FY25 was a defining year for cyber in Australia. The Australian Signals Directorate’s Annual Cyber Threat Report , published late 2024, recorded more than 36,700 calls to the Cyber Security Hotline, 12% up from the previous year, and over 1,100 significant incidents affecting governments, critical infrastructure, and businesses. State-sponsored actors and organised criminals both intensified their activity, with essential services a particularly favoured target.   

Regulations tightened in parallel. Updates to the Security of Critical Infrastructure (SOCI) Act , alongside the SLACIP and ERP Acts , expanded obligations across energy, communications, financial services, health care, transport, and water. The reforms also extended to new sectors, including data centres, food and grocery supply chains, higher education, defence contractors, and space technology. Operators must now maintain risk management programs, report incidents quickly, and for Systems of National Significance, comply with vulnerability assessments, cyber exercises, and potential government-led interventions.  

Outside critical infrastructure, APRA reinforced CPS 234 standards , warning regulated entities about gaps in authentication and incident controls. The new Cyber Security Act 2024 introduced mandatory ransomware reporting and set a baseline of governance, incident, and control requirements for all medium and large organisations. For banks, insurers, and super funds, CPS 234 continues to require strict incident reporting and controls to safeguard financial data.  

The natural response to these heightened regulations has been to increase or introduce investment in the people, processes, and technologies that strengthen detection, identity, and governance. For many organisations, this has meant building new internal teams where functions were previously outsourced, modernising access frameworks, and allocating budget to emerging AI security programs.  

Launch Recruitment’s Practice Lead – Cyber Security & GRC, Sophie Garrison , sees three major cyber security hiring trends influencing the market for FY26: Threat detection, identity, and AI security. “Every company will have some form of use for one of them,” suggests Sophie. “Companies will have to look at it … there is no other option.”  

• Detection and CTI are moving in-house. Mid to large organisations that once outsourced detection are now building internal teams, driving demand for engineers and analysts with depth as well as breadth.  

• Identity and PAM expertise is scarce. Offshore roles are being brought back to Australia, but the local pool of certified CyberArk and SailPoint specialists is narrow, particularly for government roles requiring clearance.  

• AI security is the next frontier. Still greenfield for most organisations, but budgets are opening and demand for AI governance, secure development, and AI-specific threat detection is expected to surge in FY26.  

• Cross-market dynamics are challenging cyber security hiring trends. Salaries are inflated, skill gaps persist from rapid post-COVID promotions, diversity remains a challenge, and employers must embrace upskilling and flexibility to secure capability.  

As highlighted in the Australian Signals Directorate’s Annual Cyber Threat Report , cyberattacks are becoming increasingly frequent and sophisticated, ranging from ransomware and phishing to state-sponsored threats. As a result, demand is growing for professionals with skills in threat detection, incident response, and cyber threat intelligence (CTI).  

Organisations across critical infrastructure, finance, healthcare and government are expanding their cyber resilience programs. This has led to a noticeable increase in hiring for roles such as threat hunters, incident responders and CTI analysts.  

The recent updates to the Security of Critical Infrastructure (SOCI) Act and the Australian Cyber Security Strategy have reinforced the need for proactive security measures. Both private and public sectors are building teams to identify, analyse, and mitigate threats before they impact operations.  

This is reshaping team structures. “A lot of organisations are starting to build out their internal threat detection and CTI capabilities,” shares Sophie. While SOCs ( Security Operations Centre) – the 24/7 units that monitor and respond to alerts – still tend to remain outsourced, Sophie finds that “mid to large organisations are now bringing detection in-house.”  

The shift to remote and hybrid work, along with cloud transformation, has intensified the need for secure identity and access frameworks. Identity and Access Management (IAM) and Privileged Access Management (PAM) are now critical to managing user access and protecting sensitive systems.  

PAM has gained particular momentum due to heightened awareness of insider threats and the targeting of administrative accounts. Regulatory updates, including changes to the Australian Privacy Act and APRA’s CPS 234, have further increased demand. As a result, professionals who can modernise legacy identity systems, enforce least-privilege principles, and implement robust access controls are now highly sought after.  

“Identity has been in demand in the market for the past 18 months,” shares Sophie. Before, this was a security specialisation mostly managed offshore. However, “In the last two years, companies have brought these people onshore. Naturally, they would like their information and access to be in Australia.”  

The demand for certified engineers remains strong, with CyberArk and SailPoint specialists particularly sought after. Yet the talent pool is narrow. “It’s a very tight market,” Sophie notes. “People who do have those certifications onshore are often on visas, and government roles usually need citizens with clearance.”  

For organisations, this means recruitment strategies must be flexible. Alongside external hiring, Sophie points to upskilling and internal referrals as viable options. Industry meetups and vendor networks also remain important channels for sourcing IAM and PAM professionals.  

Competition for recruitment in this space will be strong, with both enterprise and government organisations prioritising IAM and PAM expertise as part of their broader cybersecurity strategies.  

With AI now integrated into many business processes, cybersecurity strategies must adapt to new risks. AI security focuses on protecting machine learning systems from threats like data poisoning, adversarial attacks, model inversion, and algorithmic bias.  

Industries such as finance, healthcare, and infrastructure are rapidly adopting AI, and they’re looking for professionals who can secure these technologies while maintaining ethical and regulatory standards.  

Global investment trends suggest this will accelerate. Gartner forecasts that worldwide spending on security and risk management will grow by around 10% in 2025 (to $213 billion USD ), with AI-related security capabilities a major driver.  

“It’s still fairly greenfield for most organisations,” says Sophie, “but this is an area that will have the most rapid growth this financial year, and probably get sign-off for the most budget.”  

At present, very few professionals are working in AI security full-time. Most are exploring it alongside broader security roles. As organisations ramp up their AI adoption, that is likely to change quickly. For employers, preparing now means building frameworks for AI governance, threat detection, and secure development practices. Security teams need to be able to match the pace of innovation.  

Secure AI development, AI governance, and AI-specific threat detection are the skills that will be growing in demand.  

Salaries in cyber are quite inflated, particularly for technically strong engineers in detection and identity. Mid-to-senior detection engineers are currently earning between $135,000 and $175,000 plus super. And some organisations are paying well above this to retain key staff. “I spoke with one engineer who was on $180,000 including super, not managing people, not strategic — just so technically good that the company doubled his salary to keep him,” Sophie recalls.  

The surge in cyber security hiring after COVID pushed people up the ladder faster than usual. Salaries jumped, promotions came quickly, and in many cases, professionals skipped over the time needed to build depth in the fundamentals. As Sophie explains, “After COVID, there was a huge increase in cyber requirements. Salaries went up, and a lot of people were promoted very quickly. Now we’re really seeing a gap in knowledge and skill set in this area, just due to that boom.” For employers, the result is a workforce where not every senior-titled candidate will bring the expected experience. It will be vital to assess candidates on depth as well as breadth.  

Cyber is a discipline that struggles with diversity at the best of times. Despite Sophie being an industry leader in DEI, placing 49 women into tech roles in Q4 24/25, she suggests that these new role types require clients to be realistic. Clients are pushing for female candidates in threat detection and identity roles, but the pool is limited: “. All of my clients are passionate about gender diversity and want to hire more women in these roles. Unfortunately, the reality is that the pipeline just isn’t there yet.” While diversity is a priority, Sophie cautions that it will take sustained effort in training and outreach to shift the balance.  

While demand outstrips supply, organisations have to rethink their rigid cyber security hiring criteria. The perfect skills match probably doesn’t exist. Sophie recommends focusing on transferable skills and supporting professional development. “Some tools do exactly the same thing,” she explains. “If you can use Rapid7, you can pick up Qualys. Employers need to be open to that and back it with an L&D budget.” Flexibility will be critical for filling hard-to-source roles.  

FY26 will require pragmatism. Be flexible on toolsets and transferable skills, and invest in upskilling as part of recruitment. Expect inflated salaries for the top 5–10% of engineers, and build diversity into long-term strategies, understanding that it’s not always a practical short-term hiring target. Most importantly, prepare early for the rapid rate of expansion predicted in AI-driven security.  

For more on these cyber security hiring trends, or further guidance, benchmarks, and hiring strategies to help organisations meet the challenges of FY26, get in touch with Sophie or the team at Launch   .