Originally published on TechDay, Craig Jones, Lumify Work's regional manager talks about the shift in attitudes when it comes to cybersecurity skilling in ANZ. Read more below.
Demand in cybersecurity skills surges as ANZ firms ditch complacency
Corporate demand for cybersecurity skills is surging across Australia and New Zealand, as escalating digital threats and a fast-moving regulatory landscape force organisations to rethink their approach to cyber risk.
What was once a compliance checkbox has become a core business priority, with security training now viewed as essential infrastructure - not optional spend.
This shift is fuelling growth for providers like Lumify Work, Australasia's largest corporate IT training company.
The company, formerly known as Auldhouse in New Zealand and DDLS in Australia, reports a decisive change in enterprise behaviour. It comes as organisations are moving quickly from complacency to action as the costs of security failure - financial, operational and reputational - become painfully clear.
"Three or four years ago in New Zealand, there was a real resistance - a 'she'll be right' attitude around cybersecurity training," Craig Jones, Lumify Work's regional manager, told TechDay during a recent interview.
"But increasingly, and especially in the last two to three years, people have realised that upfront investment changes the end result."
Recent high-profile breaches targeting both the private and public sectors have underscored just how exposed many organisations are. In response, boards are now demanding clear answers about security capabilities and are investing accordingly. According to Jones, demand has intensified not just for technical training, but for guidance on what kind of training is actually needed.
"A lot of organisations are coming to us and saying, 'We need cybersecurity training, but we don't know what,'" he says. "Our job is to help them work that out - because not everything is relevant to everyone."
That shift in thinking - towards continuous, targeted capability-building - reflects a broader realisation that cybersecurity is no longer confined to IT departments.
Organisations increasingly understand that everyone, from frontline staff to senior executives, must be part of the solution.
"Everyone needs cybersecurity training. That training won't look the same for everyone, but it needs to happen across the board," Jones says. "End users need awareness - password hygiene, phishing detection. Architects and engineers need deep technical skills. And the executive level needs to understand the risks well enough to support and fund the right response."
With budget cycles tightening and threat levels rising, the stakes are higher than ever. Hybrid learning models are now the norm, with flexibility and responsiveness proving critical to delivering impact. Pre-COVID, online attendance was minimal. Today, it's standard. Participants shift fluidly between in-person and virtual formats, sometimes within the same course.
"You might get someone show up on Monday, work remotely Tuesday, come back in Wednesday, then dial in again Thursday to avoid traffic," Jones says. "We've built the AV infrastructure to support that flexibility."
Training content is increasingly tailored in real time, with programs adjusted after initial sessions to stay aligned with organisational needs.
The days of generic, one-size-fits-all training are over. Now, security education is about pinpointing the actual gaps and building capability with precision.
Internationally recognised certifications remain in high demand, with strong uptake in courses from ISC2, ISACA, EC-Council and CompTIA. Foundational programs like CompTIA Security+ provide broad visibility into the security landscape, while advanced tracks such as CISSP, CISM and CEH prepare professionals to operate at a strategic level.
"Security+ gives you enough knowledge to ask the right questions. But CISSP or Certified Ethical Hacker - that's where you need real depth," Jones says.
"You have to understand how attackers operate to effectively defend against them."
Still, the biggest hurdle for many organisations remains mindset. Jones says too many still view security training as an expense rather than a critical investment. But the costs of not investing - regulatory fines, operational shutdowns, loss of trust - are now too great to ignore.
"It's like insurance. It's not just the immediate cost - it's the long-term risk. And if you're a financial organisation, the reputational damage of a breach can be catastrophic," he says.
To combat this, Lumify leans heavily on direct engagement with clients, often involving domain experts instead of salespeople in early discussions. The goal is not just to sell courses, but to help organisations benchmark where they stand, identify blind spots, and prioritise what comes next.
"The realisation we're helping drive is: you'll never be finished. This isn't a one-off project. You will always be figuring out your next step," Jones says.
The skills gap is also widening outside the corporate world. From entry-level workers to seasoned executives, the need for baseline security awareness is universal. Cybersecurity literacy is no longer a luxury - it's a frontline defence.
"If you don't involve everyone, you've already lost," Jones warns. "The only real shield organisations have is education. Without it, they often don't even realise they've been compromised."
As cybercriminals grow more advanced and regulation more demanding, the race to upskill and embed a security-first culture inside organisations is accelerating.
Cybersecurity training has become one of the most important investments a business can make in 2025 - not just to stay compliant, but to also stay operational. Download our cybersecurity brochure to learn more.
