Why Queensland's cyber sector keeps losing the talent war — and the local pathway already fixing it

The numbers on Australia's cyber workforce shortage have stopped being surprising and started being structural. ACS's 2025 Digital Pulse report forecasts the country will need an estimated 54,000 more cyber security operations and management professionals by 2030. The Digital Transformation Agency estimates a digital talent shortfall of more than 8,000 just inside the Australian Public Service over the same period. ISACA's 2025 State of Cybersecurity report says 54% of Australian cyber teams are understaffed and 58% are carrying unfilled positions right now.

That's not a soft skills problem that resolves itself with the next graduate intake. It's the shape of the sector for the next five years at least.

The Queensland picture

Queensland sits inside the 80% of Australia's cyber talent concentrated in NSW, Victoria and Queensland combined — but local demand is growing faster than supply. The Cyber Resilience Summit QLD speaker line-ups have shifted hard toward critical infrastructure cyber, SOCI Act compliance, and OT/IT convergence over the last two years. The 2032 Games are accelerating procurement timelines for the gov agencies that have to defend it all. The work is here.

The hiring data is brutal. ISACA's report shows 36% of Australian organisations say it takes three to six months to hire for entry-level cyber roles. For non-entry-level roles, it's 48%. And half of Australian organisations admit they struggle to retain cyber talent — so even when you hire, you're already losing the counter-offer war before the new hire has finished onboarding.

Why training alone won't fix this

Australia produces around 7,000 IT graduates a year. The cyber subset of that number is much smaller — somewhere in the low thousands. Even doubling university intake doesn't close a 54,000-person gap by 2030.

The math forces a different conversation. The gap closes when three things happen at once: the pipeline widens beyond traditional computer science graduates, existing IT professionals transition into cyber, and the people we've already trained stop leaving. None of those happen on their own.

Which is why the most interesting workforce intervention in Queensland cyber right now isn't a university program. It's a TAFE one.

Queensland's quiet advantage

TAFE Queensland delivers the Certificate IV in Cyber Security as a traineeship, in a program developed in partnership with the Australian Computer Society and the Queensland Government. Government-subsidised. Earn-while-you-learn. Twelve to eighteen months from intake to qualified, entry-level cyber capacity.

ISACA's data backs the model in a way that should change how QLD cyber employers think about hiring. Fifty-five percent of current Australian cyber professionals say more than half their team transitioned from non-security roles. Cyber, more than most ICT disciplines, is a destination industry — the people doing the work today are overwhelmingly career-changers who came in through a side door rather than a CS degree. The right entry pathway opens that side door for the next cohort of career-changers: experienced IT professionals, women returning to work, mature-age career switchers, and the kind of analytical thinkers who'd never apply for a traditional grad role.

The Cert IV traineeship is one of the fastest and most affordable ways a Queensland ICT employer can bring qualified entry-level cyber talent into their team. The catch: most employers don't know it exists, or assume "trainee" means an apprentice in a high-vis vest. It doesn't. It means a paid, structured, qualified hire who's been embedded in your environment from day one.

The retention half of the problem

Hiring solves part of the equation. Keeping people solves the rest. Mentorship, clear progression, and visible career pathways are the under-invested side of the cyber workforce conversation. Most Queensland cyber employers know this. Few are doing it well. The trainees and graduates we lose to interstate employers — or to consulting firms paying counter-offers — aren't usually leaving because of the work. They're leaving because someone showed them what year three of their career could look like, and we didn't.

The supply-side conversation nobody owns

There's a familiar complaint at every cyber leadership table in Queensland: graduates and trainees don't walk in the door ready. Fair enough — entry-level capability rarely matches a senior team's expectations on day one. But the only fix is industry telling TAFE what "ready" looks like, for cyber specifically. The tools, the frameworks, the operational habits, the soft skills, the gaps you keep seeing.

ICT Industry Queensland works closely with TAFE Queensland and we're well-placed to broker exactly that conversation. If you've got a view on what your environment needs from an entry-level cyber hire, get in touch. We'll connect you with the right people at TAFE and make sure the feedback actually lands. Enough of us doing this drives real change. Few of us doing it changes nothing.

How to back the pipeline

Three concrete things any Queensland cyber employer can do this year:

Hire a TAFE Queensland Cert IV in Cyber Security trainee. Twelve to eighteen months from intake to qualified. Government-subsidised. The fastest entry-level cyber pathway in the state, and one of the few that's open to career-changers.

Mentor a cyber trainee or student. Cyber relies heavily on practitioner judgement, and that judgement only transfers through someone watching how you think about a problem. Two hours a month from a senior practitioner changes a career.

And if you want to back the pipeline financially as well as personally — every dollar raised at the Government vs ICT Industry Trivia Night funds TAFE Queensland ICT scholarships, including those that put students into cyber pathways. The more we raise, the more students we put through. Buy a table, sponsor the night, or bring your team. See you there.