KB [00:00:10]:
Welcome to KB on the Go. And today, I’m on the go at AusCert’s annual conference in the sunny Gold Coast. I’ll be reporting on the ground here at the Star Casino. AusCert brings together cybersecurity professionals, academics, government representatives, and industry leaders to share knowledge, discuss emerging threats, and promote collaboration in the fight against cybercrime. So for this bonus interview, I have lined up AusCert’s general manager, Ivano Bongiovanni, so please stay tuned. So, Ivano, we’re here in the Gold Coast, the sunny Gold Coast, and you presented earlier today for the AusCert conference. And you mentioned a couple of things at the start of the day that I wanna speak to you more about. So you talk around what does this all mean for us as an industry? And a couple of the points you touched on with the future will encompass a range of professionals, including code and communicators, so coders and communicators, people who manage risk and manage relationships.
KB [00:01:10]:
So you’re sort of looking at one end of the spectrum to the other. So I’m curious. Let’s start there. What if you were to zoom out, what does that sort of mean to you when you look at all these professionals from both sides of the spectrum? Yeah.
Ivano Bongiovanni [00:01:23]:
I think it’s probably the takeaway message there is really to look into developing complementary skill sets with people. I think in cyber, probably, we have been traditionally working quite in isolation, if you want, from that perspective. And the idea is that, obviously, we have developed subject matter expertise and kind of vertical skills from that perspective. But probably moving forward, I believe it would be very, very appropriate to have more complementary skills. So if you’re familiar with the T-shaped professional approach, I think we focused a lot on the vertical trait. We’re probably gonna need to look into within technically capable people also developing other skills such as, as I said, communication, project management, being understanding of businesses, and so on and so forth.
KB [00:02:09]:
So just to build that a little bit more, one thing historically, the industry is always focused on is the techno and the companion. But what I noticed today, the legitimate coders, communicators, and then managing the risk, but then managing the relationships. Are we starting to see the industry move towards, and I hate to say it’s soft skill, that would be more hard skills because, you know, configuring a firewall will probably be inherently easier than configuring a human being that has emotions. So what’s your view from an AusCert perspective on to your earlier point T-shaped professionals? Are you focused now on building that communication piece and the relationships and managing projects rather than, yes, the core technical skills are always gonna be there? What does that then look like from the other side of the point?
Ivano Bongiovanni [00:02:52]:
Yeah. So first thing first, the core technical skills are always gonna be there. And I think I actually strongly believe in the need for having foundational technical skills in professionals because it’s very, very important. And, you know, if you can’t speak the tech or at least have a level of understanding of the tech, it’s very difficult for you to be able to relate to it. What I’m trying to say is we’re probably gonna need to kind of add on top of that a little bit more than what we have traditionally done. And if you think about it, a lot of the help that we can get from technology is around streamlining. And again, I’m thinking AI, but not only AI. It’s really streamlining some of those technical skills and making humans more efficient at performing them.
Ivano Bongiovanni [00:03:35]:
And, obviously, that all of a sudden requires people to have a bit more of a holistic understanding of how cyber security works within a business. So, obviously, we’re not going to start asking analysts to straight ahead report to boards, but having that view, especially for people interested in a career progression, having that broader view, being able to step back from the pure technical aspect and having a broader perspective into understanding the business, I think is going to be more and more necessary. And it doesn’t only apply to your core cyber defense skills. It only applies to more traditional GRC skills. Obviously, GRC professionals tend to be more involved in communication, for example, with clients and with other stakeholders. But still, they’re gonna need to build on top of that and really make sure the communication skills are there. And it’s just really communication. I look at it from also a project management perspective, being able to take an idea from ideation into execution, into measurement, and then decisions that come after the project.
Ivano Bongiovanni [00:04:41]:
I think those that are gonna have these complementary skill sets are gonna have an edge in the industry.
KB [00:04:46]:
So you asked a question on stage which said, how do we train these people appropriately? So how do we do that? And then the reason why I ask you is we’ve been speaking the industry around, you gotta understand the business and you can’t speak jargon. But what does it actually mean? Like, what how do you sort of get it to a point where you can teach people in a course, in a certification? What does that look like in your perspective?
Ivano Bongiovanni [00:05:07]:
I think it’s really about hands on training, possibly. It’s really about getting people firsthand experience, getting them involved in situations in which, you know, they have to communicate, they have to manage stakeholders’ expectations, they have to lead the projects, and really, leaning on that more. I think especially when it comes to communication and, I guess, they call their management. There’s probably just as much could be taught traditionally in terms of someone transferring knowledge to you, you absorbing that knowledge and then applying it. It’s really learning by doing that’s gonna be very fundamental. That’s why I’m a big fan of facilitated workshops in which participants actually get their hands dirty with doing stuff, practicing, experimenting. Probably, we don’t give enough space and time and resources for people to experiment so that, yes, the first time they might not get it right, but, you know, we can create safe failure type of situations where maybe the second time is gonna be better, and so the third time, and the fourth, and so on and so forth.
KB [00:06:10]:
So if you were to generalize majority of cybersecurity professionals today, would you say a lot of them are missing a little bit communication skills and leading and probing?
Ivano Bongiovanni [00:06:19]:
It’s not just cybersecurity professionals. I think it’s a mixed bag across different industry and roles. Obviously, there’s some people that tend to lean more on the technical expertise, which is, as I said before, still absolutely fundamental and important to have. I think it’s more complementing those skill sets with a broader spectrum of capabilities and skills. And, obviously, I think that is also quite natural with the cybersecurity professional industry evolving in its maturity. It’s gone from, really having specialized super specific skills into also requiring people to do more. And, obviously, if we don’t equip them, the capabilities and the skills necessary for them to do more, we can’t really ask them to do so.
KB [00:07:04]:
And so then what about the stigma in the industry? What I mean by that question would be, as you know, there’s always you all you are not technical, so therefore you are important. Will that start to dissipate when you say, now that what you’ve spoken about and where all sorts of reading towards end industry, will that whole, you know, technical enough, not be a scene moving forward?
Ivano Bongiovanni [00:07:23]:
Think? Well, I would probably say that we have already moved away from this idea that if you’re not technical, there’s a stigma put on you, and you actually cannot talk to people. I think the cybersecurity profession has gone a long way in that space also because we’ve seen more and more people with different backgrounds join cybersecurity ranks. Right? I’m thinking of people with a legal background. I’m thinking of, like myself, people with a risk management background. I’m thinking of people that, you know, maybe have a psychology background. It’s a collaborative effort. So we need everybody to be able to contribute a level of subject matter expertise. And again, in my opinion, we need most people to be able to have those complementary skillsets into the game.
Ivano Bongiovanni [00:08:01]:
When you put all of that together with a very well glued mechanism, obviously you get better results.
KB [00:08:08]:
So the other point I wanna speak to you about today, Ivano, would be the whole professionalization. I’ve seen people on LinkedIn having very vicious arguments around it. The for, the against, the arguing. Help me make sense of it.
Ivano Bongiovanni [00:08:23]:
It’s a heated topic. It’s a very dated topic. Look. Personally, I see pros and cons with both camps. It is a very difficult subject, if I can say, because, obviously, there’s a mixed battle of opinions in that space. So I think the important thing to me is to have a conversation, not being afraid of speaking to people that we know think differently from us, that have a different perception, and really kind of have that open discussion and interaction where we can make sense of what, as I said, it’s a very complex topic together. And, obviously, you know, there’s gonna be probably moments where it feels like we’re leading toward a more structured professionalization approach. But then, you know, technology gets in the way, so maybe we’re working towards giving a structure to something that by definition in the future is not gonna be a structure because we’re gonna have new roles that maybe sit outside the professionalization stream.
Ivano Bongiovanni [00:09:16]:
I think it has to be an ongoing conversation.
KB [00:09:19]:
Why would you say it’s so heated?
Ivano Bongiovanni [00:09:22]:
There’s different camps. There’s probably, you know, basically two camps. It’s quite a polarizing topic. Some people are all for the professionalization scheme and think that must be done. Other people think that that’s not a good idea. And, obviously, when it comes to professions and the nature itself of a profession, especially for some people, that kinda really touches upon what they’ve been doing for most of their life. So I think naturally, it’s a topic that is particularly prone to having these heated conversations.
KB [00:09:51]:
So you mentioned the four. There are pros in both camps. So walk me through camp one, camp two, or however you wanna
Ivano Bongiovanni [00:09:57]:
Yeah. Look, the proponents of the professionalization scheme believe that it’s important to have structured cybersecurity professionals for people that have gone through a specific set of education and milestones because that prevents them having people that maybe have not had that background baseline education or experience propose themselves as cybersecurity experts or professionals. Okay? On the other end of the spectrum, that’s people that are actually against the professionalization scheme because they believe that, you know, basically, market regulates itself. Cybersecurity, they say, is not really a professional like, for example, a legal profession or medical profession where there is a structured set of milestones that gets you to be certified or non certified. Those are very different camps, very different positions. And, obviously, when those two positions talk to each other, that really makes it ongoing conversation.
KB [00:10:52]:
What’s your position?
Ivano Bongiovanni [00:10:53]:
I don’t really have a set opinion on this. As I said before, I see pros and cons of both. I’m just keen on, you know, people having an open debate and a little bit conversation about it.
KB [00:11:03]:
So going back to, obviously, people that are very focused on having a structured set of skill sets. Again, I see both sides and my role is always being neutral in these conversations. But if I look at that a little bit more, who is anyone to say you don’t deserve to be here because you don’t have the twenty years of experience? Everyone starts somewhere.
Ivano Bongiovanni [00:11:20]:
That’s probably the argument that the people that are opposing professionalization are putting forward. Right? So what is the ultimate authority that should be able to decide who should be in or who should not be in? Whereas the people that are actually proposing the professionalization scheme are saying, well, actually, just as we have those authorities in other professions, we can have that type of authority in cybersecurity as well.
KB [00:11:43]:
But don’t you think because of this polarization, it means that we’re losing sight of the game? The game meaning we’re here to combat cybercrime, and yet we’re arguing about who deserves to be here, who doesn’t deserve to be here.
Ivano Bongiovanni [00:11:55]:
At the end of the day, the professionalization conversation baseline is we’re trying to improve the way in which we protect organizations and individuals and society in general. So I feel in the journey of the cybersecurity profession and industry to be more mature, it’s almost natural that we’re going to hit this type of debate. And I think it’s actually a good a positive thing to have this debate and think about what qualifies a cybersecurity professional. Is it possible to do it or not? So I think it’s part of the process as just as has been in other professions.
KB [00:12:28]:
So I’ve asked this question in previous interviews around, obviously, to be a doctor, you can’t just go out and be a doctor. You gotta get your certification and all of that right. You gotta go to university for a number of years and become qualified. But then I asked you, I said, well, why would we make it even harder? We don’t have enough people as it is. So we’re gonna raise the bar even more when we can’t get enough people and just say, well, sorry, John. You’re gonna work ten years and go to university and do all these other things. How does that sit with you?
Ivano Bongiovanni [00:12:54]:
If I think of the people that are actually proposing the professionalization scheme, their argument is more not so much to reflect on the numbers, but to look at the quality of the people that are going through the cybersecurity ranks. Whereas, yes, it’s actually one of the arguments that people are actually opposing the professionalization scheme. And they’re saying, well, we already have a bit of a lack of professionals in cybersecurity. So if we make it even harder, probably we’re gonna for a matter of numbers, we’re gonna have even more challenges in getting enough professionals in cybersecurity.
KB [00:13:21]:
So given this conundrum, you don’t see this debate being a detractor from battling cybercrime.
Ivano Bongiovanni [00:13:29]:
I think it’s just a matter of how we have that debate. If the debate is adversarial and constantly confrontational and not constructive, then certainly, it is a problem. But if the debate is open, it’s with the willingness to lead to the uplift of cybersecurity as a profession. As I said, I think it’s part of the game, having that debate.
KB [00:13:50]:
So from your experience, how do we get to the point where it is open and that we can hear both sides and doesn’t get savage online and people are getting upset? How do you think we can get to that point as an industry?
Ivano Bongiovanni [00:14:00]:
I think we kind of have to look at the final goal, and I believe that the final goal of everyone is improving the cybersecurity professionals, being more mature as an industry, and do our job better at the end of the day. If we do not lose track of that and if we don’t get bogged down with, you know, personalities and personal opinions and so on, I think we can already start creating good conditions to have an open communication and an open debate.
KB [00:14:25]:
Is there a way that we could potentially, as an industry, meet the middle? And what I mean by that would be, hey. You don’t have to go do a four year degree because there’s no things are changing thing, you know, skills are atrophying because technology is advancing so fast. Is there a point that we can say, hey. You’ve got like a base certification, which is maybe it’s twelve months instead of four years. And that sort of keeps both sides happy or you don’t you don’t think there’s an equal agreement yet?
Ivano Bongiovanni [00:14:48]:
I don’t really I don’t really know if it’s a matter of the length of education. Oftentimes, you know, the situations in which in a very relatively short time, you can actually learn a lot and accumulate a lot of experience and skills. It’s probably, you know, being able to understand how important it is for people to be exposed to a set of different industries and problems and challenges. And again, looking at those high level skills like problem solving. Yes, your technical expertise, absolutely. But also problem solving, communications, as I said before, stakeholder management, those skills that actually cut across the different roles that we have in cybersecurity. If we don’t lose track of that, I think we can actually whole work together to figure out ways, whatever they are, for people to be better at being cybersecurity professionals.
KB [00:15:36]:
And do you envision that we’ll get to the point where people are served a little bit more? Peace with the whole professionalization or no and no? And where do you think it’s gonna take time?
Ivano Bongiovanni [00:15:46]:
It will certainly take time, but I think the fact that it’s taking time and the fact that we are having this debate, I honestly see it as a very positive thing because it means that we’re actually reflecting on what’s good for the industry of all the stakeholders involved in the industry. Obviously, like everything in cybersecurity, it’s a maturity approach. Right? We started somewhere. We’re having these conversations. We’ll probably get to a point where, as I said, we maybe I’m gonna have a professionalization scheme, but that doesn’t mean that there’s not gonna be other professionals in cybersecurity that are gonna be relevant. So it’s a natural I believe it’s a natural evolution of a profession that used to be very, very niche and with a very specific set of skills and has expanded and has increased the number of perspectives and skills that are required.
KB [00:16:33]:
Do you think that also be perhaps the specificity of the roles? If you’re doing a super more technical role, maybe you need more of a structured learning or whatever it may be. You look at the medical profession, you’re a general purpose doctor, your day to day sort of task and what you what you do is fundamentally get rid into a brain surgeon. Right? So do you see that being what you do in that type of role? Maybe you have to have more those sort of credentials?
Ivano Bongiovanni [00:16:56]:
It’s a mix of things. Probably, yes. There’s something associated with how someone in a specific role can learn better, but it’s also a matter of personalities. Those are people that learn more through more traditional delivery of contents, especially when it comes to specific sets of skills or domains or areas of expertise. And there’s other people actually maybe are more on the hands-on training type of thing. So I think we need to look at the broader spectrum of opportunities and also possibly understanding, are we training people? Are we indicating people to use tool as a plug and play type of approach? Or are we training people to develop critical thinking, problem solving, and all of that? That’s why when I hear debates around whether a university degree is better than a certification or is better than, say, for example, hands on training and another circumstances in on the job training, I actually think there’s space for everything. It really depends on the learners. It depends on the role that these people are learning for.
Ivano Bongiovanni [00:17:57]:
It depends on the organization they’re going to work for. And look at, for example, organizational size. There is more organizations tend to have maybe one or two people dedicated to cybersecurity. Those people are gonna need to be able to do a little bit of everything. So that kind of, transversal set of skills, it’s even more important.
KB [00:18:15]:
So what I’m hearing when it was saying is depending on how people learn so I’m probably more of an on the job learner than, you know, as shudiest by the book. Obviously, probably, you, Ivano. So you’re saying that it doesn’t really matter. It’s the type of training whether it’s on the job, or whether it’s more book sort of study or an MLO sort of things. Doesn’t really matter. So you’re looking at more holistically Yep. With the
Ivano Bongiovanni [00:18:38]:
I would say probably complementary set of training experiences is what works best. Right? You can try a little bit of the hands on. You can actually have someone deliver training to you and explain concepts, especially for higher level skills in terms of, I would probably say, strategic skills in terms of problem solving, or communication, or against stakeholder management. I think, a mixed approach is what works best. Again, keeping in mind that different people have different learning styles that they prefer.
KB [00:19:06]:
Because I think even, you know, even when I went to school, there was a specific way this has all been learned. And I think perhaps opportunities were missed, but just using me as an example, I’m not picking on anyone. If it was perhaps different the way that you’re explaining it, perhaps it would have been a different outcome.
Ivano Bongiovanni [00:19:20]:
But, you know, when you look at it, I think, for example, universities have moved away from that traditional, you know, one way of learning type of approach. There’s more of a mixed bag of experiences. That’s why universities are not just teaching in the classroom, but they’re involved with students in capstone projects or in internship and training opportunities with external organizations. We need to kind of really rethink in the way which we do training and look at having the different stakeholders. We can what they contribute can help build these all rounded professionals that I believe we need in cyber security.
KB [00:19:54]:
Any sort of closing comments or final thoughts you mind to leave our audience with today?
Ivano Bongiovanni [00:19:58]:
Probably the final thought is, yes, there’s a lot of conversations. Yes, there’s a lot of debate. Yes, there’s confrontation sometimes. But, again, it’s also a signal of the fact that we are willing to do better in this industry. And I think we kind of move away from this positive message. And I think we need to stick to it and be enthusiastic about what we’re doing because at the end of the day, we’re in a very exciting profession that has a lot of opportunities.
KB [00:20:25]:
And there you have it. This is KB on the go. Stay tuned for more.