MCSI #031 - Will Professionalization Fix Cybersecurity or Break It?
There is a growing trend in cybersecurity toward professionalization—a push to establish formal standards, certifications, and accreditation frameworks similar to those in law and medicine. Advocates argue that this would improve competency, accountability, and trust within the industry.
The 2023-2030 Australian Cyber Security Strategy includes a recommendation to professionalize the industry, with an active $1.9M grant to design, test, and promote a national, self-sustaining cybersecurity professionalization scheme.
Following the publication of this grant, 40 senior cybersecurity leaders shared their points of view on LinkedIn. I used that data to perform a sentiment analysis which revealed that 7.5% of them are firmly in favour of the scheme, 2.5% mostly in favour, 15% are ‘in the middle’, 50% mostly against and 25% firmly against.
The key themes identified from their perspectives are as follows:
Theme #1: There is mixed support for a professionalization scheme
In addition to the Sentiment Analysis in this paper, a 2022 AISA survey found that 53.1% of members supported regulation and accreditation, 26.4% opposed it, and 20.5% were unsure, indicating divided opinions within the industry.
This means that the scheme is at risk of not being adopted by at least 1 in 2 cybersecurity professionals – possibly more than that.
Theme #2: Many are concerned that vested interests will hijack the scheme
There seems to be no consensus on the best entity to implement the scheme – ideas include non-profits, government agencies, or quangos. Leaders also raised ongoing concerns about risks of vested interests. This suggests that senior leaders view the risk of the scheme being hijacked by vendors or unscrupulous parties as very high, which could pose a significant threat to the entire industry and the success of this project.
“Mandating an Australian cybersecurity certification will create a supply line for a demanded product, being the Australian cybersecurity certification. It will also create significant demand if this certification is mandated as a condition of being able to perform specific cybersecurity roles. The immediate conclusion is that while I can't say if certificate holders or the cyber industry will benefit from this scheme, the certain beneficiaries will be the businesses and organisations that successfully integrate themselves into the Australian cybersecurity certification supply line, as they will benefit financially.”
Theo Nassiokas, Founder of Cyber8Lab, ex APAC CISO at Barclays
“I would say that some people who are pushing a specific single scheme also hold executive or governance roles where there’s a clear conflict of interest that is not typically disclosed.”
Dr. Paul Watters, Honorary Professor and vCISO
Theme #3: The scheme oversimplifies a deeply complex profession
Cybersecurity is an exceptionally complex and dynamic field, with frameworks like NIST NICE identifying over 50 work roles and DoD Directive 8140 listing more than 70—and these numbers continue to grow. The field encompasses numerous distinct domains of expertise, and it is uncommon for individuals to master even a few, let alone all, of these areas, particularly given the rapid pace of change.
Simplifying job credentials into broad categories such as “associate,” “principal,” and “chartered,” tied to pre-selected certifications, degrees, and years of experience, oversimplifies this complexity. Such an approach fails to capture the diverse roles, specialized domains, and competencies required of cybersecurity professionals.
If the goal of the professionalization scheme is to clarify individual competencies, this kind of oversimplification may have the opposite effect, creating more confusion and undermining its intended purpose of providing clarity.
“Having been responsible for looking at large-scale cyber workforces, including Whole of the Victorian Government with 350,000+ total staff […]. I am firmly of the opinion that there are many different skillsets that consist of being a Cyber Professional.”
Shane Moffitt, ex CISO of the Victorian Government
Theme #4: There’s a misalignment between the scheme’s goals and proposed solutions
Expectations for the scheme are widely varied, ranging from:
improving classroom education
increasing the availability and quality of teachers
increasing gender diversity
establishing ethical standards
removing underperforming or delinquent actors from the marketplace
either creating or eliminating barriers to entry (depending on whom you ask)
and many other claims
These diverse objectives make the scheme’s goals overly ambitious.
This lack of clarity suggests that, for many, the scope of the professionalization scheme is uncertain, making its value equally unclear. A poorly defined scope risks either failing to achieve its goals or focusing on the wrong objectives, ultimately preventing the intended value from being realized.
“As a proponent for professionalization for my entire 45-year career - for professional services firms - I have supported industry and professional associations globally, the qualifying and certification/credentialing of my team and clients. But is this something we need for everyone? Just professional services? Again, what problem are we solving?”
Mike Trovato, Managing Partner at Cyber Risks Advisors, ex EY and KPMG Partner
“Sounds like there's a big disconnect between the goals and the path to reach them. There's a lot of this in our industry. We do things that feel like they should work and make us feel like we are doing something, but in practice don't achieve their outcomes.”
Daniel Grzelak, Chief Innovation Officer at Plerion, ex CISO of Atlassian
Theme #5: The scheme’s return-on-investment (ROI) lacks evidence
There is no clear, first-hand evidence to show that a professionalization scheme for the cybersecurity sector can effectively address or alleviate the root causes of the problems it seeks to solve. This means the scheme might be set up to fail from day one.
“How does a professionalisation scheme solve the real challenge of making Australian businesses more secure?”
John Ellis, Global Head of Security at QBE, ex CISO at Bupa
“While attempts to uplift the profession are always welcome, they should be guided by clear evidence in terms of both efficacy and priority, with a clear and achievable mandate.”
Jarrod Loidl, Director at Deloitte
Theme #6: Malicious actors will game the system without mastering the skills
Past cheating scandals, such as the CREST UK cheating incident, highlight the risk of malicious actors finding loopholes in the system to gain a marketplace advantage:
“People who worked hard to pass their CREST exams expressed disgust to El Reg that a significant backer of the industry body appeared to be spoon-feeding its staff the answers, raising questions about the exams' integrity and the competence of people who ultimately sign off clients' crown jewels as secure. Those clients include the British government and critical national infrastructure operators.”
Gareth Corfield, The Register
If the goal is to ensure that individuals accredited under the scheme are truly competent, but the scheme is easy to cheat, then it has fundamentally failed. Even worse, a cheating scandal could tarnish the reputation of the entire cybersecurity profession and undermine decades of effort spent building credibility across business, government and society.
Here’s a screenshot from LinkedIn of a bad actor taking industry tests for a fee:
Theme #7: The scheme ignores the broader context within which professionals operate
Cybersecurity professionals lack not only the legal backing but also the enforcement mechanisms at all levels to ensure secure practices are upheld.
Voluntary frameworks such as those proposed by associations (e.g., the ACS) rely on employer goodwill and carry no penalties for noncompliance. Consequently, organizations often ignore basic security measures – like enforcing multi-factor authentication – because it’s cheaper or more convenient, leaving ethical practitioners helpless or risking their careers by “blowing the whistle.”
Moreover, current legislation is rarely enforced, enabling companies to treat breaches as tolerable risks rather than obligations. Even the Australian government resists adopting its own cybersecurity standards.
In the absence of robust legislative enforcement and binding industry standards, efforts to ‘professionalize’ cybersecurity might not achieve their goal of improving the protection of both ethical practitioners and the public.
“Cyber security won't be a certifiable profession before we are charging $600 per hour, held personally liable for poor advice, hold professional indemnity insurance at a cost exceeding $20,000 per annum and CISOs/board members are held criminally liable for reckless and negligent security decisions.”
Dale J., Consultant and ex Chief Security Architect for the ATO
Conclusion
While this summary highlights what I believe to be the top 7 concerns raised by senior leaders, I have collected a total of 28 unique criticisms. This suggests to me that more consultation and research is needed.
You can read my full paper here, with approximately 4 pages of recommendations.
I submitted my paper to the Department of Home Affairs on January 27, 2025. Today, they issued a formal response, and I look forward to the opportunity to discuss my recommendations with them in greater detail.