
Australian Cyber Security Professionalisation Scheme
Published on 6 April 2026 - Author: David Cheal
Australia's Cyber Security Professionalisation Scheme is being debated as if it's meant to make the country more secure. Read the source documents and it's obvious it was never designed to do that.
I noticed three posts related to the 'Cyber Security Professionalisation Scheme', and that reminded me this thing was still happening.
- There was this post by Grant Hughes, which points out the challenges of implementing professionalism in an industry if the processes can change but the decisions do not: Grant Hughes
- This one by Benjamin Mossé, which identifies that any attempt to establish a professionalised body is going to need funding. Lots of funding: Benjamin Mossé
- And this one by Chris Haigh, which points out that legislation and penalties achieve better results because without them, companies don't invest enough in cybersecurity. Chris Haigh
There is still some debate going around about the pros/cons of the scheme, but for it to make sense, you have to realise there are overlapping, but distinctly different, things being discussed.
- The potential benefits of making cybersecurity a Profession
- The specific scheme (CyberPath) being piloted
- Reducing cybersecurity breaches
People hold a mental image that implies Professionalisation > CyberPath > Improved Cybersecurity > Safety for Australians.
There are two problems with this:
- The assumptions involved are a load of bollocks
- Most of the debate is focused on CyberPath itself, assuming the scheme is broken or poorly constructed in some way. Which it is not.
Some basics first, because they are important if you’re going to understand what is going on.
Who's involved
Four key stakeholders are involved in this endeavour:
- Federal Government
- Organisations (companies for the most part)
- Cybersecurity Companies
- Training and Certification Companies
There is the professionalisation body itself, of course, but conveniently they also happen to be the Training and Certification Companies 🤔
Now, don't be quick to jump in and say I forgot Cybersecurity Practitioners and the Public.
Calling those two groups “stakeholders” is delusional. They are affected by the scheme, but they have no real influence over it. As with most programs like this, the people most impacted are consulted to ensure the box is ticked. That consultation is then presented as evidence of inclusion and engagement.
The truth is, the decisions were made long before anyone filled in the feedback forms. The data exists to validate those decisions.
So what's it all about?
You can see the latest roadmap here but ignore that for a moment.
Go read the source docs here: Growing and Professionalising the Cyber Security Industry Program. There's also a PDF with the full details.
Now, does it say anywhere in the requirements that establishing a Professional organisation for Cybersecurity practitioners will increase cybersecurity defence capabilities or reduce cybersecurity breaches?
Importantly, is the government, the scheme pilot or the resulting Professional body, in any way legally accountable for reducing cybersecurity breaches?
The answer is no.
There is only a single reference in the 25 pages to cybersecurity defence outcomes. Page 4, point 1, first box.

This scheme is meant to contribute to the overall government program, but in itself has no obligation or metrics to achieve this. The contribution is in no way binding.
From that point forward in the document, the entire professionalisation scheme is about commercial interests.
What causes confusion within the cybersecurity space (the actual boots on the ground people, not the vendors) is they think the scheme is intended to increase security, via improving the skills and outcomes of the people doing the work.
Looked at through that lens, this scheme makes no sense. It's a lot of work that in no way defines how said improvements would occur, and it entirely ignores some glaringly obvious issues that will actually make things worse.
That's because CyberPath is not meant to resolve the problems we have in the cybersecurity industry.
I’ve written a lot more explaining why this is all true, but the answer to “Why doesn't this thing make sense?!” is because you didn't RTFM.
Prove it!
It's actually straightforward to demonstrate why this won't work; you don't even need to go into details about the scheme. As with most things in life, it's the core principles that matter. If those are rotten, it doesn't matter what you build on top, the fucker is going to fall down.
Let's look at the core issues that will impact the outcome of the scheme. There are very few details on CyberPath, but it certainly won't be more restrictive than its international counterparts, so I can safely reference them. We can also safely assume it won't be more restrictive than the current ACS membership requirements.
I will also do a comparison with the profession of lawyer because when most people think of professionals, they think of Doctors and Lawyers. But let's not set the bar too high, so lawyers it is.
Is the Profession mandatory?
- Lawyer: ✅
- Cybersecurity Professional: ❌
There has been no mention in any of the government's tender requirements or the CyberPath material that membership would be mandatory to carry out the trade.
It's worth noting that there is no equivalent model in any other country that enforces membership for cybersecurity professionals to trade. ISC2, ISACA, CIISec, CREST, UK Cyber Security Council. None of them are mandatory for employees or employers.
- You can't force anyone to join
- You can't force employers to hire Professionals
If it's not mandatory, then it's just not that important. Maybe I feel like joining, maybe I don't. Either way, I can still do the same job I've always done, sell the same services and hire the same people.
Now, advocates for the scheme will undoubtedly say market forces push membership, but that's bullshit. Especially in an industry where everyone has complained for years about a shortage of candidates.
They won't make it mandatory because:
- The talent pool would plummet overnight. Even if everyone in roles got a free pass or a waiver period, the talent pool would still plummet.
- Companies will refuse to participate because mandatory membership for staff would push staff costs through the roof
- Employers would also be put in a precarious legal position, as all their staff would suddenly be unprofessional by definition. Which is fine if that has no legal weight, but if it means something, they are in deep shit.
For comparison, the UK Cyber Security Council was awarded Royal Charter status in 2022. In 2026, it stated it had surpassed 1000 members. The UK government 2025 labour market report says approximately 143,000 individuals were employed in cybersecurity roles.
That's a 0.7% adoption rate.
Side note, it cost the UK government about 5 million pounds to establish and run their scheme so far. To get 1000 Professionals.
Do the rules of the Profession restrict your actions?
- Lawyer: ✅
- Cybersecurity Professional: ❌
The membership guidelines haven't been detailed yet, but they won't restrict trade. None of the international bodies that exist have membership rules with legal standing in regard to members' actions.
- The Profession will have rules, a method of review, and a disciplinary board.
- If you break the rules, you can get kicked out of the Profession
- Getting kicked out, will mean nothing beyond getting kicked out. You can keep doing what you've always done. See previous section.
- There will not be a public list of expelled members. No "Hall of shame".
There won't be any restrictions on trade, for much the same reasons as above. The talent pool would crash, cost would skyrocket.
CREST has the strictest rules of all the international bodies, and even they don't forbid activities. All they mandate is that if the client requests something illegal or unethical, the CREST member must inform the client in writing. Then they are free to forge on and do whatever they are being paid for.
If the rules of the Profession have no legal status, then it's just club rules and really don't matter.
Does the Profession restrict the employer/client's actions?
- Lawyer: ✅
- Cybersecurity Professional: ❌
No matter what a CyberPath Professional says, a client does not have to give one single fuck.
- They don't have to follow professional advice
- They are not restricted/compelled to hire professionals, so the Profession has no market leverage
- They can carry out the most insane practices and have no fear that you are compelled to report them.
The scheme can't restrict client actions because organisations would go broke overnight. Every single company/organisation in the country has cybersecurity issues ranging from inconvenient to catastrophic. If this scheme impacted their actions based on professional advice, they would have to implement two policies immediately:
- Never hire anyone in the Profession
- Immediately implement "don't ask, don't tell" practices.
So the Profession can't make clients do the right thing, either directly or indirectly. Which means it's utterly powerless.
Does the Profession give employees legal grounds to say no?
- Lawyer: ✅
- Cybersecurity Professional: ❌
You won't be able to refuse an employer/client request because it's a breach of the profession's policies/ethics. You can say the rules prevent you from doing something should you want to remain a Professional, but why would that matter to the person paying?
- The rules are just related to membership, not about what a cybersecurity professional can and can't do. The distinction is critical.
- Employers know you can't offload responsibility for a refusal to the profession's rules. They are asking you to do something, and it’s your refusal, not the Profession's. So either do it, or get a new job.
If the rules bound your actions as a cybersecurity practitioner, two things would happen:
- You would never join, because you want to get paid
- Nobody would ever hire you even if you did
So,
- Not mandatory
- No restrictions on actions
- No restrictions on clients/employers
- No legal protections for members
From that position, the scheme is meant to somehow increase cybersecurity standards and reduce breaches?
Shall we play a game?
Let's look at how this plays out in the real world.
An Australian medical services provider asks your employer to "improve their security". Your boss hands it to you because there might be some billable work in it.
The client sells pathology services, vaccines, STD tests, and holds the usual collection of deeply private medical information. In other words, exactly the sort of business that should not be operating with garbage cybersecurity.
You spend five minutes looking around and the picture is depressingly obvious.
- They do indeed have an online store. Excellent start!
- Is it a piece of garbage ecomm app you've never heard of? ✅
- Is everything running on a $30 a month VPS host? ✅
- Does the server also host the marketing site? ✅
- Is it also the CMS server? ✅
- Does it run cPanel publicly? ✅
- Is the VPS running FTP, IMAP and SMTP? Of course it is
- Has PHP been patched since 2019? No, no it has not
The company, naturally, tells customers a very different story:
"Your Personal Information is stored on secure servers at a top-level security-controlled data centre in Australia with safeguards and protocols in place to detect, alert and block suspicious behaviour such as attempts at unauthorised data access. Our data security systems and Website protocols are under constant review and subject to continuing upgrades."
Straight from the Privacy Policy.
At this point everyone in the room knows what the honest answer is. This environment is a joke. Fixing it properly means replacing the pile of cheap hosting decisions, cleaning up the application stack, separating systems that should never have been glued together, and putting some actual operational discipline around how the thing is run. That costs real money.
And this is where the professionalisation fantasy meets the market.
Clients like this usually do not want the real answer. Sometimes they are wilfully negligent. Sometimes they are just broke. Or all of the above. Either way, they are not paying for a proper remediation program. If they were prepared to do that, they would not be in this state to begin with.
The consultancy knows this too. It still wants the engagement, because firms need revenue and staff need to stay billable. So the job gets reshaped into something everybody can stomach: a report, some recommendations, maybe a light-touch mitigation plan, and a carefully drafted section explaining that if the client ignores the advice and gets breached, that is on them.
That is the actual operating model. Take the money, narrow the scope, document the warnings, and make sure legal can point to the disclaimer later. You can call the practitioner a "professional" if you like. You can give them a badge. You can put them on a register. None of that changes the commercial reality of how the work is getting done.
So what, exactly, does the scheme change in this case?
- Does it stop the consultancy from taking the job anyway? ❌
- Does it force the client to spend what is required to secure a medical business handling sensitive data? ❌
- Does it give the practitioner any real power to refuse the engagement without risking their job? ❌
- Does it create a duty of care to report the client's negligence to a regulator? ❌
- If you did ignore your boss and client NDA, does the scheme provide any legal protection? ❌
Does it stop the whole exercise collapsing into a liability-management document with a bit of security advice attached? Of course not.
That is why this scheme won't “lift standards”. It adds professional theatre to a market that is still governed by budget constraints, client denial, and vendor self-protection. The badge might change how the function is described. It does not change how the function is bought, sold, or neutered.
Why is it being done, then?
Well, that depends on which of the stakeholders you ask. They each have differing goals, but mostly it's money, self-preservation and electoral votes.
You have to break down the CyberPath roadmap:
- Occupations Framework
- Capabilities Framework
- Recognition Framework
- Pathways Framework
- Durability Plan
and look at what each pillar gives the stakeholders.
Occupations Framework
On paper, this sounds simple enough: a national map of cyber jobs, role groupings, career pathways, and alignment with other workforce models. CyberPath says employers will use it to structure teams and positions, while practitioners use it to understand career options and mobility.
That all sounds neat, orderly and sensible. If you work in HR or recruiting.
An occupations framework does not patch a vulnerability. It does not improve logging. It does not reduce attacker dwell time. It does not make an executive approve a security budget. It does not stop a business from under-resourcing security while claiming it takes cyber risk seriously.
What it does do is create a taxonomy. And taxonomies are useful to bureaucracies, HR teams, consultancies and certification vendors for reasons that have very little to do with whether organisations become more secure.
What government gets
Government gets countable structure.
Once people are sorted into nationally recognised work types, domains and roles, the government gets the thing governments love most: a data model. It becomes possible to publish reports showing how many professionals exist, how many are “pathway aligned,” how many are entering the workforce and how the scheme is “maturing” over time.
That is politically valuable, even if the underlying security posture of Australian organisations barely changes.
It’s also a great talking point when the next breach occurs. “Sure, all those kids got their personal details leaked, but we set up a Professionalisation scheme. We tried so hard. Look at the stats!”
What employers get
Employers get a common language for job architecture.
That helps HR write job descriptions, classify staff, define progression, benchmark roles, and make hiring managers stress less about choosing a hire that turns out to be a dud. CyberPath said they were a Professional.
Most importantly, this framework will reduce overall HR costs.
Businesses do not have a cybersecurity failure because they lack a role taxonomy or because they got tricked into hiring unprofessional staff. They fail because:
- They knowingly take massive risks
- Security is underfunded
- Profit always trumps protection
- Nobody has to fear accountability
An occupations framework does not fix any of that. It gives organisations a better way to describe the problem while leaving the decision-making incentives untouched.
What consultancies get
Consultancies get a cleaner catalogue.
Once roles are standardised, services become easier to package, staff become easier to classify, and capability claims become easier to market.
It becomes simpler to say: we provide this role, at this level, mapped to this framework, with these competencies.
That will make sales a whole lot easier. It reduces ambiguity and makes very nice slide decks, but it won't change anything about the actual capabilities. It's the same staff you had last week, now they just get nice titles.
What training and certification providers get
This is where the commercial incentive becomes blatantly obvious.
A formalised occupations framework is the foundation for a larger system of:
- pathways
- competency assessments
- accreditation
- recognition of prior learning
- ongoing certification
- conversion of existing workers into recognised status
That creates a market.
Before a scheme like this, certifications are optional. After a scheme like this, they can become embedded into hiring filters, procurement expectations, internal progression rules, and organisational capability claims. That is a major commercial opportunity for anyone selling training, assessment, certification or framework-aligned services.
We’ve had this garbage in the industry forever. Every new release of an OS or product is another chance to crank the certification money making machine.
Yet somehow, after 30+ years of “Certified XYZ” being on employee CVs, we still need more before cybersecurity breaches will be resolved?
Don't even get me started on the government allowing such a grossly biased group of stakeholders to be involved in piloting the scheme.
Capabilities Framework
This is the bit that sounds the most impressive to outsiders.
A Capabilities Framework sounds like the part where CyberPath finally gets serious. This is where we stop talking about job titles and start talking about actual capability. Real skills. Real standards. Real assurance.
Except that’s not what this will do.
A capabilities framework does not create capability. It describes it. At best, it creates a standardised language for talking about capability, measuring capability, and selling capability.
As with most certification or capabilities frameworks in technology, this will set the bar as low as humanly possible. Because the government and the industry need bodies in seats. If you set the capabilities too high, you end up with a staff shortage.
The framework won't give someone better judgement or moral integrity. It won't help them when the PM or product owner demands they skip non-functional security tasks because there’s no more budget.
What it does do is create a nice matrix.
And who loves a matrix? Bureaucrats, assessors, consultants and certification vendors.
What government gets
Government gets prettier messaging.
Not an outright lie. Just a shinier, better organised truth.
Once capability is formalised into a national framework, the government gets to talk in the language of uplift, maturity, standards, benchmarks and national readiness. That sounds fantastic in a press release. It sounds even better in a ministerial brief.
It also lets government claim they are strengthening sovereign cyber capability without having to do anything annoying like force organisations to spend more on security, impose meaningful liability, or hold executives personally accountable for catastrophic negligence.
A capabilities framework gives them a way to say they have acted on the problem. Whether the problem is actually improved is a different matter entirely and not their problem.
The thing that matters politically is not whether Australia is safer. It is whether the government can point at a framework, a dashboard, a report and a pilot and say “we have improved cyber capability.”
What employers get
Employers get a benchmark they can weaponise.
In theory, this framework helps employers understand what good looks like. In practice, it gives them another tool for:
- writing job ads with impossible requirements
- lowballing existing staff against competency bands
- turning performance reviews into framework compliance exercises
- expecting “senior” capability at “intermediate” salaries
It also gives them cover.
Instead of taking responsibility for whether their teams are genuinely effective, they can point to the framework and say their people are aligned to an approved standard. That is wonderful from a governance optics perspective.
A capabilities framework does not force employers to hire enough staff. It does not force them to fund training properly. It does not force them to reduce workload, improve tooling, fix reporting lines or stop pretending one security person and a SIEM subscription counts as a mature security function.
All it really gives them is a way to dress up a shitshow in more professional language.
What consultancies get
Consultancies get a sales multiplier.
A capability framework is brilliant if your business model depends on selling expertise. It gives you a standard way to:
- describe staff capabilities
- package service tiers
- justify day rates
- compare yourself against competitors
It also makes proposals easier. Much easier.
You can map services to capabilities. You can map personnel to capability levels. You can map client needs to capability gaps. You can then recommend an engagement to fill those gaps. Everyone nods because it all looks structured and mature.
This is fantastic for pre-sales. Fantastic for account management. Fantastic for revenue expansion.
The big four consultancies are going to ruin their undies over this.
Does it mean the consultant is better than they were before the framework existed? Of course not. It just means the same capability can now be sold back to the client in a better sales deck.
What training and certification providers get
Training and certification providers get the motherlode.
This is where the money starts really flowing.
Once you define capability, you can assess capability.
Once you can assess it, you can certify it.
Once you can certify it, you can sell the training required to obtain or retain it.
That is the whole game. It's a feedback loop to print cash, so long as candidates can remember the multiple choice answers for 90 minutes.
A capabilities framework is the bridge between vague professional aspirations and recurring revenue. It enables:
- capability assessments
- gap analysis
- bridging courses
- refresher courses
- certification exams
- continuing education products
- reskilling programs
- conversion pathways for existing workers
And the beauty of capability frameworks is that they never finish. Technology changes. Threats evolve. Products update. New capability domains emerge.
Which means the assessment and training market never dies. It just keeps spawning more SKUs.
So let’s not pretend it has anything like a proven relationship to fewer breaches. This game has been going on since I did a certification in Novell NetWare 3.12.
Cybersecurity has been drowning in training, exams, certifications, maturity models and capability taxonomies for decades. If those things were enough to materially solve the problem, the industry would be a fortress by now.
It isn’t, it’s a sieve.
Recognition Framework
This is where we all play dress-up. You get a badge, I get a badge, we all get a badge 🎉
The Recognition Framework is the part that determines who gets to be seen as legitimate. Who gets accredited. Who gets to use the title and wear the big boy pants. Gets to put the logo on the slide deck and the badge on LinkedIn.
This is not about security outcomes. This is about social and commercial signalling.
Recognition frameworks do not make a bad security architect good. They do not make a reckless employer responsible. They do not force a board to care.
What they do is decide who gets prestige, who gets market visibility, and who gets shunned as undesirables.
What government gets
Government gets a mechanism to manufacture trust. Pure gold.
Once the state can point to a recognised profession, recognised practitioners, recognised providers and recognised pathways, it gets to tell the public there is now a trusted, standards-based system in place.
That sounds reassuring. It feels like progress. It photographs well.
And most importantly, it transfers a chunk of responsibility for “assurance” away from government and onto the framework itself. If things go wrong, the answer becomes:
- the standards existed
- the recognition model existed
- the accredited people existed
- the system was in place
Somebody (not me, bro!) must have done something outside the framework.
What employers get
Employers get a shortcut for due diligence.
Or at least something they can pretend is due diligence.
Instead of having to ask candidates hard questions, they can use recognition as a filter. Instead of assessing vendors directly, they can favour recognised providers.
That is incredibly attractive to organisations that want certainty without having to develop the internal knowledge needed to judge security work properly. Because, let's face it, most clients wouldn't have a clue what cybersecurity professionals do. It’s why they hired one in the first place.
Recognition gives procurement and HR something they love: a stamp.
The problem is that stamps are often used in place of judgement, not in support of it.
A recognition framework will make employers feel more comfortable. It may even reduce some hiring friction. But it will not protect them from bad decisions, lazy governance, shallow assessments or security theatre.
What consultancies get
Consultancies (especially the larger ones) get market differentiation.
Or more accurately, they get a new story to sell.
If you can claim that your staff, services or organisation are recognised under a national framework, you immediately gain a new tier in:
- tenders
- panel applications
- enterprise deals
- procurement checklists
- rate negotiations
- internal promotions
Recognition is commercial leverage.
It lets one consultancy say, “we are not just experienced, we are formally recognised.” It lets you qualify for projects at the big end of town and in government work. The gigs where the margins are fat and contracts run for months if not years.
It also lets you lock out the little, annoying vendors that were sniping your more technical projects. You know, those annoying fucks with real skills who refused to wear proper office attire? Well, those guys won't be able to afford the overhead of reaching high levels of recognition, so they either can't bid or, even better, have to bid under your paper as subcontractors.
And once recognition exists, everybody starts chasing it because nobody wants to be the only one without the badge.
What training and certification providers get
As with the others, money.
A recognition framework is the piece that converts “optional nice-to-have” into “market expected.”
Without recognition, training and certification are just icing. With recognition, certification is the whole cake.
That changes everything.
Now courses are no longer just professional development. They become prerequisites. This is where the scheme stops being a conceptual framework and starts becoming a marketing structure.
And it is a lovely market structure if you happen to be one of the organisations sitting close to the machinery that decides:
- what counts
- who qualifies
- what prior learning is accepted
- what assessments are valid
- what providers are recognised
- what ongoing requirements must be paid for
If you are a provider in or around that ecosystem, you are not looking at a public-interest intervention. You are looking at a pipeline. Again, I can't believe the vultures got a seat at the table.
Pathways Framework
This one is just pure theatre.
The Pathways Framework is the human face of the scheme, and it’s unassailable. You can't criticise it because then it looks like you're getting in the way of people’s careers and/or being exclusive.
And to be fair, pathways are not a bad thing in themselves. Clearer entry routes into cyber would genuinely help many people.
A pathways framework helps people move through a labour market. Like moving mince through a sausage making machine.
It does not reduce the incentives that produce insecure organisations. It does not stop executive cowardice or procurement stupidity.
So yes, pathways might help people, but that's got nothing to do with materially improving cyber resilience.
What government gets
Government gets a socially acceptable success story.
This pillar is politically delicious.
You can talk about:
- reducing barriers to entry
- helping career changers
- growing sovereign capability
- improving diversity
- supporting underrepresented groups
- creating opportunities for Australians
All of that plays beautifully.
And unlike cybersecurity talking points the public doesn't understand, it is much easier to generate outputs you can point at:
- number of pathway participants
- workforce growth figures
- number of minority/underrepresented people engaged
That means the scheme can produce success statistics even if breach trends remain flat or get worse.
This is the magic trick. The program can (and will) succeed on paper while failing on the problem most people assume it is meant to solve.
What employers get
Employers get a wider funnel and that reduces HR costs.
A pathways framework helps them identify entry-level talent, career transitioners and more standardised development routes. That reduces hiring friction and potentially labour costs.
It also helps employers rationalise internal development. They can tell staff:
- here is your pathway
- here is your band
- here is your next milestone
- here is what you need to do to progress
From an HR and workforce planning perspective, that is tidy.
And to be fair, a lot of staff really love that shit. They want the comfort of knowing exactly where they sit in the sausage making machine. What they need to meet KPIs and how they can reach their long-term goal of “Senior Engineer of Windows Patching and Compliance”.
It’s also an employee trap. Because once progression is formalised into a framework, it becomes easier for employers to shift responsibility for development onto the worker. Suddenly, it is not “we are underinvesting in staff.” It is, “you have not yet completed the pathway.” Sure, you are doing the job, but you don't have the badge! Can't has the more money without the badge, now can you! Silly sausage meat…
What consultancies get
Consultancies get a talent pipeline.
This one is simple.
Consultancies are always hunting for people they can:
- classify
- market
- bill
A pathways framework helps create a more legible workforce and a more predictable feeder system. It also makes it easier to onboard mid-career transitioners and junior staff into standardised roles and development tracks.
That sounds positive. And in some cases it probably will be.
But it is also commercially convenient as hell.
A pathway is not just a career tool. It is a staffing pipeline. It helps consultancies identify what kind of bodies they can bring in, how quickly they can professionalise them, how cheaply they can slot them into service lines, and how convincingly they can sell that progression story to clients.
What training and certification providers get
Pathways sell hope, and hope is awesome for selling certification training. Especially entry-level stuff.
A pathways framework creates a sequenced journey that is literally doing half your marketing for you.
If you are a provider, pathways are fantastic because they turn isolated purchases into lifecycle revenue.
You are not selling one course anymore. You are selling the journey.
And the best part is that this can all be framed as social good. Helping people enter the industry. Supporting workforce mobility. Creating opportunity.
Which sounds much better than “locking thousands of workers into an ongoing paid credential ecosystem.”
Durability Plan
I'm honestly surprised this one got on the list. I can only assume enough people asked hard questions about future funding that the government felt it should get in early and have a plan for how this scheme keeps running when the free government money runs out.
If it's anything like the UK experience, it won't. The government money has kept flowing in the form of various grants each year. It’s not a lot of money and the government won't care. We are talking rounding errors in department budgets. A few million a year at most.
The durability pillar is not about cybersecurity. It is about institutional survival and appearing to not be a burden on taxpayers.
The Professional Body
This is the only time we have to separate the certification stakeholders from the actual professional body.
They obviously need to keep getting paid, so they need the free government money to keep flowing, and they need fees to get paid by members.
Apart from that, as long as they keep producing positive reporting, everything is golden.
What government gets
Government gets an exit strategy.
The grant was always a pilot. That means government needs a way to say:
- we seeded the initiative
- industry took ownership
- the model became self-sustaining
- the ecosystem matured
- the profession now stands on its own
Political theatre at its finest.
Government gets credit for launching it, without having to fund it forever (theoretically). It can point to independence as proof of success rather than asking whether the scheme actually changed national security outcomes in any meaningful way.
A durability plan lets government build the thing, hand it off, and move on.
There is a risk it will collapse under its own weight, but any additional funding can be handed over in the form of isolated grants. Year two is “new grant for additional efforts to reduce underrepresentation of XYZ group”, etc.
What employers get
They already got what they wanted by this point; they just need it to keep going. The cost of doing that is trivial and mostly borne by employees.
They will get hit by some increased overheads from the cybersecurity industry, but that will be offset by vendor dinners and conferences.
What consultancies get
Again, they already have what they wanted. It’s just about keeping the machine ticking along.
What training and certification providers get
They get exactly what they wanted from the start.
A recurring revenue model, fully endorsed by the government and the industry.
So what is the CyberPath scheme and its roadmap really for?
Mostly it’s about making money, but also political capital and offloading accountability.
And don't get me wrong, I love money as much as the next person. Money’s great.
But this Professionalisation scheme has nothing to do with increasing cybersecurity or protecting the nation. Which is why the debates so far about the scheme don't make sense.
People are arguing over the benefits of Professionalisation, the details of what should be in the rules, how this would make companies increase compliance etc.
They rightfully ask the core question of “How will this reduce the risk of cybersecurity breaches?”
The “Cyber Security Professionalisation Scheme” will be an amazing success because it will achieve all the things it actually set out to do. Just not any of the things cybersecurity professionals want it to do.
Sorry to be the bearer of bad news.