The Consolidation and Quiet Crisis in Australian Cybersecurity with Adam Selwood

Adam Selwood argues Australia's cybersecurity growth is uneven, leaving SMBs exposed. He critiques market consolidation, regulatory gaps, and the struggle for local innovation

The Australian cybersecurity industry, while consolidating around large enterprises, is paradoxically leaving the nation's critical SMB sector dangerously exposed and stifling the local innovation needed to protect it.

Our conversation today pivots on this critical tension within Australian cybersecurity. While headlines points industry growth, Adam Selwood, Managing Director and CTO at Cynch Security, and a leader in the SMB and supplier assurance space, observes a period of consolidation that masks a deeper vulnerability.

He argues the market is heavily serviced towards the top end of town, creating a vacuum of tailored, affordable advice for the 95% of businesses that are small-to-medium sized. From this frontline perspective, Selwood dissects the regulatory landscape, the challenges of market noise, and the systemic hurdles preventing local startups from flourishing, presenting a compelling, contrarian view of the sector's true health

Interview with Adam Selwood

How is the cybersecurity industry growing in Australia, and which sectors are driving this growth?

From where we sit in the SMB and supplier assurance space, it doesn’t seem like there's much growth right now. We seem to be going through a period of consolidation.

The industry is heavily services oriented, largely geared around selling to larger enterprise and government organisations. Quite a bit of regulation is starting to flow through to mid-sized companies which is leading to early signs of growth emerging among suppliers to larger organisations, particularly those in critical infrastructure. The SMB sector remains relatively immature, though MSPs are increasingly seeing cybersecurity as an opportunity to grow their revenue, which will hopefully bring much needed cyber fitness to 95% of Aussie businesses.

What are the biggest challenges Australian companies face in protecting against cyber threats today?

I’d argue the largest threat today is simply noise. We’re constantly bombarded with simple recommendations like enabling MFA and installing updates, making it feel like we’re on top of things. Meanwhile, some of our largest companies hit the headlines with an incident most weeks, suggesting no one is safe.

Access to appropriate advice, tailored to the circumstances of a given business, is tough at the best of times. With a cybersecurity industry largely geared towards advising the top end of town, and a price point to match, most businesses are simply priced out of being in a position to understand what they can do, let alone actually do it.

How effective are Australia’s current cybersecurity regulations in supporting businesses and protecting consumers?

Our regulations are well considered and appropriate, but adoption and enforcement is patchy. This is largely due to the complexity of the landscape and a growing focus towards compliance box ticking. Carve outs for smaller businesses leave them largely vulnerable to the protections regulations are designed around, with little incentive outside of an actual attack to motivate action.

The insatiable appetite to “adopt AI” rolling through the economy has businesses running well ahead of regulation at the moment, increasing risk at an alarming rate. Governance and risk management are clearly in the back seat at the moment while everyone tries to keep up with the Jones’. As consumers we’re going to have a lot more cyber attack induced bad days before things get better. Regulation isn’t necessarily the right answer to this, but we should be looking for ways of incentivising businesses to act responsibly.

What role does government funding play in developing the local cybersecurity ecosystem?

Government funding is foundational to a thriving local cybersecurity ecosystem, however it’s largely stuck behind procurement processes oriented to buying from larger, increasingly multi-national players. Cynch could not exist if we tried to start today as government funding and support for the local cybersecurity ecosystem is next to non-existent. With little or no direct grant funding outside of the R&D Tax Incentive, local companies are forced to either chase increasingly few enterprises open to innovative solutions or head offshore to survive. While there are still plenty of us trying to make things happen, we’re all struggling to compete against massively resourced multi-nationals and lobbyists for government programs with little change on the horizon.

How are startups and small businesses contributing to innovation in Australia’s cybersecurity landscape?

There’s massive, largely untapped potential to grow the startup and small business ecosystem in Australia. Outside of academia, all of the innovation in the Australian cybersecurity landscape comes from startups and small businesses. Our larger organisations are great at technology adoption, but I struggle to think of any that are actively contributing to cyber innovation. Sadly, there is currently little by way of incentive for starting a cybersecurity business in Australia today as the appetite to innovate has taken a back seat to driving down cost and consolidating around larger, imported vendors.

What skills or workforce gaps are currently limiting the growth of the cybersecurity sector in Australia?

The Australian cybersecurity sector is heavily services oriented. As a result there aren’t many out there with experience building and running cybersecurity product companies. Up-skilling experienced cyber operators with product engineering skills would be a massive unlock for the sector.

We have plenty of eager grads out there looking for experience, but few organisations in a position to give them a chance to learn and grow. Programs like AWSN’s Summer of Cyber initiative, funded by the Victorian Government, are showing how connecting young grads with industry mentors and small businesses in need could be a win-win-win for everyone.