Benjamin Mossé

There is no right way to be a cyber professional, only wrong ways.

© 2025. All rights reserved.

Listening Before Leaping: AISA's Cautionary Path on Professionalisation

05 May 2025

Professionalisation was explored, revisited, and reconsidered. AISA’s journey reflects not opposition, but the careful weighing of complex questions over time.

Sometimes in our professional journeys, we find ourselves circling back to questions we thought we had already answered. And that’s what seems to have happened with AISA and the idea of professionalisation in cybersecurity.

Back in October 2016, AISA took its first careful step into the topic. They explored professionalisation, publishing a study that considered it as a possible accreditation scheme to generate a new income stream. But after reflection, that path was not pursued further. The idea was set aside.

Years passed. Then, in August 2021, AISA revisited the question. A paper was submitted to Home Affairs, this time co-authored by Tony Vizza, Damien Manuel, and Mike Trovato. The tone was thoughtful, the language precise. But if you read it closely, something important reveals itself — a warning, subtle but sincere. AISA pointed out that earlier attempts at professionalisation had struggled to gain traction. They named the efforts plainly: ACS had certified only about 80 cyber professionals, IRAP around 150, and the ASD’s Cyber Skills Framework had seen “no real uptake.”

By September 2022, the conversation had matured. AISA turned to its members to listen. Through a survey, they sought to understand how the community felt. The responses were honest, sometimes conflicted. There was mixed support for accreditation. Industry leaders, it seemed, weren’t convinced. Certification in the sector was inconsistent, and worse, it appeared to disadvantage women. One-third of cyber professionals didn’t hold any certification at all. Interestingly, support for professionalisation came mostly from those in education, academia, or research — not from industry.

And then came April 2023. AISA responded to the government’s call for guidance in designing the 2023–2030 Cyber Security Strategy. Their words were direct, but also compassionate — acknowledging complexity, urging caution. They wrote:

“Although some organisations have struggled to find individuals with the necessary skills to fill vacancies, the issue facing the sector is more multifaceted than merely implementing professionalisation, accreditations or investing in additional industry-based training programs.”

And again, with striking clarity:

“Workforce issues relating to skill shortages in the supply and demand side are complex and cannot be resolved by using professionalisation or accreditation. It should be noted that professionalisation or accreditation will only disadvantage more women and drive them away from the sector.”

Still, the door wasn’t closed. In May 2023, AISA joined a workshop to help design the ACSP accreditation led by AustCyber. But something didn’t sit right: some decisions were being made behind closed doors in Canberra, protected under NDAs, with potential conflicts of interest involving some of the other participants. Another industry body stepped back — quietly. And in June, AISA followed. They exited the program.

By November 2024, the tone had shifted once again. Not to anger or accusation, but to a deeper kind of concern — the kind that comes from listening and witnessing over time. AISA released a paper that asked everyone to pause and reflect before moving forward. They wrote:

“Whilst the UK Cyber Security Council’s Cyber Career Framework has benefits, the broader focus on a limited number of accredited degrees and the focus on advancing ‘professionalisation’ of cyber security industry comes with risks. The obvious gate keeping risk needs to be addressed, particularly in an industry that already lacks diversity and can ill afford to further hinder new entrants or lose existing members of its community. With the Federal government looking to support professionalisation through Shield 5 of the 2023–2030 Australian Cyber Security Strategy, caution should be adopted to ensure it creates an uplift and not a hindrance.”

And then, something many had been thinking, but few had said out loud:

“Implementation of a ‘professionalisation’ scheme does not serve employers or staff well if the entity designing and updating the pathways also provides the qualifications. A complete separation of the two is necessary to ensure integrity in the pathway designs.”

It’s clear that this is a story still unfolding. That’s why I’m grateful that Damien Manuel and Mike Trovato have agreed to join me for a public interview — not to defend or to debate, but to help us all better understand. The questions are still alive, and so is the conversation.

Final Words:

Over the past decade, AISA has approached professionalisation not with dogma, but with care — listening, learning, and representing the views of the members. Now, as the conversation continues, we’re asking you to do the same. Be open-minded. Be helpful. Engage with others respectfully, even when you disagree. Take time to educate yourself on what’s come before, and what’s at stake. And if you have experience, concerns, or insights — reach out to AISA’s leadership. Your voice can help ensure this conversation remains thoughtful, inclusive, and grounded in the realities of our community.