Introduction

Australia’s cybersecurity industry has long operated on the assumption that better tools mean less vulnerability. Better threat detection, better endpoint protection, better monitoring. Yet, every year, the threat landscape widens faster than our defences can account for.

Recent issues emerging from the rapid adoption of AI tools have offered an uncomfortable reminder of just how exposed organisations can be when speed outpaces governance, and when the tools we trust become vectors for risk.

Research by ADAPT has found that three-quarters of Australian organisations do not feel well-prepared for AI. Only 23 per cent of mid-to-large organisations are running fully in-house security operations centres, with 41 per cent now fully outsourced.

As AI becomes more deeply embedded in enterprise operations, vulnerability is actually expanding in ways that legacy security frameworks were never designed to handle.

By the Numbers

84,700 cybercrime reports were submitted to the Australian Cyber Security Centre in FY24–25. That’s one every six minutes. The vulnerability is indisputably there, and it is not going to close itself.

While Australia’s attention is rightly focused on the threat, data is showing us why we remain so vulnerable. We simply don’t have enough people who know what to do when things go wrong. Outsourcing can be a response to a skills shortage, but it can’t be the entire strategy.

Australia is over-credentialed and under-experienced

For too long, Australia’s approach to building cyber talent has prioritised credentials over capability. We’ve produced graduates who can pass certifications but have never operated in live environments.

The reality is that cybersecurity is learned by doing. You have to break things. You have to work through incidents in real time. You have to develop the instincts that only come from exposure – and that can’t be replicated in the lecture theatre. That exposure matters. It builds judgment, resilience and the practical instincts required to respond under pressure.

Moving Forward

Initiatives like Edith Cowan University’s Work Integrated Learning (WIL) program, supported by industry partners including Slipstream Cyber, a business of Interactive – demonstrate a better model. Over five years, the program has placed 20 graduates directly into security environments, not as observers, but as practitioners.

Graduates like Tarquin Bick, who joined Slipstream Cyber as a Cyber Defence Analyst, progressed through to Team Leader and is now Penetration Tester, are proof that the grassroots pipeline works when industry commits to it.

The skills shortage won’t be solved by universities alone. It requires employers, large and small, to take a more active role in building security literacy across their organisations.

That will mean investing in practical training pathways. It will mean creating space for people to make mistakes safely and learn quickly. We ought to look beyond the traditional talent pool to regional candidates, to vocational pathways, to people who have the instincts for security but haven’t yet had the opportunity to develop them.

This reflects a broader shift across the market – a growing recognition that operational readiness, not just tooling, defines cyber resilience.

Our cyber unpreparedness is a talent problem, not a technology problem. Unlike the threat landscape, the talent pipeline is something we can control.

The question is whether Australian organisations are willing to act now – or wait until the next incident forces the issue.