The Skills Shortage Is Structural. Stop Waiting for It to Fix Itself.

The global cybersecurity workforce gap has reached 4.8 million unfilled positions according to the ISC2 2024 Cybersecurity Workforce Study, up from 4 million the year before. The Asia-Pacific region accounts for the largest share of that deficit at 3.7 million. Australia specifically faces a shortfall estimated at around 17,000 workers by AustCyber's workforce modelling.

These numbers matter, but the raw gap understates the real problem. The shortage is not evenly distributed across all security roles. Entry-level analyst positions can be filled. Senior security architects, experienced incident responders, cloud security engineers, and GRC leaders with genuine regulatory expertise are profoundly scarce. These are the roles that determine whether your security program actually works or just looks like it does on paper.

For Australian organisations specifically, three forces make this worse:

  • Regulatory expansion. The SOCI Act, APRA CPS 234, the Privacy Act reforms, and the Cyber Security Act 2024 have all increased the security obligations organisations must meet. Each new obligation requires capability. Capability requires people.
  • Salary escalation. A competent CISO in Sydney now commands $280,000 to $400,000+ in total compensation. Senior penetration testers and cloud security architects sit at $180,000 to $250,000. These figures are rising faster than most mid-market security budgets.
  • Retention pressure. ISC2's workforce research consistently reports high rates of burnout among cybersecurity professionals, with a majority of respondents saying their stress levels rose over the previous year. The professionals you do manage to hire are actively being recruited by competitors from the day they start.

Waiting for the skills pipeline to solve this problem is not a strategy. The organisations that perform best in this environment are the ones that have accepted the structural reality and designed their security operating model around it.

Three Operating Models That Actually Work

There is no single correct way to structure a flexible cybersecurity workforce. The right model depends on your organisation's size, regulatory exposure, risk appetite, and existing internal capability. But the models that work in practice tend to fall into three categories.

Model 1: Core Team Plus Specialist Access

This is the most common model for mid-market organisations with revenue between $50 million and $500 million. You maintain a small internal security team, typically 2 to 4 people, who own day-to-day operations, policy, and internal stakeholder relationships. You then supplement them with specialist external capability for areas that require deep expertise you cannot justify employing full-time.

Typical specialist roles filled externally in this model include penetration testing, security architecture review, incident response, and compliance gap assessments. The internal team acts as the continuity layer. The external specialists bring depth.

Where this model fails: when the internal team is too junior to direct external specialists effectively, or when there is no one internally with the authority and expertise to translate security findings into business decisions. If your internal team consists entirely of analysts without a senior leader, you have a monitoring team, not a security function.

Model 2: Virtual CISO With Managed Services

For organisations that need strategic security leadership but cannot justify a full-time CISO, a virtual CISO engagement paired with managed security services provides broad coverage at a low fixed cost. The vCISO owns strategy, risk management, board reporting, governance, and vendor oversight. The managed services layer handles operational functions like SOC monitoring, vulnerability management, and awareness training.

This model works particularly well for organisations under $200 million in revenue, for subsidiaries of larger groups that need local security leadership in Australia, and for organisations going through rapid growth where the security requirements are evolving faster than the team can scale.

Where this model fails: when the vCISO engagement is treated as a checkbox rather than a genuine leadership function. A vCISO who attends a monthly meeting and writes a quarterly report is not providing strategic leadership. A good vCISO engagement involves meaningful time allocation, board access, direct involvement in risk decisions, and the authority to influence how the organisation spends its security budget.

Model 3: Embedded Teams and Staff Augmentation

Larger organisations, particularly those in regulated industries, sometimes need external specialists embedded within their team for extended periods. This is not outsourcing in the traditional sense. It is placing experienced practitioners inside your organisation, working alongside your people, using your tools, and operating under your governance framework.

This model suits large-scale security transformation programs, ISO 27001 certification projects, cloud migration security work, and standing up new security capabilities like threat hunting or DevSecOps. The embedded approach transfers knowledge to internal staff over time, building internal capability while delivering immediate results.

Where this model fails: when the augmented staff become permanent dependencies rather than a bridge to internal capability. If you have had the same contractor in the same role for three years without building any internal capability in that area, you do not have a staff augmentation arrangement. You have an outsourced function that you are paying contractor rates for.

The Cost Comparison No One Wants to Publish

One reason the flexible workforce conversation stays vague is that few organisations or providers publish honest cost comparisons. Here is what we see in practice across Australian mid-market engagements.

A fully internal security team of 4 to 5 people, consisting of a CISO, a security architect, two analysts, and a GRC specialist, costs approximately $900,000 to $1.4 million annually when you account for salaries, superannuation, training budgets, tooling licences, and the overhead of recruitment and retention. That figure does not include the opportunity cost of the 4 to 8 months it typically takes to fill senior roles, during which the function runs with a gap at the top.

A blended model using a virtual CISO (2 to 3 days per week equivalent), a managed SOC service, and quarterly specialist engagements for testing and architecture review delivers comparable capability from approximately $250,000 to $600,000 annually. The exact cost depends on scope, complexity, and how much regulatory compliance work is required.

The blended model is not always cheaper on a per-hour basis. What it does is eliminate the recruitment risk, the retention risk, and the single-point-of-failure risk that comes with having one senior person own your entire security program. When your CISO resigns, and statistically they will within 2 to 3 years, a blended model does not leave you starting from zero.

Regulatory Reality: What Your Regulator Actually Expects

One of the most persistent myths about flexible workforce models is that regulators want to see a fully in-house security team. This is wrong. What regulators want to see is adequate capability, proper governance, and clear accountability.

APRA CPS 234 is explicit about this. Paragraph 15 requires APRA-regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets. It does not prescribe how that capability must be structured. What it does prescribe is accountability: paragraph 13 places ultimate responsibility for information security with the board, and paragraph 16 requires the entity to assess the information security capability of any related party or third party that manages its information assets. Entities can and do use managed service providers, consultants, and virtual CISOs, provided the board retains oversight, the provider's capability has actually been assessed, and the overall capability is genuinely commensurate.

The SOCI Act similarly does not mandate in-house teams. Critical infrastructure entities must adopt, maintain, and comply with a risk management program, but the Act recognises that security capabilities can be delivered through third-party arrangements.

The Essential Eight is a set of technical mitigation strategies with a maturity model attached. It is agnostic about who implements and manages them. Whether your patching is managed by an internal team or a managed services provider, what matters is whether the control, as actually operated, meets the requirements of the maturity level you are targeting, and whether you can evidence that.

The regulatory risk with flexible workforce models is not the model itself. It is poor governance over the model. If you cannot demonstrate that your provider's capability is adequate, that you have oversight of their performance, and that accountability sits clearly with named individuals in your organisation, that is a compliance gap regardless of whether your team is internal or external.

Where Flexible Workforce Models Go Wrong

We have seen enough flexible workforce arrangements fail to identify the common patterns. These are not theoretical risks. They are recurring problems we encounter when assessing organisations that thought they had security covered.

No internal ownership. The most damaging failure is having no one internally who owns security outcomes. External providers can deliver services, but someone inside the organisation must own the risk, make decisions under pressure, and maintain the relationship with the board and executive team. If your entire security function is outsourced with no internal owner, you do not have a security program. You have a service contract that no one is managing.

Vendor sprawl without integration. Some organisations end up with four or five different external providers, each covering a narrow slice of the security landscape, none of them talking to each other. The penetration tester does not know what the managed SOC is monitoring, so a finding that should become a detection never does. The compliance consultant does not know what the architecture team designed. This fragmentation creates gaps that are invisible until an incident exposes them.

Confusing cost reduction with risk reduction. A flexible workforce model should be justified primarily on capability grounds, not cost grounds. If the driving motivation is to spend less on security, the model will be designed to minimise cost rather than to maximise coverage. These are different objectives and they produce different outcomes.

Treating contractors as permanent staff without the commitment. Organisations that rely on long-term contractors without investing in their integration, without giving them access to the context they need, and without building internal capability alongside them get the worst of both worlds: contractor cost with employee-level dependency but without the retention mechanisms that keep employees loyal.

What Good Looks Like

The organisations that get flexible cybersecurity workforce models right share several characteristics. None of them are complicated. All of them require deliberate design.

  • Clear internal ownership. Someone inside the organisation, whether a full-time CISO, a senior IT leader with security responsibility, or a board member with security oversight, owns the security outcomes. External providers report to this person.
  • Defined capability map. The organisation has documented what security capabilities it needs, which are delivered internally, which are delivered externally, and how the two integrate. This is not a complex exercise, but it needs to exist.
  • Integrated providers. External providers are not siloed. The managed SOC feeds findings into the risk management process. The penetration testing results inform the security architecture roadmap. The compliance work references the operational reality.
  • Knowledge transfer by design. The engagement model is structured so that internal capability grows over time. External specialists document their work, train internal staff, and progressively hand over routine responsibilities. The goal is to reduce dependency, not increase it.
  • Regular review. The workforce model is reviewed at least annually against the organisation's changing risk profile, regulatory requirements, and strategic direction. What worked when you were a $50 million company may not work when you are a $200 million company.

What to Do Next

If your organisation is struggling with any of the workforce challenges described in this article, the worst response is to keep doing the same thing while hoping the talent market improves. It will not.

Start by being honest about what your current security team can and cannot do. Map the capabilities you need against the capabilities you have. Identify the gaps. Then evaluate whether those gaps are best filled by hiring, by engaging external specialists, by adopting managed services, or by some combination of all three.

The best flexible workforce models are not compromises. They are deliberate designs that give mid-market organisations access to security capability that would otherwise require budgets and talent pipelines only the largest enterprises can sustain.

Cliffside's virtual CISO and strategy practices work with Australian organisations to design and operate security functions that match their actual risk profile, regulatory requirements, and budget. If you want an honest conversation about what your security team should look like, start with a Lighthouse Assessment.