud configurations, highlighting how human oversight often has larger consequences than sophisticated attacks.

Smaller organisations often underestimate the risks they face. “A breach in a small business can be just as devastating as in a large enterprise,” he explains. This aligns with what we have seen and reported on cyber security salaries , where market pressures and limited resources mean smaller businesses may struggle to retain skilled staff capable of managing complex threats.

What Worked in 2025

One of the key lessons from 2025 was the value of maximising existing tools. “Organisations are looking at what they can get out of what they already have,” Jacob explains. Many have seen success simply by using platform features and device protections more effectively, coupled with improved configurations and awareness.

Automation and AI-enabled tools also proved valuable. “We’ve seen good outcomes when technology is combined with well-trained humans who know what to look for and when to escalate. You can’t automate judgement”.

Success often comes from integrating security with business operations rather than keeping it isolated. “Security teams that collaborate with finance, HR, and IT operations have much better visibility over risk and can respond faster,” he observes. By aligning cyber security with broader organisational goals, teams can prioritise resources more effectively and reduce unnecessary duplication of effort.

Fundamentals Still Matter

Even basic controls, applied consistently, can significantly reduce risk. Multi Factor Authentication, strong passwords, software updates, and regular backups remain crucial. “A control doesn’t have to be complex to be effective,” Jacob notes.

Organisations that prioritised workforce awareness and education also saw measurable benefits. Jacob highlights the importance of creating a culture where cyber security is everyone’s responsibility . He gives a practical example: in one client organisation, improved staff training on phishing scenarios led to a measurable reduction in click rates on suspicious emails, proving that human behaviour remains central to defence.

Talent Pressures and Market Dynamics

The cyber workforce remained under pressure in 2025. Jacob points out that Australia faces a supply shortage rather than a skills shortage. “There are plenty of people with training and willingness, but the number of genuine entry-level roles is limited. Many trained individuals never get meaningful entry opportunities.”

The year also saw organisations favouring specialist contractors over permanent hires, particularly for roles in cloud, identity, compliance, and AI oversight. “Roles that were considered essential two years ago are now seen as nice-to-haves,” Jacob notes.

Despite this, demand remains strong for mid-level professionals with 3–10 years of experience who can adapt across multiple domains. “Flexibility, adaptability, and the ability to translate technical expertise into business outcomes are now more important than any single certification or tool knowledge” which shows how experience and skill versatility often dictate opportunities and remuneration.

There is a renewed importance of nurturing emerging talent. “We cannot rely on senior professionals alone; we need structured entry-level pathways , apprenticeships, and mentorships to sustain the workforce into the next decade.” Investment in developing staff is not only a pipeline solution but also a risk mitigation strategy, as skilled and aware employees reduce vulnerability across the organisation.

With that said, there are no magic wands to fix the broken pipeline, it’s going to be an industry wide solution that will truly manage this industry wide problem.

The Role and Limits of AI in Defence

AI and automation accelerated in 2025, but Jacob cautions against overreliance. “AI has increased the ability to access information if you want to go looking for it, but it is not a silver bullet. Without human expertise, it is very hard to validate what is credible and what is not.”

The future of cyber defence will be a partnership of human judgement and machine scale. “Technology amplifies us, but it cannot replace the context, nuance, and ethical decisions humans bring.” Jacob believes the most effective teams are those that combine AI-driven analytics with human-led interpretation and prioritisation. For example, AI can flag anomalies, but humans must decide whether those flags constitute immediate risk or require escalation.

Looking Ahead to 2026

There are several lessons from 2025 that will guide preparation for 2026:

Focus on effective use of existing tools rather than chasing novelty.
Prioritise human-centred security through training, awareness, and culture.
Maintain visibility and controls over third-party risk.
Adopt AI strategically to support human judgement.
Strengthen pathways for entry and mid-level talent to sustain the workforce.

“Cyber security in 2026 will demand foresight, adaptability, and integration across business, technology, and human factors. Those who combine strong fundamentals, smart technology, and empowered people will be the ones who not only survive but thrive.”

Jacob highlights that regulatory pressure and AI-driven threat evolution will continue to challenge organisations. “Businesses that take a proactive, strategic approach will be in a far stronger position than those that react to incidents as they happen,” he notes. This reflects our ongoing research into shifting skill demands and the importance of integrating security into business strategy.

e2 Cyber: Turning Lessons into Action

For e2 Cyber, 2025 reinforced that resilience comes from combining strong fundamentals, operational insight, and human expertise. “Our role is to ensure businesses are not only responding to immediate threats but building long-term resilience. Technology is essential, but without the right people, processes, and understanding, even the best systems can fail.”

Throughout the year, e2 Cyber has supported organisations by optimising investments, strengthening workforce capability, and embedding strategic practices that reduce risk. From improving identity and access management to embedding cyber-aware cultures, these actions translate lessons learned into sustainable practices. Such approaches allow teams to focus on higher-value work, while still mitigating everyday risks that often generate the most impact.

Looking forward, e2 Cyber will continue partnering with businesses to navigate the evolving threat landscape. By combining human judgement with technology, providing insight into market trends, and supporting talent development, e2 Cyber helps organisations turn lessons from 2025 into practical advantage.

Jacob concludes, “Resilience is built incrementally, through deliberate practice, continuous learning, and collaboration across teams and sectors. We help ensure organisations are prepared for both the known and the unexpected, creating a foundation for long-term security success in a world where cyber risk is unavoidable but manageable.”

Final Thoughts for 2025

For e2 Cyber, 2025 has been a year of reflection, learning, and recalibration. “What we have seen is that resilience is not built overnight. It comes from combining strong fundamentals, operational insight, and human expertise, and embedding security into culture rather than treating it as a separate function.”

The year reinforced that technology alone cannot secure an organisation. Success depends on people, processes, and an awareness-driven culture. By focusing on human-centred security, practical use of existing tools, and proactive workforce development, organisations can reduce risk and build long-term strength.

Looking ahead to 2026, Jacob emphasises the importance of anticipation and adaptability. “The threats are evolving, AI is becoming more sophisticated, and regulatory expectations are increasing. Organisations that combine strategic foresight, empowered people, and smart technology will be the ones that not only survive but thrive.”

For e2 Cyber, this means continuing to partner with businesses to turn lessons from 2025 into actionable advantage. From developing talent pipelines to strengthening operational practices, the focus is on enabling organisations to manage risk confidently while preparing for the challenges ahead. Jacob concludes, “2025 has taught us that cyber security is never static. Continuous improvement, collaboration, and a people-first approach are what allow organisations to meet today’s threats and anticipate tomorrow’s opportunities.”

From all of us at Team e2 Cyber, thank you for being part of our 2025 journey and here’s to a successful and secure 2026!

Keen to explore what's in store for you or your team with our dedicated cyber security recruitment specialists?

EXPLORING AISA CYBERCON 2025 - AND WHAT'S AHEAD IN AUSTRALIAN CYBER

Mon, 10 Nov 2025 06:10:42 GMT

CyberCon 2025 Insights and Takeaways with Payton Vercoe

Every year, the Australian Information Security Association (AISA) Cyber Conference brings together Australia’s brightest minds in technology, government and industry to explore what is shaping the future of cyber security. This October, Melbourne attended and spoke at CyberCon 2025 , and for e2 Cyber Consultant Payton Vercoe , it was more than a professional event. It was an opportunity to immerse himself in the pulse of an industry that is constantly evolving, adapting and redefining what protection and resilience mean in a digital world.

“It’s the one week where the entire industry stops to take stock of itself,” Payton reflected. “You get to see not only where cyber is heading, but how the people in this field are thinking, learning and leading change.”

The conference brought together thought leaders, researchers and practitioners from across Australia and abroad. The diversity of attendees created an environment where perspectives clashed, converged and inspired new ways of thinking about security challenges. For Payton, the most powerful takeaway was not purely technological, it was human.

Shifting the Focus of Security

Over the three days in Melbourne, sessions and keynotes spanned the full spectrum of modern cyber security. Payton highlighted that while tools and frameworks remain indispensable, the human element is increasingly the true differentiator in organisational resilience.

“There’s this old perception that cyber is all about code, firewalls and software,” he said. “But at CyberCon, what really stood out is how much emphasis is now placed on the human element, on culture, communication and collaboration. Technology moves fast but people are what make it meaningful.”

A recurring theme across the conference was behavioural cyber security, the idea that organisations need to understand human behaviour, not just system behaviour, if they are going to defend effectively against phishing, social engineering and insider threats. Payton observed that the sessions which blended technical insight with real-world behavioural analysis made the most impact.

“The workshops on human-centric risk weren’t just theoretical,” he explained. “They showed how small actions by staff can prevent a breach or, conversely, how an overlooked behaviour can create a critical vulnerability. It’s a reminder that security isn’t a tool or a system, it’s a practice embedded in every decision people make.”

He also underscored the role cyber leadership plays in cultivating that awareness, “Cyber is no longer just a technical concern. It’s strategic, cultural and emotional . Leaders who can connect the technical side with human behaviours are shaping the future.”

Workforce Evolution: The New Cyber Professional

One of Payton’s biggest takeaways from CyberCon was how the workforce landscape in cyber security is changing , not just in volume, but in composition and expectation.

“There’s a definite shift happening. We’re seeing more people from non-traditional backgrounds entering the industry, teachers, psychologists, veterans, analysts, and they’re bringing a diversity of thought that’s reshaping what a ‘cyber professional’ looks like,” Payton said.

This was evident in the Careers Village, one of the conference streams designed to connect talent, employers and mentors. The focus wasn’t just on recruiting people who already tick boxes, but on enabling people who have curiosity, adaptability and behavioural intelligence to contribute.

“People don’t just want to work in cyber, they want to grow in it. They want to understand the impact of their work and to contribute to solutions that matter. That’s a huge shift from the past, where roles were more about maintaining systems and ticking boxes,” he explained.

Payton also noted that mentoring and professional development were hot topics at the event. Organisations are recognising that cultivating curiosity and capability internally is just as important as recruiting externally.

“The workforce of the future isn’t defined solely by certifications or years of experience. It’s defined by a mindset, one that embraces learning, resilience and adaptability in an industry that changes daily.”

AI, Automation and the Trust Factor

Artificial intelligence and automation dominated many discussions at the conference. However, the narrative was measured and pragmatic, rather than hype-filled. Payton emphasised that technology is amplifying people, but not replacing them.

“AI isn’t replacing people, it’s amplifying them,” he said. “But it’s also forcing us to re-evaluate what we trust and why. Just because a system flags an alert doesn’t mean the right action has been taken. Humans are still making the judgement calls.”

In sessions focused on AI’s role in threat detection , incident response and even offensive security , Payton observed that while machines can process vast amounts of data with speed, understanding context, intent and consequence still requires human insight.

“There’s a balance between efficiency and ethics,” he explained. “Everyone’s excited about AI’s potential, but there’s also a realisation that the more autonomy we give to systems, the more careful we need to be with governance, bias and transparency.”

He was particularly struck by conversations around AI explain-ability and accountability. As AI systems start to make decisions, organisations need to ask: Who is responsible? How do we audit a process that evolves continuously?

“Trust isn’t just about the technology working correctly. It’s about understanding how decisions are made and ensuring accountability remains,” he said. “This is going to be a major focus for the industry over the next five years.”

Policy Meets Practice: A Conversation Maturing

A further major theme at CyberCon was the alignment of policy, governance and operational practice. Payton walked away with a strong sense that the gap between regulation and execution is narrowing.

“There’s always been a gap between policy intent and operational reality,” Payton noted. “But this year, it felt like those worlds were finally starting to talk to each other. The conversations weren’t just about what regulations say, but about how organisations can actually apply them in a meaningful way.”

Sessions included government representatives, regulators and industry leaders discussing frameworks like the Australian Cyber Security Strategy 2023–2030 , APRA CPS 234 and the Essential Eight maturity model . The conference theme “Transform to Evolve” was clearly playing out in how these frameworks were being referenced, not simply as compliance checklists but as foundations for capability building.

He stressed that collaboration is now a cornerstone of resilience. Organisations are being encouraged to move beyond compliance and toward building capability.

“The approach is less about ticking boxes and more about creating lasting, measurable security improvements,” he said. “It’s a shift from defensive thinking to proactive partnership, and that is a critical evolution in Australia’s cyber landscape.”

Culture First: Embedding Security into Business DNA

If there was one consistent message threading through the conference, from keynote to workshop, it was that technology and frameworks alone are not enough. Payton emphasised that culture is where resilience lives.

“Technology can only take you so far,” he explained. “At the end of the day, breaches exploit behaviour. People are both the greatest strength and greatest vulnerability in any system. Building a security culture is about turning awareness into action, and action into habit.”

He highlighted examples shared in sessions where organisations successfully transformed their security culture : cross-department exercises, scenario-based simulations and internal communications campaigns that framed cyber security as part of professional identity rather than a checklist.

“What stood out is how leaders can influence culture by showing up visibly, reinforcing behaviours and rewarding good practices,” Payton said. “It’s not about more policies. It’s about making security part of how people think and act every day.”

This cultural lens also has direct recruitment implications. Organisations are now seeking individuals who do more than execute tasks, they want people who can model the behaviours they want, engage teams and contribute to a broader security narrative.

e2 Cyber at the Conference: Presenting and Connecting

At CyberCon Melbourne this year, e2 Cyber didn’t just attend, we actively contributed. Our consultants, Matt Kiss and Ben Rogalsky , led a sessions in the careers village which focused on CV structuring and candidate readiness.

Payton reflected on their session and its value.

“Matt and Ben did phenomenal presentations around CV structuring and how to best position yourself as a cyber candidate ” he said. “It was excellent to have the opportunity to see them present as e2 Cyber. Then the three of us sat down for a little bit of extra time at the end during our lunch break and helped a number of candidates structure their CV in a way we would expect to see them presented as recruitment consultants.”

This aligns directly with e2 Cyber’s philosophy. Recruitment in cyber security isn’t just about ticking boxes. It’s about helping individuals show their value, shape their narrative and connect with cyber roles where they can thrive. Payton noted:

“Seeing candidates in that environment and helping them refine what they bring to the table, that was as powerful as any keynote.”

Emerging Threats and Strategic Imperatives

CyberCon Melbourne 2025 also served as a stark reminder of the pace and sophistication of cyber threats. From deepfakes and AI-driven reconnaissance to supply chain attacks and identity exploitation, virtually no corner of the landscape was untouched.

“It’s easy to get overwhelmed by threat reports,” Payton said. “But what I took away is the importance of prioritisation and preparation. The organisations that succeed are not the ones that try to do everything, but the ones that understand their risks, build resilience and empower their people to act.”

He noted a compelling line of argument from presentations that even as perimeter defences remain relevant, much of the risk is internal or infiltrated via trusted supply-chain relationships.

“Teams that communicate clearly, understand their roles and have trust in leadership can respond faster and more effectively than those that rely solely on tools or processes,” he said.

Industry Leaders and Workforce Architecture

Several high-profile sessions cited at CyberCon Melbourne reinforced the strategic shift in workforce architecture and enterprise security. Among them:

Luke McGrath , Assistant Director at the Department of Home Affairs, spoke about the 2023-2030 strategy review and the embedded role of the National Cyber Office in providing constant feedback loops with enterprise and building a cyber workforce roadmap

Jacqui Loustau , Executive Director at AWSN, outlined how to build teams with “diversity by design” to avoid echo chambers and address the pipeline of 30,000 unfilled roles

Martina Mueller , Head of Cyber at Coles Group, presented how embedding cyber into workforce architecture and culture is becoming non-negotiable even for large retail organisations

Jakub Zverina , Program Manager at Cyber CX, shared insights into root causes of vulnerabilities including development security, identity lifecycle and configuration and patch management

Tim Brown , CISO at SolarWinds, shared lessons from the SolarWinds supply chain breach, emphasising cross-functional collaboration, active leadership presence, and the creation of a “Secure by Design” culture. He highlighted how rapid response, transparency, and workforce resilience are critical in managing high-impact, time-sensitive cyber incidents.

These sessions strengthened the trend Payton observed, workforce design, role prioritisation and embedded security across business functions are now central to enterprise cyber strategy.

Practical Pathways for Employers and Hiring Managers

Based on Payton’s reflections, e2 Cyber recommends employers and hiring managers act on the following pathways:

Design role families and career lattices

Build advertised roles that show progression, training and development pathways rather than rigid requirements that filter out entry-level talent.

Hire for diversity of thought and background

Look beyond traditional cyber experience. The most effective teams now include analysts, researchers, educators, veterans, neurodiverse talent , and people who bring lived experience and diverse ways of solving problems.

Embed AI literacy but maintain fundamentals

Role descriptions should incorporate practical AI tool use, but not treat it as a substitute for identity management, secure development and configuration hygiene.

Embed security into product and operational teams

Cyber security cannot live solely in a central security team. It must be woven into engineering, operations and business functions so that secure design becomes standard practice.

Prioritise incident readiness and communications skills

Senior hires should be assessed on how they perform during crisis scenarios, as well as their ability to communicate technical risk to non-technical stakeholders.

Partner with education and build internal development

Align job role design with partnerships with tertiary education, TAFE and training providers. Build cadetships, internships and structured on-job learning so entry-level talent can transition into roles.

These pathways reflect the shift Payton witnessed, from compliance frameworks and technical boxes to cultural adoption, capability building and people-centred security practice.

Implications for Candidates

For those seeking roles in cyber security, Payton’s message is clear:

Clean up your online footprint

In a live session, Payton used ChatGPT to discover how much was publicly available about him. “It was a wake-up call,” he said.

Build demonstrable project experience

Contribute to open source, volunteer in a small business or do realistic capture-the-flag work that you can discuss in interviews.

Practical identity and access experience matters

Organisations are hiring for identity lifecycle work, not just MFA checkboxes.

Upskill in AI tools and explain your application responsibly

“Show examples where AI assisted your work without replacing your judgement.”

Prepare your CV to emphasise outcome, not just tools

Payton noted in the session run by our team the importance of clear, recruiter-friendly CVs that highlight impact and value.

At e2 Cyber, Payton described how the recruitment conversation is evolving:

“Clients are asking questions about culture, adaptability and communication as much as technical expertise. The workforce of the future will need to bridge gaps between governance, technology and people. That’s where we see huge opportunities for both candidates and employers.”

Looking Ahead: Security as a Living Practice

As CyberCon Melbourne 2025 drew to a close, Payton left with a renewed sense of purpose and optimism. The themes of trust, adaptability and human connection were woven through every session and conversation, signalling an industry that is not just advancing technologically but maturing culturally.

“If there’s one thing I took away, it’s that cyber is not standing still,” he reflected. “We’re not just defending systems anymore, we’re building environments where security is part of how we think, communicate and innovate.”

He noted that optimism was a defining sentiment of this year’s conference. After years of pressure and rapid change, the industry’s focus is shifting from reaction to reinvention.

“There’s a lot of talk about burnout and pressure in cyber, but what I saw was energy, curiosity and collaboration. People are leaning in again, they’re excited to be part of the solution.”

For e2 Cyber, Melbourne reinforced a simple but powerful principle, cyber security is ultimately a people business. Technology, policy and strategy matter deeply, but the true differentiator will always be the professionals who drive culture, innovation and resilience.

“As the industry looks to 2026, the focus is crystalised. Organisations that embed security in their culture, invest in their people and balance technology with human insight will lead the way. That’s what CyberCon 2025 made abundantly clear,” Payton concluded.

Keen to explore what's in store for you or your team with our dedicated cyber security recruitment agency specialists?

CYBER SECURITY IN TRANSITION: FROM COMPLIANCE TO CULTURE

Tue, 14 Oct 2025 04:45:53 GMT

Shifting Focus to Compliment Cyber Compliance With Cyber Culture

Cyber security in Australia has been undergoing a fundamental shift. Once seen as a back-office issue managed through policies, checklists and external audits, compliance is no longer enough. The reality of modern threats, combined with increased regulatory scrutiny and evolving expectations from boards, customers and partners, has made cyber security a whole-of-business responsibility. The journey from compliance to culture is complex, but essential for organisations that want to build trust, meet legal obligations, and reduce risk in a sustainable way. This is turn shows that rather than a lucrative commercial initiative itself, cyber security can be the single defining factor that sees a business thrive fiscally in an uncertain future.

As e2 Cyber Director Jacob Bywater highlighted in his recent blog on cyber security as a top-to-bottom business priority , the conversation has moved well beyond technology. It is about leadership, accountability, and the ability to adapt to a landscape where breaches are inevitable but resilience is achievable. Building on that perspective, this article draws on insights from Ben Rogalsky, cyber security recruiter , who has worked closely with organisations navigating the challenge of turning compliance frameworks into genuine cultural change.

Compliance as a Starting Point

Australia’s regulatory environment has strengthened considerably in recent years. Businesses are now required to meet obligations under legislation such as the Security of Critical Infrastructure (SOCI) Act , the Privacy Act , and standards like APRA CPS 234 . Guidance from the Australian Cyber Security Centre (ACSC) , including the Essential Eight , provides further benchmarks that companies are expected to align with. These frameworks set minimum standards of accountability, requiring organisations to ensure the confidentiality, integrity and availability of their information systems.

According to Ben, compliance should be viewed as the baseline, not the goal. “Meeting regulatory requirements is critical, but it does not in itself make a business secure. Compliance is a snapshot in time. Threats evolve daily, and unless security is embedded into how people work, organisations risk falling behind the moment the audit is finished.”

Tick-the-box compliance, in other words, is no longer sufficient. Regulators themselves recognise this. The Office of the Australian Information Commissioner (OAIC) has consistently emphasised that compliance with the Privacy A ct goes hand in hand with a proactive approach to governance, risk and accountability. Similarly, APRA has stressed that CPS 234 is intended to ensure security is part of an organisation’s DNA, not just a report filed away.

The Push Towards Culture

The move from compliance to culture is driven by recognition that people are both the greatest strength and greatest weakness in any cyber security program. Attackers exploit human behaviour through phishing, social engineering, and business email compromise. No policy or framework is effective unless employees understand their role in protecting information.

Ben explains, “The organisations that are getting this right are those that talk about cyber security in the same way they talk about workplace safety. It is not a checklist you pull out once a year, it is part of daily behaviour. People feel personally accountable, and leaders are visible in their support for secure practices.”

Embedding culture means shifting from rules-based compliance to values-based practice. Employees are encouraged to report incidents without fear of blame, to share responsibility for safeguarding data, and to see security as enabling rather than obstructing business. This cultural approach is harder to measure than compliance, but it delivers resilience that frameworks alone cannot provide.

Why Culture Matters More Than Ever

The shift matters because the threat environment has never been more active. Australia has experienced high-profile breaches in sectors including healthcare, telecommunications and government. Public trust has been shaken, and regulatory responses are becoming more stringent. Penalties for non-compliance with the Privacy Act have increased, and directors are facing greater accountability for security lapses under corporate governance rules.

In this context, culture acts as a force multiplier. When employees treat cyber security as part of their professional identity, organisations are able to respond to incidents faster, detect anomalies sooner, and recover more effectively. Compliance frameworks alone cannot achieve this outcome.

Ben notes that this is particularly true for mid-sized organisations. “Large enterprises often have teams dedicated to compliance and security. Smaller businesses sometimes struggle to keep up with the pace of regulatory change. For them, building culture is a way to compensate. You cannot always outspend the threat, but you can build resilience by ensuring every employee is part of the solution.”

Practical Pathways to Cultural Change

Building culture does not mean ignoring compliance. Instead, compliance can be used as the foundation on which culture is built. Organisations can align regulatory obligations with internal engagement strategies that make security relevant to employees at all levels, often supported by cyber security consulting to guide implementation and change.

Some practical steps include:

Leadership visibility: Boards and executives should not only sign off on security budgets, but also communicate openly about the importance of cyber resilience.
Clear policies translated into behaviour: Documents should be backed by practical examples, training, and reinforcement of expected behaviours.
Positive reinforcement : Celebrating employees who identify risks or prevent incidents helps reinforce the desired culture.
Regular communication: Cyber security updates should be integrated into company meetings, newsletters and intranet platforms, not treated as an occasional compliance exercise.
Scenario-based exercises: Tabletop simulations and phishing awareness campaigns bring abstract risks to life, reinforcing cultural change.

These actions build on the minimum expectations of frameworks like the ACSC Essential Eight, turning compliance into a living, breathing culture of responsibility.

The Recruitment Perspective

The transition from compliance to culture has direct implications for the cyber security workforce. Organisations are not just seeking technical experts who understand frameworks and controls. They are also prioritising candidates who can influence behaviour, communicate effectively, and help embed cultural change.

Ben observes, “When we talk to hiring managers, the skills that are in demand are no longer limited to technical certifications. There is strong demand for professionals who can bridge the gap between governance and people, who can engage with staff at every level and translate compliance requirements into meaningful action.”

This shift is also creating more opportunities for professionals with backgrounds in risk, governance, and communication , alongside traditional technical specialists . It highlights the need for recruitment strategies that identify not just technical skills, but also cultural leadership potential.

Challenges Along the Way

Transitioning from compliance to culture is not without challenges. Resistance to change, budget constraints, and competing priorities can all slow progress. For some organisations, especially those in highly regulated sectors such as finance or healthcare, the volume of compliance requirements can feel overwhelming. This can make it difficult to move beyond a defensive, reactive stance.

Ben stresses that while the journey is challenging, it is achievable. “The key is to start small and build momentum. Culture does not change overnight, but consistent reinforcement, visible leadership, and aligning compliance with business objectives can create lasting impact.”

Another challenge is measurement. Compliance is straightforward to track through audits and certifications. Culture, however, is harder to quantify. Organisations need to develop indicators that reflect employee engagement, incident reporting, and behavioural change. These metrics help demonstrate progress and keep momentum going.

Regulatory Landscape: An Australian Context

Australia’s regulatory approach continues to evolve. The SOCI Act has expanded its scope to include a wider range of critical infrastructure sectors, placing greater responsibility on organisations to report incidents and meet mandatory risk management obligations. The Privacy Act is undergoing significant reform, with increased penalties and stronger rights for individuals. APRA continues to enforce CPS 234 , requiring regulated entities to demonstrate information security capability proportionate to the size and complexity of their operations.

The ACSC has reinforced the importance of adopting the Essential Eight maturity model, recognising that adversaries exploit the most basic vulnerabilities. For boards and executives, the message is clear: cyber security is not optional, and cultural adoption is the only way to sustain compliance in a rapidly changing environment.

Looking Ahead

The future of cyber security in Australia lies in bridging the gap between regulatory compliance and cultural adoption. Organisations that embed security into their identity will not only meet their legal obligations, but also strengthen trust with customers, partners and regulators. This is an investment in safety that cannot be underemphasised, whilst it can appear costly upfront with no obvious commercial benefit, however, the pitfalls of getting it wrong, are catastrophic.

For employees, the message is that security is part of their role, regardless of job title . For leaders, the message is that visibility, accountability and communication are as important as technical controls. For regulators, the message is that cultural adoption is the surest way to achieve compliance outcomes.

As Ben concludes, “The organisations that thrive will be those that treat compliance as the foundation and culture as the structure built on top. When cyber security is truly part of the way people think and work, compliance follows naturally.”

Final Thoughts

The transition from compliance to culture is not a one-off project. It is an ongoing journey that requires commitment from leadership, engagement from employees, and alignment with regulatory expectations. Australian organisations have a strong framework to work with, but success will depend on their ability to embed these obligations into culture.

Cyber security is no longer just about meeting the requirements of laws and standards . It is about creating a resilient business environment where every individual plays a part. As Australian regulators continue to raise expectations and the threat environment intensifies, the organisations that succeed will be those that view compliance as a foundation and culture as the path to resilience.

For recruitment, for governance, and for resilience, the message is clear: compliance matters, but culture is the future of cyber security in Australia.

Want to know more? Reach out to cyber security recruitment experts to discuss how to implement a cyber culture:

CYBER SECURITY - A TOP TO BOTTOM BUSINESS PRIORITY

Tue, 26 Aug 2025 05:07:05 GMT

Cyber Security: A Business-Wide Priority or a Business-Wide Risk.

Cyber security has never been more critical for Australian businesses. As cyber threats grow in complexity and scale, the perception of cyber security must shift from being an isolated IT concern to a whole-of-business responsibility. Jacob Bywater, Director of e2 Cyber , recently sat down to share his thoughts on where businesses go wrong, how they can better prepare, and what the future of cyber hiring looks like.

Why Cyber Security is Everyone's Problem

"Cyber security is a business-wide problem in the sense that everyone plays a part," says Jacob. "No matter what your role is, you're contributing to either the resilience or the risk of your organisation."

This sentiment reflects a growing consensus in the industry. While security tools and technologies are crucial, most breaches are still caused by human factors. According to the Australian Cyber Security Centre (ACSC), phishing remains one of the most common cybercrime threats affecting Australian businesses.

"If we're not taking our people along on the security journey, then we're missing a critical factor."

Education and awareness are not optional. Businesses that embed security behaviours into everyday practice are more resilient than those who rely solely on technical solutions.

Starting Small: Practical Security for SMEs

Small businesses often lack the resources for full-time security teams, but Jacob is quick to point out that good security doesn't have to be expensive.

"There's a lot of free and easily available resources to guide people on basic security principles," he says. "And there are specialists out there who offer short-term engagements or consulting packages tailored for small to medium businesses."

For example, the ACSC's Small Business Cyber Security Guide outlines practical steps that any organisation can take, such as enabling multi-factor authentication (MFA), backing up data regularly, and securing their physical environment.

"If you're not sure where to start, just ask. There will be an answer. You just have to want to go looking for it."

Jacob notes that e2 Cyber is regularly approached by businesses looking to understand how to make the first move. Sometimes, just entering into a short form, single consultation can make a big impact, helping teams identify vulnerabilities and improve their security posture without draining the budget.

Scaling Securely: Leadership is Key

As businesses grow, the complexity of their technology and processes increases. But that doesn't mean security has to become unmanageable.

"Scalable security isn't as complex as people think," Jacob explains. "It comes back to basic principles and leadership."

Leadership must make cyber security a priority from the top down. It is not just about compliance, but about embedding a mindset of security-first across every level of the organisation.

"Things like MFA, physical access control, and staff education go a long way. Yet so many businesses overlook these steps because they're not seen as urgent."

The ASD Essential Eight is a well-known framework in Australia, offering guidance on prioritising risk reduction strategies. Jacob urges businesses to take these seriously, particularly when they begin to scale.

The Role of Recruitment in Building Resilience

While e2 Cyber is not a technical security consultancy, Jacob is clear about the unique value cyber recruitment agencies can offer .

"We solve the problem differently. We're not configuring firewalls, but we do help put the right people in the right environments."

Some security professionals thrive in large, structured organisations. Others are best suited to fast‑paced SMEs. Many neurodiverse candidates bring exceptional strengths that shine in the right environment. Matching the right personality, cognitive profile, and experience to the right context is what sets specialist cyber recruiters apart. "We also make connections with no strings attached. We're invested in the long-term success of the community, not just in making a placement."

This community-first attitude, combined with an inclusive cyber recruitment strategy is essential in a sector where collaboration often matters more than competition.

We understand that some clients prefer to use the end-to-end solution of an IT consulting agency over contract recruitment. That’s why we work very closely with our sister company, Zaleo Consulting to ensure our clients are supported in the way that suits them best for each project and initiative.

What Hiring Structures Are Working

According to Jacob, the current economy has shifted how companies approach cyber security hiring.

"We're seeing a lot more outcome-based, short-term engagements," he explains. "Instead of locking someone in for twelve months, businesses are bringing in deep specialists for focused projects."

This aligns with broader trends. Cyber security is increasingly viewed as an operational cost, not a project expense. Regulatory frameworks like the Security of Critical Infrastructure (SOCI) Act now require ongoing compliance, making cyber security a continuous obligation rather than a one-off project.

"We are also seeing an evolution from project work into long-term operational capability, particularly in government and large enterprise."

Where Larger Organisations Go Wrong

Even well-funded organisations fall into traps. One of the most common mistakes Jacob sees is a mismatch between perceived and actual needs.

"What is needed and what is budgeted for are often two different things. And if an organisation hasn't suffered a breach, it's harder to justify the investment."

This disconnect often stems from leadership's failure to fully grasp the impact of a potential cyber event. The ACSC’s Annual Cyber Threat Report 2023–24 states that the average cost of a cybercrime for a small business is tens of thousands. For medium businesses, it climbs even higher.

"A lot of businesses don’t act until they’ve been hit. But that’s like waiting until after a car accident to install airbags."

Defining a Strategic Cyber Function

When asked what a strategic cyber function looks like, Jacob draws on his own business experience.

"You have to start by admitting what you don’t know. Then engage the right experts to help you get there."

This approach means investing time, money, and energy into building a culture of security. He recommends starting with the basics from trusted sources like the ACSC or ASD, and then layering more advanced support as needed.

"Sometimes that means embedding a full-time person. Sometimes it means using a third-party partner. It depends on the context."

Navigating the Talent Shortage

The talent shortage in cyber is well known. However, Jacob says that more applicants are not always the solution.

"There's definitely a lot more people applying for cyber roles , but more applicants doesn't always mean better outcomes."

This highlights of the challenges hiring managers face , with many overwhelmed by volume rather than talent and struggling to assess real‑world capability, cultural fit, and cyber maturity under tight timeframes and increasing business risk.

He warns that hiring the wrong person can be more costly than spending more upfront to find the right one. Using a specialist recruiter alongside internal hiring processes ensures a broader and more qualified candidate pool.

"You need to properly assess where your gaps are, then find the right capability to fill them. That could be technical, policy-driven, or operational."

Jacob also notes that hiring strategies must adapt to the context of each organisation. What works for one company may not work for another, especially when budgets and maturity levels vary.

How COVID Changed the Game

"COVID changed everything," Jacob reflects. "Remote work is here to stay, and it brought with it a new set of security concerns."

From unsecured home networks to shared devices and sensitive data access, flexible working has introduced more complexity into cyber security management.

"People overlook things like who has access to a home laptop. Are they running updates? Are they logging off each day? These little things matter."

He advocates for ongoing staff education , regular security training, and practical check-ins to ensure secure practices are maintained across hybrid workforces.

The Importance of Cross-Functional Collaboration

Cyber security is no longer siloed within IT departments. It requires collaboration across HR, operations, legal, finance, and leadership.

"We all have something to learn from each other. Culture is built through collaboration. If you’re not talking about security in every team, you’re missing the point."

He gives the example of simple questions becoming part of office culture.

"Did you log off? Who locked the door? Are we sharing that document securely? These questions start to change behaviours."

More engaging training options are also helping shift attitudes. Gone are the days of dull PowerPoint presentations. Specialist providers now offer interactive sessions tailored for all kinds of teams, from frontline workers to executives.

The Three Steps Every Business Should Take This Year

To wrap up the conversation, Jacob offers three practical actions any business can take today to move toward cyber maturity:

Change your mindset - Assume a breach is possible. Stop thinking it won't happen to you.
Solve the basics - Enable MFA, run your updates, log off daily, and secure your physical premises.
Get a cyber check-up - Bring in a trusted expert for a short assessment. This could be a cyber consultant, a managed provider, or a trusted cyber recruiter who can connect you to the right person.

"Like going to the doctor for a check-up, you don’t need to be sick to get a health assessment. A cyber health check might cost a few hundred dollars, but it could save you tens of thousands."

According to the latest ACSC report , more than 87,400 cybercrime reports were filed in 2023–24. With 20% of Cyber Crimes hitting business being email fraud. Small and medium businesses remain among the most frequent targets as these crimes get ever more sophisticated and hard to detect.

Final Thoughts

Cyber security is no longer a luxury, nor is it something that can be left to “one day”. It is a necessity that affects every employee, customer, and stakeholder in your organisation, and it is happening right now. As Jacob Bywater makes clear, a proactive, strategic approach to hiring, training, and leadership can help your business stay ahead of the curve.

"Don’t wait until you’re a headline. Build your defences now, start with the basics, and ask for help when you need it. We’re all in this together."

For more insights or help finding the right talent with a specialist cyber security recruitment agency , get in touch with e2 Cyber today.

STATE OF CYBER SECURITY JOB MARKET AUSTRALIA: 2025 AND BEYOND

Wed, 06 Aug 2025 06:58:36 GMT

A 2025 Cyber Security Market Update

The Australian cyber security market in 2025 is under intense pressure, but also brimming with potential. A convergence of regulatory shifts, evolving threats, and deepening digital transformation is accelerating demand for cyber professionals across nearly every sector. While certain pockets of the market slowed during the federal election period, a renewed sense of urgency is taking hold as organisations push forward on critical infrastructure and data protection programs.

We sat down with Matt Kiss, Talent Consultant at e2 Cyber , to unpack what’s really going on in the industry, where the opportunities lie, and how professionals and businesses alike can navigate the changing tides of cyber security.

A Market That Refuses to Stand Still

Cyber security in Australia has been on a consistent growth trajectory. In the the most recent ASD report, the Australian Cyber Security Centre (ACSC) recorded over 87,400 reported cyber incidents, with an average cost of more than $49,600 for small businesses and up to $63,600 for large businesses.

This consistency in attacks has increased awareness at the executive level, pushing organisations to reprioritise their cyber strategies. Still, the market has not been without friction.

“There was a slight lull in activity during the federal election,” says Matt. “We saw delays in hiring, especially in the government sector. But confidence is returning now. From late July into August, we expect things to ramp back up, especially across Canberra and federal agencies.”

e2 Cyber’s own market insights reflect this pattern, and the dip in hiring activity was temporary. With budget resets underway and key programs restarting, the second half of 2025 is likely to see renewed demand, especially in governance, technical architecture, and threat intelligence.

Changing Expectations and Strategic Hiring

The biggest change in the market is not just volume, but intent. Companies are shifting from reactive threat response to proactive, long-term investment in cyber resilience .

“Organisations aren’t just ticking compliance boxes anymore, they’re hiring for strategy. That includes risk leaders, GRC specialists , technical architects , and advisors who can help align cyber priorities with broader business goals.”

This demand is strongest in sectors dealing with highly regulated environments or sensitive data. Government departments, financial services, healthcare providers, and education institutions are particularly active. They’re hiring across a spectrum of roles, from security operations and incident response to policy and privacy advisory positions.

In this more mature environment, there is also increasing pressure on cyber professionals to communicate effectively with non-technical stakeholders. As the gap between technical operations and executive decision-making closes, those who can translate risk into business language are rising in demand.

Future-Proofing Organisations and the Cyber Roles Driving It

The last year has marked a significant turning point in how organisations think about cyber. Threats are becoming more complex and less predictable, and businesses are responding by building depth into their teams and infrastructure.

“There’s been a strong push towards automation and predictive analytics,” Matt says. “Cyber professionals are now tasked with not just protecting systems, but with building intelligence into the way those systems behave.”

AI is one of the key factors behind this change. On one hand, attackers are using generative AI to write better phishing emails, mimic speech, and evade detection. On the other, defenders are using AI-powered tools to automate detection, classify threats, and trigger real-time responses.

The professionals at the centre of this evolution are those who can operate between tools, technology, and strategy. Skills in cloud-native security, Zero Trust design , and threat intelligence are growing rapidly. Yet it’s the ability to embed these practices into broader governance and resilience frameworks that makes a cyber expert indispensable.

Market Trends: Opportunity and Risk for Professionals

Matt is clear on one point: the opportunity in cyber security is vast, but not without risk.

“There’s a lot of noise in the market. People are chasing new tech, and that’s fine, but the fundamentals still matter. The real pitfall is over-reliance on tools without a strategy.”

Some of the most promising trends professionals should keep an eye on include:

Growing demand for Zero Trust architecture skills, particularly in large enterprises.
Increased focus on cloud-native defence, especially in multi-cloud and hybrid environments.
Strong momentum behind threat-led defence models, including purple teaming and adversary simulation.
Rising investment in ethical hacking and red-teaming , particularly among critical infrastructure providers.

However, there are risks too. Burnout remains a major issue. According to the AustCyber Competitiveness Plan , a vast number of cyber professionals in Australia report moderate to high stress levels, often driven by unrealistic expectations and under-resourced teams.

“People leave when they don’t feel supported,” Matt says. “That’s especially true in high-pressure SOC environments . Retention is going to be just as important as recruitment in the coming years.”

Certification, Learning and Staying Relevant

As cyber threats evolve, so must the professionals defending against them. That’s why continuous education is a cornerstone of career success in this industry.

“Certifications like CISSP, CISM, and CRISC are still valuable. Especially for cyber leadership jobs or GRC analyst roles ,” according to Matt. “But what really matters is ongoing learning. Tools change. Threats change. Your skills need to change with them.”

Government and defence employers also place a high premium on certifications such as IRAP and experience with the ASD Essential Eight. Meanwhile, micro-credentials in niche areas like operational technology security, secure coding, and AI ethics are gaining popularity.

He also encourages professionals to make space for informal learning, whether through industry events, peer mentoring, or participation in local cyber communities. Cyber events like BSides , and large-scale conferences like CyberCon , remain key touchpoints for staying connected and informed.

Privacy-Driven Growth and Regulatory Pressure

The regulatory environment in Australia is one of the defining forces in the cyber market. Following major breaches from 2022 until today, there has been sustained pressure on the government to tighten legislation and improve enforcement.

The 2024 Privacy Act Review is driving fundamental change in how businesses think about data protection. Proposals include significantly increased penalties, a broader definition of personal information, and enhanced notification requirements.

“These changes are reshaping the market,” he says. “Organisations are building privacy teams, embedding risk assessments into project design, and hiring professionals who understand both security and compliance.”

Cyber and privacy roles are no longer distinct. In fact, many employers now expect candidates to have a working knowledge of both. This is creating hybrid opportunities in areas like data governance, privacy engineering, and cyber risk management.

Australia’s Unique Position Globally

While global themes such as ransomware, supply chain attacks, and critical infrastructure protection are consistent worldwide, Australia’s cyber environment carries distinct traits.

“Regulation is a big differentiator,” says Matt. “Australian organisations face tighter controls and higher expectations, particularly in sectors tied to national interest.”

Australia’s adoption of the Security of Critical Infrastructure (SOCI) Act and the Essential Eight framework gives it one of the more prescriptive cyber standards globally. This helps raise the baseline, but it also puts pressure on organisations to act quickly and decisively.

This also has implications for the workforce. Professionals in Australia need to be familiar with local legislation, threat reports from the ACSC, and governance requirements that align with the federal government’s protective security policy framework.

The Role of Contractors in a Changing Market

Contractors continue to be essential to the cyber security workforce, particularly in delivering major transformation programs. Their ability to hit the ground running is especially useful when timelines are tight or specialised skills are required.

“Contractors give organisations flexibility and speed,” he explains. “But they’re not a replacement for long-term capability. The best outcomes come when contractors work alongside well-supported internal teams.”

In recent years, there has been an uptick in contract-to-permanent transitions, as employers try to secure critical skills on a longer-term basis. This trend is especially visible in Canberra, where contract roles often evolve into key permanent positions for those aligned with public sector missions.

Small Business and the Fight for Talent

With cyber security salaries climbing, many small businesses worry they can’t compete for top-tier talent. However, Matt is optimistic about the options available to them.

“You don’t have to match Big Four salaries to hire great people,” “What matters more is the experience you offer. Flexibility, purpose-driven work, remote options, and career development all carry weight.”

Smaller organisations often have flatter hierarchies, which gives cyber professionals more responsibility and visibility. For many mid-career candidates, that autonomy is worth more than a pay bump.

Investing in training and mentoring is another way small businesses can differentiate themselves. Candidates are increasingly looking for employers who will support their growth, not just fill a seat.

In Conclusion: What It Means for the Industry

The cyber security market in Australia is dynamic and demanding. Threats are increasing in volume and sophistication. Regulation is tightening. Talent is in short supply. Yet these pressures are also driving innovation and long-term thinking.

Organisations are investing in cyber not just because they have to, but because they understand what’s at stake. Professionals are stepping up, too, developing new skills and shifting from reactive defence to strategic leadership.

The Australian market is not simply growing. It is maturing, and that maturity will define the industry’s next chapter.

Final Thoughts

As we throttle through the second half of 2025, cyber security will remain a cornerstone of Australia’s digital future. For professionals, the opportunities are vast, but only if they stay curious, capable, and collaborative. For organisations, success will depend not only on the tools they buy or the frameworks they adopt, but on the people they trust to make it all work.

Matt Kiss summed it up well: “ Cyber isn’t a niche anymore. It’s woven into every part of a business . The professionals who thrive are the ones who understand that, and who never stop learning.”

The team at e2 Cyber will continue to support both professionals and employers as the market evolves. If you're hiring, looking for your next role, or trying to understand where your cyber journey could take you, we’re here to help as Australia's cyber security recruitment experts.

If you’re looking to engage the top professionals in cyber security , or a cyber security professional seeking to propel your career further, it’s always the right time to commence discussions, our expert team look forward to connecting with you.

HOW WILL CYBER SECURITY JOBS BE AFFECTED BY AI

Tue, 10 Jun 2025 05:35:29 GMT

AI and Cyber Security: Navigating the Evolving Landscape

Artificial Intelligence (AI) is rapidly transforming the cyber security landscape, reshaping not only how organisations detect and respond to threats but also how professionals manage their day-to-day responsibilities.

From security operations to governance, risk, and compliance (GRC ), the influence of AI is being felt across all levels of the cyber workforce.

This blog explores how AI is reshaping the industry, the skills professionals need to thrive, and where the human touch remains irreplaceable.

AI is Changing Day-to-Day Roles But Not Replacing Them

For cyber security professionals, particularly in Security Operations Centres (SOCs) or GRC teams, AI is removing much of the manual, repetitive work that previously consumed hours each day. This shift is being driven by tools like Microsoft Sentinel , Splunk Enterprise Security , and CrowdStrike Falcon , which use machine learning to automate log analysis, triage alerts, and surface actionable risks.

As a result, roles are evolving. Instead of combing through logs or chasing false positives, analysts are increasingly focused on interpreting the output of AI systems, conducting deeper investigations, and making strategic recommendations. In the GRC space, professionals are using AI to streamline compliance assessments, cross-map controls, and generate reports, freeing them to focus on risk leadership and stakeholder engagement.

This pivot from operational execution to strategic oversight is one of the most profound shifts AI is ushering in.

AI Strengthens Threat Detection, But Has Limits

AI's ability to parse enormous datasets at speed makes it ideal for detecting threats at scale. By analysing behavioural patterns, network traffic, and historical indicators of compromise, AI can identify risks far faster than human teams alone. According to IBM’s 2024 " Cost of a Data Breach " report, 2.2M USD is the global average cost savings in million for organisations that used security AI and automation extensively in prevention versus those that didn’t.

However, there are well-documented limitations. AI models are generally trained on known threats and historical data. They can struggle with zero-day attacks, novel malware, or advanced social engineering tactics designed to slip past algorithmic defences. Attackers are now engineering exploits that evade AI detection which is a form of adversarial AI.

AI also lacks contextual understanding and intent analysis. While it might flag suspicious behaviour, it cannot always discern whether that behaviour is malicious or benign without human input. For example, a legitimate employee accessing an unusual system after hours could be flagged as a threat which would be a false positive best resolved through human judgement.

This reinforces the value of human-AI collaboration: AI for speed and scale, humans for nuance and strategy.

What Tasks Will AI Automate in Cyber Security?

Tasks ripe for automation include:

Log and event analysis: AI can scan millions of events in real time, filtering out noise and identifying key patterns.
Phishing detection: Machine learning models can analyse emails for linguistic cues and anomalous behaviour.
Vulnerability prioritisation: AI can assess patching requirements based on asset criticality and exploit availability.
Incident triage: Basic alert response and classification are increasingly handled by AI-enabled SOAR (Security Orchestration, Automation and Response) platforms.
Compliance checks: AI is being used to automate audit trails, regulatory mapping, and policy enforcement.

Yet AI is not about eliminating jobs. It’s about elevating them.

Professionals remain essential for roles involving:

Regulatory interpretation
Threat hunting
Architecture design
Business engagement
Crisis response

Coinciding with the shift of organisations using AI in cyber security, the majority of major adopters still report needing more skilled professionals, not fewer.

Skills Cyber Security Professionals Need in the Age of AI

To thrive, cyber security professionals must develop a dual focus: deepening their human skills while gaining fluency in AI-enabled tools.

Key Human Skills:

Critical thinking: The ability to question AI outputs, investigate anomalies, and challenge assumptions.
Communication: Translating complex risk insights into language stakeholders can understand.
Ethical reasoning: Making value-based decisions when AI outputs conflict with company culture or regulation.
Collaboration: Working cross-functionally across tech, legal, risk, and executive teams.

AI Literacy:

Understanding how AI algorithms work (e.g., supervised vs unsupervised learning ).
Vast education on where AI excels and where it falls short.
Using AI tools as part of an integrated cyber defence strategy.

Courses such as Microsoft’s AI-900 and the ISC2 AI in Cyber Security certificate are strong starting points. Even free platforms like Coursera and edX offer accessible, industry-relevant AI learning paths.

Ethical Considerations in AI-Driven Cyber Security

With great automation comes great responsibility. AI raises challenging ethical questions:

Accountability: If an AI tool misclassifies a threat or enables a breach, who is liable?
Bias: AI models trained on biased data may make unfair decisions, potentially flagging activity disproportionately.
Transparency: Black-box AI models that make decisions without explain-ability can undermine trust.

Organisations need clear policies around AI governance, including:

Human-in-the-loop oversight for all critical decisions
Transparent documentation of AI model training and assumptions
Regular audits for fairness, accuracy, and compliance

The OECD AI Principles provide emerging guidance on ethical AI use. Locally, the Office of the Australian Information Commissioner (OAIC) has released guidance on how the Privacy Act 1988 applies to AI decision-making.

Future-Proofing a Career in Cyber Security

The best way to prepare for an AI-shaped future is to stay adaptable. That means:

Continuous learning: Enrol in AI-focused short courses or micro-credentials.
Stay industry aware: Subscribe to AI and cyber threat intel from leading bodies like ACSC , ISACA , and SANS .
Work on cross-functional projects: Exposure to areas like legal, audit, and compliance builds broader skills.
Join professional networks: Stay connected through groups like AISA , ISC2 , or AWSN .

Above all, focus on becoming a translator between technology and business. That will always be a high-value role, regardless of how advanced automation becomes.

Deep Dive: The Evolution of Cyber Threats and AI’s Response

To understand why AI is so transformative in cyber security, it’s important to recognise how cyber threats have evolved. Threat actors have grown more sophisticated, leveraging automation themselves to conduct widespread phishing attacks, ransomware campaigns, and even AI-generated social engineering scams. According to the Australian Cyber Security Centre (ACSC), cybercrime reports fell by 7% in the 2023-24 financial year, however there is still one report made approximately every 6 minutes which remains unchanged from the following year.

This consistency in threat volume and complexity means traditional human-centred defence models alone are no longer sufficient. AI’s capacity to scale, learn, and adapt to emerging attack vectors is an essential element for maintaining security in a hyperconnected world.

The Role of Generative AI in Cyber Security

One of the most disruptive developments in the past year has been the rise of generative AI. Tools like ChatGPT, while useful for writing code, automating documentation, or generating security use cases, can also be misused by malicious actors.

For example, threat actors have used generative AI to:

Write more convincing phishing emails
Automatically generate polymorphic malware
Clone voices or fabricate video content (deepfakes) for social engineering

These capabilities present new challenges for cyber security teams. Defenders must not only understand how generative AI tools work but also develop detection techniques for AI-generated threats.

Cyber Security Vendors and AI Integration

Many leading cyber security companies have embedded AI into their platforms:

CrowdStrike uses AI-driven behaviour analytics to detect anomalies in endpoint behaviour.
Palo Alto Networks employs machine learning in its Cortex XDR product to correlate threat signals across network, endpoint, and cloud environments.
Darktrace has built its entire value proposition around AI, using unsupervised learning to model “normal” behaviour in an organisation and detect deviations in real time.

These types of tools are no longer optional for modern cyber security teams as they are quickly becoming the foundation of an effective defence posture.

AI in Incident Response and Forensics

In incident response, AI is enabling faster root cause analysis and smarter playbook execution. Security Orchestration, Automation, and Response (SOAR) platforms integrate AI to automate routine containment steps, isolating compromised systems, disabling credentials, or collecting forensic data while escalating complex cases to human analysts.

AI also plays a growing role in digital forensics. Tools can now automatically parse memory dumps, reverse-engineer malware, and identify lateral movement patterns across systems. These advancements reduce the time it takes to investigate breaches and restore systems.

AI and the Cyber Security Talent Gap

One of the most compelling arguments for AI in cyber security is its ability to ease the ongoing talent shortage. ISACA’s 2024 State of Cyber Security report found that 57% of organisations have unfilled cyber roles and 55% report increased turnover in cyber teams. AI can alleviate burnout by reducing manual workloads, allowing professionals to focus on high-impact tasks.

Rather than replacing jobs, AI changes the profile of what a “cyber professional” looks like. Demand is growing for:

Cyber risk advisors with SME AI literacy
Threat intelligence analysts who can validate AI findings
Compliance leads who understand automated governance tools
Product security specialists who can secure AI models against adversarial manipulation

Real-World Case Studies: AI in Action

Banking Sector: Major Australian banks have adopted AI for fraud detection. Westpac , for example, uses AI models to monitor customer transactions and flag suspicious behaviour in real time, improving fraud prevention without compromising customer experience.

Government: The Digital Transformation Agency has flagged the need for secure AI adoption in government services, highlighting the use of AI in digital identity verification while also acknowledging the importance of oversight and transparency.

Health Sector: Healthcare providers are using AI to protect sensitive medical records. AI monitors access logs, detects unauthorised access attempts, and helps ensure compliance with strict privacy laws.

Looking Ahead: AI Regulations and Cyber Security Policy

As AI adoption grows, so does regulatory scrutiny. The European Union’s AI Act , set to become law in 2025, will impose risk-based rules for AI systems. In Australia, the government is consulting on frameworks to manage AI safety, with the Department of Industry, Science and Resources leading discussions on responsible AI.

Cyber security professionals must stay alert to these developments, especially those working in regulated industries. GRC teams should begin mapping how AI use intersects with laws such as the Privacy Act, CPS 234 (for APRA-regulated entities), and critical infrastructure legislation.

The Human Factor Remains Central

Despite all this progress, the human element in cyber security remains vital. AI is a tool not a decision-maker. Human oversight ensures:

AI outputs are ethically and legally defensible
Contextual factors are considered in risk decisions
Organisational values are upheld

As cyber threats become more agile and machine-enabled, human defenders must be equally agile. This means working with AI, not against it.

Conclusion: AI as a Co-Pilot, Not Competitor

The intersection of AI and cyber security marks a profound shift in how we defend against threats. But it is not the beginning of the end for cyber jobs. Instead, it is a transformation of purpose. AI will do more of the grunt work. Humans will do more of the high-order thinking.

For cyber security professionals, the mission is clear: embrace the tools, sharpen the soft skills, and lean into a strategic role. The industry doesn’t need fewer people because of AI, it needs smarter, more adaptable people who can work alongside it.

As Jacob Bywater , Director at e2 cyber, puts it: “The future of cyber security isn’t AI versus people, it’s AI with people. The smartest tools still need the sharpest minds behind them.”

Final Thoughts

The AI/cyber security relationship is one of augmentation, not replacement. At e2 cyber, we see AI as a tool that can amplify human expertise, not diminish it. Cyber security professionals who understand this dynamic will not only remain relevant, they will lead the industry forward.

Whether you’re just starting in cyber or are a seasoned CISO, the message is the same: evolve, upskill, and stay curious . The next chapter in cyber security won’t be written by AI alone. It will be written by professionals who know how to wield AI wisely.

Full list of resources

If you’re looking to engage the top professionals in cyber security, or a cyber security professional seeking to propel your career further, it’s always the right time to commence discussions, our expert cyber security recruitment agency team look forward to connecting with you.

WHAT INFLUENCES CYBER SECURITY SALARIES IN AUSTRALIA?

Fri, 18 Apr 2025 03:20:04 GMT

How Skills, Sector, Experience and Location Shape What You’re Paid

Across Australia, cyber security salary expectations are influenced by far more than just job titles or years of experience. From technical engineering roles to non-technical governance paths, from private sector agility to public sector structure, a diverse set of forces are shaping what cyber professionals earn today and what they can expect tomorrow.

Understanding these dynamics is critical not just for professionals navigating their careers, but for hiring managers and decision-makers tasked with building competitive, high-performing teams . In this article, we break down the key drivers behind cyber security salaries in Australia : the impact of skillsets, the divide between technical and non-technical roles, how government and private sectors compare, and the roles that experience, certification, and location play in determining value.

Let’s delve into what’s really going on behind the numbers.

The Technical vs Non-Technical Divide, and Why Both Matter

Cyber security is not a monolith. It’s a rich ecosystem of roles and responsibilities, broadly split into technical and non-technical domains. The salary dynamics between the two are shifting, and not always in ways you might expect.

Technical Roles: Depth, Complexity, and Specialisation

Technical professionals — the engineers, architects, pen testers, and analysts — are the builders and breakers of cyber. They write scripts, deploy controls, chase vulnerabilities, and safeguard endpoints, cloud environments, and networks from compromise. In Australia, technical cyber roles have historically been seen as the “core” of cyber, and with good reason: without them, there’s no defence.

What’s changing, though, is the premium placed on specialisation. A generalist security engineer may command a decent salary, but an identity specialist who can navigate the nuances of Azure Entra ID (previously active directory), SSO , MFA enforcement, and modern access architectures? That’s a rarer beast, and they’re being paid accordingly.

At the top of the tree are those with deep cloud security expertise — particularly across AWS, Azure, or GCP. With so much infrastructure moving to the cloud, businesses and agencies are scrambling to secure it. If you can design secure-by-default architectures and implement guardrails with code, there’s serious earning potential.

Likewise, penetration testers with OSCP (or equivalent) are in demand, especially those with real-world offensive experience who can move beyond scan-and-report.

In short: technical roles are still highly paid, but depth, niche expertise, and real-world delivery are what separate the $130K candidates from the $200K+ players.

Non-Technical Roles: Rising Relevance in a Regulatory Age

On the other side of the fence are the non-technical roles — GRC specialists, risk advisors, security policy leads, awareness consultants, and compliance managers. For a long time, these roles were seen as "less technical, therefore less critical." But the tide has turned.

With APRA CPS 234, ISO 27001, IRAP, the PSPF, Essential Eight, and now growing momentum behind mandatory incident reporting, the ability to interpret, implement, and report against frameworks is no longer a ‘nice-to-have’. It’s essential. Organisations can no longer afford to wing it and those who can articulate cyber risk in business terms are in high demand.

In fact, some of the highest-paid cyber professionals in Australia today are not engineers, they’re risk leaders and compliance specialists in financial services, critical infrastructure, and government advisory roles. Their value lies not in coding, but in enabling business continuity, audit readiness, and strategic risk posture.

Private vs Government Sector: Two Worlds, Two Models

Whether you work in the private or public sector can dramatically shift your earning potential and the path it takes to get there.

The Government Market: Canberra, Clearance, and Consistency

Let’s start with government and more specifically, Canberra, the beating heart of federal cyber investment. In this market, security clearance is currency. If you hold NV1, NV2, or TSPV, you’re already in a select group. Layer on solid experience, and your day rate could well exceed $1,200, especially in roles requiring systems accreditation, IRAP knowledge, or architecture of classified environments.

Government contracting offers structure, predictability, and volume. Frameworks are defined. Project scopes are relatively stable. But it can also be procedural, and for some, slower-paced. Salaries, especially on contract are excellent, but typically reserved for those with specialist skills and clearance. Permanent government salaries, while steady, don’t always match the private sector, but they offer stability, job security, and superannuation perks that balance out the package.

If you’re technically strong, cleared, and enjoy working within frameworks like ISM , PSPF, and Essential Eight , government can be a lucrative and meaningful path. But breaking into it without clearance or public sector exposure can be difficult.

The Private Sector: Fast, Varied, and Commercial

In contrast, the private sector is where the pace is faster, the problems more diverse, and the salaries more performance-driven.

Here, your value is often measured by your impact: did you reduce risk exposure? Close audit findings? Enable secure DevOps? Reduce third-party risk?

Technical professionals in this space, particularly those working in financial services, cloud-native environments, or consulting, can command salaries well above $200K, especially in Sydney and Melbourne. Equally, senior GRC leads overseeing regulatory compliance across multinational businesses are earning in that same ballpark, especially if they can manage complex vendor ecosystems and translate cyber risk into strategic business decisions.

The private sector also tends to reward communication skills more explicitly. If you can liaise with executives, run workshops, and influence outcomes across technology and business teams, you’re more likely to reach the higher pay grades — regardless of whether you sit in a SOC or a boardroom.

City-by-City Salary Trends

Let’s talk location. Yes, remote work has blurred some lines, but geography still plays a role — especially when tied to client requirements, cost of living, and clearance needs.

Canberra: The Capital of Clearance

Canberra leads in terms of average cyber salary especially for contract roles. This is thanks to a concentration of government demand, heavy regulatory obligations, and the clearance premium. NV1 or above can add tens of thousands to your annual earning potential. That said, breaking into this market without existing clearance or public sector experience is difficult, and many roles are limited to Australian citizens.

Sydney & Melbourne: Corporate Cyber Central

Sydney and Melbourne remain the go-to cities for corporate cyber, home to major banks, insurers, telcos, and tech firms. Salaries here are strong, especially in financial services, where APRA and internal audit functions mean GRC professionals are in high demand. Technical security engineers, particularly those with cloud and identity experience, are earning upwards of $180K. Senior GRC leaders are comfortably above $200K, especially if managing regulatory or board-level risk.

Brisbane: Growing and Gaining Ground

Brisbane is growing rapidly, especially across healthcare, energy, and tertiary education. Salaries are marginally lower on average (around 10–15%) than Sydney/Melbourne, but the gap is closing. We’re seeing increased demand for GRC roles in state government, and a steady uptick in cloud and security engineering hires across private enterprise.

Experience: The Ultimate Accelerator

Experience is, unsurprisingly, one of the strongest predictors of cyber salary — but not all experience is equal.

Early Career: Building the Foundation

At the entry level, salaries range from $70K–$100K, depending on whether the role is more technical or compliance-focused. Graduates who complete internships, cadetships, or industry placements tend to command the higher end. Home labs, Hack The Box, and self-directed GitHub projects also impress, especially when combined with certifications like CompTIA Security+, Azure Fundamentals, or GRC courseware.

Mid-Level: Proving Your Value

Once you’ve moved into mid-level territory (3–7 years’ experience), salaries sit between $110K and $150K — often higher for cleared candidates or those with in-demand specialisations. This is where many professionals begin to niche: cloud, risk, identity, red team, compliance, or architecture. It’s also when certifications become more meaningful, not because they guarantee competence, but because they unlock certain clients, tenders, or roles.

Senior Roles: Strategy, Leadership, and Scale

At the senior end, those leading security functions — CISOs, Heads of Risk, Security Managers — can command anywhere between $180K and $300K, sometimes more in large organisations or with P&L responsibility.

But it’s not just tenure that gets you there. It’s leadership, adaptability, stakeholder management, and strategic thinking. If you’re the one who briefs the board, manages incidents, and shapes enterprise risk posture, you’re in prime position to negotiate top-tier compensation.

Certifications: Necessary, But Not Everything

There’s a long-standing debate in cyber circles: do certifications really matter?

The answer is: it depends.

In government contracting, certifications are often table stakes especially those tied to frameworks or mandates. IRAP assessors, ISO 27001 implementers, CISSP holders, these certifications are not just desirable, they’re billable. Many agencies can’t put you forward without them.

In the private sector, it’s a bit more nuanced. Certifications like CISM, CISSP, CRISC, CCSP, and even vendor-specific credentials (AWS Security Specialty, Azure SC-300) carry weight especially in hiring decisions. But what seals the deal is how you apply that knowledge. Can you actually deliver? Can you bridge tech and strategy?

What certifications do well is signal intent. They show passion, discipline, and a desire to learn. For junior and mid-level professionals, they’re often the thing that gets your CV in the ‘yes’ pile. But they won’t carry you across the line alone.

Career Paths That Lead to High Salaries

Now for the big question: what path should you follow to earn the most?

There’s no single answer but there are patterns.

One common route is to start in a GRC or SOC analyst role, gain hands-on experience with risk frameworks or detection tools, earn certifications (CISM, CISSP, IRAP, CCSP), and specialise either in cloud security, risk governance, or architecture.

Another lucrative pathway is through cyber consulting, either in the Big Four or a boutique firm. Here, exposure to multiple industries, stakeholder environments, and compliance regimes can accelerate your learning (and earning) rapidly. Many of today’s high-earning CISOs and Heads of Security started this way.

Alternatively, sales and pre-sales engineering roles can be hugely lucrative. If you have technical know-how and commercial acumen, cyber security vendors are paying significant bonuses and commissions for those who can translate capability into closed deals.

The takeaway? Pick a niche that excites you, master it, and build a reputation. The money will follow.

What Makes a Cyber Role ‘Secure’ in the Long Run?

“Where’s the job security?” is a question we hear more often these days and it’s fair. The sector may be growing, but restructures, AI shifts , and project funding cuts have made even cyber feel unpredictable.

So what gives you the best long-term prospects?

The answer isn’t a specific job title, it’s adaptability and relevance.

Roles in GRC and risk management tend to be evergreen, especially in regulated industries. Cloud security, too, shows no signs of slowing and those who can navigate multi-cloud governance are well positioned. Identity, data privacy, and supply chain security are also strong bets.

But ultimately, the most “secure” professionals are those who don’t rest on their current skill set. They stay curious, track emerging threats, update their knowledge, and broaden their impact.

What Sets the Top Candidates Apart?

With so many smart, qualified people in the field, what makes someone truly stand out?

It’s rarely just technical brilliance. More often, it’s a blend of:

Proactivity: You’re not waiting to be told what to learn or where to go — you’re already on your way.
Community Engagement: Speaking at meetups, mentoring others, joining panels, sharing insights. You’re visible.
Continuous Learning: Whether it’s a new cert, a course, or just devouring threat intelligence reports, you’re always building.
Communication: You can explain complex ideas clearly to technical and non-technical audiences. That’s gold.
Resilience: You manage stress, learn from incidents, and support your team. You’re reliable, and that matters.

When hiring managers talk about “top candidates,” these are the traits they name again and again.

Final Words: Salary is a Signal, Not the Whole Story

Let’s be honest, money matters. It reflects how your skills are valued, and it enables freedom and choice. But it’s also just one signal of success.

If you’re early in your career, don’t chase salary at the expense of learning. If you’re mid-level, get strategic about your next few moves, build depth and influence. And if you’re senior, invest in legacy, in mentoring, shaping the culture, and enabling others to rise. No matter the stage, always be partnered with top recruiters that can offer you real time market intel such as our salary and rate guide and a competitive advanta ge for your application.

The Australian cyber security market is healthy, growing, and filled with opportunity. But it's those who align passion with performance, learning with leadership, and delivery with depth that will see the greatest rewards.

If you’re looking to engage the top professionals in this field, or a cyber security engineer seeking to propel your career further, it’s always the right time to commence discussions, our expert team look forward to connecting with you.

NEURODIVERSE TALENT: A GAME CHANGER IN CYBER SECURITY

Mon, 17 Mar 2025 02:27:32 GMT

The cyber security domain continues to evolve rapidly, with increasingly sophisticated threats requiring innovative solutions. A valuable, yet underutilised asset in this field is neurodiverse talent. Individuals with neurodivergent traits, such as Autism Spectrum Disorder (ASD), ADHD, and Dyslexia, often possess cognitive strengths that make them well-suited for cyber security roles. Their natural abilities in hyperfocus, pattern recognition, and problem-solving allow them to excel in threat detection and response, making them integral to modern cyber defence strategies.

To mark Neurodiversity Celebration Week , we interviewed Senior Cyber Security Consultant with AUCyber, Emily, who shared her personal experiences both as a neurodivergent professional, and how, as a leader, she has committed to taking a proactive approach to inclusion in the cyber security industry.

Why Do Neurodiverse Minds Excel in Cyber Security?

Being neurodivergent is often synonymous with having an inquisitive mind, and in Emily’s opinion, it aligns nicely to the cyber security industry in that “ it’s still so relatively new and it’s also very broad so there’s literally endless opportunities for learning and following different rabbit holes. ” Some of the more specific alignments include:

Hyperfocus and Attention to Detail

Many neurodivergent individuals can hyperfocus, immersing themselves deeply in tasks for extended periods. In cyber security, where identifying minute anomalies in vast amounts of data is crucial, this ability can be a game-changer. Threat actors often rely on small changes in code or network behaviour to breach systems undetected. Neurodivergent professionals, with their ability to concentrate and notice subtle irregularities, significantly enhance an organisation’s defensive posture.

Pattern Recognition and Analytical Thinking

Cyber threats often follow patterns, and recognising these patterns early can prevent potential breaches. Many neurodivergent individuals, particularly those with ASD and Dyslexia or Dyspraxia, have an exceptional ability to detect patterns and anomalies that others might overlook. This strength is invaluable in security analysis, penetration testing, and incident response, where recognising unusual behaviours and deviations is key to mitigating cyber threats.

Problem-Solving and Creative Thinking

Cyber security is an ever-changing battlefield requiring out-of-the-box thinking to stay ahead of attackers. Dyslexic individuals, for instance, often have strong problem-solving skills and a unique ability to approach challenges from different angles. This creative thinking helps devise new strategies for cyber defence, identify vulnerabilities, and counteract evolving threats.

Perseverance and Commitment

Many neurodivergent individuals display an intense drive to solve problems and find answers. This tenacity is particularly valuable in cyber security roles that demand persistence, such as digital forensics, incident response, and penetration testing. The ability to stay engaged with a problem until a solution is found makes neurodivergent professionals highly effective in defending against cyber threats.

Neurodiverse Talent in Cyber Security Roles

Different cyber security roles align with various neurodiverse strengths. Some individuals thrive in technical, isolated roles such as Security Operations Centre (SOC) analyst or penetration testing , while others excel in problem-solving and collaborative roles. For Emily, being able to “ problem solve - understand how things work and put all the puzzle pieces together is what makes things for me. And I also get to talk to people! ” While each person is different, it comes down to what you’re drawn to and what makes you want to be there? Anyone in cyber will tell you it’s a 24/7 job where you’re fully immersed in the industry. Some roles that potentially align with neurodiverse talent include:

Threat Hunting: A field where attention to detail and hyperfocus help identify vulnerabilities before they escalate.
Incident Response: Neurodivergent individuals’ quick decision-making skills enable efficient handling of security breaches.
Red and Blue Team Operations: Their ability to predict hacker behaviour makes them valuable in both offensive (red team) and defensive (blue team) security.
Auditing and Risk Assessment: The methodical approach of neurodivergent individuals is particularly useful in auditing processes and risk assessments, where detail-oriented thinking is essential.
Security Research: Continuous learning and inquisitiveness make neurodivergent professionals ideal candidates for security research roles, where staying ahead of emerging threats is crucial.

Challenges and the Need for Inclusion

Despite their strengths, neurodivergent individuals often face challenges in the cyber security industry, from workplace stigma to the pressure of 'masking' their traits to fit in. According to Emily “ in the broader sense, the cyber industry is more forgiving of people’s individual quirks and accept them. But at the same time, there’s a lot of people that expect you to fit the “regular” mould. ” Addressing these challenges requires a proactive approach to inclusion:

Advocacy and Awareness: Promoting understanding of neurodiversity in cyber recruitment and fostering an inclusive culture.
Psychological Safety: Creating a work environment where neurodivergent professionals feel comfortable being themselves.
Flexible Work Arrangements: Allowing variations in work schedules to accommodate different cognitive and energy patterns.
Transparent Communication: Providing clear instructions and expectations to support neurodivergent employees in excelling in their roles.
Workplace Flexibility: Recognising that productivity fluctuates and allowing employees to work when they are most effective.
Personalised Feedback and Communication Styles: Understanding how individuals prefer to give and receive feedback to enhance collaboration.

Ensuring an inclusive cyber recruitment strategy and embedding these into the workplace culture benefits not only neurodivergent employees, but the entire organisation. People excel in an environment where they are encouraged and supported to be their genuine selves. “The big lesson I learnt was to stop masking. You get burnt out so quickly because you’re trying to put on a mask while you’re already doing a stressful job.”

Strategies for a More Inclusive Workplace

Organisations in Australia such as Westpac , Microsoft and IBM have recognised the immense value neurodiverse professionals bring to cyber security and have launched targeted hiring programs. However, a review of the workplace culture, policies and procedures needs to take place well before the actual hiring can begin. “ If organisations want to launch targeted programs for neurodiverse talent, they first need to make sure that the (working) environment they’re bringing them into is the safest it can possibly be. ” Practices to foster a more inclusive culture include:

Encouraging Transparency: Open discussions about working preferences, such as the "Story of Me" initiative, can foster understanding. Emily described "The Story of Me" as a team tradition she implemented where, during a new member's first team meeting, the team shared (where comfortable) how they liked to work—their preferences, needs, and personal circumstances. This included things like work setup (earphones in when concentrating for example), communication styles, family responsibilities, or anything else that shaped how they worked together. It helped everyone understand each other better from the start, fostering a more inclusive and supportive environment.
Prioritising Well-being: Recognising the risk of burnout and ensuring proper support systems are in place.
Inclusive Leadership Practices: Creating initiatives that allow employees to communicate their work styles and personal needs openly.
Genuine Effort in Understanding Employees: Leaders should make a sincere effort to learn what works best for each employee and adapt accordingly.
Rewriting Job Ads: Avoiding rigid requirements that deter neurodivergent individuals from applying.

The Future of Cyber Recruitment

By embracing neurodiversity, the cyber security industry can strengthen its ability to combat cyber threats with innovative, detail-oriented, and resilient professionals. As cyber risks continue to evolve, so must our approach to hiring to ensure we are reaching the full scope of talent in the market. But it starts with creating an environment where all professionals, including neurodiverse talent can thrive.

If you would like some guidance to proactively attract, retain, and support neurodivergent talent, reach out to the e2 Cyber team to have a conversation about how we can support your organisation.

About Emily

Emily is a proud Wiradjuri woman, mum of two, and Senior Cyber Security Consultant with AUCyber. She's a passionate advocate for preventing Tech-Facilitated Family Violence and Abuse especially in First Nations communities and encouraging more diversity across the Cyber industry. When she's not getting excited about Cyber GRC in her day job, you'll find her (or won't), running and hiking around Canberra.

BUILDING A CAREER IN CYBER SECURITY ENGINEERING

jacob@emanatetechnology.com.au (Jacob Bywater) — Tue, 04 Mar 2025 02:50:33 GMT

Building a Career in Cyber Security Engineering: Insights, Challenges, and the Road Ahead

The Australian tech landscape is shifting, with cyber security engineers being the force driving the evolution. As digital threats continue to escalate, these professionals are the guardians, defending organisations from a rising tide of cyber-attacks. But excelling in this role requires more than just technical know-how. It demands adaptability, curiosity, and an actual desire to learn and evolve.

So, what does it truly take to build a thriving cyber security career in Australia?

What Does a Cyber Security Engineer Actually Do?

The term " cyber security engineer " might sound straightforward, but the role is far from simple. It's a blend of technical defence and strategic thinking. One day you could be designing firewalls, and the next, hunting down advanced threats. Common responsibilities include:

Conducting security audits and penetration tests
Developing incident response protocols
Monitoring systems for suspicious activity
Collaborating with developers to integrate security into applications
Staying ahead of evolving threats

It’s a fast-paced and sometimes chaotic environment, but for those who love solving complex problems and protecting others, it’s incredibly rewarding.

Certifications: The Starting Point, Not the Finish Line

While certifications are often seen as the gateway into cyber security, they’re only the beginning. Cyber security engineering qualifications not only validate your technical expertise but also show your commitment to the craft. In Australia, some of the most valued certifications include:

CISSP : A must for those looking to step into senior roles, covering everything from risk management to security architecture.

CEH : Perfect for penetration testers, it hones offensive security skills.

AWS Certified Security – Specialty : With cloud adoption surging, this certification is quickly becoming indispensable.

OSCP : The gold standard for hands-on penetration testing.

However, certifications alone won’t make you successful. Without practical application, they’re just paper. The real value comes when you take what you’ve learned, experiment, and push boundaries. This hands-on experience is what separates good engineers from great ones.

The Shifting Expectations of Certifications and Programming Languages

As the cyber security field continues to transform , so too do the expectations for qualifications. The certifications you pursue depend largely on your career trajectory. For vendor-specific roles, certifications like Splunk Enterprise Certified Architect can be crucial. But for broader, more respected credentials, CompTIA and SANS certifications are still top of the list. These show both foundational knowledge and specialised expertise, making them valuable assets for any aspiring cyber security engineer.

When it comes to programming, certain languages consistently stand out. Python is essential for automation and threat analysis, PowerShell is a must for Windows environments and incident response, and Java is widely used in security applications, particularly in large enterprise systems. Mastering at least one of these languages will give you flexibility and a competitive edge.

The Skills That Set You Apart

With an estimated 30,000-worker shortfall in the cyber security sector by 2026 , Australian businesses are crying out for skilled professionals. But not all skills are in equal demand. Some of the most sought-after include:

Cloud Security: As over 59% of Australian businesses (as of ABS reporting in 2022, and growing rapidly) rely on cloud platforms, this is a critical skill.
Incident Response & Threat Hunting: The ability to spot, contain, and neutralise threats is invaluable.
Governance, Risk & Compliance (GRC ): Familiarity with frameworks like the Essential Eight or ISO 27001 is a huge advantage.
Programming (Python, PowerShell, Bash): Automation is essential for scaling security measures.

But technical expertise alone isn’t enough. The most successful cyber security engineers possess a rare blend of technical skills, communication, empathy, and strategic thinking — they know how to translate complex technical risks into a language that resonates with stakeholders, building trust and driving the necessary action. They create collaborative relationships across teams, bridging the gap between security and operations, and subtly shape security culture from within through influence and leadership. The ability to not just articulate risks but to inspire change is invaluable. In a field where threats evolve rapidly, the engineers who can unite people around a shared vision of resilience and guide organisations with confidence are the ones who truly stand out. Soft skills are not just complementary, they are often the defining factor that sets exceptional engineers apart from the rest.

The Evolution of Employer Expectations

A few years ago, cyber security was largely seen as a technical challenge—something solely for the IT department to manage. But that mindset is changing. Security is now a board-level issue , and organisations want engineers who think beyond just the tech. Today’s employers value:

Strategic Thinking: Can you align security initiatives with business goals?
Continuous Learning: Are you proactive in keeping your skills sharp and staying up-to-date with the latest threats?
Adaptability: Cyber threats are always evolving—can you pivot quickly and respond?

In this era, employers are looking for partners in resilience, not just technical gatekeepers. If you can combine both expertise and vision, you’ll be unstoppable.

Advice for Cyber Security Engineers

Whether you're just starting out or looking to level up, hands-on experience is key. Spin up virtual labs, join bug bounty programs, and practice in environments like Hack The Box. Building a strong network by attending local security meetups like AISA or SecTalks can also help you connect with industry professionals (make sure you also keep an eye our for e2 Cyber events held across the country too). And never stop being curious - read up on threat reports, follow security researchers, and explore new technologies. The best cyber security engineers are those who don’t wait for permission to learn; they tinker, experiment, and constantly push themselves.

The Cyber Road Ahead

Cyber security in Australia is not just a growing field, it’s becoming an indispensable pillar of national and organisational resilience. With escalating digital threats, evolving regulatory landscapes, and increasing government investment in critical infrastructure, the demand for skilled cyber security engineers will only intensify. These professionals will be the architects of digital defence, safeguarding sensitive data and fortifying systems against an ever-changing threat landscape. It’s a career that demands insatiable curiosity, adaptability, and a commitment to lifelong learning. Yet, for those who rise to the challenge, it offers something rare: the chance to make a tangible impact, protect what matters most, and contribute to the collective security of businesses, communities, and the nation. It’s not just a job — it’s a calling, filled with purpose, responsibility, and endless opportunities to shape the future.

YOUR GUIDE TO SELLING YOURSELF FOR SUCCESS

Mon, 03 Feb 2025 21:50:33 GMT

How to Sell Yourself for Success in the Cyber Security Industry

What do I mean by selling yourself for success? Simply put, it’s the way you communicate your skills, abilities, and motivations to a potential employer. There are many ways to sell yourself outside of communication. It can start with what you’re wearing, your posture, maintaining eye contact, the CV you send, and your overall tone of voice, to name a few. For the purpose of this blog (and in the interest of not taking too much of your time), I’m going to be focusing on WHAT you are communicating to the employer; what you should do, what you shouldn’t do, with the aim of providing some assistance to help you succeed and to give you something to think about in your next interview preparation .

Find the Balance in Cyber Security Recruitment Jobs

Selling yourself usually goes one of two ways in an interview. You either oversell or undersell. The success comes in the middle. When you oversell yourself, you create doubt in the interviewer. Did they really do all that? Can this genius cyber security engineer really recite the ENTIRETY of ISO27001?! I may be dramatising, but the point remains. You can't do it all, and everyone knows that.

Usually, when you oversell these elaborate stories, they end up being about a project that an entire team delivered that, at the end of the day, doesn’t mean a thing to the person interviewing you. They don’t care what the team did; they want to know what YOU did. They want to know how you encountered a problem and the steps YOU took to overcome it.

Otherwise, it goes the other way. The CCIE network architect comes across to the interviewer as someone who may or may not have set up a home lab at some time in the past year, or seven. The IRAP assessor who has produced thousands of reports seems like they don’t even know what the Essential 8 is….

If you approach selling yourself in either of these two ways, chances are you aren’t getting a call with an offer, whether you’re applying for a chief information security officer role or a cyber security contract job.

How to Sell Yourself in Cyber Security Recruitment

So, how do you sell yourself? There’s a fine line between confidence and capability. You have to know that any skill, tech, or project you mention, you have a real example of how you implemented, utilised, or contributed. Otherwise, you risk seeming less capable and overconfident.

Always back what you say with examples of what you, yourself, did in projects, how you implemented a certain tool or how your skills meant that you configured the firewall faster than expected.

Use the STAR method . Seems obvious, but it's proven.

The STAR method is broken into four steps:

SITUATION – What was the context? What did you need to achieve? What was the outcome you were working towards?
TASK – How were you going to achieve this outcome?
ACTION – Outline the steps you took to get to the outcome. Highlight the issues you faced and how you overcame them.
RESULT – What did you achieve? How did this compare to the initial situation? Did you save the business money? Did you reduce timeframes? How did you do this?

Using this method ensures that you convey to whoever you are interviewing with that you understood what you needed to do, how to do it, and what the final result was. This is how you sell yourself for success in any cyber security jobs in Australia , whether it’s in cyber security architecture , GRC , or offensive security . Read more about the STAR method and other resources on our interview preparation page .

Know Your Strengths & Showcase Your Career

Now, there are a heap of ways for you to sell yourself. The key to doing this correctly is knowing your strengths, weaknesses, and what you are looking for in your next role. This allows you to speak (using STAR) to these strengths. Bringing relevant examples of where you showcased your skills, and in some cases, where your weaknesses were highlighted and the steps you took to overcome them.

Don’t be the person who oversells and claims to know it all. Similarly, don’t be the person who has been in the industry forever and seemingly doesn’t know anything. Be the person in the middle, use the STAR method and showcase your skills in a way that demonstrates you knew what you were achieving and how you got there.

Remember, more than likely, you aren’t the unicorn that knows it all and that’s okay! There’s a reason cyber security specialists exist across so many specialist fields. But if you are the unicorn that knows it all, send me your CV .

Ready to secure the skills to protect and defend your business? Or looking for your next exciting cyber role? Whether it's for long or short-term contracts or a permanent role, we are Australia's top Cyber Security recruitment agency, committed to providing the best talent and expertise to meet your needs.

NEW ROLE FOR 2025? START YOUR CYBER JOB SEARCH NOW!

Mon, 04 Nov 2024 03:23:56 GMT

READ THE SNAPSHOT:

Beginning your cyber job search now reduces competition, increasing the chances of your resume being noticed and landing interviews.
The tech market often slows down in early January, meaning job searches can extend into February. Starting now helps you avoid this seasonal lull, with a chance to secure a role by early January or even earlier.
End of year networking events provide valuable opportunities to make connections in the cyber industry.

How to Start Your Cyber Job Search

As we draw closer to the end of the year, you might find yourself among the many who are already considering resolutions for 2025. At the end of each year, many people reflect on the year gone and set themselves new goals, whether for fitness, health, or even finding a new role. But, why wait for January? Jumping on to your cyber job search now can put you ahead of the game, giving you an advantage over the masses that will start looking after the holiday break.

Starting your cyber search now, rather than waiting can offer you benefits, making it the perfect time to focus on your career goals. These are our compelling reasons why:

Less Competition in the Cyber Market

The flood of new candidates typically starts in January, meaning that if you get your cyber job search started now, you’ll face less competition. With potentially fewer applicants, your resume is more likely to stand out, and you may have a greater chance of landing interviews. Give yourself the best chance at standing out by reviewing your resume format – you can download our CV template to see how it stacks up. And you want to make sure you highlight all the important information such as being detailed around your responsibilities/achievements for each position you have worked and listing all relevant certifications. Hiring managers are also interested in seeing your commitment to the cyber industry so showcase non-paid activities such as your participation in CTFs, Hackthebox , TryHackMe etc. And to pull it all together, include a well written and appealing cover letter to bolster your application and outline why you’re interested in both the role advertised and the company you would be joining.

Avoid the Post-Holiday Tech Market Slowdown

The phrase, “The market doesn’t return until Australia Day,” is commonly heard at the start of the year. If you wait until January, you risk running into this seasonal lull, which can drag out the job search process well into February. By starting your cyber job search now, you’ll likely bypass the holiday slowdown, and if all goes well, you could begin the new year in your new role. Unlike some other areas of the IT market, the threat of cyber breaches doesn’t take a break just because Santa is coming! Cyber security teams are continually assessing and monitoring for potential breaches, which can make it advantageous to those looking to secure a role this side of Christmas, especially if you are happy to work the typical "shutdown periods".

Leverage End-of-Year Budgets

For companies that align their budgets with the calendar year, November and December can be a time for last-minute hiring. Cyber teams with remaining funds may be eager to bring on new permanent and contract talent before budgets reset. By actively looking now, you position yourself as a ready solution for companies wanting to make the most of their budget. They will be looking to lock in interviews before the end of year, especially if they are aiming for an early January onboarding or need a cyber professional to support the team over the Christmas break. Now is a good time to brush up on your interviewing skills so you’re prepared.

Make the Most of Cyber Networking Opportunities

The end of the year often comes with a calendar full of professional gatherings, from holiday parties to industry events such as the upcoming AISA CyberCon in Melbourne at the end of November. Use these to your advantage to connect with potential employers and expand both your cyber knowledge and your community. Networking during this time allows you to make genuine connections in a more relaxed setting and build relationships that could help with your job search.

Cyber Rules! Show You’re Proactive

Starting your cyber search now sends a strong message to potential employers: you’re not just another candidate waiting for the right time; you’re actively pursuing growth. Employers will appreciate your proactive approach and may see you as a very motivated candidate who takes initiative. If you’re contemplating a career shift, now is the time to act. Whether you’re planning to switch industries, climb the ladder in your field, or add to your team’s talent pool, starting early gives you a strong advantage.

Ready to Start Your Cyber Job Search Now?

If a new cyber role is on your radar, or you’re a hiring manager looking to secure new talent before year-end, let’s connect . Starting early can set you up for a smoother, more successful job search, positioning you for a dynamic start in the new year.

Ready to secure the skills to protect and defend your business? Or looking for your next exciting cyber role?Whether it's for long or short-term contracts or a permanent role, we are Australia's top Cyber Security recruitment agency, committed to providing the best talent and expertise to meet your needs.

GRC CYBER PROFESSIONALS: THE BIGGEST STRUGGLES & HOW TO OVERCOME THEM

Mon, 02 Sep 2024 04:52:04 GMT

READ THE SNAPSHOT

GRC professionals must continuously learn and adapt to rapidly evolving technologies like AI, with an emphasis on networking and ongoing education to stay ahead of emerging threats.
There is a need to balance the pressure to deliver quick solutions with the importance of strategic planning and thorough risk assessments to avoid compromising security measures.
Challenges in securing stakeholder support can be overcome by translating complex risks into financial terms to justify security investments and change the perception of security from a cost to an essential investment.

What Are The Biggest Struggles for GRC Cyber Professionals?

As a cyber recruiter , I speak with numerous candidates and clients daily and the one question I always ask is “what is the biggest challenge you face in the constantly evolving world of cyber”? Here are some of the most pressing issues I have observed, along with potential solutions.

1. Navigating New Technologies and Risks

With the rapid emergence of AI and other advanced technologies, GRC professionals are constantly tasked with understanding and managing new risks. This can be overwhelming, as the pace of technological change often outstrips the development of security frameworks. To overcome this, continuous learning is key in the form of both networking and education. GRC candidates should invest in ongoing education , seek out specialised training, and engage with professional networks to stay informed about the latest trends and threats. Being proactive in learning can help GRC specialists not only keep up, but to stay ahead of the curve. If you are experiencing certain issues, there’s a good chance someone else is facing the same challenge, and the cyber community is one that is very good at sharing knowledge and problem solving together.

2. Balancing Speed and Quality

In the high-pressure environment of cyber security, especially in the consulting space where you are working across multiple clients, there’s often a push to deliver solutions quickly. However, this can lead to compromises in quality, with the risk of incomplete or insufficiently vetted security measures. The solution lies in the initial discussion with clients and fostering a culture that values strategic planning and allows time for thorough risk assessments. Organisations should encourage a balance where GRC professionals are given the time needed to develop robust, well-considered solutions, even when under pressure to act quickly.

3. Remediating Identified Risks

Identifying risks is only part of the challenge; the real difficulty often lies in remediating them. GRC professionals may face resistance from other departments, limited resources, or the sheer complexity of the risks. Building strong cross-departmental relationships and advocating for adequate resources are crucial. By fostering collaboration and ensuring that risk management is a shared responsibility across the organisation, GRC candidates can more effectively implement the necessary solutions.

4. Changing the Perception of Security as a Cost

A common issue in many organisations is the view of security as a cost rather than an investment. This mindset can lead to underfunding and a lack of support for GRC initiatives. To change this perception, GRC professionals need to advocate for security as a fundamental part of the organisation’s success. Using clear, data-driven arguments and real-world examples to demonstrate the potential cost of not investing in security can help shift this perspective and secure the necessary support.

5. Engaging Stakeholders

Engaging internal stakeholders and decision-makers is another significant challenge for GRC professionals. Often, these stakeholders have limited time or understanding of the complexities involved in cyber security. Regular, concise communication is key. GRC professionals should focus on translating complex security concepts into language that is accessible and relevant to non-technical audiences. Demonstrating how GRC efforts align with broader organisational goals can also help in securing stakeholder engagement and support.

6. Quantifying Risk in Dollar Terms

One of the most challenging aspects of GRC work is translating abstract risks into concrete financial terms. Organisations often require a clear understanding of the financial impact of risks to justify the investment in security measures. GRC professionals can overcome this by using risk quantification frameworks and drawing on real-world examples to illustrate potential costs. By providing tangible evidence of the financial implications of risks, GRC professionals can make a stronger case for the necessary security investments.

While GRC professionals face significant challenges in their roles, understanding these struggles and adopting proactive strategies can lead to greater success. By staying informed, advocating for a balanced approach to risk management, and effectively communicating with stakeholders, GRC candidates can navigate the complexities of their roles and contribute to building stronger, more resilient organisations. Are you a GRC professional looking for you next exciting opportunity ? Or an organisation ready to invest in GRC skills in your team? Chat to us about how we can support your cyber security goals and initiatives.

HOW TO BUILD AN EFFECTIVE CYBER TEAM

Mon, 05 Aug 2024 04:27:49 GMT

READ THE SNAPSHOT

An effective and therefore successful cyber team requires careful and considered planning and execution which starts at the top with a thorough understanding of the needs and goals of your organisation.
A strategic approach to recruitment, training and development and retention is needed for your team to be successful.
No amount of planning and execution will replace a team that fosters collaboration and inclusion.

Building an Effective Team in Cyber Security

Focussed solely on cyber security recruitment , we know and thing or two about building a robust and effective cyber team. To be successful in not only building, but maintaining an effective team, requires careful planning, a clear understanding of your organisation's needs, and a strategic approach to recruitment, training and retention. Here's our guide for your success:

Define Team Purpose and Scope

Scope and purpose are essential to enhancing team effectiveness as they provide clear direction, set boundaries, and everyone has the same information. This starts at the top, with a thorough understanding of the needs and goals of the organisation . These could include protecting sensitive data, ensuring compliance with regulations, or mitigating potential threats. Once these are determined at organisational level, it shapes the scope and purpose for your cyber security team. These drill down to specific areas to manage and maintain, such as threat detection, incident response, network security, compliance, and risk management.

Establish Key Roles and Responsibilities

Once you’ve established the purpose and scope of the team, each individual contributor needs clarity on their key role and responsibility, and how it fits within the cyber security team. As the manager of the team, your role is to set the strategy, ensure alignment with the organisation's overall goals and lead and coach the members of the team.

The team could be made up of cyber engineers , architects , network specialists, or offensive security roles such as penetration testers. You will most likely have internal GRC specialists and include some members at entry level to support the teams initiatives. However your team is structured, be clear in roles, responsibilities and chains of command.

Hire Talented Professionals

Getting the right mix of expertise in your team is essential to its success! Once you’ve defined the key roles and responsibilities, it is easy to pull together job descriptions that specify skills, qualifications and experience required for each role. Know what skills are essential to bring in, and what skills can be taught internally to upskill across the team. If managing the hiring process internally, use multiple recruitment channels, such as job boards, your cyber network, and partnerships with universities to find your candidates. For the more niche skills in cyber, lean on the expertise of a cyber specialist recruitment agency like us! However you go about your recruitment, it is important to have a targeted and efficient process with an inclusive recruitment approach to secure top talent.

Invest in Training and Development

Keeping the team’s skills up to date will not only support the outcomes of the team, but will also feed into your retention plan. Provide opportunities for continuous education, whether that be internally with workshops, or leaning on external platforms such as cyber conferences , or certification programs like CISSP, CISM, and CompTIA A+. Encourage knowledge sharing and on-the-job training and coaching to foster skill development, ensuring the team are given time to dedicate to this. You could also conduct regular penetration testing and red team/blue team exercises or participate in CTF’s to practice incident responses and improve the team's resilience.

Foster a Collaborative Culture

You can’t have a successful team if there’s no collaboration – as they say, there’s no “I” in TEAM! Promote open communication and collaboration and encourage a proactive approach to problem-solving and innovation. Provide support and mentorship to help team members grow in their roles, and to develop professionally. And don’t be afraid to call out behaviour that doesn’t foster collaboration and inclusion.

Implement Effective Tools and Technologies

Your team needs to have the right tools and technology to be able to effectively perform their roles. Implement Security Information and Event Management (SIEM) tools for real-time monitoring and analysis of security alerts. Deploy advanced endpoint protection solutions to safeguard devices and use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect and prevent unauthorised access. Ensure that sensitive data is encrypted both in transit and at rest to protect it from potential threats.

Develop and Enforce Policies and Procedures

Developing and enforcing comprehensive security policies and procedures ensures both the team and the organisation understands their part in defending and improving the cyber security posture. These should align with industry standards and best practices. Create an incident response plan that is regularly updated to quickly and effectively handle security breaches and ensure ongoing compliance with relevant laws, regulations, and standards.

Regularly Assess and Improve Cyber Skills

To maintain a strong cyber security posture and be an effective team, regularly assess and improve your strategies and processes. Establish key performance indicators (KPIs) to measure the effectiveness of your cyber security team and ask for 360 feedback to learn where you as the leader can improve and grow. Conduct regular security audits and risk assessments to identify and address vulnerabilities, keeping updated with the latest cyber trends and technologies, and continuously work towards improving your cyber security strategies.

Retain Your Cyber Talent

You’ve done all this hard work to pull together the right mix of people so you want to ensure you do everything you can to retain your top talent for the stability and effectiveness of the cyber security team. Ensuring salaries and benefits remain competitive will support both attracting and retaining skilled cyber professionals, as will providing clear paths for career advancement and outlining professional development opportunities to keep them interested and motivated. Fostering a positive work environment that values and rewards hard work and innovation will contribute to the overall job satisfaction and retention of everyone in your team, including you!

By following these steps, you can build a highly skilled and effective cyber team capable of protecting, defending and improving your security posture. If you are looking to build out your own team or would like any cyber recruitment or workforce planning support, get in touch with our team for a chat.

LEVEL UP: HOW TO TRANSITION INTO A SENIOR CYBER SECURITY ROLE

Mon, 01 Jul 2024 02:10:52 GMT

READ THE SNAPSHOT:

Transition into a senior cyber security role requires a multifaceted approach to ensure you have the right mix of skills to lead and develop a team.
Focus on enhancing both technical skills through specialisation and certifications, and soft skills such as leadership and communication.
Immersing yourself in the cyber security community is essential to growing your career, not just by attending events and connecting with mentors but also by seeking regular feedback from those in your network to develop your skills and knowledge.

How to Transition into a Senior Role in the Cyber Security Industry

Making the move from a mid-level to a senior role in cyber security involves a combination of skill enhancement, practical experience, and strategic career planning. “Time on the tools’’ or longevity at an organisation does not automatically equate to a senior title. Here are some things to assist you to make the transition to that coveted senior role:

Tailor Your Technical Skills:

When you’re looking to level up to a senior role, you want to ensure your technical knowledge is thorough and you’re up to date with the latest cyber trends and technologies.

Specialisation: Focus on a specific area within cyber security that aligns with your career goals. Broaden your knowledge in an area of cyber that you are really passionate about, to become a true SME.
Certifications: Obtain advanced certifications such as CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or ones specifically related to your field such as AWS Certified Security for cloud security experts.
Hands-On Experience: Engage in complex projects that require in-depth technical skills. Work on projects that align with your speciality such as implementing new security frameworks, conducting penetration testing, or developing incident response strategies.

Master the Soft Skills:

Technical knowledge alone isn’t enough to secure a senior position, soft skills are equally important . The further you venture up the ladder, stakeholder engagement will become commonplace, meaning you will be required to translate technical terms and methodologies to non-technical stakeholders across the business to outline importance and value of a project or activity.

Communication: Learn how to communicate complex technical concepts to non-technical stakeholders in a way that can be easily digested and so the importance and value to the project or business is understood.
Leadership: While you might not yet be in a senior role, it doesn’t mean you can’t start to take on the role of a leader. Develop your skills on the job, attend workshops or courses or share your knowledge and support junior members in your team by being a mentor. You will learn valuable lessons about guiding and leading people while enhancing the wider skills and capabilities of the team.

Gain Practical Experience

Utilise your in-house opportunities to gain practical leadership and advance skills experience by volunteering to work on additional projects or other initiatives to uplift the cyber posture of your organisation.

Project Leadership: Put your hand up to take the lead on sections of an internal project or take the lead on the entire project. Taking on a leadership role will be a great way to showcase your abilities when it comes time to step up.
Innovation: Propose and lead innovative projects, such as the implementation of new security technologies or the development of a security awareness program.
Cross-Department Projects: Where appropriate, put your hand up for opportunities to support or provide guidance to other teams highlighting your ability to work effectively and collaboratively across the organisation.

Immerse Yourself in the Community

In an industry that puts a lot of emphasis on community, networking is an essential component of your cyber security career. Getting involved will not only expand your network, but will also keep you updated on latest trends and initiatives.

Professional Associations: Get involved in local and national community events such as AWSN , AISA , ISACA and more. Volunteer to speak on a topic that you are passionate about, spread awareness via LinkedIn and social channels, letting people know that this is not just a 9-5 and that you are truly passionate about improving the cyber industry.
Online Presence: Maintain an active presence on professional networks like LinkedIn. Share insights, participate in discussions, and connect with industry leaders.
Mentorship: Seek out mentors for every stage of your career. Their guidance can provide valuable insights and open doors to new opportunities.

Grow & Improve With Feedback

At every stage of our careers, seeking feedback and taking this on board to improve is essential for growth and development. This is especially important when leveling up to a senior role.

Regular Reviews: Most organisations have a formal review process in place, but this can often be just between you and your manager. Cast the net wider, seeking feedback from your colleagues or other manager to get a thorough understanding of your strengths and areas for improvement.
Personal Development Plan: Create a personal development plan with specific, measurable goals for your career advancement. Regularly review and adjust your plan to ensure you’re on track to achieve your objectives.

Showcase Your Expertise

As you work through expanding your skills, knowledge and capabilities, it is essential to document your achievements and expertise. If you’re working on projects it’s useful to update your CV and LinkedIn profile once it has been delivered so the outcomes and achievements are fresh in your mind.

Quantifiable Achievements: Break each role in your CV down into Duties (5 bullet points) and Achievements (3-5 bullet points) – Emphasise cost savings, revenue generated, time saved and any other relevant measurable.
Relevant Projects: Include details of advanced projects you’ve worked on, focussing on YOUR individual duties and how it contributed to the wider project. Remember your CV is about your achievements, not that of the team.
Continued Learning: List any recent certifications, courses, or workshops that demonstrate your commitment to continuous improvement and passion for the industry.

Whether you’re looking to be promoted in your current organisation or you’re exploring opportunities with an organisation that aligns better with your career aspirations, levelling up to a senior cyber role requires a multifaceted approach to ensure you have the right mix of skills to lead a team.

HOW I FORGOT EVERYTHING I THOUGHT I KNEW ABOUT RECRUITMENT!

Mon, 03 Jun 2024 04:48:55 GMT

Coffess, Candidate Catch Ups and How I Forgot Everything I Thought I Knew About Recruitment!

Wow, what a ride this has been. I came into recruitment with some expectations on the role and what I’d be doing, and for the most part, I wasn’t wrong. What I failed to realise was just how much is involved in the wide world of recruitment.

When you think of recruiters, you expect that a job comes in, you call a couple of candidates, have a few coffees and BAM! Role filled, everyone’s happy. Well, it is sort of like that, though, it’s much, MUCH, more…..!

From the moment I stepped in the front door I was told “Forget everything you know about recruitment….” (admittedly not hard seeing as I knew very little!) “….and follow the process”. So, this became my life. ‘The process’, simple enough and offers a fallback for when I inevitably overthink, and it goes like this:

Set Up the Role [Brief the Role > Set up job > Job description > Job Ad]
Source candidates
Conduct interviews
Collate final CVs
Client Submission
Update systems.

Easy right? But then, how do you set up the job? How do you source the candidates? You’re telling me it doesn’t all fall into my lap?! Where’s the coffee come into the ‘process’?!

Setting up the Role:

Starting with the brief, setting up the role is pretty straight forward. Discuss the role (in depth, CANNOT stress this enough) with the Consultant I’m supporting. Then using this information, create a job description, including role descriptions, benefits, what the candidate will be doing, and the main requirements needed for success.

Once the job is set up and the JD (Job Description) created, we use this to write the ad. Then post the ad and wait for the candidates to roll in…. well, sort of...

Candidate Sourcing:

You will always have people applying for to role, which is a good start but to consider the role ‘sourced’ correctly, we break it down like this:

Long list of 50-70
Short list of 8-16
Interview 4
Submit 2

There will be some in the applied list that meet all the client requirements and clearances but where do the rest come from?!

We conduct an extensive search to find the right match. It’s a deep dive into Seek, LinkedIn, internal databases and our network. Then reviewing CV after CV after CV until your eyes blur!

Finally you pull together your long list, so now what?

Candidate Calling:

Time to put aside your awkwardness (well, at least I needed to) and CALL THE CANDIDATES. Phone call, after phone call, now you’re learning, you get a feel for which candidates live in the right location, which candidates are probably not the right fit and which ones are exactly who you need. You overcome the awkward beginning of calling people out of the blue, you work out the best ways to approach the calls and you make the TERRIBLE jokes and see how they ‘land’ (bit of pun, just wait...), like:

Candidate: “sorry if you can’t hear very well, I’m driving past the airport”

Me: “Oh that’s okay! I’ll try not make this call too ‘plane’ for you then!”

So, yeah, there’s that, anyway, now you’ve made you calls and worked out which candidates were probably not the right ones and which candidate’s tick the boxes to meet and explore further. Finally, coffee time!

You meet your shortlist candidates face to face, dragging along your consultant for the show. Grab a coffee and have a chat for 30 mins to dig deeper into their experience and suitability. Do these 4 to 6 times - it’s a lot of coffee! Take notes and whittle this list from 4-6 to 2. After hours and hours of briefings, sourcing, calls, interviews, you finally have the 2 candidates which you vouch for above all others. The candidates that you submit to our client for the role.

And how long does all this take? 1 week. That’s right! All the sourcing, calls, interviews, and finalising for 2 candidates takes 1 week. Meaning you really only get 2 days of sourcing, and you’d want to be calling candidates from day 1 as you really only have 2 days to interview before submissions.

In a nutshell, that’s the role. That’s recruitment. Was it what you expected? Like I said from the start, it’s probably exactly what you expected, just, much, much more.

So, you’re probably wondering, how do I do it? How I you stop myself from getting overwhelmed? How do I keep sourcing when I’ve looked at 100 CVs and no one ticks the boxes to be right for the role. How do I stop from panicking when it’s day 3 and your ‘long’ list is 16 people?

I follow the process. I simplify it, break it down. Eventually you start to work it out. You get a better understanding about who suits and who doesn’t.

This crazy whirlwind of emotion you go through, from banging your head against the wall trying to find the right candidates, to getting the PERFECT recommendation from someone and it all seems to fall into place. This crazy whirlwind you go through, day after day, week after week. But the strangest part of it all? I LOVE it. And I know that all I have to do is….

Drink a lot of coffee and follow the process.

COMMON SECURITY OPERATION CENTRES (SOC) OBSTACLES & SOLUTIONS

Mon, 06 May 2024 01:00:27 GMT

READ THE SNAPSHOT:

Security Operation Centres (SOCs) face ongoing obstacles which hinder effective threat detection and response, leaving organisations vulnerable to cyber threats.
Strategic solutions are required to address these challenges which include leveraging technologies and tools to automate tasks and streamline workflows, and investing in talent development through recruitment, training programs, and certifications to bridge the talent gap and enhance SOC capabilities.
Continuous adaptation is required to ensure consistency and efficiency in incident response efforts.

What Are Common Security Operations Centres (SOC) Obstacles? And How to Solve Them

Security Operations Centres (SOCs) serve as crucial bastions, defending organisations against the relentless onslaught of cyber threats. These teams are on the front lines, tirelessly monitoring, detecting, and responding to potential breaches. However, even the most vigilant SOC teams face challenges that can impede their effectiveness.

Here are some common obstacles and strategies to overcome them:

Alert Fatigue:

One of the most pervasive challenges for SOC analysts is alert fatigue. The constant stream of alerts inundating analysts, often littered with false positives, can desensitise them to genuine threats. As a result, critical issues may slip through the cracks unnoticed.

Solution: Embracing Security Orchestration, Automation, and Response (SOAR) solutions can be a game-changer. These innovative technologies automate routine tasks, such as triaging alerts and conducting initial investigations, allowing analysts to focus their attention on high-priority incidents. By leveraging SOAR, SOCs can streamline their workflow and enhance their ability to detect and respond to real threats swiftly.

Talent Gap:

The cyber security industry continues to grapple with a severe shortage of skilled professionals. Finding and retaining top-tier talent remains a significant challenge for many organisations, limiting their ability to effectively staff their SOC teams.

Solution: Cyber specific recruitment agencies such as us can help here. At e2 Cyber, we provide access to the best talent in the market to defend and improve your security posture . We also recommend fostering internal talent through robust training programs and certifications for internal employees who demonstrate interest in forging a cyber career. Alternatively, contemplate outsourcing select SOC functions to bridge the expertise chasm either ongoing or until you are able to secure the skills internally.

Data Overload:

In our hyper-connected world, the volume of security data generated by various systems can be overwhelming. SOC analysts are tasked with sifting through mountains of logs and alerts to identify potential threats, a task that can quickly become unmanageable.

Solution: Security Information and Event Management (SIEM) tools provide a powerful solution to the data overload problem. These platforms aggregate and analyse data from disparate sources, providing SOC teams with a centralised view of security events. By harnessing the capabilities of SIEM tools, organisations can gain valuable insights into their security posture and quickly identify and respond to emerging threats.

Lack of Standardised Processes:

Inconsistencies in processes and procedures can lead to inefficiencies and errors during incident response efforts. Without clear guidelines in place, SOC teams may struggle to coordinate their activities effectively.

Solution: Establishing and enforcing Standard Operating Procedures (SOPs) is essential for ensuring consistency and efficiency within the SOC. These SOPs should outline protocols for incident detection, analysis, and response, providing a framework for SOC analysts to follow. Regular review and refinement of SOPs are necessary to keep them aligned with evolving threats and organisational needs.

Evolving Threats:

Cyber adversaries are constantly evolving their tactics and techniques, presenting a moving target for SOC teams. Staying ahead of emerging threats requires proactive measures and continuous vigilance.

Solution: Integrating threat intelligence into SOC operations is crucial for staying abreast of evolving threats. By leveraging threat intelligence feeds and conducting regular threat hunting activities, SOC teams can identify and mitigate potential risks before they escalate into full-blown incidents. Collaboration with industry peers and information sharing initiatives can also enhance threat awareness and resilience.

While SOC teams face multiple challenges in their efforts to protect organisations from cyber threats, proactive measures and innovative strategies can help overcome these obstacles. By investing in the right technologies, talent, and processes, organisations can strengthen their security posture and mitigate the risks posed by cyber adversaries. A robust SOC is not just a line of defence; it is a strategic investment in safeguarding business continuity and preserving customer trust in an increasingly digital world.

Looking to secure your digital frontline? Chat with us about how we can secure the talent to protect your business.

AISA CYBERCON CANBERRA 2024 WRAP

Tue, 09 Apr 2024 01:41:48 GMT

A snapshot of CyberCon from a local Canberra recruiters view.

I skipped the tech workshops on Monday morning to attend at the Australian Women in Security Network (AWSN) breakfast. I got to meet and greet with a room full of enthusiastic and motivated cyber professionals from all over Australia which was a great way to kick off 3 days of networking. After a piccolo and eggs, I found my lanyard, took a mandatory photo with the CyberCon sign and off we went to begin the day.

After the welcome to country, newly appointed National Cyber Security Coordinator Lieutenant General Michelle McGuiness addressed the room with her thoughts and perspective on the up-and-coming cyber industry and some of the real battles we face in our industry. From here I moved on to the exhibitors and went stall by stall, learning, talking, grabbing free merch, followed by some more talking. By the time I looked at my watch it was nearly 5.30pm and the day was gone!

Wednesday started the same way Tuesday finished, networking and talking. I listened to Dirk Hodgson from Cognito Digital present on digital twins which was super interesting to hear the use of digital twins in real world situations. I then went on to hear Ben Doyle deliver an excellent, interactive chat about being a CISO for 20 years with my key take away being “look after your mental wellbeing” in a highly stressful environment.

In my opinion, if you’re considering the investment in a cyber conference, CyberCon provides a great balance of interesting and thought-provoking topics and lots of networking opportunities. I loved the networking, meeting and seeing all the people that share a common focus of improving our cyber industry and cant wait for Melbourne, 26-28 November .

EMPOWERING WOMEN IN CYBER SECURITY: INSIGHTS FROM INDUSTRY LEADERS

Mon, 04 Mar 2024 01:55:16 GMT

READ THE SNAPSHOT:

We asked women across the cyber security industry to answer the following question: “What words of wisdom do you have for women starting their cyber security career?”
Common themes were found in their responses, incorporating community, networking, learning and believing in oneself.
By supporting and championing each other, we can create a diverse and inclusive industry that welcomes all newcomers keens to safeguard the digital landscape.

Insights from Female Cyber Industry Leaders

To celebrate International Women's Day , we asked women across the cyber security industry for their words of wisdom to share with those embarking on a cyber career . Their insights resonate with strength, resilience, and a deep commitment to fostering a supportive community.

Let Your Cyber Enthusiasm Shine

Genuine love for cyber security drives one's journey and is crucial for success and fulfillment in the field. It transcends merely finding a job, infusing your journey with purpose and driving you forward, especially when faced with challenges. It sustains motivation, turning obstacles into opportunities for growth and innovation.

Whether seeking mentorship or becoming a mentor, cultivating enthusiasm fosters continuous learning and drives progress within the industry. It's this shared passion among professionals that propels cyber security forward, leading to groundbreaking advancements and a meaningful impact in safeguarding digital landscapes.

Champion Continuous Learning

In the fast-paced world of cybersecurity, embracing continuous learning is essential for success. As echoed by industry professionals, staying updated with the latest trends and technologies is paramount. Don't hesitate to ask for help and seek opportunities to upskill yourself. Remember, knowledge is power, and in cyber security, it's the key to staying ahead of the curve. The field is ever-evolving, demanding adaptability and a hunger for knowledge. Seeking guidance and staying updated with the latest trends are crucial steps toward success.

Build a Supportive Cyber Network

Navigating the cyber industry can be daunting when you first start, but you don't have to go it alone. Finding a supportive network of peers and mentors is crucial for both personal and professional growth. Whether through networking events, online forums, or professional organisations, connecting with others in the field can provide invaluable guidance and encouragement. Together, we can lift each other up and create a more inclusive environment for all.

Cultivate Confidence and Resilience

Confidence is not always easily achieved, especially in a male-dominated field like cyber. However, it's essential to believe in yourself and your abilities. Recognise the value of your unique perspective and skills, as they are invaluable assets to the industry. Women, in particular, may wrestle with imposter syndrome despite their expertise, but it's essential to acknowledge and trust in one's worth and skills. Diversity is key to strengthening cyber security, contributing a distinctive viewpoint that enriches the field.

We mark International Women's Day with our commitment to championing women in cyber security, fostering a culture of support, empowerment, and inclusivity. Together, we can pave the way for a brighter future where every woman, and every person, feels valued and empowered. Recognising that collaboration and support are integral to success in this field, engaging with peers, attending events, and participating in discussions not only enriches knowledge but also cultivates connections that endure over time.

HOMELABS: CYBERS SECURITY'S SECRET WEAPON FOR SKILL ENHANCEMENT & CAREER DEVELOPMENT

Mon, 05 Feb 2024 01:53:31 GMT

READ THE SNAPSHOT:

Homelabs close the gap between theoretical knowledge and practical, hands-on experience in the professional world.
Regardless of the specific cyber path you take, homelabs are portrayed as a universal tool to showcase a love for learning and the cyber industry.
Homelabs take several forms including a home server, virtual environments, or online platform subscriptions. Whichever you use, the key is demonstrating a commitment to understanding the technical aspects of cyber.

How Homelabs Enhances Cyber Skills & Develop Your Career

In the constantly changing cyber landscape, staying ahead of the curve is essential. Your resume may boast a comprehensive list of cyber qualifications, but how do you demonstrate your practical knowledge and passion for continuous learning? This is where homelabs come into play, bridging the gap between theoretical knowledge and hands-on experience that could make all the difference in your cyber career journey.

Beyond the Binary: Homelabs for All Cyber Career Paths

Even if your career path doesn't tread the technical terrain, homelabs showcase a love for learning that is universally recognised. Take Governance, Risk, and Compliance (GRC) professionals, for example. While their focus may not be on coding or network configurations, a homelab demonstrates an eagerness to delve deeper into the intricacies of their field. It's about understanding the practical application of frameworks, transcending the theoretical knowledge confined within textbooks or training sessions.

Cost-Effective Cyber Security Mastery: Demystifying Homelab Myths

Contrary to popular belief, an effective homelab doesn’t have to break the bank. The emphasis lies in creating an environment that reflects your commitment to learning the technical aspects of cyber. The misconception that homelabs need to be expensive or resemble sophisticated laboratories is debunked by the reality that they can take various forms. Whether it's a home server, a virtual environment, or simply a subscription to an online platform, the key is to demonstrate a commitment to understanding the technical facets of your profession.

Hacking Wisdom: Online Platforms for Cyber Security Mastery

For those venturing into technical cyber security roles, explore the immersive world of platforms like HackTheBox or TryHackMe . Subscriptions to such services offer an interactive and engaging way to hone and sharpen skills. They also signal to employers your dedication to mastering the intricacies of cyber security and your passion for the industry as a whole and it sends a powerful message to prospective employers that you care about technology, and you have a tangible way to prove it.

Securing Your Future: Embrace the Benefits of a Homelab

Whether you're a budding ethical hacker or a compliance specialist, incorporating homelabs into your routine can be the game-changer that propels you to new heights in the dynamic world of cyber security. By investing time and effort into creating your homelab, you showcase a proactive approach to learning and adapting to the ever-changing demands of the industry. It's not about the expense or complexity; it's about the dedication to your craft and the tangible proof you can present to potential employers.

It might just be the catalyst that propels you into new and exciting opportunities, where your hands-on experience sets you apart in a crowded job market.

SECURING THE FUTURE: A RECAP OF 2023 CYBER SECURITY INITIATIVES

Mon, 18 Dec 2023 04:10:43 GMT

READ THE SNAPSHOT:

There has been multiple efforts made by the government in 2023 towards fortifying the Australian digital landscape.
The 2023-2030 Australian Cyber Security Strategy was launched in November, setting our nation up with six cyber shields to fortify national defence, emphasising the protection of citizens and businesses.
The collaborative efforts between the public and private sectors, investments in education and training, protection of critical infrastructure, and the embrace of emerging technologies collectively position Australia as a resilient and proactive player in the global cyber security landscape

2023 Cyber Security Initiatives Recapped

As we wrap up 2023, we wanted to reflect on the efforts the Australian Government has made towards in fortifying its digital landscape. The cyber security initiatives undertaken throughout the year have played a pivotal role in safeguarding our nation against the ever-evolving threats lurking in cyberspace.

Essential Eight Maturity Model

The Essential Eight Maturity Model (E8MM) is an annually updated framework by the Australian Signals Directorate (ASD) aimed at providing contemporary, purposeful, and practical cyber security advice. It assists businesses in safeguarding their internet-connected IT networks against common cyber threats. The updates are influenced by cyber threat intelligence, feedback from government and industry, insights from penetration tests, Essential Eight implementation assessments, and responses to ASD's annual cyber survey. The latest update emphasises areas such as balancing patching timeframes, promoting the use of phishing-resistant multifactor authentication, managing cloud services, and enhancing incident detection and response for internet-facing infrastructure.

Australian Signals Directorate Releases 2023 ASD Cyber Threat Report

The Australian Signals Directorate (ASD) has released its fourth ASD Cyber Threat Report , detailing the escalating frequency, cost, and severity of cyber threats in Australia. The report highlights a 30% increase in reported cyber security incidents affecting critical infrastructure during the 2022-23 financial year, with compromised accounts, assets, and denial of service attacks being major contributors. The same period saw a 23% rise in cybercrime reports, averaging one every 6 minutes and businesses experienced a 14% increase in cybercrime costs. The report includes comprehensive insights into the current cyber threat landscape and provides guidance, services, and uplift programs to enhance cyber security across Australia.

2023-2030 Australian Cyber Security Strategy

In November the Australian Government launched the 2023-2030 Australian Cyber Security Strategy , envisioning Australia as a global cyber security leader by 2030. The strategy introduces six cyber shields to fortify national defence, emphasising the protection of citizens and businesses. These shields include strengthening businesses and citizens, ensuring safe technology, fostering world-class threat sharing, safeguarding critical infrastructure, promoting sovereign capabilities, and cultivating a resilient region with global leadership. The strategy shifts the focus from a technical perspective to a holistic national effort, fostering public-private partnerships. The accompanying 2023-2030 Australian Cyber Security Action Plan details initiatives for the next two years, starting with Horizon 1, concentrating on strengthening cyber security foundations through collaboration between government and industry, ultimately aiming to enhance cyber resilience for a swift recovery post-cyber attacks.

Final Thoughts

The collaborative efforts between the public and private sectors, investments in education and training, protection of critical infrastructure, and the embrace of emerging technologies collectively position Australia as a resilient and proactive player in the global cyber security landscape. However, the ever-evolving nature of cyber threats necessitates a continuous commitment to innovation, adaptation, and international cooperation to ensure a secure digital future for the nation. Chat to our team if you're interested in chatting through these initiatives further.

AISA CYBERCON 2023 WRAP

jacob@emanatetechnology.com.au (Jacob Bywater) — Tue, 31 Oct 2023 22:18:57 GMT

A Review of AISA CyberCon 2023

WOW. I don’t know how I am supposed to cover our experience at the 2023 AISA Cyber Conference in words but I’m going to give it go!

Amelia, Tom, Ben and I, the entire e2 Cyber Warriors’ Team , have never been to this event before so in some ways, we didn’t have anything to compare to. But it far exceeded the expectations any of us had before we walked into a sea of passionate cyber professionals and advocates.

Tuesday was an early start for both Amelia and I flying into Melbourne from our respective cities. Once we rounded up Ben and Tom from the Melbourne office, we were on route to the Exhibition Centre. After signing in, we made our way to listen to Leanne Ngo speak about reimagining cyber security education and closing the skills gap. Key takeaways was the benefits of organisations collaborating with education institutions and the importance of promoting human skills in the industry.

After a parmi (yes parmi not parma – a hot debate amongst the team) we heard Nickleby Thane’s overview of the Aviation ISAC and how it protects our skies from cyber threats before listening to Colin Smith deliver a highly entertaining presentation on “Is Pen Testing a Scam?”. Key takeaways from this session was to focus on the business context, and if the risk is even an impact for business or is it raised because the cyber person thinks it’s a risk. He still didn’t answer the question though!

After a stroll through the extensive exhibitors and bumping into old and new friends, we rounded out our day with a cheeky burger and beer in preparation for Wednesday.

The biggest of the 3 days by far, Wednesday required caffeine and a divide-and-conquer prep talk for who was attending which sessions. Dan Maslin and Nick McKenzie delivered a great presentation on how Monash University has implemented the Bug Crowd tool with some very confronting real-world statistics and numbers. We landed back at the pub for lunch (sadly no parmi’s today) and then into the exhibition area to learn more about what is happening in the industry.

After a bag full of merch and some great conversations, we caught Glen Wither’s session on the human factors. He highlighted how social factors play a significant role in cyber security as they influence human behaviour and decision-making. The key takeaway was that the most important solution to reduce human risk is understanding your own organisation, with a great importance on the social factors to ensure you are one step ahead of the attackers. We followed this up with Colin Howe’s very interesting session on the psychology of cybercrime.

The keynote address was delivered by Olympic Gold Medallist Cathy Freeman and Tony Armstrong. Inspiring on so many levels, they covered topics such as work ethic, commitment, resilience and determination all being factors to their individual success. After a few cold drinks in the exhibition area, we headed off to the Block Party. This was crazy, a whole street closed off for the cyber community to eat, drink, dance and let our hair down. I had great conversations with people who inspire me in the industry (no names to keep egos under wrap – haha!) and got to finally meet a candidate I placed in his first role many years ago, having never met due to geographical challenges!

My Thursday alarm was “snoozed” a few times but with Chris Hadfield giving the keynote address, I secured a decent seat for the 9am start. For those who don’t know, Chris Austin Hadfield is a Canadian retired astronaut, engineer, fighter pilot, musician, and writer. The first Canadian to perform extravehicular activity in outer space (quote from Wikipedia). Pretty cool!

The “cyber wiggles” delivered a great view of what their personal experiences were moving into the cyber field, the challenges they faced and how they overcame them. Ben and Amelia begged to give “FIVE GUYS” burgers a go so that sorted us for lunch and then we finished the day with some chance meetings and a team pow wow.

After all of that, a delayed flight back home and a caffeine crash, let’s just say Friday was a slow day!

On reflection, we met some incredibly inspiring people, learnt more in 3 days then I have since I left school, and we truly experienced and enjoyed what the cyber industry is all about, PEOPLE. AISA knows how to put on an event and for anyone who didn’t get to the event in 2023, I’d suggest you don’t miss your chance in 2024!

I’ll definitely see you there ��

CRACK THE CODE TO CYBER INTERVIEW SUCCESS

Thu, 28 Sep 2023 03:29:13 GMT

How to Interview Successfully for a Cyber Security Job

In today's fast-evolving and dynamic cyber job market , a strong interview is crucial to securing your next cyber career move. Going beyond your qualifications on paper, the interview allows employers to assess your fit for both the role and organisation. It provides an opportunity for you to not only showcase your cyber skills, but also your personality, and enthusiasm for the role, which can make a significant difference in securing the offer. These strategies and tips will help you shine in your next interview.

Research, Research, Research

Thorough research is the foundation of interview success. To stand out in the cyber market, you need to demonstrate a genuine interest in both the company and cyber industry overall:

Crack the code on their mission, values, and culture.
Decrypt their recent achievements and challenges.
Analyse the role you're interviewing for and the required cyber skills.

Use this intelligence to tailor your responses during the interview, revealing that you've done your cyber security homework and are genuinely enthusiastic about the opportunity.

Resilience and Adaptability

With ongoing changes to cyber security and the continual threat of attacks, employers seek candidates who can weather the digital storm and adapt to evolving threats. Be prepared to share stories that showcase your ability to thrive in challenging cyber situations. Discuss how you've thwarted cyber adversaries, pivoted in the face of emerging threats, and contributed to your previous organisations' cyber security defenses.

Answer SMARTly

When replying to technical questions, use the SMART methodology : Specific, Measurable, Achievable, Relevant, and Time-bound. Be specific and concise, using measurable metrics to quantify your achievements. Explain how you reached your solutions to demonstrate problem-solving skills. Keep your responses relevant to the question, ensuring you don’t “waffle”. Finally, add a time dimension to show practical application. This structured approach will impresses potential employers and best showcase your technical skills.

Transferable Skills

As cyber threats evolve, you may find yourself applying your skills and expertise in different industries. Highlight your transferable skills – those digital competencies that transcend industries. These might include threat analysis, incident response, penetration testing, or cyber strategies. Emphasise how your cyber skills can fortify the prospective employer's digital defenses, regardless of your previous cyber battlegrounds.

Address Employment Gaps

Be ready to explain any employment gaps candidly and positively. Discuss how you've utilised time between roles to fortify your skills through certifications , workshops or ethical hacking practice to enhance your cyber security prowess.

Cultivate Your Growth Mindset

In the job search battlefield, a growth mindset is a potent weapon. Use the interview to showcase your unquenchable thirst for cyber knowledge and your commitment to fortifying digital defenses. Share instances where you've actively sought out new cyber skills through training or certifications, attended conferences, tackled advanced cyber threats, or embraced feedback to bolster your cyber prowess.

Cyber Inquisition: Ask Thoughtful Questions

At the conclusion of the cyber interview, you'll have the opportunity to deploy your strategic thinking. Ask thoughtful questions about the company's cyber resilience plans , how they are safeguarding their digital assets, and how the role you're vying for contributes to their long-term cyber strategy. This demonstrates your commitment to safeguarding the digital realm and your forward-thinking approach.

Interviewing in a dynamic market is an opportunity to demonstrate your cyber resilience, adaptability, and value as a cyber security guardian. By conducting thorough reconnaissance, showcasing your skills and mastering your SMART responses, you can position yourself as a standout cyber candidate. Remember that the right cyber opportunity is out there, and with the right preparation, you can defend the digital realm and emerge as a cyber champion in your career. Secure your future with these cyber insights or read more job search advice here . Good luck, cyber warrior! And remember if you have any questions, get in touch with a member of our team to chat .

CONTRACTING VS PERMANENT ROLES: NAVIGATING YOUR CYBER CAREER

Mon, 04 Sep 2023 22:00:01 GMT

READ THE SNAPSHOT:

While traditionally we see permanent cyber roles offered at either end of the career spectrum (junior, SOC and leadership roles) there is still opportunity for both contact and permanent roles across all cyber domains.
Permanent engagements offer stability, benefits, and long-term career prospects, while contract roles provide flexibility, diverse experiences, and the potential for higher income overall.
Understanding the differences between each engagement assists cyber professionals to make informed choices that suit their unique circumstances and aspirations.

The Difference Between Cyber Security Contracting and Permanent Jobs

As a cyber professional in today’s dynamic market, there a variety of employment options available to you. The two main choices are between contract or permanent roles with both offering unique advantages and considerations. Understanding the differences between them is crucial for making informed career decisions. While traditionally we see permanent cyber roles offered to junior professionals, Security Operations Centre (SOC) roles and cyber leadership opportunities , and contract opportunities more for cyber engineers , cyber architect and GRC roles , there is still an abundance of both permanent and contract opportunities across all cyber domains .

Here we outline the differences between contract and permanent roles and highlight the factors to consider when navigating your cyber career.

Employment Engagement

The most obvious distinction between contract and permanent roles is the actual nature of employment engagement. A permanent role refers to an ongoing, long-term position within an organisation. These typically include job security, employee benefits, and entitlements, such as personal and annual leave, long service entitlements plus professional development opportunities to advance your cyber career and progress within the organisation. In comparison, a contract role is a temporary engagement for a specified duration or project. Contractors are typically engaged to execute specific tasks or project work which can advance your cyber skillset across a variety of industries. In lieu of the employment benefits their permanent counterparts enjoy, contractors are offered a higher daily rate as compensation .

Employment Duration and Flexibility

Permanent roles are intended to be ongoing and long-lasting, with no defined end date where there can be opportunity to progress through the ranks. Alternatively, contract roles have a predetermined duration, sometimes with the potential of extensions given the nature of the project. Cyber contracts can range from several months to a year or even several years, depending on the requirements of the project or assignment. For employers, a contract engagement allows greater flexibility to adapt to changing business needs, while for contractors the flexibility of a contract give the opportunity to explore diverse projects, gain experience across multiple industries, and have the freedom to choose when and where they work.

Job Security

The security of your position is an important consideration when comparing contract and permanent roles. As a permanent employee you generally enjoy a higher level of job security as it includes more stable income and employment without an official end-date. In contrast, contract roles are temporary and hold a certain level of uncertainty. Contractors are engaged for specific projects or periods, and in most cases employment ends once the contract is completed. Notice periods to end an engagement are much shorter than in a permanent role and the eventuality of a project can be tied to factors such as funding which can be unpredictable. Contractors may find consistent work by securing successive contracts, in particular those that partner with a recruitment agency , however there is typically no long-term guarantee of stability.

Compensation and Benefits

Compensation and benefits vary significantly between contract and permanent roles. Permanent employees receive an annual salary along with additional benefits such as paid leave entitlements, long service leave accruals, training and development opportunities and funding, and in some instances, career progression and succession planning. These benefits provide a sense of security and stability in addition to progressing your cyber career.

On the other hand, contractors are typically paid on an hourly or daily rate. These rates tend to be higher than their permanent colleagues, tied to specialised skills or project-specific expertise, and the deadline driven nature of the engagement. However, as part of their higher rate Contractors are responsible for managing their own benefits and financial obligations including income tax, superannuation and long service entitlements. Some recruitment agencies such as e2 Cyber offer contracting services to ensure you meet all the legal requirements and enjoy benefits such as salary sacrificing and access to training platforms.

Career Development and Advancement

As outlined within benefits, permanent roles often provide more structured career development opportunities. Permanent employees can have access both internally or be offered a budget to participate in training programs, mentorship, and career progression planning. This allows them to build long-term relationships, develop expertise, and advance their careers within the company. In comparison, contractors may have less access to formal career development programs, as their focus is primarily on delivering specific outcomes. However, contractors can leverage their diverse experiences to build a broader skill set and expand their professional network, which can open up new opportunities for future contracts or permanent roles elsewhere.

Practical Comparison: Cyber Security Architect Role

To give you a good understanding of how a permanent and contract engagement would differ for a cyber security opportunity, we’ve broken down a Cyber Security Architect role based on the current market:

While comparatively there’s a $120k up-front difference in salary between the permanent role and the contract, the contract role is only guaranteed for 6 months of the year. When you factor in paid leave entitlements and training access, the financial gap between the opportunities reduces. In this example, regardless of engagement type, you would want to drill down into the type of organisation you are joining, whether you will be working with colleagues that can support your career development as an unofficial mentor and if you’re working on a project that could unofficially advance your skillset and therefore your career.

The differences between contract and permanent roles are significant and should be carefully considered when making career decisions. While permanent roles offer stability, benefits, and long-term career prospects, contract roles provide flexibility, diverse experiences, and the potential for higher income overall. To decide which engagement type is better for you and your career, carefully evaluate your priorities, risk tolerance, and career goals. And while one engagement type might suit one stage of your career, cyber expertise or lifestyle, it’s not necessarily always going to be the same! Preferences can change over time, seeing you transition between contract and permanent roles at different stages of your career. Entry level roles are more likely to be permanent opportunities where you can grow and develop with the support of a mentor. Mid level roles and having a project work focus could see you move into contract work while moving up the cyber ladder to a more experienced senior role could put you back into leading a team in an ongoing opportunity. Ultimately, being aware of the distinctions empowers individuals to make informed choices that suit their unique circumstances and aspirations.

SECURE THE CYBER LEADERSHIP ROLE: KEY INSIGHTS FOR SUCCESS

Fri, 01 Sep 2023 03:05:47 GMT

READ THE SNAPSHOT

At the senior cyber level, it’s important to shift focus from job titles to responsibilities, aligning your skills with business goals.
Craft a compelling CV that highlights leadership, team management, and project outcomes, emphasising results and contributions to business growth. And don’t forget to showcase your passion for the cyber industry by including your certifications.
Tailor interviews and build relationships. Customise examples to match the position, ask relevant questions, and cultivate connections with recruiters to position yourself for future opportunities.

How to Secure a Cyber Leadership Role

Recently I’ve working with a number of clients and candidates on various senior cyber positions and have gained some valuable insights from a hiring perspective. If you're a senior candidate or manager looking to excel in the cyber job market, there are some essential considerations that can significantly boost your success in securing your next career move.

Shift the Focus from Titles to Responsibilities

Rather than focus purely on job titles, it's crucial to shift your focus to the actual responsibilities and tasks involved in the role. Whether you've been a CISO, Director, or Head of Cyber, the underlying duties often overlap. Align your skills to effectively address the core business goals and challenges associated with the role.

Craft an Impactful CV

Creating an impactful CV is essential for senior cyber professionals. Highlight not just your leadership roles, but also your adeptness in team management , budget oversight, and project outcomes. Provide clear details about the projects you've led, including goals, team size, budget, and timeline. Equally important is showcasing results: Did you achieve set goals? Were projects completed on time and within budget? Did your team's work contribute to business revenue?

Tailor Examples During Interviews

While senior candidates often have varied cyber experience across roles, it is important to tailor your examples to the position you're applying for. Stay on point and avoid sharing irrelevant or vague stories. Directly relate your examples to the role requirements, demonstrating a solid understanding of its requirements and how your past experiences align.

Prepare Relevant Questions

Come prepared with 3-5 relevant questions about the role. Tailor your questions to expectations, business goals such as "What are you trying to achieve? What are the business objectives to be delivered?". Show a keen interest and enthusiasm for the company you are interviewing with and what they are trying to achieve.

Cultivate Relationships with Recruiters

Considering the senior nature of your role, job opportunities might not be as abundant as those for junior cyber candidates. Building relationships with recruiters is valuable, especially cyber specialists like us , even when there are no immediate openings. Proactively connect with recruiters and meet with them in person or virtually to have a conversation about your preferences and career goals. Maintaining these relationships increases the chance of being considered when suitable opportunities arise in future.

Leverage Cyber Security Certifications

In the realm of cyber security, particularly for managerial roles, relevant certifications set you apart, demonstrating your passion and commitment to the industry. Noteworthy certifications for cyber managers include Certified Information Systems Security Professional (CISSP) , Certified Information Security Manager (CISM) , Certified Cloud Security Professional (CCSP) , ISO27001 Lead Auditor , and NIST NCSP . Alongside this any focused technical certifications that delve into areas such as Cloud, SIEM and other areas of tech can be valuable. Some popular certifications would be any public cloud security certifications such as AZ-500 or AWS Certified Security.

Thorough Research is Key

Although you might be experienced in interviews with 5-10+ years of experience under your belt, don't become complacent. As a senior candidate with substantial experience, invest time in researching the company and the hiring manager. Thorough preparation is crucial for success.

Close the Interview Strongly

Before the interview wraps up, make sure to inquire about the feedback timeline and the next steps in the hiring process. Be direct with your questions - "How long should it take to get feedback on today’s interview?" and "What are the next steps in the process?". This ensures you leave the interview with a clear understanding of the process and your performance.

The job hunt can be challenging regardless of experience levels. By following these leadership insights , it will certainly enhance your chances of finding and securing your next role. At the cyber leadership level and looking to chat about your next steps? Reach out to any one of our team for a chat.

ELEVATE YOUR CAREER: ENTRY LEVEL NETWORK SECURITY CERTIFICATIONS

Mon, 31 Jul 2023 02:28:57 GMT

READ THE SNAPSHOT

The Network Security Engineering market is rapidly growing, with 5,200 jobs currently listed on Seek Australia wide.
If you are serious about a career in network engineering, we highly recommend that you earn one or more of the certifications listed in the blog to maximise your career opportunities.
When choosing a certification, you should consider both your career goals and your interests.
At e2 Cyber we’ve found the CCNA holds the greatest weight in the Australian market with 40% of Engineers holding a CISCO certification according to LinkedIn.

Certifications Recommended for Entry Level Network Security Professionals

The Australian Network Security Engineering market is rapidly growing, causing very high demand for qualified Network Engineers . There are currently 5,200 jobs Australia wide listed on Seek with opportunities across the country. If you are interested in a career in network engineering , there are multiple certifications that you can earn to improve your chances of getting a job.

In this blog post, we will discuss the best certifications for entry level network security engineering jobs in Australia. We will also provide some tips on how to choose the right certification for you.

There are numerous accreditations that are considered to be valuable for entry level network security engineering jobs in Australia. Some of the most popular certifications our clients highlight they look for in the perfect candidates include:

Network Specific Certifications

Cisco Certified Network Associate (CCNA): The CCNA is a foundational certification that covers the basics of networking. It is a good starting point for anyone who wants to learn about networking or who wants to start a career in network engineering.

HPE Aruba Certified Associate - Mobility (ACMA): This certification is designed for individuals who are new to networking and who want to learn about Aruba wireless networking. The ACMA covers the basics of wireless networking.

CompTIA Network+: The Network+ is another foundational certification that covers the basics of networking. It is similar to the CCNA and ACMA, but it is not as vendor-specific. Learn more or register now with a 15% discount using our partnership link here .

Juniper Certified Network Engineer (JNCIA-Junos): The JNCIA-Junos is a certification that is focused on Juniper networks. It is a good option for people who want to work with Juniper networks or who want to specialise in Juniper networking.

Red Hat Certified System Administrator (RHCSA): The RHCSA is a certification that is focused on Red Hat Linux systems. It is a good option for people who want to work with Linux systems or who want to specialise in Linux administration.

Firewall & Security Specific Certifications

Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET): This certification is for entry-level cybersecurity professionals who want to learn about Palo Alto Networks firewalls.

Cloud Network Specific Certifications

Designing and Implementing Microsoft Azure Networking Solutions (AZ-700): The AZ-700 is a certification that is focused on Azure. It is a good option for people who want to work in cloud environments or who want to specialise in Azure.

How to Choose the Right Certification for You:

When choosing a certification, it is important to consider both your career goals and your interests. Some of these certifications are very vendor specific, but often skills are transferrable between different networks. At e2 Cyber we’ve found the CCNA holds the greatest weight in the Australian market with 40% of engineers holding a CISCO certification according to LinkedIn. We also find most client’s employee CISCO or HP Networks.

Here are some factors to consider when choosing a certification:

Your career goals: What do you want to do as a network engineer? Do some research on the different vendors and find out which you want to work with; Cisco networks, HP networks, or other systems?
Your interests: What are you interested in learning about? Do you want to learn about the basics of networking, or do you want to specialise in a particular area?

The best certifications for entry level network engineering jobs in Australia vary depending on your career goals and interests. However, the certifications listed above are all valuable and can help you improve your chances of getting a job.

If you are serious about a career in network engineering, we highly recommend that you earn one or more of these certifications. They will demonstrate your skills and knowledge to potential employers and help you get your foot in the door. If you are still unsure on which is the right path for you, reach out to a member of our team to chat through your interests and career goals for advice that is specific to your situation.

ACCELERATE YOUR CAREER: JUNIOR CYBER SECURITY CONSULTANTS

Wed, 31 May 2023 00:32:41 GMT

How to Navigate Challenges as a Junior Entering the Cyber Security Field

You’ve decided a professional career in cyber security is the way to go. Whether you are creative, enjoy working in the back end, or love being in front of people chatting away, you’ve chosen a field that can facilitate endless pathways and growth opportunities!

Kickstarting your career in the evolving world of cyber security can pose its challenges. To ensure the best chance at success, you need to have a focused plan. These tips will help you navigate through the initial hurdles and set yourself up for success:

Embrace the Learning Curve:

It’s true, cyber security is an evolving and complex field that requires continuous learning. You won’t know all the answer right away and that’s completely fine! Take the opportunity to embrace the learning, soak up all the knowledge you can whether that’s through online courses, tutorials, books, and industry forums. Develop a solid foundation while building your expertise step by step.

Home Lab Practice:

While you may not have professional experience yet, you have to start somewhere. Think about creating a virtual home lab to gain hands-on experience. By setting up your own network, testing out what are security tools and how they work and practice different scenarios, this will only help your technical skills and will also show hiring managers that you are going that extra mile to stand out.

Volunteer and Collaborate:

This is a point that I see quite a lot of people miss. Look for volunteer opportunities or ways that you can collaborate on cyber security projects with like-minded people. There are non-profit organisations, open-source projects that welcome juniors to jump onboard. This will help you gain practical experience, expand your network, expose yourself to new challenges and boost your confidence.

Stay Informed:

Keep yourself up to date with the latest trends, news, and advancements in the cyber security field. Follow industry influencers, subscribe to cyber blogs , and participate in webinars and online communities. Staying informed not only showcases your passion but also helps you with valuable knowledge to discuss during interviews and networking opportunities.

Network, Network, Network:

Networking is crucial in any industry, and cyber security is no exception! Attend industry conferences , virtual seminars, join professional organisations, and engage with cyber security experts on platforms like LinkedIn. Building connections can lead to mentorship opportunities, job referrals, and valuable insights into the industry. Don't be afraid to reach out and connect with experienced professionals who can guide you along your journey.

Soft Skills Matter:

While technical skills are essential in cyber security, don't underestimate the value of soft skills . Showing you can effectively communicate, problem-solving, and have the capacity to work well in teams are highly sought after qualities. Focus on these skills alongside your technical skills, as they will set you apart as a well-rounded professional.

Connect with a Specialist Cyber Recruiter:

We might be a little biased, but when you work with a team like e2 Cyber , you will have someone who, in addition to you, will champion your career. Specialist recruiters understand not only the way the recruitment process works, but also the nuances within your industry. They will have all the skills and connections to guide and support you on all of the above points and more!

Remember, your journey as a junior entering the cyber security field may have obstacles , but every challenge gives an opportunity for growth. Be persistent, stay focused, and don’t take discredit or overlook the available resources around you to enhance your knowledge and skills.

WHY WORK WITH A CYBER SPECIALIST RECRUITER

Thu, 27 Apr 2023 05:57:43 GMT

Benefits of Partnering with a Specialist Cyber Security Recruitment Agency

Finding A+ cyber security skilled people is HARD! No doubt about it. With the recent surge in cyber improvements for business, you need people to do the work and when the roles are coming out faster than the candidate pool is growing, the competition to hire and retain people is extreme. Similarly, when you are looking for a job, the current markets nationally are flooded with opportunities BUT that doesn’t mean that you should consider all of them. We break down the benefits of partnering with cyber security recruitment specialists such as e2 Cyber for both businesses and candidates.

Why should businesses work with a specialist cyber recruiter?

As a business trying to compete for talent at all levels, there are some key things we believe you should do to give yourself the best chance to secure the right person.

Plan – “if you fail to plan, you plan to fail” which is so true for a recruitment round. You must be clear on absolutely everything. This includes commitment, budgets, process, EVP, timing, the list can go on. When executed properly a strong recruitment plan typically lands the right person for the role.

Speed – when candidates have multiple offers/interviews happening, speed to make decisions and run a process is vital. This comes back to planning but make sure your process isn’t prolonged as the longer it takes, the more likely the candidates will consider other opportunities and may be thinking you’re not that interested in them, losing the “excitement” for the role.

Be competitive – this goes for all areas of your business, but when people are considering a new role and comparing against current role or other roles, the main areas the majority consider is money, benefits, flexibility and the actual work/purpose of what they do. We have seen companies do these things well and seen the opposite too. Companies that see the recruitment process as a competition and at times “war on talent” typically win. The organisations that think because they have a standing desk and offer free apples in the lunchroom that they can get a top tier person for 20% less than market value usually miss out. On this point, we highly recommend researching what your competition is doing and adjusting to the changes that have occurred to the workforce in the past 3-4 years.

Be honest – the idea of “selling the dream” is gone. Be honest, transparent, and upfront. If you don’t, people will quickly catch on and will be very savvy when considering roles. If you do make a hire, and once they start they realise a lot of what was represented in the recruitment process wasn’t correct, they have other options and they will leave.

Work with a specialist recruiter – When you partner with a specialist team like e2 Cyber, you will be supported through all the above points and more. We provide guidance on the best recruitment process for success, realistic timeframes and the latest market information to assist you in making informed decisions.

Why should candidates work with a specialist cyber recruiter?

If you are on the hunt for a new cyber job , you may be overwhelmed by the number of roles, the number of recruiters and companies reaching out to you and often, not truly know your market worth and what you want in a new role. The key things we consult candidates on when making a change are:

Plan – same as the above “plan” point, make sure you know what you are trying to achieve. When looking to move, it’s paramount you know where you want to go, WHY, key things you need in addition to the things you want in a new role. By having a clear plan, you can pinpoint the right role and companies to apply for or consider, compared to considering everything available and struggling to stick to your plan.

Be open minded – sometimes the best outcomes come from the least expected places. During a search, we believe in being open minded to at least review what comes your way. If you know your plan and then something unexpected is thrown out there for you, you can review and compare it to your plan and if you think it might suit, then seriously consider it.

Get advice – do you know what your genuine salary and contract market rate is? What cyber certificates or training do you need to execute your plan? Advice when considering a change is vital and with correct advice, you may find yourself in a much better position than you originally thought.

Work with a specialist recruiter – again, we’re a bit biased here BUT by working with a team like e2 Cyber, you will be supported with all the above points and more. You have someone in your corner who’s committed to helping you secure the right role and achieve the best possible outcome. For many neurodiverse candidates , having a recruiter who understands their strengths, communication preferences, and support needs can make the entire job‑hunting process smoother, more empowering, and far less overwhelming. It’s a bit like the analogy “if you are sick, you go to a doctor or if your car breaks, you go to a mechanic”. Specialist recruiters are like the doctors of the healthcare or the mechanics in automotive - a true specialist that understands the topic of recruitment better than anyone else.

Regardless of whether you’re trying to secure top talent, or looking for your next career move, a specialist cyber recruiter is trained and skilled to guide and support you through al of the above points and more. We want to see business and individuals succeed in the recruitment process and help the eco system become better. When you partner with a specialist *cough, e2 Cyber, cough* you will find a true partner who cares and wants to help in all areas, and this can be the reason you win the fight for the best talent or land that dream role!

BENEFITS OF HIRING AT ENTRY LEVEL FOR CYBER SECURITY

Wed, 26 Apr 2023 14:12:20 GMT

What are the Business Benefits of Hiring an Entry Level Cyber Professional?

Why hire entry level for cyber security ? I find myself discussing this more and more with cyber clients and more broadly, in the technology realms. As the cyber security industry grows, as does the need for people to help deliver to the requirements. The issue is that, in the current Australian recruitment environment, finding skilled professionals is very difficult and people who are deemed to be SME level people are in demand. The time, effort and cost to run a full recruitment process and then miss out on the person who was deemed the best for the position is a tough one to swallow. We propose considering hiring entry and junior people to combat the talent short cyber market and be part of the solution to supporting and growing the cyber eco system.

When considering hiring an entry level person, I believe you need to implement a strategy for a successful hire. There is a difference between plucking people of the street and throwing them into a CompTIA course and expecting them to be your next “top employee”, as opposed to scouting the market and finding someone who is passionate about the industry, has demonstrated a thirst to learn and has the attitude to help them and you succeed.

When e2 hires at entry level, we focus on three factors to determine people who can both start and do well in the industry. Firstly, we want to know you are a good person with quality human skills. Secondly, they must have a drive and passion for the cyber industry and thirdly, we want someone who has demonstrated a drive to be better. Ideally, they have already been part of some form of learning (free or paid), follow industry news and have an idea of their career pathway. Now to find these 3 key attributes isn’t always easy BUT when you ask the right questions, look in the right places and have a process to enable the right interview conversation to happen, this can be an incredibly successful process to land the right entry level person to your business.

Why should a business hire entry level cyber roles?

As a business, when you hire at entry level, we have seen strong success when these areas are the focus:

Loyalty – when you give someone an opportunity, they typically show a better level of loyalty to the business that gives them a chance to get started. This is shown through extra effort, time in the company, promotion of the business to their networks and level of commitment to their role.
Output – an entry level person wants to “earn their stripes”. They have a point to prove as to why they were hired and given a chance. Again, they are typically more willing and wanting to put their hand up for all requirements to give as much as they can to the company and role.
Culture – having a diverse range of experiences, ages and skills helps build a better and well-rounded culture for any business. This opens up more dynamic conversations as a whole and creates a workplace where people feel everyone has voice and opportunity.
Cost – hiring junior people is cheaper than more experienced hires. The process to hire can be shorter, salary lower, output of hirer better and with a limited amount of people to choose in the cyber space, can mean you actually fill your needs.

I do fully believe all the above is true and the positives far outweigh the negatives of junior hires, however there are some risks associated with the plan of hiring at entry level and building them up. These risks can be mitigated with a proper recruitment process and then a clear, well-defined process and plan for when you hire junior people. I advise clients to make sure they have a recruitment process that is transparent on what the role is, how the company will support the hire, a clear-cut training pathway and to be honest about the challenges in the role. For candidates, I address the issues around needing to be fully committed, give it a real go through time and effort and to make sure they are confident they can be successful in the role. Again, this all comes down to planning and communication to make sure it works well.

In a very tight candidate pool of skilled resources, we have a need for people to help deliver to improve the cyber industry, combined with the number of entry level people who are desperate for a start in the cyber world, you can have success. Manage a strong recruitment process, outline clear pathways for new hires and ensure you get a commitment to the role, and the outcome can be more beneficial for all, sometimes even more so than trying to find a more experienced employee!

Ready to secure the skills to protect and defend your business? Whether you need long or short-term contracts or permanent roles, we are Australia's top Cyber Security recruitment agency, committed to providing the best talent and expertise to meet your needs.

E2 CYBER DOMAINS EXPLAINED

Wed, 26 Apr 2023 13:57:34 GMT

What are the e2 Cyber Security Domains?

In the 21-22 financial year, Australia saw an increase in cyber crime to over 76,000 incidents . This was a 13% increase from the previous year and is expected to continue trending in this direction for years to come. Due to the rapid growth of cyber crimes, the industry has been working to keep up with the ever-growing risk and need to improve. With these changes, e2 has seen the industry expand to a size where we believe breaking cyber security roles into domains is a must, not a want. This blog outlines how e2 define the domains and why it is important to understand them when hiring or looking for your next career move.

Entry Level Cyber Roles

This is the start of the “yellow brick road”. “Entry” level roles is a term often used very loosely and no doubt you have seen a meme associated with an entry level role requiring 5 years of experience. To e2, an entry level role is a position for someone who has not had, or who holds very limited professional exposure to the industry, may have completed a basic or fundamental training course and is pursuing a career in cyber. Normally, entry positions are offered in a SOC or GRC space pending the study or knowledge of the individual. At e2 Cyber, entry level recruitment means entry. No experience, limited skills BUT a desire and attitude to be in cyber.

Cyber Architecture Roles

The backbone to safe and minimal risk technology outcomes. Cyber architecture recruitment is a unique domain as it typically requires a person to be both technical and also very savvy to the industry required frameworks, legislation, requirements and technology best practices. A cyber security architect will typically come from a technology background, have strong stakeholder and communication skills and be passionate about improving the technical security decisions for an organisation or product. We find the best architects as “hands on” or at least run a lab to try and test ideas and solutions and are also typically certified in both GRC and technology areas.

Cyber Engineering Roles

The “doers”. The cyber engineering space is technical and “hands on”. Cyber engineers love implementing solutions and are driven to harden the environment with the best tech products in the market. People in this field often start in entry level ICT based roles and work their way through the ranks. They skill up in their chosen technologies and areas to engineer in such as Windows OS, then progress into software that works to protect and defend Windows based environments.

GRC (Governance, Risk and Compliance) Cyber Roles

The GRC space is unique as it seems people come from all walks of life into cyber GRC focused work. GRC is critical to the success of any technical decision and implementation. GRC professionals conduct reports, assessments and audits which typically are shared to the Board, C-suite and senior leaders to make decisions based on their risk appetite. These professionals are typically degree/university certified and have further studied in the GRC realms through industry recognised training. They have an interest in technology and may even be technical themselves, which is usually very desirable.

Cyber Network Roles

Have you ever tried to connect to wifi or a “network” and then tried to trouble shoot it yourself? It’s pretty complicated at the basic break fix level which is where highly skilled network engineers come into play. You have to go through a network to connect to the internet and every website on the internet has a network that it travels back and forth on. These skills are critical to any technology system working and being able to “connect” with the digital world. People in this field are certified and skilled with networking and have a deep understanding of network specific products such as CISCO or similar products. Most technical engineers have some exposure to networking, but a network engineer is a specialist , they can perform basic trouble shooting all the way through to creating designs and building networks that can be either physical or virtual.

Offensive Cyber Security Roles

The “cool” cyber guy from the movie. When most people think of cyber security they usually think about a guy in a black hoodie, “hacking” his way into a mega rich company’s bank account and taking all the money. Partially this is correct, but in our industry, they are the ones doing the right things with their skills (ethical hackers). Offensive security specialists are brought in to “attack” a network, application, infrastructure, socially or physically, to test the defence in place and provide an assessment to the organisation to make new defensive cyber decisions. People who work in this space are either self-taught, certified and trained or both. There are a number of well-respected certificates in this space, and usually are very difficult to obtain. This space is very small, typically the best people all know each other and due to the nature of the work, difficult to disclose their exact personal achievements in detail when recruiting an offensive security specialist.

Cyber Leadership Roles

The leader of all cyber. The CISO, CSO, Head of, Director, ITSA, Security Lead , SOC Manager, the list goes on. In a role where you lead a team, outcome, project or division, these roles carry immense pressure to get it right as a wrong decision can cause damage that cant be predicted, for example Optus and Medibank. To land a role like this, you typically carry years of experience and war stories in addition to the skills so you can mentor, guide and build the next wave of industry experts. These days, most leaders are certified but because the industry has only recently started pushing the certification requirement, some exceptional leaders have none but could pass and achieve majority with little to no issues. A cyber leader is normally motivated by the challenge of improving an organisations cyber posture, team and outcomes and care about the cause deeply.

Over time we expect each of these domains will grow. Potentially, we might even see the industry add in new roles as the risk against us continues to become more complex and sophisticated. Time will tell but until then, this is how e2 Cyber categories our cyber domains to support our client’s security and our candidate’s careers .

WHY CYBER? WHY NOW?

Wed, 12 Apr 2023 09:36:30 GMT

READ THE SNAPSHOT:

Over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year (Ref:1).
Cybercriminals can penetrate 93 percent of company networks (Ref:2).
Australia is also making an unprecedented investment of A$9.9 billion over 10 years in Australia’s  national intelligence and cyber capabilities , creating significant opportunities in the Australian cybersecurity industry (Ref:3).
These stats outline the importance for the changes required and the need to improve in the cyber space. This highlights the WHY behind the launch of e2 Cyber and WHY so many organisations, government and people now care about cyber security.

Why Have We Launched a Cyber Specific Recruitment Agency Now?

Why cyber, why now? I find this a question that is very easy to answer considering some of the major issues Australia has faced in the past 12 months. Optus, Medibank and now Latitude, our newsfeeds are filled with “breaches”. Seeing cyber issues like these so publicly discussed has raised the profile of the industry, the need to improve our security and expectations of Australians to feel protected in a cyber sense. I also believe the cyber industry used to be considered a “secret” and wasn’t a second thought for most people. Now however it’s fast becoming one of the most important industries within Australia (and globally) due to the changes in the cyber landscape and the progression of criminal activities using technology.

The relevance of why cyber, why now, is broken into three areas:

PEOPLE:

The “PEOPLE” aspect of security is one I am very interested, curious and passionate about. From a pure need of skilled people, Australia is expecting to have over 30,000+ requirements in next four years according to CyberCX research. The key drivers behind these sorts of stats are from the surge in cybercrimes and the increase from business and government to improve and deliver more cyber focused pieces of work (project and operational focused). It’s also the number of roles for skilled professionals growing faster than the industry and country can produce the people to perform the roles. Some of these challenges will need a multi-dimensional approach to improve from all groups within the cyber industry and to do this will be a goliath push which, as of right now, I am not sure can be done as fast as needed.

BUSINESS:

According to A CSC, there was a 14% increase of cybercrime against business in 20-21 compared to the previous fin year. Most of these attacks were on SME businesses who either hadn’t, don’t know they needed to, or choose not to invest and improve their cyber resilience. This comes as a huge risk to every Australian as most of us will have and will continue to shop, purchase and spend with these businesses. The other area I see requiring improvement is within the government sector where most cyber attacks have occurred. The government sector made up 24% of all attacks compared to the next sector at 9% , meaning more than twice as many attacks are directed at the government. This is a concern considering that the government holds all of Australia’s critical information on people, business and defence.

TECHNOLOGY:

Technology is the final area I believe has had the greatest impact on why cyber is now so important to us all. As tech advances, so does the criminal aspect. The problem is that, at times, the criminals are in front of the defence mechanisms in place and these days everyone uses technology, making it a lot easier to be attacked. According to Roy Morgan , in 2019 more than 18.5 million Australians owned a mobile phone. There is also data indicating the age of mobile phone users is lowering and increasing in the ages of 6-13 years of age with 46% of children in this group having a mobile phone . With so many people having access to technology and the internet combined with the lack of cyber awareness and training for users, the result is a growth of cybercrime and issues associated with technology.

Why cyber, why now? It’s been driven by the need for greater awareness, more skilled people and an improvement in the cyber industry. While there’s greater depth to explore in the three key areas that have driven the demand for a dedicated cyber specific recruitment agency , the overview outlines why it was time to launch e2 Cyber and what we are creating to ensure we are part of the solution as cyber recruitment specialist .