Portrait 11 of 15
Jacqui
Strengthening Cyber Capability through Inclusion
she/her · 48 · Wurundjeri Woi Wurrung Country (Melbourne), VIC
Cyber security · Gender equity
Women are 17% of the cyber security workforce. The system keeps losing the ones it has.
Jacqui founded Australia’s Women in Security Network after watching a pattern repeat across decades: women enter the field, build expertise, and leave at predictable transition points before that experience can shape standards and practice. Her portrait makes the case that this is not a diversity problem - it is a capability problem. Cyber threats increasingly exploit human behaviour and social systems. A workforce built without that breadth of perspective has blind spots written into its foundations.
Through Jacqui’s eyes
Jacqui (she/her), 48 | Wurundjeri Woi Wurrung and Boon Wurrung Country, Kulin Nations (Melbourne, Victoria)
In cyber security, Jacqui has learned to listen for what is missing. She first noticed it at university. Women arrived in her IT degree with confidence and aptitude, and by graduation most were gone. “A lot of women started with a bachelor’s of IT,” she recalls. “Not many women were finishing it.”
For Jacqui, this absence signals vulnerability. She came to understand that cyber security depends on how people think, not only what they code or configure. When perspectives narrow, blind spots widen. “Cyber security is like a team sport,” she says, and a team missing half its players cannot cover the field.
Her own entry into the field was unplanned. An accelerator program introduced her to information security, a discipline she had not even known existed. Training led to international work, and international work led to years overseas. In France, across Asia, and in the organisations she worked with, the same pattern appeared again and again. The rooms shaping digital security rarely reflected the communities they were meant to protect. With time, this pattern stopped feeling accidental and began to look structural.
A decade ago, that recognition turned into purpose. Jacqui founded the Australian Women in Security Network with a clear mission: bring more women into the field, keep them in it, and support their progression into leadership. For her, the challenge extends beyond access. It is about visibility, confidence, belonging, and reshaping the story of who cyber security is for. “This next decade is about increasing awareness among women and girls and moving into schools,” she says. “You need to stop the leaky pipeline first before we get more women and girls into this field.”
After years of watching who leaves and who remains, Jacqui reached a clear conclusion. A nation facing constant digital threat cannot rely on a workforce shaped by exclusion. Cyber security built without cognitive breadth carries risk into its foundations. In a system as interconnected as cyberspace, absence itself becomes a form of vulnerability.
The policy trajectory of cyber security capability
Jacqui’s experience brings into focus a cyber security system where expertise exits faster than it consolidates. Governance and workforce design emphasise rapid technical response and demonstrable resilience, while the slower formation of judgement and interpretive skill receives far less structural support. Women enter cyber education and early-career roles in significant numbers, then leave at recurring transition points. Each departure narrows perspective and interrupts institutional learning. Workforce pipelines focus on throughput and immediate deployment, limiting the retention of diverse expertise long enough to shape standards, risk assessment, and routine practice. What presents as a staffing challenge becomes a deeper capability constraint, as cyber threats evolve continuously while the ability to recognise socially embedded risk develops across longer horizons.
The potential of future generations policy to intervene
A future generations policy approach understands cyber security as a capability that matures through continuity. Workforce design would prioritise retention, progression, and inclusive career pathways that keep judgement, context, and diverse expertise embedded within institutions. As experience carries forward instead of being repeatedly lost, cyber defences gain depth and adaptability. Future Australians inherit digital systems shaped by sustained understanding of risk rather than episodic response.
Policy landscape
Today's policy landscape: Strengthening Australia’s cyber security through inclusion
Australia faces a cyber attack every six minutes. Tens of thousands of incidents are reported each year, and recent breaches have exposed significant financial and personal harm. National responses reflect strong technical ambition. The Cyber Security Act 2024 and the 2023-2030 Australian Cyber Security Strategy strengthen standards, coordination, and incident response, backed by rapidly increasing public investment expected to exceed AUD 6 billion by 2026.
Far less attention goes to how cyber capability forms and endures. The current system prioritises rapid response and visible resilience. Workforce pathways allow expertise to exit before judgement and institutional memory can take hold. For practitioners like Jacqui, the issue appears less as a shortage of tools than as a steady loss of people at critical career stages.
Women make up 17% of Australia’s cyber security workforce, with far fewer in senior roles. The imbalance begins early. Participation in IT education remains lower than in other STEM fields, and attrition continues through training and employment. Pay gaps, limited career progression, and workplace cultures that reward homogeneity weaken retention further. Representation of non-binary, gender-fluid, and gender-diverse people remains even more limited, with available data often too sparse to measure participation reliably.
Government has begun to recognise this challenge. The Department of Home Affairs in Australia released an Inclusive Cyber Security Recruitment guide to support organisations in attracting women, First Nations peoples, and neurodivergent professionals. The guide outlines practical steps for designing job advertisements, recruitment processes, and workplace practices that support diverse hiring and retention, while also highlighting the operational benefits of a broader workforce.
Public concern about digital security remains high, particularly around privacy and control of personal data. Yet the policymaking processes shaping cyber frameworks rarely reflect the diversity of those most affected by digital risk. Inclusion appears in supplementary action plans, but durable mechanisms to retain diverse expertise through mid-career and into leadership remain limited.
This gap extends beyond representation. Cyber security increasingly depends on understanding human behaviour, trust, and social systems. Narrow workforce composition reduces cognitive diversity and restricts analytical range. As experienced practitioners leave before their knowledge can settle into institutions, threat assessment and decision-making rely on partial perspectives. The result is a system where capability weakens as expertise exits before it can shape how institutions interpret risk.
The value of a future generations approach
Australia’s cyber security workforce reflects policy settings that favour rapid entry and short deployment cycles. Retention and progression receive far less attention. Experienced practitioners often leave before judgement and contextual understanding can settle into practice. Women and other under-represented groups exit at predictable transition points, narrowing the perspectives applied to threat assessment and response. Repeated turnover weakens institutional memory and anchors threat models in partial assumptions about user behaviour. Cyber systems may remain technically capable while becoming less prepared to recognise the social dimensions of risk.
Future Generations Policy Analysis
A future generations policy lens examines how workforce and institutional design shape the continuity of cyber capability. Effective defence relies on retaining experience long enough to influence governance, system architecture, and operational judgement. Systems that preserve this continuity strengthen their capacity to interpret evolving threats. Systems that lose it pass structural weakness forward to future Australians.
Case Study: 2023-2030 Australian Cyber Security Strategy
The Australian Cyber Security Strategy 2023-2030 sets out a national ambition to become one of the world’s most cyber-secure countries by the end of the decade. The strategy strengthens coordination between government and industry, expands intelligence sharing, and invests in new initiatives such as Digital ID to reduce exposure to cybercrime.
While broad in scope, the strategy focuses primarily on technical capability and incident response. It does not significantly change who participates in designing and governing cyber security systems. Equity and inclusion are not embedded as structural elements shaping workforce formation, retention, or leadership pathways.
The accompanying Action Plan acknowledges underrepresentation in the cyber workforce, particularly among women and First Nations people. However, most measures concentrate on recruitment-stage interventions. Less attention is given to qualification pathways, mid-career retention, or workplace conditions that determine whether expertise remains within institutions long enough to shape standards and practice.
As a result, the system continues to draw from a relatively narrow set of technical pathways, with limited mechanisms to retain diverse and cross-disciplinary expertise. The strategy strengthens national response capacity, yet leaves deeper questions of workforce continuity and institutional learning largely unresolved.
From a capability perspective, broader inclusion is not only an equity concern. Diverse experience expands foresight, strengthens adaptive capacity, and supports cyber defences that remain effective in a rapidly evolving threat environment.
Fairness dimensions
Life stage equity
Current pathways allow entry into cyber roles at multiple points, including mid-career transitions, but do not stabilise participation across key life stages. Early exits remain common before experience consolidates, repeatedly resetting capability rather than allowing it to mature and transfer forward.
Distribution Across and Within Generations
Decision-making influence concentrates within a narrow technical cohort, while the costs of incomplete threat perception are dispersed across users, institutions, and future cohorts. Such concentration normalises partial risk models that persist over time.
Future Opportunities and Path Dependency
Emphasis on rapid response and throughput improves short-term security outcomes while reinforcing linear career pathways, locking in response-heavy models that are less adaptable to social, legal, and behavioural dimensions of emerging risk.
Proportionate and Justified Trade-offs
Short-term efficiency gains from narrowly defined cyber roles shift coordination and interpretive costs forward. The erosion of cross-domain judgment reduces the value future systems can derive from today’s workforce investments.
Precautionary Approach
Policy treats workforce formation as recoverable rather than fragile, delaying action on foreseeable risks linked to loss of depth and diversity. Once experience thresholds are crossed, constraints become costly and difficult to reverse.
Our opportunity to shape Australia’s future
In cyber security, the long-term risk extends beyond the growing scale and sophistication of attacks. It also lies in the erosion of judgement available to interpret and respond to them. When workforce design filters out diverse and cross-disciplinary experience, systems continue to operate but the range of risks identified, prioritised, and addressed narrows. These losses embed themselves in standards, operating procedures, and leadership pipelines, leaving cyber defences more reactive, less adaptive, and harder to strengthen.
Two possible futures
A future of exclusion and poor outcomes
It is 2040, and cyber security in Australia still resembles the system built decades earlier. Workplace cultures remain unwelcoming, advancement pathways narrow, and bias persists across training and employment.
Over the preceding years, Australia moved through repeated cycles of digital instability with a workforce missing much of its available judgement. As AI-driven fraud evolved, it targeted demographics whose digital habits and vulnerabilities had never been fully considered when systems were designed. Women and girls, long told that securing devices was “too technical,” disengaged from proactive digital self-protection. Many relied on reactive education after harm occurred. The consequences spread across the economy. Blind spots in risk assessment allowed preventable breaches that deterred investor confidence and drove cyber insurance premiums sharply upward. Governments responded with reactive regulation and expanding compliance regimes that weighed heavily on small and medium enterprises, slowing digital adoption and innovation.
Exclusion reproduced itself. Fewer women entered the field, and those with experience left before influencing how cyber risks were defined and governed. The talent pool narrowed, deepening the workforce shortage. As domestic capability weakened, Australia relied increasingly on foreign cyber security contractors and infrastructure, reducing national sovereignty and limiting regional influence.
Public trust in digital systems steadily declined. Many citizens disengaged from online services or participated with minimal literacy about privacy, data rights, and device security. Governments and businesses absorbed rising recovery costs while households faced growing exposure to scams, coercion, and identity misuse.
By 2040, Australia had become a case study in the consequences of treating cyber security as specialist knowledge rather than a foundational civic capability. Systems built without diverse perspectives carried blind spots into their foundations. Digital exclusion reinforced social exclusion, transmitting risk and inequality into the next generation.
An inclusive cyber-resilient future
It’s 2040, and Jacqui is at the national cyber security conference in Canberra. The keynote speakers, technical leads, and audience no longer tilt in one direction. The room reflects the country, rich in its diversity and broad in its perspective.
This outcome emerged from a practical recognition that cyber threats exploit human behaviour as often as technical weakness. Earlier systems designed by narrow cohorts missed patterns others could see. In response, teams widened to better reflect the populations they protected. Diversity came to signal technical strength rather than a human resources objective.
The foundations were established years earlier. Cyber literacy entered schools early and often, embedded alongside lessons on health and financial capability. Securing devices, managing data, and recognising manipulation became everyday skills practised at home, in classrooms, and in workplaces. Girls grew up confident in configuring privacy settings, questioning platforms, and understanding digital risk as something they could influence. Security shifted from a reactive response to a shared civic habit.
University cohorts stabilised and career pathways strengthened. Workplaces retained practitioners long enough for judgement to mature and pass between generations of professionals. Inclusion extended across culture, identity, and discipline, reshaping how risks were interpreted and how safeguards were built. Secure-by-design standards began to reflect how Australians actually live and move online.
The effects reached far beyond the workplace. Fewer systemic breaches lowered insurance and litigation costs, allowing public and private investment to focus on innovation instead of recovery. Citizens regained confidence in digital systems, increasing participation in e-governance and secure digital identity programs that made public services more accessible and efficient.
By 2040, cyber resilience operates as a distributed capability across society. Inclusion no longer requires explicit emphasis. It is visible in how the system functions.
Go deeper