The Australian cybersecurity landscape in 2026
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), serves as the government's lead agency for cyber security. The ACSC publishes the Essential Eight maturity model, provides threat advisories, coordinates incident response for critical infrastructure operators and administers the Information Security Registered Assessors Program (IRAP) for assessing government systems.
Australia's cybersecurity ecosystem has been shaped by several high-profile events. The Optus data breach (2022), the Medibank data breach (2022) and the Latitude Financial breach (2023) collectively exposed the personal information of millions of Australians, accelerating government action on cybersecurity regulation and workforce development. These events led to increased Privacy Act penalties, the expansion of the SOCI Act and significant investment in the Australian Cyber Security Strategy.
The 2023-2030 Australian Cyber Security Strategy sets out a vision to make Australia a world leader in cyber security by 2030, with six cyber shields covering citizens, businesses, critical infrastructure, the region, sovereign capability and workforce development.
Cybersecurity roles and salary ranges
| Role | Experience | Annual Salary (AUD) | Key Requirements |
|---|---|---|---|
| Security Analyst (SOC) | 0-2 years | A$65,000 - A$85,000 | Security+, SIEM experience |
| Penetration Tester | 2-5 years | A$95,000 - A$135,000 | OSCP, CEH, hands-on testing |
| Security Engineer | 3-6 years | A$115,000 - A$160,000 | Cloud security, IAM, DevSecOps |
| Security Architect | 5-10 years | A$155,000 - A$200,000 | CISSP, enterprise architecture |
| Security Manager | 6-10 years | A$140,000 - A$185,000 | CISM, team leadership, APRA CPS 234 |
| Incident Response Lead | 5-8 years | A$130,000 - A$175,000 | GCIH, forensics, IR playbooks |
| CISO | 10+ years | A$210,000 - A$400,000+ | CISSP, CISM, board-level comms |
Note: All figures exclude superannuation (11.5% in 2026). Sydney commands the highest salaries, typically 10-15% above the national average. Perth offers competitive compensation for mining and resources security roles.
The skills shortage: scale and impact
Australia faces a critical cybersecurity talent gap that the government is actively working to address:
- Estimated shortage: 17,000 to 20,000 unfilled cybersecurity positions across Australia
- Government target: The Cyber Security Strategy aims to grow the workforce to 33,600 by 2030
- Time to fill: Average recruitment cycle of 90 to 120 days for mid-to-senior security roles
- Salary growth: Year-over-year increases of 8-12% for in-demand specialisations including cloud security, OT security and threat intelligence
- Skilled migration: Cybersecurity roles feature on the Priority Migration Skilled Occupation List, facilitating international recruitment
Top employers for cybersecurity professionals
Financial services
- Big Four banks: Commonwealth Bank, Westpac, ANZ and NAB maintain large SOCs, threat intelligence teams and security engineering groups. CBA alone employs over 1,000 cybersecurity professionals
- Insurers and super funds: QBE, IAG, Suncorp, AustralianSuper and ART employ substantial security teams to comply with APRA CPS 234
Mining and resources
- BHP, Rio Tinto, Fortescue: Major mining companies require OT/ICS security expertise to protect operational technology environments across remote sites
- Woodside, Santos: Energy companies invest heavily in cybersecurity for SCADA systems and critical infrastructure compliance under the SOCI Act
Telecommunications
- Telstra: Australia's largest telco maintains a significant security operations capability and offers cybersecurity services to enterprise clients
- Optus: Following its 2022 breach, Optus has invested heavily in security transformation and expanded its security team
Government and defence
- Australian Signals Directorate (ASD): Employs cryptographers, security analysts, incident responders and offensive cyber operators
- Department of Defence: Cyber operations and defensive security capabilities
- Services Australia: Protects critical government service delivery systems including MyGov, Centrelink and Medicare
Consulting and managed security
- Big Four: Deloitte, EY, KPMG and PwC maintain growing cybersecurity advisory and managed security practices
- CyberCX: Australia's largest dedicated cybersecurity company, formed through the merger of multiple Australian security firms
- Tesserent, Sapien Cyber: Growing Australian cybersecurity services firms
In-demand skills and certifications
Australian employers seek professionals with expertise in:
- Essential Eight implementation: Assessment, implementation and maturity improvement across all eight mitigation strategies
- Cloud security: AWS, Azure and GCP security architecture, particularly for government workloads requiring IRAP assessment
- OT/ICS security: Industrial control system security for mining, energy and manufacturing sectors
- Threat intelligence: CTI frameworks, MITRE ATT&CK, threat hunting and adversary emulation
- IRAP assessment: Security assessment of systems against the Information Security Manual (ISM) for government clients
The most valued certifications are CISSP, CISM, OSCP, CompTIA Security+, CEH and CCSP. Government and defence roles require Australian security clearances (Baseline, NV1, NV2 or Positive Vetting), which add a significant premium to compensation.