The cybersecurity skills gap is a pressing issue for New Zealand, and it's not just about the numbers. While the country is producing thousands of business and IT graduates each year, the tertiary education system is failing to bridge the gap between theory and practice, leaving a significant skills shortage in the cybersecurity sector. This is a missed opportunity for both the education sector and the broader economy, as highlighted by a deficit of 3,500 professionals and the 70% of businesses that link this gap to rising risks.
Dr. Steven Woodhouse, a former university lecturer and Fortinet's field chief information security officer (CISO) for Australia and New Zealand, believes the problem lies in the disconnect between tertiary education providers and the industry. He argues that the tertiary sector needs to bring industry into the classroom more effectively, co-designing courses with security vendors and employers, and embedding vendor certifications and internships into the curriculum. This approach would make graduates more job-ready and bridge the skills gap.
Woodhouse emphasizes that cybersecurity should not be a niche technical elective but an integral part of all business degrees. He points out that only a fraction of cybersecurity professionals work on technical network security, encryption systems, or computer programming. Instead, many are involved in administrative, compliance, and governance roles. By incorporating cybersecurity into business and management curricula, graduates will be better equipped to pursue cybersecurity roles and understand the broader implications of cybersecurity for their organizations.
The newly established Electrotechnology and Information Technology Industry Skills Board is a step in the right direction, according to Woodhouse. This board will give the industry a stronger voice in shaping vocational education, setting standards, and endorsing programs. However, he also stresses the importance of targeting under-represented groups and mid-career workers in cyber programs. Indigenous communities, for example, are an obvious opportunity, but their inclusion is often lacking. Similarly, with automation and artificial intelligence reshaping roles, mid-career workers can benefit from cybersecurity training to enhance their existing skills and adapt to the changing landscape.
The urgency of the situation is underscored by recent cybersecurity breaches, including the exploitation of sensitive patient and medical information. The Fortinet 2025 Cybersecurity Skills Gap Report reveals that nearly one-third of businesses surveyed experience five or more breaches in a year. With AI providing cybercriminals with more sophisticated tools, organizations are under increasing pressure to protect their systems, data, and people. Woodhouse emphasizes that while AI is a valuable asset in the cybersecurity arsenal, the key resource remains people, and the industry must prioritize bolstering the cybersecurity workforce.
In conclusion, New Zealand's cybersecurity strategy aims to uplift cyber capability and build national cyber resilience. However, the skills gap is a significant hurdle that requires a collaborative effort between the education sector, industry, and government. By addressing the opportunity shortage, incorporating cybersecurity into business degrees, and targeting under-represented groups, New Zealand can build a robust cybersecurity workforce and reduce its reliance on overseas talent. The time to act is now, as a skills gap can have far-reaching consequences for the country's digital security and economic prosperity.