SecurityPolicy.com.au
Home/ Australia/ Human Factors/ Closing the cyber skills and capability gap
Australia Human Factors Fundamentals Reviewed 2026-07-12

Closing the cyber skills and capability gap

72,600
people in JSA's combined database, systems administration and ICT security occupation group in February 2026
14.2%
projected employment growth for the combined occupation group from May 2024 to 2029
3 of 5
cyber occupations assessed by JSA as being in national shortage in 2025
10 minutes
duration of the free Cyber Wardens Foundations course
Why this guide exists

Frequency is qualitative rather than search-volume data. It reflects recurring concerns in verified Australian forum discussions, Jobs and Skills Australia labour-market evidence, and the capability problems repeatedly addressed by Australian Government small-business, workforce, training and managed-service-provider guidance. Workforce figures must be read carefully: the 72,600 figure covers a combined occupation group containing database administrators, systems administrators and ICT security specialists, not cyber specialists alone.

Is there really a cyber skills shortage, and does it actually affect a small business like mine?

There is sustained demand for cyber capability, but the evidence is more nuanced than a single national shortage headline. Jobs and Skills Australia assessed three of five specific cyber occupations as being in national shortage in 2025, while two were not. Its headline employment figure also combines cyber specialists with database and systems administrators, so it should not be presented as a pure cyber workforce count. A small business usually feels the gap indirectly: experienced practitioners operate in a comparatively well-paid labour market, many specialists work in larger professional-services, government and regulated organisations, and a small employer may not have enough continuous specialist work to justify a dedicated role. The practical response is to identify the capabilities the business needs—secure administration, monitoring, advice, incident response, staff development and leadership—and source each appropriately rather than searching for one person who can do everything.

How this differs by situation
  • sole trader or microbusiness — Keep a named internal owner, use free guidance and buy specialist assistance for clearly defined tasks or incidents.
  • growing small or medium business — Combine an internal coordinator or IT generalist with external administration, security monitoring, testing or senior advice.
  • capability map — List each required capability, its current owner, backup, evidence and gap before deciding whether a new position is required.
PUT THIS IN YOUR PLAN, EXACTLY

We will plan for the security capabilities we need, not assume that every capability must come from one full-time cyber hire.

We can't afford a full-time security person — what are the realistic options?

A dedicated employee is only one delivery model. A microbusiness can retain an accountable owner, use an MSP for general IT administration, complete free training and keep an incident-support pathway. A growing SME can upskill an existing IT or operations person, use an MSP for routine technology management, engage a security-specialised provider for monitoring or response, and obtain periodic governance help from a fractional security lead. Specialist testing and incident response can be purchased as bounded services rather than permanent positions. An MSP generally manages IT infrastructure or end-user systems. MSSP is a market term usually applied to security-focused managed services, such as monitoring and response, but provider labels and service boundaries vary. Buy a written scope, service level, evidence schedule and responsibility split rather than relying on the acronym.

How this differs by situation
  • microbusiness — Use a named owner, free training, a well-scoped MSP and a documented source of incident assistance.
  • SME with an internal IT generalist — Upskill the generalist and outsource functions requiring continuous coverage, specialist tools or independent judgement.
  • blended capability model — Separate leadership, administration, monitoring, testing and incident response so each can be sourced according to need.
PUT THIS IN YOUR PLAN, EXACTLY

We will buy missing capability by function—support, secure administration, monitoring, incident response and leadership—rather than defaulting to one full-time hire.

Our "IT person" is really the owner / an office manager / an accidental admin — how do we make that safe?

Start by making the role visible. Give the accidental administrator a written and limited set of duties, paid time to perform them, appropriate training and a clear escalation path. Use a separate named administrator account rather than a shared credential, require MFA, provide only the access needed for the task and keep ordinary email and web activity on a non-privileged account. Record critical systems, suppliers, licences, recovery contacts and emergency access arrangements. Require another authorised person to approve high-risk access changes and ensure the business—not only the accidental administrator or provider—can recover key accounts. The person should not be expected to diagnose every threat, approve their own unrestricted access and carry incident responsibility alone.

How this differs by situation
  • owner as administrator — Separate ordinary and privileged accounts and nominate a second person or provider who can assist or recover access.
  • office manager or accidental administrator — Define the duties, protect training time and provide external support for matters outside the person's competence.
  • safe privileged administration — Use named accounts, MFA, least privilege, logging, review, emergency access and documented escalation.
PUT THIS IN YOUR PLAN, EXACTLY

Our accidental administrator will have defined duties, separate privileged access, practical training, backup support and a documented escalation path.

What can we do in-house with free training and upskilling?

A small business can build useful capability without trying to turn every employee into a security specialist. Start with the free ten-minute Cyber Wardens Foundations course, followed by the longer Level 1 course for the owner, internal coordinator and staff who handle money, customer information or administration. Use ASD's privileged-user modules for anyone with elevated access. Run a free Exercise in a Box scenario so staff practise communication, decisions and role clarity rather than only completing awareness content. Give the internal coordinator paid time to apply one lesson at a time and record the result. Formal TAFE or micro-credential study may suit someone moving into a substantial technical role, but check prerequisites, delivery options and current fees. Training should be selected against actual duties and capability gaps rather than accumulated without a plan.

How this differs by situation
  • all staff — Use short practical learning tied to scams, invoices, account security, customer information and reporting.
  • internal coordinator or privileged user — Add ASD privileged-user material, regular implementation time and scenario exercises.
  • developing technical practitioner — Consider structured VET or recognised training where the role genuinely requires deeper networking, security and incident-response skills.
PUT THIS IN YOUR PLAN, EXACTLY

We will give one named person paid time each month to learn, practise and document the security controls they actually own.

How do we choose and manage an MSP/MSSP so we don't just move the risk?

Choose and manage the provider against a written operating model, not its label. List each critical system and control, then state who configures it, who monitors it, who approves changes, what evidence is supplied and who acts during an incident. Ask how privileged access is protected, whether every account is attributable, whether MFA is required, what is logged, which subcontractors are involved, when incidents must be reported, how backups are tested and what support coverage actually applies. Review evidence regularly rather than waiting for an outage. The agreement should also address ownership of domains, tenants, licences, configurations, documentation and credentials; return or deletion of data; transition support; and the process for leaving. Outsourcing can add capability, but the customer still needs to set expectations, approve access, understand boundaries and verify performance.

How this differs by situation
  • provider selection — Assess capability, references, privileged-access controls, incident processes, evidence, subcontractors and support coverage.
  • responsibility matrix — For every critical control, name the provider task, customer task, evidence, review frequency and escalation point.
  • exit readiness — Keep business-controlled access, current documentation, export rights and a defined transition process.
PUT THIS IN YOUR PLAN, EXACTLY

Our provider must show who owns each control, what evidence we receive, how incidents are escalated and how we leave without losing access or knowledge.

What's a "virtual CISO" or fractional security lead, and when is it worth it?

A virtual CISO, or vCISO, and a fractional security lead are market descriptions for senior security leadership supplied part-time or under contract. They are not substitutes for a helpdesk, systems administrator, round-the-clock monitoring service or incident-response team. A useful engagement may translate business risk into a roadmap, clarify responsibilities, review providers, develop policies and incident plans, coordinate assurance and report to owners or directors. It may be worthwhile when customer contracts, sensitive information, regulation, rapid growth, multiple providers or a recent incident create a need for senior judgement but not enough work for a full-time executive. Purchase named outcomes, hours, decision rights, reporting cadence, independence and handover. Check experience relevant to businesses of your size and disclose conflicts where the adviser also sells products or managed services.

How this differs by situation
  • early-stage or low-complexity SME — A standing vCISO title may be unnecessary; buy a bounded risk review, roadmap or incident-planning engagement instead.
  • growing, contract-driven or regulated SME — Periodic senior leadership may help coordinate providers, customer assurance, regulation and risk decisions.
  • fractional engagement — Define deliverables, cadence, authority, conflicts, access, evidence and knowledge transfer.
PUT THIS IN YOUR PLAN, EXACTLY

We will use a fractional security lead only for defined outcomes, with named deliverables, decision rights, conflicts disclosed and a handover plan.

How do we keep capability when we can't match big-company pay or career paths?

Pay matters, particularly in a comparatively well-paid occupation group, but a smaller employer can also compete on role quality. Offer a realistic workload, paid learning time, meaningful ownership, direct access to decision-makers, flexibility, mentoring and a clear path from general IT into deeper security responsibility. Do not permanently assign higher-level work to a lower-paid title or rely on unpaid after-hours support. Retention is also a continuity issue: no employee should be the only person who knows the systems, holds recovery codes or can contact the provider. Pair critical work, maintain current runbooks and access records, cross-train a deputy and keep an external escalation option. This protects the organisation while giving the employee support rather than treating documentation as preparation to replace them.

How this differs by situation
  • employee value proposition — Use fair pay, flexibility, meaningful scope, learning, mentoring and realistic on-call arrangements.
  • career development — Define how capability growth leads to broader responsibility, recognition and remuneration.
  • continuity — Pair critical work, cross-train a deputy and document systems so retention and resilience reinforce each other.
PUT THIS IN YOUR PLAN, EXACTLY

We will retain capability with fair pay, protected learning time, realistic on-call expectations, clear progression and no single person carrying the whole risk.

What minimum capability must stay in-house even if we outsource everything else?

The business must retain enough capability and authority to direct and challenge its providers. At minimum, name an accountable owner and deputy who can identify critical systems and information, set priorities, approve and revoke privileged access, decide what risk the business accepts, authorise incident actions, contact insurers or authorities and approve communications. The business should own, or have independently recoverable control of, its domains, cloud tenants, licences, contracts, key configurations and emergency credentials. Someone inside the business must also be able to review service evidence and ask whether backups restored, alerts were handled and former users were removed. Technical execution can be outsourced; business judgement, access authority, incident authority and provider oversight cannot be left ownerless.

How this differs by situation
  • business authority — Risk acceptance, priorities, expenditure and incident decisions stay with authorised business leaders.
  • access authority — The business approves privileged access and can revoke or recover it without depending on one provider employee.
  • provider oversight — An internal owner reviews evidence, exceptions, incidents, service performance and exit readiness.
PUT THIS IN YOUR PLAN, EXACTLY

We will always keep an internal owner and deputy who can approve access, set priorities, direct an incident and challenge our providers.

Common failure modes — key-person risk, unmanaged MSP, tool sprawl, no documentation, no succession.

These failures often reinforce each other. One capable person accumulates undocumented knowledge; the business purchases additional tools to compensate; alerts, renewals and licences have no clear owner; the provider is assumed to handle everything; and a departure or incident reveals the gaps. Maintain a compact capability register showing each critical system, business owner, deputy, provider, administrator account, evidence, renewal date and recovery method. Require two-deep knowledge for critical processes, business-controlled emergency access, recurring provider reviews, a current tool and licence inventory and documented runbooks. Retire products that have no owner, operating process or measurable purpose. Test the arrangement by running an incident exercise, restoring a backup and walking through the departure of the main administrator or provider.

How this differs by situation
  • key-person risk — Use two-deep ownership, cross-training, emergency access and current runbooks.
  • provider and tool sprawl — Maintain one inventory showing owner, purpose, cost, access, evidence, renewal date and exit path.
  • succession and assurance — Test handover, account recovery, incident roles and backup restoration before they are needed.
PUT THIS IN YOUR PLAN, EXACTLY

No critical system will depend on one person, one provider or one undocumented account; every critical capability will have an owner, deputy and recovery path.

What's my next step?

Common misconceptions

  • “Every cyber occupation is in national shortage.” JSA's 2025 assessment found three of five assessed cyber occupations in national shortage and two not in national shortage. VERIFIED
  • “The 72,600 workforce figure is a count of cyber security specialists.” It covers a combined occupation group that also includes database administrators and systems administrators. VERIFIED
  • “A small business must hire a full-time CISO to manage cyber risk.” Capability can be combined across an internal owner, trained generalist and appropriately scoped external providers. INFERRED
  • “MSP and MSSP always mean the same thing.” MSP has an ASD definition focused on managed IT systems, while MSSP is a variable market term generally associated with security-specialised services; the written scope should be checked. INFERRED
  • “Outsourcing transfers accountability and data risk to the provider.” ASD's shared-responsibility guidance says customers retain responsibilities and the risk associated with their data. VERIFIED
  • “Giving the office manager an administrator password creates security capability.” Privileged duties need defined responsibilities, suitable training, limited access, oversight and an escalation path. INFERRED
  • “Buying more security tools automatically closes the capability gap.” Tools still require ownership, configuration, monitoring, evidence, maintenance and a response process. INFERRED
  • “Useful cyber training must be expensive or take months.” Cyber Wardens offers free training beginning with a ten-minute Foundations course, while ASD provides free exercises and privileged-user material. VERIFIED
  • “A certificate alone proves someone can own the organisation's security.” Qualifications can support development, but the business must still assess role-relevant experience, judgement, evidence and support. INFERRED
  • “A virtual CISO is a standardised or government-licensed service.” vCISO is a market description; buyers should verify the individual, service scope, independence and conflicts. INFERRED
  • “If the provider holds the documentation and credentials, the business does not need its own access or exit plan.” ASD tells customers to understand provider boundaries, keep access records current and retain visibility of provider activity. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
Privacy Act 1988 — APP 11 security of personal information Office of the Australian Information Commissioner The business is an APP entity, including organisations over the general turnover threshold and specified smaller organisations covered regardless of turnover. Ongoing. Take reasonable technical and organisational steps to protect personal information and destroy or de-identify it when it is no longer needed, subject to applicable retention exceptions.
Privacy Act 1988 — Notifiable Data Breaches scheme Office of the Australian Information Commissioner An entity covered by the scheme suspects or has reasonable grounds to believe an eligible data breach has occurred: unauthorised access, disclosure or loss likely to cause serious harm where remedial action has not prevented that harm. Assess a suspected eligible breach expeditiously, generally within 30 days. If it is eligible, notify affected individuals and provide a statement to the OAIC as soon as practicable unless an exception applies.
Cyber Security Act 2024 — ransomware and cyber extortion payment reporting Department of Home Affairs through the Australian Signals Directorate reporting portal A reporting business entity carrying on business in Australia with previous-financial-year turnover of at least $3 million, or a responsible entity for a covered critical infrastructure asset, makes or becomes aware of a ransomware or cyber-extortion payment made on its behalf. Report within 72 hours of making, or becoming aware of, the payment.

Sources

  1. Database and Systems Administrators, and ICT Security Specialists primary
  2. Cyber security skills in demand as labour market evolves primary
  3. Australian Labour Market for Migrants – October 2025 primary
  4. Australian Cyber Security Strategy 2023–2030 primary
  5. Cyber Wardens free online cyber security training primary
  6. Exercise in a Box primary
  7. Privileged User Training primary
  8. ASBFEO cyber security resources primary
  9. Small Business Cyber Resilience Service primary
  10. TAFE NSW Certificate IV in Cyber Security primary
  11. Managed Service Provider glossary primary
  12. Managed service providers primary
  13. How to manage your security when engaging a managed service provider primary
  14. Questions to ask managed service providers primary
  15. Cloud shared responsibility model: Guidance for individuals and small and medium businesses primary
  16. Cyber security for business leaders primary
  17. Cyber security priorities for boards of directors 2025–26 primary
  18. APP 11 security of personal information primary
  19. Quick reference guide for responding to data breaches primary
  20. Ransomware payment and cyber extortion payment reporting primary
  21. Whirlpool discussion: Where are Cybersecurity full-time roles? forum
  22. Whirlpool discussion: Difficulty recruiting IT support? forum
  23. Whirlpool discussion: Informal technical role and concentrated knowledge forum
  24. Whirlpool discussion: Analysis paralysis — which IT certification? forum
  25. Whirlpool discussion: Outsourced support agreement and prolonged outage forum
  26. Reddit r/cybersecurity discussion: Australian vCISO consultancy forum
  27. Whirlpool discussion: Privileged access requested by an IT auditor forum
  28. Reddit r/auscorp discussion: Licences and knowledge after a sysadmin departure forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.