Australia’s cybersecurity workforce problem: language that repels the people we need

Australia has a cybersecurity workforce problem, and part of the explanation is hiding in plain sight: the language of the field actively repels the people we need. Last year, I was on a panel for the Canberra Cyber Hubs Career Symposium, discussing career pathways with an audience of high school students. When one panelist mentioned working as a penetration tester, a male student in the audience started sniggering. I remember thinking little of it at the time. But later I reflected on the term itself: why did we name that job ‘penetration tester’? When examined, it carries connotations that have nothing to do with the work.

I have nothing against penetration testers. We need more of them. But the naming choice is symptomatic of something larger. Language in cybersecurity is deeply masculine or militarised. Consider the standard vocabulary: man-in-the-middle attack, kill chain, brute force. The list goes on. The problem is not merely aesthetic. Militaristic language creates the professional culture it describes – one that reads as homogenous, combative and accessible only to those fluent in combat jargon.

This framing was, in part, a deliberate institutional choice. In the early 2000s, the US Department of Defense shifted from information warfare to the cyberspace domain. By the late 2000s, cyberspace was officially defined as a ‘global domain’ within the information environment. The move was strategic: it gave the military legitimate authority to operate there, just as it does in physical spaces. But it also handed cybersecurity a conceptual vocabulary that has since shaped professional culture far beyond defence institutions and narrowed who feels entitled to work in the field.

That narrowing has real consequences. It feeds the hacker-in-a-hoodie stereotype and perpetuates the misconception that cybersecurity belongs to those who write code and think in adversarial terms. This ignores the reality of modern cybersecurity practice, where effective defence sits at the intersection of governance, risk, psychology, law and public policy. Ultimately, a field that defines itself through combat metaphors alone will struggle to recruit – and retain – the multidisciplinary talent that the complex, challenging and changing threat environment demands.

The definitional problem runs deeper than culture. A study conducted by the University of Sydney found that even experienced cybersecurity professionals could not agree on how to define the field. Women interviewed were more likely to include e-safety – including stalking, image-based abuse and digital surveillance – as a core cybersecurity concern, while male respondents were more likely to exclude it.

That divergence is not merely academic: if practitioners define the field differently, they model threats differently, and they leave gaps.

Language also shapes who enters the profession in the first place. Research from Monash University examining IT and software engineering job advertisements found specific patterns of linguistic bias: male pronouns, references to ‘rockstar’ candidates, and analytical terms statistically associated with male applicants.

Researcher Carol Cohn has documented the same dynamic in defence intellectual culture. Despite genuine expertise, she found that speaking in plain English rather than ‘techno-strategic jargon’ caused her interlocutors to treat her as uninformed. The barrier was not knowledge but rather language used as a credentialing mechanism, one that sorted insiders from outsiders before the argument began.

Australia faces a sustained cybersecurity workforce shortfall. Addressing it requires more than pipeline programs and graduate schemes. It requires interrogating the professional culture those pipelines feed into, starting with the language that defines it. That means professional bodies, government and educational institutions revisiting how they define the field, how job standards are written and what vocabulary they treat as the baseline of competence. Given cyberspace is a global domain, the language we use to govern it should reflect that – and the full range of people capable of defending it.