AUSTRALIA'S CYBER SECURITY SKILLS GAP: WHAT THE NUMBERS DON'T TELL YOU.

e2 Cyber • May 5, 2026

The Problem Behind the Problem

Australia has a cyber security skills shortage. That much is settled. The data is consistent, the headlines are persistent, and the gap between demand and available talent has been widening long enough that it no longer surprises anyone in the industry.


What the headline figures tend to obscure, however, is the more complicated and more instructive story underneath. The Australian Bureau of Statistics placed the total number of database administrators and ICT security specialists at around 70,900 as of August 2025, up 3,300 over the year. Employment in this category is projected to grow 14.2% from May 2024 to 2029, more than double the national average rate. The Australian Computer Society's 2025 Digital Pulse report estimates that 54,000 additional skilled people in cyber security operations and management will be needed by 2030. A separate Per Capita and CyberCX analysis puts the shortfall of qualified professionals at up to 30,000 unfilled positions in 2026.

The numbers are significant. But numbers measure volume. They do not measure where the gap actually sits, who it's hurting most, or why the problem has persisted despite years of investment, commentary, and good intentions.


Matt Kiss, Consultant at e2 Cyber, holds sight lines across multiple dimensions of this problem simultaneously. As a specialist cyber security recruiter working across government, defence, and the private sector, he encounters the gap not as a statistic but as a daily operational reality. The picture he describes is more layered, more structural, and in some ways more troubling than the headline data suggests.


It's Not Simply About Numbers

The instinct when confronted with a shortage is to reach for the obvious remedy: more people. More graduates. More training pathways. More intake. But Kiss challenges the premise almost immediately.


"I wouldn't say there's a skill shortage per se," he says. "There's a lot of skilled individuals out there across a broad spectrum of cyber security. I think the biggest issue is around the amount of roles that are out there and the types of people applying for those roles."


This distinction matters because it reframes the problem entirely. If it were purely a volume problem, more university graduates and more TAFE completions would eventually close the gap. But the evidence increasingly points to a different kind of constraint - one that no certificate program can solve on its own.

The ISC2 2025 Cybersecurity Workforce Study reflects a similar shift in thinking globally. For the first time, professionals participating in the study prioritised the need for critical skills above the need for more people. The shortage, in other words, is less about headcount and more about the particular depth of capability that the market actually needs.


In Australia, that depth is concentrated in the middle of the experience curve. And that is precisely where the pipeline has broken down.


The Missing Middle

The structural flaw that Kiss identifies is one that many in the industry acknowledge but few have meaningfully addressed: there is no functioning transition pathway between entry level and the roles that employers actually need to fill.


"The mid-range role doesn't exist," Kiss says plainly. "There's a lot of keen individuals trying to break into cyber security. They're doing the right things - certificates, internships, all of it. But then it stalls. They've done the internship, they've done their initial training. There's no next step."


The market's response to this gap has been counterproductive. Organisations have responded to the shortage of experienced talent by applying increasingly demanding criteria to mid-level roles. Someone with two to three years of experience - which in most fields would constitute a genuine intermediate professional - finds themselves labelled junior. Meanwhile, those with five to seven years of experience, under pressure from contracting rate drops of up to 20% in some specialisations over the past two years, are applying downward for roles they are overqualified for, simply because the volume of available work has contracted.


The result is a compression that squeezes the middle out of the market entirely. An organisation advertises for someone with two years of experience and receives applications from candidates with five. They hire the most experienced person at a rate built for someone more junior. The person who genuinely has two years of experience gets passed over. And the cycle compounds.


"It just creates this hole," Kiss says. "You go from an internship to the next best thing being someone with five to seven years because companies think, well, if I can get someone with five to seven years, why am I asking for someone with two and paying them the same?"


The consequence for the pipeline is severe. The entry points that should be generating the next generation of mid-level and senior talent are being bypassed. And no amount of certificate programs addresses a problem that is fundamentally about the structure of the market, not the supply of willing participants.


The Roles that Feel the Pressure Most

Across the landscape of cyber security disciplines, the experience gap bites differently depending on the role. Kiss, drawing on e2 Cyber's placement data over the past twelve months, identifies three areas where the pressure is most acute.


Penetration testing represents the most extreme case. It is also, perhaps not coincidentally, the role that attracts the highest concentration of aspiring professionals. The appeal is understandable - it carries a reputation for technical sophistication and a certain cultural cachet. But the gap between aspiration and employability is vast. Penetration testers need to be trialled, tested, and trusted before they go near a live environment. The only way to become that person is to have done it, which creates a door that is genuinely difficult to open from the outside.


"Pen testing is probably the hardest to get into," Kiss says. "There's a lot of juniors. But the people you need on site need to have ten years of experience. So that's probably the biggest gap."


GRC (Governance, Risk and Compliance) is experiencing its own version of the same pressure, but for different reasons. The role has expanded in scope and complexity far faster than the number of people who can competently fill it. Simply knowing the ISM (Information Security Manual) and the Essential Eight is no longer sufficient. A capable GRC consultant in 2026 is expected to have working fluency across the PSPF (Protective Security Policy Framework), the DSPF (Defence Security Policy Framework), ISO 27001, and the ability to communicate findings credibly to senior executives and boards.


"It's not good enough just to know the ISM and the Essential Eight anymore," Kiss says. "You've got to know the PSPF, the DSPF, ISO 27001 in depth. You've got to be able to do audits, write reports, deal with senior directors, and stand up in a meeting and say this isn't right, we need to change the policy. You can't be doing that in your first two years."


This matters particularly in the context of Australia's regulatory environment, which has intensified significantly since the passage of the Security of Critical Infrastructure (SOCI) Act. The Essential Eight framework, IRAP assessments, and the expanding obligations tied to national security and data sovereignty have created demand for GRC professionals with genuine depth. The supply of people who can actually meet those expectations remains well short of what the market needs.


Security engineering is perhaps the least visible of the three gaps, but in Kiss's assessment, potentially the most consequential.


"Security engineering is a big skill set that seems to be lacking a lot of people, purely because there are so many things you can do in cyber that skirt around security engineering without actually being an engineer," he says. "SOC analysts, SIEM analysts, all those things are closely tied to it. You can be a SOC analyst for seven years but it doesn't mean you're an engineer. Whilst you're dealing with the same principles and tooling, you're not building anything."


The distinction is critical. Building security infrastructure - designing systems, architecting controls, standing up tooling from the ground up - requires a different kind of knowledge than operating and monitoring that infrastructure once it exists. Proficiency with Splunk or KQL, or years of experience running analytics through a SIEM tool, does not automatically translate into the ability to design and build the environment in which those tools operate. The two skill sets are adjacent but not interchangeable.


When Soft Skills Become Hard Requirements

One of the more significant shifts Kiss identifies is the growing premium on communication, stakeholder management, and the ability to translate technical risk into language that non-technical decision-makers can act on.


This is not a new observation. The importance of soft skills in cyber security has been noted for years. What is changing is the scope of who needs them, and how non-negotiable they have become.


"As soon as you become a consultant, you have to know those soft skills," Kiss says. "It's not enough to just be really good at your job and really technical because you need to be able to talk to someone."


The structural reason for this shift connects back to the contracting market and government's increasing preference for consulting models over embedded contractors. Roles that once allowed a highly technical specialist to sit largely within a technology team and do focused implementation work are increasingly being delivered through consulting engagements. The moment that happens, the ability to engage across stakeholder levels - from a technology team to a CFO to an executive board - becomes a baseline expectation, not a differentiating quality.


This has implications for both how candidates develop their careers and how organisations think about hiring. A technically exceptional candidate who cannot communicate effectively across organisational levels is increasingly difficult to place in the roles that are actually available. And a hiring organisation that filters only for technical depth, without considering whether a candidate can function in a consulting context, may find they have hired for a model of work that no longer matches market reality.

For candidates and hiring managers alike, this points back to something that the e2 Cyber team has observed consistently: the roles that are evolving fastest in Australian cyber security are those that sit at the intersection of technical knowledge and business acumen. Neither alone is sufficient.


The Clearance Bottleneck

For anyone operating in or around Australia's government and defence cyber market, security clearances are an unavoidable structural constraint. And they represent one of the most significant compounding factors in the skills pipeline problem.


Australian citizenship is a firm prerequisite for a security clearance under the Australian Government Security Vetting Agency (AGSVA) framework. Baseline, NV1, and NV2 clearances are all tied to citizenship eligibility, with only narrow and rarely granted exceptions for permanent residents in exceptional circumstances. For the roughly 51% of Australia's cyber security professionals who were born outside the country, this creates a significant and in many cases insurmountable barrier to the most in-demand roles in the government sector.


Kiss is candid about both his personal position in this and the human cost of the current arrangement.

"I see a lot of candidates who are fantastic - someone who may have been in this country for five years but is not yet a citizen, which means they can't get a clearance. We miss out on a lot of skilled and highly talented individuals who come from other countries purely because we can't do anything for them until they get citizenship. Which can take around ten years."


Beyond the citizenship requirement, the process itself introduces delays that erode the talent pipeline in ways that are difficult to quantify but easy to observe. A candidate who waits eight months for a clearance decision and may ultimately be rejected with no ability to carry that outcome to other agencies is, in practical terms, effectively unemployable in government cyber security for the duration of that wait. The opportunities they might have had will have moved on. They may have found another path entirely.


"The process can take so long," Kiss says. "What happens to those people? They can't get a job in security. They can't do what they love and what they're really good at. So they settle for something else. And if you don't use those skills, you lose them."


The lack of standardisation across agencies adds a further layer of friction. The expectation that a clearance granted for one department translates automatically to another, or that an OSA (Organisational Suitability Assessment) process completed for one intelligence organisation removes the need to complete another for a different one, does not reflect the current reality. Kiss's view that a cleared individual should carry a nationally recognised standard of vetting, rather than an agency-specific determination, represents a position that would find broad sympathy across the industry.


These are not problems that e2 Cyber can solve from the outside. But they are problems that any organisation thinking seriously about its cleared workforce pipeline needs to understand before going to market. For clients navigating this territory, understanding the hiring landscape before a brief is written is considerably more useful than discovering the constraints mid-process.


Breaking In: What Actually Works

For those looking to enter Australian cyber security, the advice that the market actually rewards tends to differ significantly from the instincts that aspiring professionals bring to the door.


The most common mistake Kiss observes is narrow focus combined with unrealistic early expectations. Cyber security contains multitudes - penetration testing, GRC, SOC analysis, security engineering, cloud security, identity and access management, incident response, digital forensics, and more. Candidates who decide before they have any real market experience that penetration testing is the only path worth pursuing, and who orient every certification and every hour of home lab work toward that single destination, are statistically unlikely to find what they are looking for quickly. The field is competitive at the entry level for pen testing precisely because the aspiration is so widely shared.


"People set their hearts on penetration testing because it sounds really cool," Kiss says. "And so do 100,000 other people. Then you become very narrow-minded. The reality is there's not many jobs coming out for a penetration tester, and you've pushed all of your time into one path that statistically you probably won't get into."


The more durable path is a broader one. Kiss's advice - to start somewhere like a service desk or a helpdesk role, build foundational understanding of how systems actually work across their full stack, and pursue study and certifications in parallel - reflects a pattern that e2 Cyber consistently sees in the backgrounds of the professionals they successfully place.


"Companies want to see people who have come up from the service desk level. They understand basic resolution. They understand conceptual resolution. They can speak on the phone. They can actually work out what a problem is. And you're doing the basics of consulting in an entry level job."


The pathway from service desk to systems engineer to network technician to cyber security specialist is longer than the direct-entry route, but it produces professionals with something that certifications and lab environments cannot: genuine understanding of how real systems behave, fail, and recover under real-world pressure.


"In a lab, there's no risk," Kiss says. "You can simulate something as best as you can, but it doesn't mean you can actually do it on site. The code doesn't look the same. The environment doesn't look identical. The real world is completely different."

For formal training, Kiss points to the value of free and low-cost platforms that are often underestimated - Microsoft Learn, AWS training, Google Cloud fundamentals, Fortinet's free networking curriculum, and VMware's virtualisation tools - as a starting point for building practical environment experience. For those drawn to offensive security, platforms like Hack the Box provide a structured environment for building skills that are directly applicable to penetration testing careers, even if the results cannot substitute for live experience. Capture the Flag competitions, run by organisations across the Australian cyber security community, are another underutilised on-ramp.


Networking - the human kind - carries more weight than it is typically given credit for in career planning conversations. Organisations like the Australian Women in Security Network run events that are accessible and genuinely useful for people at all stages of a cyber security career. The people you meet in those rooms are not just contacts. They are potential mentors, collaborators, and future colleagues who may be the person who thinks of you when a role comes up that never makes it to a job board.


The AI Question

No conversation about the Australian cyber security workforce in 2026 is complete without addressing AI. It is reshaping the threat landscape, accelerating the sophistication of attacks, and beginning to automate functions that previously required human analysts. It is also, as Kiss observes, changing the nature of what a junior analyst's role looks like in ways that are not uniformly positive for people trying to enter the market.


"AI is a powerful tool to help speed up and automate processes internally," he says. "But it's going to make lazy people lazier. That's the danger."


The risks Kiss identifies are specific. Using AI to write code without understanding what the code does, or to automate security processes without understanding what the automation is built on, creates a superficial competency that may pass initial scrutiny but cannot sustain genuine professional performance. If a candidate uses AI to do their job, the honest question to ask is whether the company could simply use AI to do the job itself, removing the need for the candidate entirely.


This is not an argument against AI adoption. It is an argument for using AI in the way that genuinely capable professionals use any tool - as an accelerant for their own knowledge, not as a replacement for it. The professionals who are currently using AI to explore unfamiliar concepts, to pressure-test their understanding, and to extend the reach of their existing expertise are developing a working relationship with the technology that will compound over time. Those who are using it to skip the step of understanding are building on sand.

ISACA's 2025 State of Cyber Security report found that more than half of Australian cyber security teams are understaffed, with 58% of organisations reporting unfilled positions. Only a third of enterprises were actively training non-security staff to move into cyber roles. The gap is real, it is growing, and AI is not closing it - it is changing its shape.


Why the Pipeline Hasn't Improved

The cyber security workforce pipeline conversation in Australia is not new. The shortage has been discussed, documented, and debated for the better part of a decade. The question of why it has not improved is worth asking directly.


Kiss's answer is straightforward, and it connects to something that many people in the industry believe but rarely say plainly: no one is willing to be first.

"In a nutshell, no one wants to put in the time, the investment, and no one wants to be first," he says. "What does that look like if things continue to go wrong? We'll find more attacks, more things going wrong. The benchmark to get into cyber security is increasing, but the roles and the amount of roles available isn't keeping pace."


The structural change he would advocate for - requiring companies above a certain size to maintain a percentage of entry-level staff in active training programs, mandating that internships convert to genuine employment pathways, standardising what clearances mean across agencies, fast-tracking citizenship or PR for professionals working in critical security roles - would require government and industry to work in genuine alignment rather than in parallel.


That alignment has proven elusive. The Australian Government's 2023-2030 Cyber Security Strategy identifies workforce development as a priority. The intent is visible. The pace of implementation has been slower than the pace of the threat.


"The government itself needs to stand up and say, we are going to do this because we need to protect our digital footprint as Australians," Kiss says. "Everything has moved to computers. This is not a new concept. But they're not going to make it easier to create pathways to bring people in to protect that data until it's already too late."


What Good Decisions Look Like From Here

For organisations hiring in Australian cyber security right now, the practical implications of everything Matt Kiss has described come down to a few clear principles.


Define what you actually need before you write the brief. The tendency to conflate job titles with job requirements has contributed directly to the market distortions Kiss describes. A role titled Senior Consultant that actually requires a security engineer, or a GRC Analyst position that really needs someone with five years of framework-specific experience, produces a pool of applicants that does not match the actual need. Getting this right at the beginning costs very little. Getting it wrong costs significantly more.

Think in pathways, not just placements. The organisations that are building genuine cyber capability are not only filling the roles they need today. They are creating the conditions for mid-level and senior talent to emerge from within, which means investing in the entry-level and junior talent that currently cannot find a home in the market. The cost of this investment is real. So is the cost of not making it.


Consider the full range of engagement models. Some of the roles that Australian organisations are trying to fill on a permanent basis would be better served by a contractor brought in for a specific purpose, and vice versa. Understanding the distinction - and the conditions under which each model performs at its best - is foundational to hiring well in this market. e2 Cyber's earlier piece on contracting versus consulting covers this territory in depth for those working through the question.


Trust experience over credentials, where the two diverge. Certifications matter - CISSP, CISM, CRISC, IRAP, and the Essential Eight framework expertise that government and regulated-sector employers consistently prioritise. But certifications are a starting point, not a destination. The professionals who perform well in live environments are those who have built their credentials on a foundation of real experience, not as a substitute for it.


For those building a career in cyber security, the clearest version of Kiss's advice is this: go broad before you go deep, take the longer path if it is the one that builds real understanding, and do not mistake the map for the territory. The industry needs people who can do the work - not just describe it.


e2 Cyber places cyber security professionals across government, defence, and private sector organisations throughout Australia. For candidates and clients navigating this market, the conversation starts here. For organisations looking at consulting and managed capability as part of their security uplift, Zaleo Consulting - the Emanate Group's specialist consulting arm, and APAC VMware Partner of the Year for Consulting Services - brings targeted expertise across modern infrastructure, data, AI and cyber. For broader technology hiring needs, Emanate Technology rounds out the group's capability across the full technology sector.



Australia's cyber security skills gap is real, it is structural, and it will not be resolved by any single intervention. The data is clear on the scale. What Matt Kiss adds is clarity on the texture - where exactly the gap sits, which roles feel it most acutely, what the clearance system costs in lost talent, and what individuals and organisations can do to navigate the reality that exists rather than the one that should exist.


The pipeline problem will not be solved until government, industry, and education act with more coherence than they currently do. In the meantime, the organisations and individuals who understand the shape of the market - not just its headline statistics - are the ones best positioned to build something durable within it.


e2 Cyber specialises in cyber security recruitment across Australia's public and private sector. Whether you are hiring or building a career, our team understands the market from the inside. Reach out to our expert team and start the conversation.
