The ongoing discussion surrounding a professional recognition scheme for the Australian cyber security industry has sparked a vital debate. While the proposal aims to standardise a complex field, we must carefully consider whether adding individual regulations will truly solve our security challenges or simply create new ones. As we look to build a resilient national workforce, the focus should perhaps shift from individual “tick-box” certifications toward business accountability and practical trust mechanisms.
Bridging the Experience Gap Through Incentives
One of the most pressing issues in Australia is the gap between education and employment. Many graduates finish their studies with theoretical knowledge but lack the practical skills to be “job-ready.” Currently, the burden of training these individuals falls on businesses, many of which are hesitant to invest in interns or juniors who may leave shortly after becoming productive.
If our goal is to grow a skilled workforce, the answer may not lie in more exams, but in better support for the companies that provide the experience. Instead of a mandatory professionalisation scheme, we could consider government-backed incentives, such as tax discounts, lower pay structures similar to apprenticeships in trades, or government co-payment schemes, for businesses that hire and mentor intern cyber staff. This would provide the hands-on experience required for new entrants to become valuable members of the Australian cyber workforce without the deterrent of added red tape.
Defensive Restrictions versus Offensive Agility
In the digital landscape, the “bad actors” operate without any rules. A cyber attacker does not require a license, a degree, or a professional membership to breach a network. They are agile, unburdened by regulation, and constantly evolving.
By contrast, imposing strict individual licensing on the defenders risks “tying our hands behind our backs.” Cyber security is inherently a sub-speciality of Information Technology. If we create a system where a general IT professional is restricted from performing defensive tasks such as applying security patches or configuring software simply because they lack a specific “cyber” license, we reduce our collective ability to respond to threats quickly. Historically, excessive “red tape” has been proven to reduce the number of people entering a profession, which is the last thing Australia needs during a skills shortage.
Redefining Trust: Security Clearances and Ethics
The heart of the professionalisation debate is the question of trust. How do we know a practitioner is both capable and ethical? Rather than creating an entirely new licensing body, we could look to existing, proven frameworks.
Consider a simplified trust or clearance process, perhaps by making security clearances like NV1 (Negative Vetting Level 1) more accessible to the broader IT and cyber workforce. Coupling a formal vetting process with a mandatory acceptance of a professional Code of Ethics would provide a robust “trust mark.” This confirms that an individual is reliable and understands their responsibilities, while leaving technical skills assessment to the market and existing certification bodies.
The Gig-Employee Trap and the Risk of Registries
Focusing on individual licensing risks encouraging a “gig-employee” approach. In this scenario, companies might bypass building internal, high-quality security teams in favour of hiring different casual contractors for specific tasks. This is problematic because a “gig” model often lacks the consistent processes and long-term accountability required for true security.
Furthermore, there is a significant safety concern regarding a national registry of licensed cyber defenders. Such a list could effectively serve as a “target database” for attackers. By providing a centralised directory of the country’s defenders, we might inadvertently make it easier for hostile actors to identify, profile, and attack the very people protecting our infrastructure.
Regulating the Business for Quality Outcomes
In the commercial world, businesses buy cyber services from other businesses. It is the company that defines the methodology, the quality control, and the professional standards of the work delivered. Therefore, if we want to improve the quality of cyber services in Australia, the focus should be on regulating the provider, not just the individual.
A practical solution is to require that any business providing critical services, such as penetration testing or cyber audits, be verified by a sovereign body like CREST Australia. CREST Australia already evaluates the processes and company-wide standards of its members. For individual skills assessment, organisations like the Australian Computer Society (ACS) and CREST Australia already have established pathways that could remain optional, especially for those just entering the workforce.
The Truth Behind Modern Breaches
It is important to acknowledge why businesses continue to be hacked. Often, it is not a lack of licensed individuals, but rather a choice to avoid spending on cyber security or to do the bare minimum for compliance. Some organisations may opt for “cheap,” low-quality cyber services from general IT providers who lack specialised expertise.
Neither of these issues, cost-cutting or the purchase of substandard services, would be solved by the professionalisation of individual workers. Real improvement comes from businesses taking accountability, investing in quality, and partnering with verified firms that prioritise high-standard security processes.
A Path Forward for Australian Cyber Security
In summary, the professionalisation of cyber security, if implemented correctly, could create a sustainable pathway for the future. This might involve a process for interns with lower pay structures, similar to apprenticeships in trades like plumbing, supported by background checks or clearances and a strict Code of Ethics. By collecting only limited details to avoid creating a “honey pot” registry and providing a License ID that can be verified annually by authorised employers, we can create a system of verified experience.
Coupling this with a requirement that businesses only purchase specific cyber services from CREST Australia-verified companies would ensure both individual trust and corporate accountability. However, if done incorrectly, this scheme could simply add unnecessary red tape to an already hamstrung industry, leading to a shortage of available talent and leaving businesses more vulnerable than before.