Is Australia's Cybersecurity Focus in the Right Place? Talent Shortages and Regulatory Pressures with Andrew Horton

Andrew Horton, CTO of ThreatCanary, analyzes Australia's cyber growth, compliance-driven priorities, and the talent shortage impacting national security

What if our relentless focus on compliance checklists is creating a dangerous illusion of security, leaving us vulnerable to the very threats evolving just beyond their scope? This tension between regulatory frameworks and emerging technological risks is at the heart of modern cybersecurity.

To explore this, we sat down with Andrew Horton, CTO and co-founder of ThreatCanary, an autonomous AI platform hunting for zero-day vulnerabilities in APIs. A full-stack leader who applies design-thinking to complex security problems, Andrew provides a candid look at Australia’s cyber growth drivers, the sectors investing under duress, and the critical skills gap facing the industry.

Interview with Andrew Horton

How fast is the cybersecurity industry growing in Australia, and what is driving this growth?

Public measurement of Australia’s cybersecurity sector is imperfect, because most official data aggregates cyber roles into broader ICT categories. For example, Jobs and Skills Australia projects employment growth of around 14% between May 2024 and May 2029 for a broader ICT occupational group that combines cyber with other roles like database administrators, compared with a national average of approximately 6.6%.

While this figure includes many non-cyber roles and is therefore not a precise measure of cybersecurity growth, it does provide a reasonable indication that cyber-related employment is expanding faster than much of the wider economy.

Growth is being driven less by discretionary innovation spend and more by structural pressures: regulatory requirements, rising breach costs, insurance expectations, and mandatory security obligations in regulated and critical sectors.

What types of cyber threats are Australian businesses most concerned about today?

At an executive level, concerns tend to focus on data breaches, ransomware, and increasingly AI-enabled cyber risks. However, in practice, most organisational action is driven by compliance and regulatory frameworks rather than direct threat modelling.

Frameworks such as the Australian Essential Eight, ISO/IEC 27001, and SOC 2 strongly influence security priorities. These frameworks provide broadly effective baseline controls that address many high-impact threats, but they do not fully mitigate emerging risks such as sophisticated AI-assisted attacks or complex supply-chain compromises.

Which sectors in Australia are investing the most in cybersecurity solutions?

The largest and most consistent investors are banking and financial services, followed by sectors designated as critical infrastructure under the Security of Critical Infrastructure Act 2018.

These sectors — including energy, telecommunications, healthcare, transport, and water — are legally required to meet higher standards of security assurance, resilience, and reporting, which drives sustained cybersecurity investment.

How are government regulations and policies influencing cybersecurity adoption in Australia?

Government policy is a major driver of cybersecurity adoption. The Australian Cyber Security Strategy 2023–2030 and its associated Action Plan introduce a set of national “shields,” several of which impose new or expanded obligations on critical infrastructure operators.

There is also growing recognition of cyber risk as a geopolitical and national security issue, particularly where cyber operations intersect with information warfare. This aligns with findings in the World Economic Forum Global Risks Report, which ranks cyber espionage and warfare among the top short-term global risks, while misinformation and disinformation are projected to become the leading global risk in the near term.

This context suggests significant scope for further Australian government investment in sovereign cyber capability.

What are the biggest challenges cybersecurity companies face in the Australian market?

Australia’s relatively small domestic market — approximately 27 million people compared with around 340 million in the United States — limits scale opportunities for local cybersecurity firms.

In addition, venture capital is less readily available than in larger markets, particularly for deep-tech and long-horizon cybersecurity ventures. This constrained access to capital has implications for the long-term development of sovereign cybersecurity capability and the health of the local startup ecosystem.

Is there a skills shortage in Australia’s cybersecurity workforce, and how does it impact the industry?

Yes. There is a shortage of genuinely industry-ready talent across both security operations (SecOps) and governance, risk, and compliance (GRC) roles.

Australia has produced a large number of entry-level certifications and postgraduate cybersecurity degrees, but many graduates are not yet equipped to meet entry-level job requirements. This creates a mismatch: high numbers of qualified candidates on paper, but persistent difficulty filling roles that require practical skills. This isn't simply a lack of experience, it indicates a fundamental mismatch between education provider and the needs of industry.

Efforts are underway to address this. For example, the Australian Computer Society is working toward greater professionalisation of the cybersecurity workforce. However, many experienced practitioners have expressed reservations about whether the ACS professionalisation initiative will materially close the skills-readiness gap or simply become an annual cost of doing business for professionals.