IT Brief Australia - Technology news for CIOs & IT decision-makers
Australia
CyberPath study says barriers block cyber job entry

CyberPath study says barriers block cyber job entry

Tue, 14th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

New research from CyberPath has found that costly certifications, unclear career pathways and experience requirements are blocking Australians from entering cybersecurity jobs. The study drew on input from more than 300 people across Australia's cyber security ecosystem.

The findings come from the CyberPath Professionalisation Pilot, which examined how people move into and through cyber security work. Researchers identified a mismatch between rising demand for cybersecurity workers and the structure of entry routes into the profession.

Participants identified three recurring problems: entry-level vacancies often asked for two or three years' experience, role definitions were hard to interpret, and certifications cost between AUD $3,000 and AUD $4,000 without any clear guarantee of employment.

Those barriers are affecting aspiring professionals, career changers and people coming through non-traditional learning routes. The research also found that uncertainty about how skills fit into the labour market is slowing movement into a field that includes a wide range of technical and non-technical roles.

According to the research, cybersecurity now covers more than 60 job types. Yet there is no simple national structure that explains what those jobs involve, what skills they require, or how workers can progress from one role to another.

That lack of consistency also creates problems for employers, who may struggle to assess applicants on a common basis, and for educators trying to align courses with workplace needs. A shared framework for occupations and skills could help reduce uncertainty on both sides of the market.

For people trying to enter the field, the barriers described in the study are both practical and financial.

"I have 10 years' experience in project coordination within risk management in banking, and I'm now trying to build my technical capabilities in cybersecurity. The hard part is connecting that experience to specific roles. When you search for cybersecurity jobs online, you often see highly technical roles, but for someone from a management and governance background, it can be hard to know where you fit. Clearer guidance, structured programs, and mentors from the cybersecurity field would make a big difference," said Kelly Nguyen, Master of Commerce student at UNSW specialising in AI and cybersecurity.

Another student described the challenge of meeting experience thresholds while trying to enter the sector.

"One of the biggest obstacles I'm facing is the experience required to land a cybersecurity role. A lot of organisations ask for two or three years' experience, even for entry-level roles. Cybersecurity is also a vast industry, with different roles requiring different certifications, and those certifications can be costly. I'm currently working in IT helpdesk to build the experience needed for an entry-level cyber security role. It's a long journey," said Amrit Thapa, Bachelor of Cybersecurity student at UTS.

Role confusion

The report suggests these concerns are not isolated. It found broad support for a more practical approach to recognising professional readiness, with greater weight given to skills and demonstrated ability rather than fragmented credentials alone.

That would require clearer definitions of cybersecurity roles and stronger links between education providers and employers. It would also mean creating more accessible entry paths for people with experience in adjacent fields such as IT support, governance, risk management and operations.

Industry figures involved in the broader debate said current hiring habits risk excluding people who could help fill workforce gaps.

"We would never build a hospital, declare a health crisis, and then require every nurse applicant to have already worked in one. Yet that is precisely what we are doing with cyber security. The threat is not waiting for us to sort out our credentialling philosophy," said Maryam Shoraka, Cybersecurity Leader and Australian CISO Advisory Board member.

The research also underlined how quickly cybersecurity work is evolving. As threats, systems and tools change, employers increasingly need workers who can learn and adapt rather than simply present a fixed list of certificates.

Dean Wunder, Lead Developer at finao, argued that the profession depends on shared learning.

"Cyber security requires continuous learning, and collaboration is critical. No individual can keep pace with every emerging threat, technology, or security tool. Organisations and professionals must share lessons learned, effective practices, and practical experience to accelerate collective capability and improve security outcomes," said Wunder.

Next phase

The findings have informed a CyberPath Occupations Framework Discussion Paper, which proposes a national map of cybersecurity jobs and a common language for describing work in the field. Consultation on that framework has been completed.

CyberPath is now developing a capabilities framework intended to define the skills, knowledge and behaviours required across cybersecurity roles. The aim is to give employers a more consistent basis for assessment while helping students, workers and career changers understand what they need to build for a move into the sector.

The study's central conclusion is that Australia's cyber workforce challenge is not only about supply, but also about how the profession defines entry, recognises transferable experience and signals opportunity to new entrants. Certification costs of AUD $3,000 to $4,000 and entry-level vacancies requiring three years' experience were identified as key pain points.