Every six minutes, a cybercrime complaint is filed somewhere in Australia.<\/p>\n\n\n\n
That staggering statistic \u2014 drawn from the Australian Signals Directorate’s (ASD) latest annual threat report \u2014 is not just a headline. It is the drumbeat behind a crisis that has been quietly building inside the federal government for years: a deep, structural shortage of cybersecurity talent in the Australian Public Service (APS).<\/p>\n\n\n\n
Billions of dollars flow into government digitisation every year. New platforms are launched. Cloud migrations are announced. Ambitious ICT roadmaps fill ministerial briefings. But the people needed to actually secure those systems \u2014 to defend them against a rapidly evolving threat landscape \u2014 are leaving for the private sector, getting stuck in security clearance backlogs, or simply not entering government work at all.<\/p>\n\n\n\n
This is the cyber crisis hitting the Australian public service. And it is getting worse.<\/p>\n\n\n\n
The Australian Public Service Commission’s State of the Service<\/em> reports have tracked this crisis with uncomfortable precision since 2023.<\/p>\n\n\n\n The findings are stark:<\/strong><\/p>\n\n\n\n These are not edge-case vulnerabilities. They represent a systemic exposure sitting at the heart of Australia’s national security infrastructure.<\/p>\n\n\n\n Scarlett McDermott, a board member of the Australian Information Security Association (AISA), has been vocal about what these numbers mean in practice. Despite massive budget injections into digital infrastructure, she warns that the human element \u2014 the trained professionals who actually implement, monitor, and respond to security threats \u2014 is consistently left behind in the planning.<\/p>\n\n\n\n “Although large public digitisation initiatives receive huge budget injections each year, the human element is frequently left behind, leaving agencies vulnerable to cyber threats.” \u2014 Scarlett McDermott, AISA Board Member<\/p>\n<\/blockquote>\n\n\n\n The most obvious explanation for the talent drain is salary. Private sector technology companies \u2014 particularly in cloud security, financial services, and defence contracting \u2014 routinely offer remuneration packages that the APS simply cannot match through standard pay scales.<\/p>\n\n\n\n But McDermott argues that framing the problem purely in financial terms is a mistake. The true competition is more nuanced, and the public service has genuine advantages it consistently fails to deploy.<\/p>\n\n\n\n One of the most damaging \u2014 and least discussed \u2014 recruitment failures in government cybersecurity hiring is the clearance process itself.<\/p>\n\n\n\n Standard APS hiring pipelines, complicated by the requirement for NV1 and NV2 security clearances<\/strong>, routinely stretch the recruitment process to three to four months<\/strong>. For a senior cybersecurity professional who has received competing offers from the private sector, that timeline is simply too long.<\/p>\n\n\n\n Top-tier technical candidates abandon the process before it concludes \u2014 not because they don’t want the role, but because they cannot afford to wait for a bureaucratic system that was designed for a different era of talent competition.<\/p>\n\n\n\n This structural bottleneck is not just inconvenient. It is actively draining the pipeline of exactly the people the government most needs to hire.<\/p>\n\n\n\n There is a second talent crisis nested inside the first, and it compounds the overall shortage in ways that are rarely addressed directly.<\/p>\n\n\n\n Women make up less than one fifth of Australia’s cybersecurity workforce.<\/strong><\/p>\n\n\n\n That is not a pipeline problem. It is an industry-wide culture and structure problem that manifests in recruitment, retention, and progression. McDermott points to two specific failure points:<\/p>\n\n\n\n Mid-career transition barriers:<\/strong> A significant proportion of women who enter technology do so mid-career, transitioning from other professional backgrounds. Yet most government and industry entry programs are designed around early-career STEM pipelines \u2014 university graduates, school leavers \u2014 and provide little support for professionals pivoting later.<\/p>\n\n\n\n Retention without inclusion:<\/strong> Diversity hiring targets, where they exist, focus on getting women into the door. Far less attention is paid to whether those women stay, advance, and feel genuinely included in technical teams. Cybersecurity has a documented retention problem, and fixing it requires structural workplace reform, not recruitment targets alone.<\/p>\n\n\n\n “Cyber security has got a real retention issue when it comes to keeping women in the workforce, so we do need to look beyond just diversity, but actually really look at inclusion.” \u2014 Scarlett McDermott, AISA Board Member<\/p>\n<\/blockquote>\n\n\n\n While the APS works through these structural challenges, the adversarial environment is accelerating.<\/p>\n\n\n\n The ASD’s latest threat report documents a threat landscape that has moved decisively beyond opportunistic cybercrime into state-sponsored, persistent, and sophisticated attacks:<\/p>\n\n\n\n The organisations responsible for defending these systems \u2014 the Australian Cyber Security Centre (ACSC), the ASD, individual agency ICT security teams \u2014 are doing so with workforces that are already stretched thin and struggling to fill critical vacancies.<\/p>\n\n\n\n McDermott’s core argument is that the public service is losing the talent war partly because it is fighting on the wrong ground. Rather than trying to match private sector salaries \u2014 a battle it cannot win at scale \u2014 the APS should be aggressively promoting the genuine advantages it offers:<\/p>\n\n\n\n For the right candidates, these are not consolation prizes. They are decisive advantages. The challenge is that government recruitment has consistently failed to communicate them effectively in competitive labour market conditions.<\/p>\n\n\n\n One of the most actionable structural reforms proposed is a concept borrowed from software development methodology: shifting left<\/strong> on cybersecurity.<\/p>\n\n\n\n In a traditional model, cybersecurity expertise is concentrated in specialist roles \u2014 dedicated security teams that sit apart from general ICT functions, development teams, and operational areas. This creates fragility. When those specialists leave, depart on extended leave, or are simply insufficient in number, entire capability gaps emerge.<\/p>\n\n\n\n The “shift left” approach redistributes baseline cybersecurity capability across the organisation. Rather than treating security as the exclusive domain of specialists, it means:<\/p>\n\n\n\n This doesn’t replace specialist expertise \u2014 it builds a resilient foundation under it, reducing the blast radius when specialist gaps open.<\/p>\n\n\n\n Perhaps the most important mindset shift comes from Stephanie Crowe, head of the Australian Cyber Security Centre.<\/p>\n\n\n\n Crowe’s message is that modern cybersecurity is not, and should not be, exclusively a technical discipline. The ACSC and the ASD need professionals who can:<\/p>\n\n\n\n Deep technical coders are essential. But an organisation composed entirely of deep technical coders will be structurally exposed the moment it needs to brief a minister, manage a public incident, or explain the ROI of a security investment to a budget committee.<\/p>\n\n\n\n Crowe’s own career is a living example of this principle. She entered the ASD graduate program with a bachelor of Asian studies<\/strong> \u2014 not a computer science degree \u2014 and built her technical literacy entirely through institutional training and hands-on learning. She now leads one of Australia’s most significant cyber institutions.<\/p>\n\n\n\n “Don’t be afraid of the tech, and never be afraid to ask questions. You will find that technical people are more than happy to tell you the intricacies of what they do.” \u2014 Stephanie Crowe, Head of the Australian Cyber Security Centre<\/p>\n<\/blockquote>\n\n\n\n This matters enormously for recruitment strategy. Limiting cyber hiring to candidates with deep prior technical credentials excludes a vast pool of talented professionals who have complementary skills, genuine motivation, and the capacity to develop technical fluency on the job.<\/p>\n\n\n\n The three-to-four month security clearance timeline is a structural problem that requires a structural solution. Options that have been discussed in policy circles include:<\/p>\n\n\n\n None of these are simple. The security clearance system exists for real reasons. But the current timeline is a demonstrated recruitment barrier, and addressing it should be treated as a national security priority in its own right.<\/p>\n\n\n\n It is tempting to frame the APS cybersecurity skills shortage as a workforce management challenge \u2014 a human resources problem with HR solutions.<\/p>\n\n\n\n That framing is dangerously inadequate.<\/p>\n\n\n\n Federal government networks are not just administrative infrastructure. They carry data on national defence posture, citizen welfare systems, critical infrastructure dependencies, intelligence assessments, and economic policy deliberations. A successful intrusion into poorly defended agency systems is not an embarrassment. It is a national security event.<\/p>\n\n\n\n The ASD’s threat reporting makes clear that Australia’s adversaries \u2014 state-sponsored actors, sophisticated criminal organisations, and opportunistic attackers \u2014 are not waiting for the APS to solve its hiring challenges. They are probing, testing, and exploiting gaps right now, every six minutes, around the clock.<\/p>\n\n\n\n The talent crisis is not a background condition. It is an active vulnerability.<\/p>\n\n\n\n Australia is spending heavily to digitise its government. It is not spending wisely enough \u2014 or thinking creatively enough \u2014 about the people required to make that digitisation secure.<\/p>\n\n\n\n The cyber crisis hitting the Australian public service is not primarily a technology problem. It is a people problem: too few of them, in too narrow a range of backgrounds, arriving through processes that are too slow, and leaving for environments where they feel better valued.<\/p>\n\n\n\n The solutions are known. The advocates are vocal. What is needed now is urgency \u2014 the kind of urgency that matches the threat environment these professionals are being asked to defend against.<\/p>\n\n\n\n Every six minutes, the clock resets.<\/p>\n\n\n\n This article draws on reporting by Ray Athwal for The Canberra Times (June 2026), insights from AISA board member Scarlett McDermott, and Australian Cyber Security Centre head Stephanie Crowe.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Introduction: A Digital House Built Without Enough Builders Every six minutes, a cybercrime complaint is filed somewhere in Australia. That staggering statistic \u2014 drawn from the Australian Signals Directorate’s (ASD) latest annual threat report \u2014 is not just a headline. It is the drumbeat behind a crisis that has been quietly building inside the federal […]<\/p>\n","protected":false},"author":1,"featured_media":1283,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[1036,1038,1035,1034,1037,1039],"class_list":["post-1282","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-acsc-cyber-threat-2026","tag-aps-cyber-security","tag-australia-cybersecurity-skills-shortage","tag-australian-public-service-ict-crisis","tag-government-cyber-workforce","tag-women-in-cybersecurity-australia"],"_links":{"self":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/1282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/comments?post=1282"}],"version-history":[{"count":1,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/1282\/revisions"}],"predecessor-version":[{"id":1284,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/1282\/revisions\/1284"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/media\/1283"}],"wp:attachment":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/media?parent=1282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/categories?post=1282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/tags?post=1282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n\n\n\nWhy Is the Public Service Losing the Talent War?<\/h2>\n\n\n\n
1. The Pay Gap Is Real \u2014 But It’s Not the Whole Story<\/h3>\n\n\n\n
\n\n\n\n2. The Security Clearance Bottleneck<\/h3>\n\n\n\n
\n\n\n\n3. The Demographic Crisis: Women Are Being Left Behind<\/h3>\n\n\n\n
\n
\n\n\n\nThe Threat Landscape Is Not Waiting<\/h2>\n\n\n\n
\n
\n\n\n\nWhat Needs to Change: A Framework for Solutions<\/h2>\n\n\n\n
Solution 1: Reframe the Public Service Value Proposition<\/h3>\n\n\n\n
\n
\n\n\n\nSolution 2: “Shift Left” on Cybersecurity Capability<\/h3>\n\n\n\n
\n
\n\n\n\nSolution 3: Diversify the Definition of a “Cyber Professional”<\/h3>\n\n\n\n
\n
\n
\n\n\n\nSolution 4: Fix the Clearance Bottleneck<\/h3>\n\n\n\n
\n
\n\n\n\nThe Bigger Picture: This Is a National Security Issue<\/h2>\n\n\n\n
\n\n\n\nKey Takeaways<\/h2>\n\n\n\n
Challenge<\/th> Root Cause<\/th> Proposed Solution<\/th><\/tr><\/thead> Talent drain to private sector<\/td> Salary gap and poor positioning<\/td> Promote non-financial APS advantages<\/td><\/tr> Recruitment pipeline failure<\/td> 3\u20134 month clearance timeline<\/td> Clearance reform and pre-cleared pools<\/td><\/tr> Women underrepresented (< 20%)<\/td> Culture, retention, and entry path gaps<\/td> Mid-career pathways + inclusion focus<\/td><\/tr> AI\/emerging tech capability gap<\/td> Insufficient training investment<\/td> Structured upskilling and “shift left”<\/td><\/tr> Over-reliance on pure technologists<\/td> Narrow hiring definitions<\/td> Diversify cyber role archetypes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nConclusion: The Battle Is for People, Not Just Infrastructure<\/h2>\n\n\n\n
\n\n\n\n