Purpose

The purpose of this paper is to compare and contrast university governance structures with those of commercial providers of information security education.

Design/methodology/approach

Policy analysis methods from social research are used. Professional information security education (and certification) is generally provided by commercial training arms of major IT vendors, independent industry groups and universities. While the “for profit” status of commercial training organisations is recognised, the commercial standing of universities is unclear, since they increasingly charge commercial‐grade (or higher) fees for professional development, especially at the postgraduate level. The independence from commercial interests is one of the main attractions for students to undertake professional education at universities; however, if universities are becoming commercial, at what point and according to which criteria is the veracity of vendor‐supplied training and university education considered equal, or indeed, superior?

Findings

This paper briefly reviews the key drivers of university commercialisation, and discusses the implications for postgraduate education in the very sensitive area of information security, in an Australian context, especially where universities directly compete with private sector interests. The key findings are that universities who wish to offer information security programs in competition with private providers will need to adopt corporate‐style governance policies and procedures, which include industry representation on boards, and ensuring that academic independence is not compromised by deeper vendor relationships.

Originality/value

No other papers have specifically investigated the emerging trends in information security education, in an Australian context, and related these to the necessary changes in governance that will be required for universities to compete on equal terms with corporate providers.