By Faraz Khan
During my international Fellowship on cybersecurity education, one lesson became increasingly clear: some of the most important cybersecurity decisions are made by people who do not work in cybersecurity. A health worker handles patient information. A community-services employee manages digital case records. A hospitality worker processes customer data. A manufacturing employee uses connected equipment.
None of these workers is a cybersecurity specialist, yet each decision can increase or reduce organisational cyber risk.
This is why cybersecurity can no longer be treated only as an ICT subject or the responsibility of a specialist security team. It is now part of everyday work across almost every digitally enabled industry.
The current gap
Australia alread has cybersecurity qualifications, awareness programs and industry resources. The problem is that cybersecurity is not consistently embedded across non-ICT vocational qualifications.
In some qualifications, cyber units appear only as electives. This means two learners completing the same qualification may receive very different preparation, even when both will handle personal information, use digital platforms or manage workplace risk.
In other cases, cybersecurity is reduced to generic advice: use strong authentication, apply updates and recognise phishing attempts. These messages are useful, but they do not show workers how cyber risk appears in their own roles.
There is also an over-reliance on written knowledge questions. Knowing the correct answer in an assessment is not the same as recognising a suspicious request, protecting sensitive information or escalating an incident under workplace pressure.
Australia therefore needs to distinguish between three levels of capability: specialist cybersecurity expertise, foundational cyber awareness and safe digital behaviour, and occupation-specific cybersecurity responsibility. Not every worker needs advanced technical skills, but every worker needs to understand the risks and responsibilities connected to their role.
What international practice demonstrates
During my Fellowship, I examined examples from the United States, Canada and Estonia. The strongest lesson was that cybersecurity becomes more meaningful when it is connected to occupational context.
At the National Cybersecurity Training and Education Center (NCyTE) in the United States, Michele Robinson and Dr Kristine Christensen highlighted the Cybersecurity Across Disciplines initiative. It supports integration into fields such as healthcare, finance, transportation and energy, with educators and industry partners working together to identify sector-specific challenges.
This matters because the cyber decisions made in healthcare are not the same as those made in manufacturing or finance. Cross-disciplinary education should begin with the work being performed, the systems being used and the consequences of failure.
The CLARK Cybersecurity Library provides another useful example. It offers shared curriculum resources for different education levels and disciplines, including material related to medical-device security. A resource like this can help educators who understand their profession deeply but have limited cybersecurity expertise. For Australia, a shared repository could reduce duplication, provided its content is quality assured, regularly updated, mapped to training products and aligned with Australian workplace and regulatory requirements.
Estonia offers a broader system lesson. Cybersecurity is embedded within digital competence rather than treated only as a standalone technical subject. Learners develop capability in areas including information and data literacy, communication, safety and problem-solving. The transferable principle is not to copy Estonia’s model, but to develop shared expectations that can be adapted to different occupations and qualification levels.
What Australia should build
A practical Australian model should combine a common baseline with sector-specific application.
The baseline should include recognising common threats, using strong authentication, protecting personal and organisational information, handling workplace data responsibly, using digital platforms, connected devices and artificial intelligence tools safely, following workplace procedures, and knowing when and how to escalate an incident.
That baseline should then be adapted to each field.
In health, learners may need to protect patient information and understand the cyber implications of connected medical devices. In community services, they may need to safeguard digital case records and use workplace platforms responsibly. In manufacturing, they may need to understand connected machinery, removable media and operational technology. In business, they may need to protect workplace and customer information. In hospitality, they may need to protect customer data. In critical infrastructure, workers may need stronger awareness of operational systems, access controls and escalation procedures.
The goal is not to make every worker responsible for solving technical security problems. It is to ensure they can make safer decisions within their authority, recognise when something is wrong and involve a specialist at the right time.
Embed capability without overloading qualifications
Australia does not need a separate cybersecurity unit in every qualification.
Cyber responsibilities could be built into existing core units, practical assessments and workplace scenarios. A learner managing client information could demonstrate secure storage and sharing practices. A manufacturing learner could respond to a scenario involving connected equipment.
A hospitality learner could demonstrate safe handling of customer information.
Jobs and Skills Councils, employers, discipline educators and cybersecurity specialists should jointly identify which practices are essential in each occupation and how competence should be demonstrated.
Implementation will require educator support, practical resources and regular review. The main risks are curriculum overload, content becoming too generic, uneven educator confidence and training products changing more slowly than technology.
Cybersecurity should remain a specialist profession. But it must also become a shared workforce capability. Cybersecurity does not need to become every worker’s profession, but it must become part of every worker’s professional responsibility.
Author biography
Faraz Khan is a cybersecurity educator at Victoria University and a 2025 ISS Institute VET International Practitioner Fellow, supported by the Victorian Skills Authority. His Fellowship examined international approaches to cybersecurity education, educator capability, practical learning and workforce development across the United States, Canada and Estonia.

