Archives October 2025

Why the Cyber Skills Gap Is Slowing Government’s Cyber Maturity

by Tim Eichmann


When I talk to CISOs and technology leaders in government, one recurring frustration is that knowing what “good” looks like is no longer the real problem. Many agencies have maturity models, policies, even roadmaps — but turning those into real, resilient security is where the rubber meets the road. And that’s where the difficulty government organisations have in attracting and retaining cyber skills becomes a real problem.

What do we mean by “cyber maturity”?

In Australia, one visible benchmark is the Essential Eight maturity model defined by the Australian Signals Directorate (ASD).

As an overview, you aim for one of four maturity levels:

  • Maturity Level 0 — you’re not aligned with the intent
  • Level 1 — partial implementation
  • Level 2 — mostly aligned
  • Level 3 — full alignment, with robustness against advanced threats

Beyond the technical controls of the Essential Eight, maturity also includes organisational elements — incident response, leadership, threat intelligence capability, governance, and security culture. The full “cyber posture” of an agency is more than ticking boxes (or should be!!).


Where is the government now?

Having worked in a number of government organisations, both at the federal level and the QLD state level, I can honestly say the picture isn’t great. Staff tend to “massage” numbers to lessen the extent of the problem — no one wants to be seen as the problem in a skills-constrained environment. Managers then “shine” the numbers further up the chain… by the time it gets to board level, things can look far rosier than reality.

Public reporting also paints a sobering picture:

  • According to the Commonwealth Cyber Security Posture 2024 report, only 15% of all government entities achieved overall Maturity Level 2 across the Essential Eight in 2024 — down from 25% in 2023.
  • Many agencies cited legacy IT systems as a roadblock — 71% said legacy systems hindered implementing the Essential Eight (up from 52% a year earlier).
  • Only about 32% of agencies reported half or more of observed security incidents to ASD.
  • On the recruiting front, the Australian Public Service (APS) already flags difficulty attracting mid/experienced cyber/digital staff across agencies as an emerging risk.
  • Projections suggest Australia may face a shortage of approximately 3,000 cyber security professionals by 2026.

Under-reporting of security incidents is telling — people don’t want to report risks or issues up the chain. Reporting is seen as failure rather than a red flag to get help. These figures tell us: government is not just behind; in some metrics, it’s slipping. The maturity floor is too low, and for many agencies, the climb is steep.


Why is increasing maturity especially hard in the public sector?

Government bodies face unique structural and institutional constraints that make maturity uplift more challenging:

  1. Legacy systems and technical debt
    Decades-old systems, insecure platforms, unsupported software — many public agencies can’t easily redefine or replace core infrastructure. Aligning to modern security controls is hugely complex. (The 2024 Commonwealth Cyber Security Posture report confirms this as a top obstacle.)
  2. Procurement, budgeting cycles, and bureaucratic inertia
    Security work is often underfunded in multi-year plans. Even when funding exists, procurement rules slow the adoption of newer tools, lock you into vendors, or discourage experimentation.
    In QLD government, 12-month funding cycles make it nearly impossible to fund initiatives like Identity Management that take 2–3 years. Without funding model changes, uplift stalls.
  3. Siloed governance, risk aversion, and stakeholder constraints
    Risk committees, ministerial oversight, and cross-agency coordination slow decisions. Security may see a vulnerability but lack the authority or speed to act. Cyber reports a risk; another silo must fix the root cause (patching is a classic example).
  4. Scale, complexity, interconnectedness
    Broad dependencies across third parties, legacy vendors, and shared platforms raise the bar for change. Large agencies in Queensland illustrate this — legacy and connected systems are hard to evolve when coordination is challenging within and between departments.

Given these constraints, simply “telling” agencies to lift maturity doesn’t work — they must be enabled, resourced, and structurally supported. If government sets objectives, there must be budget and accountable roles to deliver success.


The skills gap: a centre-of-gravity issue

Let’s dive deeper into why the talent shortage is a principal throttle on maturity.

Demand vs supply — the numbers

  • The APS workforce reports difficulty attracting experienced and mid-level staff in cyber, data, and digital roles.
  • AustCyber and others warn of a national shortfall of thousands of cyber professionals as early as 2026.
  • Industry commentary points to weak pathways from education to employment, especially in cybersecurity specialisation.
  • There is underrepresentation of women, Indigenous Australians, and other cohorts, narrowing the talent pool.

In short: there are more required roles than qualified candidates, and government competes with private sector pay and flexibility. Also, AI won’t fix this — automation still requires people to design, tune, and operate systems.

Government-unique barriers

  • Security clearances / vetting — delays deter candidates.
  • Location constraints — many roles sit in capitals (e.g., Canberra); candidates prefer where they live (e.g., Brisbane).
  • Rigid classification / HR frameworks — less flexibility than private sector to recruit or reward niche talent.
  • Long recruitment cycles — the APS notes slow hiring loses candidates. From my experience, interview-to-contract often exceeds a month; good people move on.
  • Contracting/consultant dependency — heavy reliance can hinder continuity and internal capability. Building a Vulnerability Management practice, for example, took ~14 months to set standards, procedures, and recruit A07 staff.

How the skills shortage slows maturity lift — real impacts

Here’s how the talent deficit manifests as delays or failures:

  1. Under-resourced implementation of controls
    Targets are set, but there aren’t enough engineers to design, deploy, and test advanced controls (threat hunting, application control, PAM). Partial deployments leave gaps.
  2. Slow audit, testing, verification, continuous improvement
    Maturity isn’t “set and forget.” Controls need monitoring, pen testing, red teaming, assurance, and drift correction. Without staff, agencies fall behind year after year.
  3. Overreliance on external consultants / vendor lock-in
    Outsourced critical controls (e.g., ISO 27001) can create dependency, weak knowledge transfer, and higher costs. Internal audit capability is essential for lasting compliance.
  4. Poor prioritisation & tactical drift
    Too few staff leads to “easy wins” over foundational work (e.g., patching vs. threat modelling), creating uneven maturity.
  5. Delayed incident response & threat intelligence
    Without analysts and red teamers, prevention, detection, and response remain superficial.
  6. Resistance to change & capacity burnout
    Overwork drives burnout and attrition, further widening the gap.

What government must do (and early signs of good practice)

If government wants to raise maturity at scale, bridging the skills gap must be a front-line priority:

  1. Grow internal pipelines & rotational programs
    • Graduate programs, cadetships, ICT/cyber rotations
    • Internships and bridging for non-traditional candidates
    • Clear cyber career pathways with structured progression
  2. Use role-based training / micro-certification
    Focused upskilling for AppSec, cloud, monitoring; partner with providers and industry.
  3. Flexible hiring / attract private sector talent
    • Streamline recruitment timelines
    • Use contractors to bridge until FTEs arrive, with planned handover
    • Pay flexibility, retention bonuses, secondments
    • Remote/hybrid roles to access wider talent
  4. Mandate knowledge transfer in consultancy/outsourcing
    Require documentation, training, and embedded handover. Hold vendors to this as a standard.
  5. Create cross-agency centres of excellence
    Share specialist resources (threat intel labs, red teams) so smaller agencies benefit.
    QLD Gov’s Technical Community of Practice via GovTeams is a great model; the federal level also uses GovTeams — tap into it.
  6. Leverage automation to stretch limited people
    Use SOAR, orchestration, and AI-assisted detection to reduce manual load — but retain skilled oversight.
  7. Benchmark, monitor, incentivise progress
    Use measurement (e.g., Victoria’s Cyber Maturity Benchmark). Align to the ASD ISM — don’t invent custom control sets. Don’t mark your own homework.
  8. Legislative/policy support & funding frameworks
    Targeted funding for lagging agencies; mandate minimum standards and regular assessments. Leaders must be honest about maturity and ask for help.

Some of this is already in motion: the Cyber Uplift Remediation Program (CURP) supports priority entities with skilled assistance. But too many departments aren’t telling their C-suite the full truth. Cyber security starts with transparency.


What next?

Raising cyber maturity across government isn’t a checkbox exercise. It’s a long climb — and without the right people, it stalls. The skills gap isn’t a “fix later” problem; it decides whether maturity goals are ever realised.

If I were advising a government today, I’d start with talent, training, and retention — not just more tools. Without the human capability to plan, execute, audit, and evolve, even the best-designed maturity model is just theory on paper.

Tools do play a part. Turn on built-in patching for Windows, Office, and browsers. Use what’s built into Windows, Edge, and Chrome. Then use affordable third-party tools to lift endpoint application patching above 90%. Once endpoints (OS and apps) are above 90%, move to the server estate — and tackle the “legacy” lumps under the rug that everyone avoids.
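As an added illustration of the 90% gate described above (example code, not from the original post), the script below computes patch coverage by asset class and component from a constructed inventory export, surfaces unsupported “legacy” systems that can never reach compliance, and reports where effort should go next. The CSV columns and the sample rows are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample inventory export (not real agency data). One row per
# asset/component pair; "patched" means the latest vendor update is applied,
# "supported" means the vendor still ships updates for that platform.
INVENTORY_CSV = """asset,class,component,patched,supported
ws-001,endpoint,os,yes,yes
ws-001,endpoint,chrome,yes,yes
ws-001,endpoint,office,no,yes
ws-002,endpoint,os,yes,yes
ws-002,endpoint,chrome,yes,yes
ws-002,endpoint,office,yes,yes
ws-003,endpoint,os,no,yes
ws-003,endpoint,chrome,yes,yes
srv-001,server,os,yes,yes
srv-002,server,os,no,no
srv-003,server,os,no,yes
"""

THRESHOLD = 90.0  # the "above 90%" gate from the post

def parse_inventory(text):
    return list(csv.DictReader(StringIO(text)))

def coverage(rows):
    """Return {class: {component: percent patched}}."""
    tally = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [patched, total]
    for r in rows:
        cell = tally[r["class"]][r["component"]]
        cell[1] += 1
        if r["patched"] == "yes":
            cell[0] += 1
    return {cls: {comp: round(100.0 * p / t, 1) for comp, (p, t) in comps.items()}
            for cls, comps in tally.items()}

def legacy_assets(rows):
    """Unsupported platforms cannot be patched; list them so they are not hidden in the average."""
    return sorted({r["asset"] for r in rows if r["supported"] == "no"})

def next_focus(rows):
    """Endpoints first (OS and every app above the gate), then servers, then the legacy lumps."""
    cov = coverage(rows)
    endpoints = cov.get("endpoint", {})
    if not endpoints or min(endpoints.values()) < THRESHOLD:
        return "endpoints"
    servers = cov.get("server", {})
    if not servers or min(servers.values()) < THRESHOLD:
        return "servers"
    return "legacy" if legacy_assets(rows) else "maintain"

if __name__ == "__main__":
    rows = parse_inventory(INVENTORY_CSV)
    print(coverage(rows), legacy_assets(rows), next_focus(rows))
```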


What’s ahead for us in October


Rising Storm: Why October 2025 Is a Wake-Up Call for Cyber Resilience…

The current pulse

  • October is Cybersecurity Awareness Month — a timely reminder that security vigilance can’t pause. (SecurityWeek)
  • Recent high-profile alerts are flashing in red: Cisco firewalls (≈ 50,000 units) exposed by critical vulnerabilities are being actively targeted. (TechRadar)
  • Oracle customers are reportedly receiving extortion emails tied to exposed E-Business Suite installations, with demands reaching tens of millions. (Reuters)
  • Meanwhile, a survey shows nearly a third of business leaders have seen increased cyberattacks on their supply chains in the past six months. (The Guardian)
  • Domestically in Australia, more than half of organisations remain below maturity Level 2 in implementing the Essential Eight, even as AI programs surge without proper security oversight. (ADAPT)

These signals underscore a theme: attackers are getting bolder, exploit windows are shrinking, and foundational controls are slipping in many organisations.


Key Themes & Implications

1. Patch urgency is no longer optional

That Cisco situation is a textbook example. Unpatched critical vulnerabilities (buffer overflows, authorization bypasses) now translate directly into exploited systems in the wild. (TechRadar)

For many organisations, patch cycles remain slow. But adversaries no longer wait. The lesson: critical updates must be prioritized to the top of the queue — especially for firewall, VPN, and core network devices.

2. Ransomware / extortion is evolving into a business strategy

The Oracle / Cl0p scenario highlights the shift from break-in → ransom, to break-in → extort, even if no data was exfiltrated, or the attacker cannot prove it was. (Reuters)

It’s no longer “if they get in, they encrypt” — it’s “if they get in, they’ll demand money anyway.” The optics of leaks, reputational impact, and fear of data exposure now amplify damage even when encryption isn’t deployed.

3. Supply chain attack risks are expanding

As organisations outsource and interconnect deeply with suppliers, cybersecurity hygiene upstream becomes a de facto requirement downstream. Nearly a third of executives already report supply-chain attacks rising. (The Guardian)

Weak links in third-party software, service providers, or components are being weaponized. The MOVEit / Cl0p saga from prior years remains a cautionary backdrop. (Wikipedia)

4. Australia is playing catch-up — especially in maturity and AI governance

The ADAPT CISO survey suggests many Australian entities remain low on maturity scales, even as AI gets rapidly adopted — with limited oversight or security controls in place. (ADAPT)

Given shifting regulatory frameworks and heightened expectations from customers and partners, lagging maturity and oversight risks becoming a liability.

5. Threat actors are leveraging AI, automation & stealth

AI is becoming a two-edged sword. Defenders use it to flag anomalies, but attackers use it to craft more convincing phishing, orchestrate automation of attacks, and avoid signature detection. (World Economic Forum)

At the same time, “fileless,” living-off-the-land, and zero-malware techniques (or malwareless intrusion) are gaining traction. (CrowdStrike)


What Should Organisations Do — Now

Here’s a tactical playbook to use while the heat is on… let’s see how many organisations can get ahead of it in October:

  1. Immediate patch posture
    Actions: Identify all internet-exposed firewalls, VPNs, edge devices, ICS/OT, and critical servers. Apply vendor patches urgently, or isolate/shut down vulnerable services temporarily.
    Why it matters: Attackers are exploiting known flaws in the wild (e.g. Cisco ASA/FTD). (TechRadar)
  2. Zero trust / identity protection
    Actions: Ensure strong multi-factor authentication (MFA), least privilege, session monitoring, microsegmentation, and continuous verification.
    Why it matters: Breaches often occur by compromising credentials or lateral escalation.
  3. Proactive threat hunting & logging
    Actions: Look for anomalous behaviour, internal recon, data staging, and privilege escalation. Retain and analyse logs in a SIEM or EDR.
    Why it matters: Many compromises persist for weeks or months before discovery.
  4. Supply chain / third-party assurances
    Actions: Audit and test vendor security practices. Require SLAs, security attestations, and limits of liability.
    Why it matters: An attacker might first target a partner or supplier to pivot in.
  5. Incident response readiness
    Actions: Rehearse playbooks; ensure communication plans, legal/privacy contacts, backup integrity, and a ransom negotiation stance.
    Why it matters: When a breach comes, response speed and clarity matter as much as prevention.
  6. Governance for AI / emerging tech
    Actions: Establish oversight on AI deployments, data access, model security, and API risks. Conduct risk reviews before adoption.
    Why it matters: AI tools present new attack surfaces that many orgs undervalue.
  7. Security awareness & culture
    Actions: Run targeted campaigns and phishing simulations; empower staff to spot and report anomalies.
    Why it matters: The “human element” remains a leading source of breach vectors. (We Live Security)

Looking Ahead…

  • Quantum readiness: Some enterprises are beginning to plan for migrating cryptography to quantum-resistant algorithms. The “harvest now, decrypt later” threat looms. (arXiv)
  • Regulatory enforcement & legal risk: Australia’s evolving cybersecurity strategy and global privacy regimes will push more organizations into compliance scrutiny. (Global Practice Guides)
  • Shared defense & intel sharing: The expiration of laws like the U.S. CISA sharing protections underscores how fragile collective defense is. (The Washington Post)
  • AI-powered defense automation: More tools will incorporate adaptive, behavior-based, autonomous responses to threats — but they’ll also introduce new complexity and risk.