Introduction: A Digital House Built Without Enough Builders
Every six minutes, a cybercrime complaint is filed somewhere in Australia.
That staggering statistic — drawn from the Australian Signals Directorate’s (ASD) latest annual threat report — is not just a headline. It is the drumbeat behind a crisis that has been quietly building inside the federal government for years: a deep, structural shortage of cybersecurity talent in the Australian Public Service (APS).
Billions of dollars flow into government digitisation every year. New platforms are launched. Cloud migrations are announced. Ambitious ICT roadmaps fill ministerial briefings. But the people needed to actually secure those systems — to defend them against a rapidly evolving threat landscape — are leaving for the private sector, getting stuck in security clearance backlogs, or simply not entering government work at all.
This is the cyber crisis hitting the Australian public service. And it is getting worse.
The Scale of the Problem: What the Data Actually Shows
The Australian Public Service Commission’s State of the Service reports have tracked this crisis with uncomfortable precision since 2023.
The findings are stark:
- A majority of federal agencies have been identified as having a critical skills shortage in the ICT and digital domain.
- Among those agencies, cyber security is the single most dominant shortfall — flagged by approximately four in five affected agencies.
- More than one in two agencies report a critical deficit in artificial intelligence (AI) training and development capability.
- Federal government networks are targeted in roughly one in three of all severe national cyber incidents.
These are not edge-case vulnerabilities. They represent a systemic exposure sitting at the heart of Australia’s national security infrastructure.
Scarlett McDermott, a board member of the Australian Information Security Association (AISA), has been vocal about what these numbers mean in practice. Despite massive budget injections into digital infrastructure, she warns that the human element — the trained professionals who actually implement, monitor, and respond to security threats — is consistently left behind in the planning.
“Although large public digitisation initiatives receive huge budget injections each year, the human element is frequently left behind, leaving agencies vulnerable to cyber threats.” — Scarlett McDermott, AISA Board Member
Why Is the Public Service Losing the Talent War?
1. The Pay Gap Is Real — But It’s Not the Whole Story
The most obvious explanation for the talent drain is salary. Private sector technology companies — particularly in cloud security, financial services, and defence contracting — routinely offer remuneration packages that the APS simply cannot match through standard pay scales.
But McDermott argues that framing the problem purely in financial terms is a mistake. The true competition is more nuanced, and the public service has genuine advantages it consistently fails to deploy.
2. The Security Clearance Bottleneck
One of the most damaging — and least discussed — recruitment failures in government cybersecurity hiring is the clearance process itself.
Standard APS hiring pipelines, complicated by the requirement for NV1 and NV2 security clearances, routinely stretch the recruitment process to three to four months. For a senior cybersecurity professional who has received competing offers from the private sector, that timeline is simply too long.
Top-tier technical candidates abandon the process before it concludes — not because they don’t want the role, but because they cannot afford to wait for a bureaucratic system that was designed for a different era of talent competition.
This structural bottleneck is not just inconvenient. It is actively draining the pipeline of exactly the people the government most needs to hire.
3. The Demographic Crisis: Women Are Being Left Behind
There is a second talent crisis nested inside the first, and it compounds the overall shortage in ways that are rarely addressed directly.
Women make up less than one fifth of Australia’s cybersecurity workforce.
That is not a pipeline problem. It is an industry-wide culture and structure problem that manifests in recruitment, retention, and progression. McDermott points to two specific failure points:
- Mid-career transition barriers: A significant proportion of women who enter technology do so mid-career, transitioning from other professional backgrounds. Yet most government and industry entry programs are designed around early-career STEM pipelines — university graduates, school leavers — and provide little support for professionals pivoting later.
- Retention without inclusion: Diversity hiring targets, where they exist, focus on getting women in the door. Far less attention is paid to whether those women stay, advance, and feel genuinely included in technical teams. Cybersecurity has a documented retention problem, and fixing it requires structural workplace reform, not recruitment targets alone.
“Cyber security has got a real retention issue when it comes to keeping women in the workforce, so we do need to look beyond just diversity, but actually really look at inclusion.” — Scarlett McDermott, AISA Board Member
The Threat Landscape Is Not Waiting
While the APS works through these structural challenges, the adversarial environment is accelerating.
The ASD’s latest threat report documents a threat landscape that has moved decisively beyond opportunistic cybercrime into state-sponsored, persistent, and sophisticated attacks:
- Cybercrime complaints are now being filed in Australia at a rate of one every six minutes — a figure that represents both growing criminal infrastructure and improved reporting.
- Denial-of-service attacks surged multiple times over in recent years, with government infrastructure among the primary targets.
- Severe cyber incidents requiring ASD response have risen by double-digit percentages year-on-year.
- Federal government networks are caught in the crossfire of approximately one in three of all nationally significant cyber incidents.
The organisations responsible for defending these systems — the Australian Cyber Security Centre (ACSC), the ASD, individual agency ICT security teams — are doing so with workforces that are already stretched thin and struggling to fill critical vacancies.
What Needs to Change: A Framework for Solutions
Solution 1: Reframe the Public Service Value Proposition
McDermott’s core argument is that the public service is losing the talent war partly because it is fighting on the wrong ground. Rather than trying to match private sector salaries — a battle it cannot win at scale — the APS should be aggressively promoting the genuine advantages it offers:
- Generous leave entitlements that private tech sector roles rarely match
- Stable defined-benefit superannuation that provides long-term financial security
- Genuine work-life balance compared to the intense, always-on culture of major tech companies
- Work of national significance — the opportunity to defend critical infrastructure, protect citizens, and contribute to genuine national security outcomes
For the right candidates, these are not consolation prizes. They are decisive advantages. The challenge is that government recruitment has consistently failed to communicate them effectively in competitive labour market conditions.
Solution 2: “Shift Left” on Cybersecurity Capability
One of the most actionable structural reforms proposed is a concept borrowed from software development methodology: shifting left on cybersecurity.
In a traditional model, cybersecurity expertise is concentrated in specialist roles — dedicated security teams that sit apart from general ICT functions, development teams, and operational areas. This creates fragility. When those specialists resign, take extended leave, or are simply too few in number, capability gaps open up across the organisation.
The “shift left” approach redistributes baseline cybersecurity capability across the organisation. Rather than treating security as the exclusive domain of specialists, it means:
- Training existing developers and data analysts to embed security thinking and protocols into their daily workflows
- Upskilling non-technical generalist staff to recognise social engineering, phishing attempts, and basic threat indicators
- Building cyber hygiene culture across agencies, not just cyber expertise in siloed teams
This doesn’t replace specialist expertise — it builds a resilient foundation under it, reducing the blast radius when specialist gaps open.
Solution 3: Diversify the Definition of a “Cyber Professional”
Perhaps the most important mindset shift comes from Stephanie Crowe, head of the Australian Cyber Security Centre.
Crowe’s message is that modern cybersecurity is not, and should not be, exclusively a technical discipline. The ACSC and the ASD need professionals who can:
- Communicate risk to executives in commercial and strategic terms
- Manage stakeholder relationships across complex government environments
- Engage publicly and clearly on cyber threat narratives
- Train and educate non-technical staff across agencies
Deep technical coders are essential. But an organisation composed entirely of deep technical coders will be structurally exposed the moment it needs to brief a minister, manage a public incident, or explain the ROI of a security investment to a budget committee.
Crowe’s own career is a living example of this principle. She entered the ASD graduate program with a bachelor of Asian studies — not a computer science degree — and built her technical literacy entirely through institutional training and hands-on learning. She now leads one of Australia’s most significant cyber institutions.
“Don’t be afraid of the tech, and never be afraid to ask questions. You will find that technical people are more than happy to tell you the intricacies of what they do.” — Stephanie Crowe, Head of the Australian Cyber Security Centre
This matters enormously for recruitment strategy. Limiting cyber hiring to candidates with deep prior technical credentials excludes a vast pool of talented professionals who have complementary skills, genuine motivation, and the capacity to develop technical fluency on the job.
Solution 4: Fix the Clearance Bottleneck
The three-to-four-month security clearance timeline is a structural problem that requires a structural solution. Options that have been discussed in policy circles include:
- Pre-cleared talent pools: Building registries of pre-vetted professionals who can be matched to roles faster
- Provisional clearance pathways: Allowing candidates to begin in non-classified roles while clearance is processed
- Process reform at AGSVA: Examining the administrative steps in the clearance pipeline for opportunities to accelerate without compromising integrity
- Cross-agency coordination: Enabling clearance portability so professionals moving between agencies don’t restart the clock
None of these are simple. The security clearance system exists for real reasons. But the current timeline is a demonstrated recruitment barrier, and addressing it should be treated as a national security priority in its own right.
The Bigger Picture: This Is a National Security Issue
It is tempting to frame the APS cybersecurity skills shortage as a workforce management challenge — a human resources problem with HR solutions.
That framing is dangerously inadequate.
Federal government networks are not just administrative infrastructure. They carry data on national defence posture, citizen welfare systems, critical infrastructure dependencies, intelligence assessments, and economic policy deliberations. A successful intrusion into poorly defended agency systems is not an embarrassment. It is a national security event.
The ASD’s threat reporting makes clear that Australia’s adversaries — state-sponsored actors, sophisticated criminal organisations, and opportunistic attackers — are not waiting for the APS to solve its hiring challenges. They are probing, testing, and exploiting gaps right now, every six minutes, around the clock.
The talent crisis is not a background condition. It is an active vulnerability.
Key Takeaways
| Challenge | Root Cause | Proposed Solution |
|---|---|---|
| Talent drain to private sector | Salary gap and poor positioning | Promote non-financial APS advantages |
| Recruitment pipeline failure | 3–4 month clearance timeline | Clearance reform and pre-cleared pools |
| Women underrepresented (< 20%) | Culture, retention, and entry path gaps | Mid-career pathways + inclusion focus |
| AI/emerging tech capability gap | Insufficient training investment | Structured upskilling and “shift left” |
| Over-reliance on pure technologists | Narrow hiring definitions | Diversify cyber role archetypes |
Conclusion: The Battle Is for People, Not Just Infrastructure
Australia is spending heavily to digitise its government. It is not spending wisely enough — or thinking creatively enough — about the people required to make that digitisation secure.
The cyber crisis hitting the Australian public service is not primarily a technology problem. It is a people problem: too few of them, in too narrow a range of backgrounds, arriving through processes that are too slow, and leaving for environments where they feel better valued.
The solutions are known. The advocates are vocal. What is needed now is urgency — the kind of urgency that matches the threat environment these professionals are being asked to defend against.
Every six minutes, the clock resets.
This article draws on reporting by Ray Athwal for The Canberra Times (June 2026), insights from AISA board member Scarlett McDermott, and Australian Cyber Security Centre head Stephanie Crowe.