A Conversation that got me thinking…
Yesterday, I was speaking to a cybersecurity graduate who reached out for advice on how to kickstart their career in the industry. Naturally, I asked what they’d been studying. They rattled off the usual units: network security, cryptography, digital forensics. All textbooky. All structured. All very… academic.
But here’s what hit me: after 3 – 4 years of formal tertiary education, they were academia-ready. But were they job-ready in the cyber industry?
To be clear, I’m not against universities; actually, quite far from it. I’ve pursued multiple tertiary degrees myself and continue to encourage students to take the university pathway. This isn’t about discrediting colleges and education providers. It’s about challenging academia to rethink a few things in the context of what the industry needs today and tomorrow.
That moment reinforced something I’ve been observing for years – our pipeline is producing cyber graduates who know the theory but aren’t equipped for the complexity and nuance of real-world security.
Rethinking how we grow Cyber-Talent in Australia
We keep talking about the cyber skills shortage. But the bigger issue is what kind of skills we’re teaching and what kind of roles we’re shaping students for.
Our education system is overly fixated on technical capability, assuming that’s what every cyber role needs. But cyber security in the real world is human, dynamic, and often messy. And students aren’t being prepared for that.
From governance to culture change, from insider risk to third-party assurance, the vast majority of security issues stem from people, not just poorly configured systems.
And yet, we continue to build cookie-cutter degrees that favour tools over context.
To be fair, I know some universities are already innovating by embedding capstone projects, expanding cross-discipline options, and engaging with industry partners in meaningful ways. But this progress isn’t yet consistent across the board. That’s the gap I believe we still need to close together.
The Uni pipeline is overdue for a REDESIGN
Most cyber degrees in Australia still follow a rigid, technically biased structure. There’s little flexibility. No room for specialisation. No space to build cross-disciplinary capability.
Unlike medicine, teaching, engineering or law, where students grow through foundational learning into specialist tracks – cyber students are thrown into deeply technical content from Day 1, with no chance to tailor their journey.
And it’s costing us. We’re losing students who might have thrived in policy, human factors, or cyber law. Not many tertiary education providers focus on the Governance Risk and Compliance (GRC) or Identity and Access Management (IAM) facets of Cybersecurity, in my opinion. It’s all about either offensive security (Red team) or defensive security (Blue team). We’re alienating career changers who bring critical experience from other sectors. And we’re not producing the breadth of thinkers our future threat landscape demands.
Cybersecurity is a HUMAN problem. We need HUMAN thinkers.
You don’t just need to be a red or a blue teamer to work in cyber. I acknowledge and understand that seems to be the more attractive (or rather more advertised) facet of cybersecurity, but it’s not the be-all and end-all.
We need people who can ask the right questions in a boardroom. Who can translate risk into language a CEO, the CFO and the broader Executive Leadership Team understands. Who can influence behaviours, design ethical guardrails for AI, and make cybersecurity make sense to the rest of the business.
That means embracing streams such as:
- Cyber Behaviour & Psychology
- Security Culture & Awareness Design
- Cyber Ethics & Technology Governance
- Privacy Law & Digital Trust Building
- Cyber Law Specialisation
- Cyber Incident Response Specialisation (this is more than Cyber Forensics)
These aren’t fringe topics. They’re core to modern cyber maturity.
This isn’t a call to water down technical standards. Far from it. Strong cyber professionals must understand the fundamentals – networking, systems, detection, response. But that knowledge becomes far more valuable when paired with human insight and strategic fluency.
A better way forward: Customisable Cyber Degrees
Here’s what I believe we need to do urgently.
- Core technical foundations for everyone, so the fundamentals are covered
- Specialisations or minors to let students explore human, strategic, or legal domains
- Industry-linked capstone projects that solve real-world business problems
- Cross-faculty electives that invite interdisciplinary thinking—from business, psychology, criminology, or design
This model wouldn’t just boost diversity. It would produce better cyber professionals – more adaptable, more relevant, and more capable of leading change in complex environments.
From the cyber frontlines: A CEO’s perspective
At Cyber Ethos, we sit at the intersection of technology, governance, risk and Artificial Intelligence (AI). We have advised Boards, upskilled executive teams, and run simulations where the true test isn’t how fast you can patch a system, it’s how clearly you can communicate the impact.
Time and time again, I see brilliant technicians falter when they need to step into the human dimension of cyber – navigating politics, handling stakeholders, or managing ambiguity.
That’s not their fault. It’s ours. We built a system that teaches the tech but forgets the context.
My message to Academia
The curriculum should stop teaching cyber security as a one-size-fits-all track. Rather, start treating it like the diverse, multidisciplinary ecosystem it is.
My message to academia isn’t one of blame – it’s one of partnership. Universities play a vital role in shaping the mindset of our future cyber workforce. But to meet the needs of a rapidly evolving threat landscape, we need deeper collaboration between educators and industry practitioners.
That means co-designing curriculum, co-supervising research, opening student placements, and ensuring both sides understand the capabilities and constraints of the other.
My three (3) top tips
1. Allow students to specialise.
2. Encourage new perspectives.
3. And don’t be afraid to rethink the entire cyber academia model.
If we truly want to build national cyber resilience, we need more than firewalls and frameworks. We need minds that can adapt, translate, empathise, and lead.
Keen to have a further discussion on how we can.
My message to the Students
Keep dreaming BIG but push for CHANGE
If you’re studying cyber right now and wondering why your course feels narrow or disconnected from real-world roles, you’re not imagining things – trust me.
My three (3) top tips for you
1. Advocate for choice.
2. Seek mentors, especially if you can find someone in the industry. I’m talking about a Cyber Practitioner.
3. Find side projects that expand your perspective – even if it’s an internship.
I strongly believe that cybersecurity needs more than coders; it needs critical thinkers.
As I conclude
I don’t have all the answers. But I’m extending a genuine invitation to university leaders, curriculum designers, and lecturers: let’s talk.
Let’s collaborate.
Let’s co-create a cyber education ecosystem that doesn’t just fill jobs but builds leaders.
Let’s make security more human before the threat landscape forces us to.
