WHY CYBER SECURITY ROLES ARE EVOLVING FASTER THAN WE CAN HIRE
e2 Cyber • February 4, 2026

How risk, budget and expectations are reshaping cyber security roles.

For most organisations, cyber security did not arrive with a bang. It crept in quietly. First as an IT concern. Then as a compliance issue. Now as a board-level risk that touches reputation, revenue, safety and trust.


Somewhere along the way, cyber security roles stopped being clearly defined. What was once a security analyst role now reads like three jobs in one. Engineering roles expect deep specialisation across multiple tools, platforms and frameworks. GRC roles are expected to understand business, technology, regulation and risk in equal measure. And organisations are left wondering why hiring feels harder than it ever has.


According to e2 Cyber Consultant Ben Rogalsky, the answer is not as simple as a talent shortage. It is a story of expectations, risk, budget pressure and an industry that has evolved faster than the way we hire for it.

From his vantage point inside the Australian cyber security recruitment market, Ben sees this disconnect play out every day.


“Everyone always says it’s understaffed,” he says. “And I would have to agree. But it’s not a shortage of new talent. There’s so many people coming through university programmes and trying to shift roles. Most of my conversations are with entry-level people trying to break into the space.”


The problem, he explains, is not interest. It is readiness. And more importantly, it is the way organisations define readiness.


The myth of the cyber skills shortage

Australia is often described as having a cyber security skills shortage. Government reports, media headlines and industry commentary reinforce the idea that there simply are not enough cyber professionals to meet demand.


Ben does not entirely disagree, but he believes the picture is more nuanced. “I think it’s the actual industry as a whole and the mission of the industry,” he explains. “The mission is to protect. So you need people on the ground hitting the ground running rather than other industries where they can take some time to learn and upskill.”


Cyber security does not lend itself easily to long ramp-up periods. When something goes wrong, it goes wrong fast. That reality shapes hiring behaviour.


Organisations want experience. They want certainty. They want someone who has seen it before and can handle it again.


The result is a market where junior talent struggles to get a foothold, not because they lack motivation or capability, but because very few organisations are willing or able to invest the time to develop them. “There’s not a lot of development of junior staff,” Ben says. “There’s not a lot of training. Everyone’s taking off each other and trying to get people who already have multiple years of experience.”

In other words, the industry keeps fishing from the same pond.


When roles evolve faster than hiring models

Cyber security roles have changed dramatically over the last few years. Yet job descriptions often lag behind reality, or swing too far in the other direction.


Ben sees both extremes. “Job descriptions are sometimes asking for a lot when people are just touching on certain points,” he says. “They’re asking for SMEs across multiple tools when in reality they need someone with a solid understanding who can grow into it.”


This is where misalignment starts to creep in. Hiring managers know their risk profile has grown. They know their environment is more complex. They know regulators, customers and insurers expect more. So, they respond by stacking requirements into a single role.


The unicorn problem is not new, but it has intensified

“Organisations are trying to find someone doing three roles instead of one,” Ben says. “They want someone extremely specialised, with zero leeway, and they don’t want to spend time training.”


From a recruitment perspective, this creates longer hiring timelines, higher salary expectations and ultimately frustration on both sides. “When people are determined on hiring a unicorn,” Ben explains. “That’s going to be a six-month search. And why would that person want to come work for you?”


Cyber security as a cost, not a revenue driver

One of the most persistent challenges in cyber security hiring is justification. Unlike sales, product or consulting, cyber security rarely generates direct revenue.


“If you’re in an internal team, it’s not a money maker,” Ben says. “It’s a money saver.”

Cyber security exists to reduce risk. To prevent incidents. To protect reputation. And those outcomes are notoriously difficult to quantify until something goes wrong.


This creates tension at the leadership level. “It’s hard to justify the cost,” Ben explains. “Because it leads into multiple areas like reputation. There’s not a direct dollar figure you can attach to it.”


That tension flows downstream into hiring decisions. Budgets are tight. Expectations are high. And roles become overloaded in an attempt to maximise value from a single headcount.


The irony, as Ben points out, is that under-investing in people often increases risk rather than reducing it.


The shift from shiny tools to optimisation

A few years ago, cyber security teams were racing to implement new tools. Today, the conversation has changed.

“A lot of cyber in the technical space isn’t deploying new tools anymore,” Ben says. “It’s about getting the most out of their current tool set.” Budgets are tighter. Tool sprawl is real. And many organisations are sitting on overlapping platforms that do similar things.


“There’s a serious amount of money going into tech debt,” Ben explains. “Into tools they’ve already paid for that aren’t being fully used.” This shift has reshaped demand for cyber security roles.


Automation engineers, identity and privileged access specialists, and security engineers with deep platform expertise are in high demand. Cloud security remains critical. Core monitoring tools like Sentinel, Defender, Splunk and CrowdStrike continue to anchor many teams.


What organisations want now is not someone who can introduce something new, but someone who can make what they already have work better. That requires depth, not breadth. Yet many job descriptions still ask for both. This is explored further in our previous blog: Cyber Security, from Compliance to Culture.


Technical versus non-technical cyber roles

Within cyber security, Ben draws a clear distinction between technical and non-technical roles.


On the GRC side, he sees a growing emphasis on fundamental technical understanding. “Ideally someone from an infrastructure or networking background helps,” he says. “It allows GRC people to actually understand the business and its endpoints, rather than just applying copied frameworks.”


This is where experience matters. Assessing risk requires context. Without understanding how systems actually work, governance becomes theoretical. At the same time, technical roles increasingly require communication skills.


“Cyber gets a rap for being very tech heavy,” Ben says. “But at the end of it, it’s people. It’s about reducing people risk with technology.”

This convergence of skills is another reason roles feel like they are expanding. Technical specialists are expected to communicate risk. GRC professionals are expected to understand technology. Architects are expected to bridge strategy and delivery.


The industry has matured. Hiring models have not always kept pace.

Are job descriptions telling the truth?


One question candidates frequently ask recruiters is whether a job description reflects reality.

Ben’s answer depends on how the role is sourced. “In agency roles, as I’ve mentioned, clients are often looking for unicorns,” he explains. “But the person might come in and only actually use 50% of what’s in the job description.” “That’s where we come in to offer critical consultation to communicate effectively.”


In many cases, job descriptions become wish lists rather than accurate reflections of day-to-day work.

That said, Ben notes that he sees fewer cases now where people are trapped doing significantly more than advertised.


Part of that is due to better recruitment conversations. Part of it is due to the market pushing back.

“Culture fit is key,” Ben says. “Skills can be taught. Technologies can be learnt. But mindset and culture matter.”


Leadership expectations and market reality

One of the biggest sources of friction in cyber security hiring is leadership expectation.

“Some leaders have zero understanding of what the market’s like,” Ben says. “They don’t have good networks. They don’t understand how difficult it is to find the talent they’re asking for.”


This often results in unrealistic requirements paired with limited budgets. “They want everything,” Ben explains. “And they’re paying well under market.”


From a recruiter’s perspective, part of the role is education. Resetting expectations. Explaining trade-offs. Helping leaders understand that perfection is rare, and potential matters. But those conversations are not always easy. “Sometimes it falls on deaf ears,” Ben admits.


The real cost of not developing talent

One of the most important themes in Ben’s perspective is the lack of investment in early-career talent.

“It’s difficult to train someone for a year just for them to leave for an extra 10K,” he says. “It feels as though can’t compete with that.”


This fear is understandable. But the alternative is a stagnant talent pool where the same experienced professionals are stretched thinner each year. “Not everyone is developing talent,” Ben says. “It’s only a certain pool of organisations.” Those organisations bear the cost. Others reap the benefits. It's not hard to see how a more balanced system would benefit all.


The long-term risk is clear. Without consistent investment in juniors and career-changers, the industry creates its own bottleneck.


Burnout, retention and responsibility

As roles expand and teams remain lean, burnout becomes inevitable. “There’s always going to be burnouts,” Ben says. “Everyone’s trying to reduce risk with limited resources.”


Once again, leadership plays a critical role. “It’s on leadership to ensure staff are well maintained and looked after,” he says.


That means more than salary. Training, development, time to learn, and visible investment in people all matter. “People want to stay learning,” Ben explains. “They want to feel like they’re progressing.” In many cases, access to certifications and professional development outweighs cash. “Those certifications are worth double the money,” Ben says. “Because the business is showing they care.”


Salary pressure and the shape of the market

While overall job ads may be down, cyber security remains its own ecosystem.

“Cyber isn’t always advertised,” Ben notes. “The data isn’t always accurate if you’re just scrolling job boards.”


What he is seeing is salary pressure at the mid-level. “Salary expectations are higher,” he says. “Especially for people on the tools.”


Conversely, some senior and architecture roles are seeing rates soften, which is indicated in our latest cyber salary and rate guide.

Looking ahead, Ben expects increased hiring as programs of work are approved, but competition will remain fierce for specialists.


“The money is in niche roles,” he says. “People with key certifications and deep platform expertise.”


Why traditional recruitment models fall short

Cyber security recruitment does not reward volume. “There’s a lot of jargon,” Ben says. “You have to understand the mission.”


Traditional spray-and-pray recruitment approaches struggle in a market built on trust, referrals and reputation.


“Cyber recruitment is referrals,” Ben explains. “From candidates. From clients.”

AI has amplified this divide. “It’s easy to copy and paste a CV now,” Ben says. “But it takes human understanding to assess culture, drivers and fit.”


Cyber professionals are often excellent judges of people. They value authenticity. They remember bad experiences. Burning bridges travels fast in a small market.


The insurance analogy and why cyber is different

Towards the end of the conversation, Ben touches on an analogy that resonates deeply. Cyber security is often compared to insurance. A cost you hope you never need. But Ben sees a critical difference. “Cyber security functions are like insurance,” he says. “But it’s a reverse insurance.” You are paying to stop the incident from happening, not to be compensated after it does.

And unlike most forms of insurance, cyber incidents can have life-or-death consequences. “In OT environments, hospitals, defence,” Ben explains, “there’s an actual link to someone’s life.”


This reality raises the stakes of under-resourcing cyber teams. It is not just about data or money. It is about safety.


Building capability, not just filling roles

For organisations serious about long-term cyber capability, Ben’s advice is clear.

“Find a company or leadership team that will support you beyond the interview,” he says. Support must be real. Not just promised.


Leadership must advocate for their teams. Balance budget pressure with reality. Set priorities.

“Sometimes everything needs to be done,” Ben says. “But you have to rank it.”

Culture truly sits at the centre of it all. “Invest in people,” he says. “Invest time. Understand their lives. Get buy-in and loyalty to the mission.”


DEI and untapped talent

Ben is a member of the organisation’s DEI working group, and he sees inclusion as both a moral and strategic imperative.


“Some smaller organisations miss out on great talent because they’re so single-minded,” he says.

Cyber security has always attracted diverse thinkers. Neurodiversity, different problem-solving styles, and varied backgrounds are strengths, not risks. Closing the door narrows the pipeline further and overlooks some of the best-suited and most skilled talent on the market.


What candidates are really prioritising

For mid-level cyber professionals, the decision is rarely just about money. “Flexibility is number one,” Ben says. “Then training and development.”


Work from home options, family flexibility, learning opportunities and meaningful work consistently outrank marginal salary increases. “Money matters,” Ben acknowledges. “But flexibility and growth matter more.”

If nothing changes, what happens next?


If organisations do not invest in developing talent, Ben sees a challenging cycle ahead. “The current people will just have to do more,” he says. “More work. More projects.” Burnout increases. Attrition follows. Hiring becomes reactive rather than strategic. “The industry will still be short for five to ten years,” Ben predicts. It does not have to be that way. But change requires risk, investment and patience.


The path ahead

For individuals navigating roles that keep expanding, Ben’s advice is grounded and human.

“Life’s very short,” he says. “You’re spending most of it at work.”


Find managers who shield you from unnecessary pressure. Look beyond small salary bumps. Protect your reputation.


“Cyber is about reducing risk,” Ben says. “Don’t take a massive career risk for a little bit of money.”

Reputation matters. Relationships matter. And in the niche world that is cyber security, they travel with you.


Final thoughts

Cyber security roles are evolving because the world they protect is evolving. Technology, regulation, risk and expectation are all moving fast. Hiring models, however, are still catching up.


The gap between what organisations want and what the market can realistically provide is widening. Closing it will require better education, more flexible thinking, and a renewed commitment to developing people, not just hiring skills.


At e2 Cyber, these conversations happen every day. Not just about filling roles, but about building sustainable cyber security capability for Australia. Because the future of cyber security will not be solved by AI and unicorns alone. It will be built by people, and derived from all skills and backgrounds.

