The plight of an Aussie cyber security start-up is tough.
Research shows new businesses can’t get a foot in the door of enterprise buyers without a high-profile customer on their books, which they can't get without an existing high-profile customer... and the vicious cycle continues.
Aussie venture capitalists reportedly don’t understand the security industry, so tend to undervalue local businesses compared to their peers in Silicon Valley. This makes it harder for start-ups to access what investment there is on offer - already 30 times less than in Israel and 10 times less than the US as a proportion of GDP.
Meanwhile, public funding is scattered all over the place, and Australia’s track record for business linking up with academia is the weakest in the developed world.
And that’s before they even think about hiring: the cyber skills shortage in Australia has been described as “serious”, which has meant skilled workers demand wages 11 percent higher than their IT peers and 85 percent above the national average.
It’s no wonder then, according to the Australian Cyber Security Growth Network, that so many young businesses feel like they need to flee overseas to get their companies up and running.
The ACSGN - the not-for-profit set up under the government’s cyber security strategy to promote local industry - has today launched its first cyber industry competitiveness plan.
It is eyeing off a $4 billion increase in Aussie cyber security revenues - from today’s $2 billion, up to $6 billion - in the coming decade.
But it says government, industry, and advocacy groups like itself need to make some big changes in order to get there.
For one, business backers and government should be focusing their resources on areas of the security industry where Australia already has a competitive advantage to maximise its chance of success.
The top of the heap is services within the protection stack, such as network security architecture, pen testing, vulnerability assessment, patch management - which employ the most of Australia’s high skilled workers and can also be delivered remotely to export customers.
But the ACSGN also says we should be boosting businesses delivering underlying process services like strategy development and doubling down on tertiary education as a key area of export growth.
It also wants to raise the sophistication of the venture capital sector and has proposed setting up an “informal panel” of local CIOs and CISOs that can rapidly vet start-ups' products for VC investment.
One tip for fledgling businesses is to start tailoring products to the needs of Australia’s banking sector, which makes up one-third of the demand for security services in Australia, as another way to build a foothold.
But likely the trickiest problem will be meeting demand for skills.
“While the skills shortage is affecting the cyber security industry globally, there are signs that the lack of cyber talent in Australia is among the worst in the world,” the ACGSN's report says.
The industry is estimated to employ roughly 19,000 staff today, but will need to grow this by 11,000 to meet demand for 26,000 skilled workers by 2026.
But graduation rates are as low as a few hundred every year, and industry continues to demand work-ready uni leavers without offering the training spots that will get them there.
The ACSGN says the government’s plans to tighten up skilled migration is unlikely to affect progress either way, with only 75 cyber security workers imported on 457 visas in the last financial year.