AI governance now tops security investments as 69% of Australian CISOs race to control data risk
AI, regulation, and human risk are converging. At Security Edge, CISOs redefined governance, resilience, and leadership for Australia’s cyber future.
Australia’s cyber landscape is being reshaped by intensifying regulation, surging attack volumes, and the rapid adoption of artificial intelligence.
As boards push for digital expansion and operational agility, organisations face the difficult balance of securing dispersed workforces while sustaining compliance and public trust.
These pressures framed the discussion at ADAPT’s 11th Security Edge in Melbourne, where more than 150 CISOs and senior security executives from leading enterprise and government organisations gathered to address how to strengthen posture, measure outcomes, and lead through another year of escalating risk.
Jim Berry, ADAPT CEO & Founder, opened the day noting the double-digit growth of Australia’s cybersecurity market and the urgency created by new obligations such as APRA’s CPS 230 operational resilience standard and the Cyber Security Act 2024.
He outlined that while quantum-safe systems are emerging, the community remains exposed to supply chain, identity, and extortion attacks.
ADAPT’s research, drawn from over 1,000 regional leaders, shows that AI governance has become the top investment priority for 69% of security leaders.
From that foundation, Security Edge examined how Australia’s security community is rebalancing governance, resilience, and human awareness to maintain trust and control in the age of AI.
Strengthening leadership through governance and accountability
During a conversation, David Gee, former Group CIO and CISO at HSBC, and Daryl Pereira, Head of the Office of the CISO for Asia Pacific and Japan at Google Cloud, explored how organisational confidence must be rebuilt from governance upward.
Daryl shared that leadership recovery begins with cultural clarity, not technical repair.
In previous incidents, he established unified command between the CEO, regulators, and technology teams to embed accountability across every executive tier.
David reinforced that such alignment converts cyber strategy from a cost centre into a performance function.
In a panel discussion led by security advocate and expert Jason Murrell, leaders from both public and private sectors reflected on what genuine governance maturity looks like in practice.
Tara Dharnikota, CISO at Victoria University, argued that maturity is less about ambition than realism.
She noted that many teams are stretched between the mounting demands of APRA’s CPS 230 and the expanding scope of the SOCI Act, forcing CISOs to prioritise essential controls before chasing automation at scale.
Building on that, Emily Mailes, Chief eHealth Strategy Officer at the VIC Department of Health, explained how public institutions must balance privacy assurance with digital growth.
She pointed out that effective governance now depends on shared trust frameworks across agencies to meet rising expectations from citizens and regulators alike.
Jason reflected that these shifts signal a new stage of maturity for Australian security leadership.
Drawing on ADAPT’s national data, he noted that CISOs are evolving from technical custodians to cross-functional strategists who link cyber investment directly to business confidence.
The panelists demonstrated how maturity depends on consistent transparency and rhythm: regular board reporting, independent reviews, and shared sponsorship of risk.
Leadership alignment, more than technology choice, determines the pace of resilience.
Unifying visibility across multi-cloud environments
That focus on accountability extended into the cloud discussion led by James Ng, CISO at Insignia Financial, and Mitch Ryan, Senior Solutions Engineer at Wiz.
James described consolidating inherited systems across AWS and Google Cloud following several mergers.
The fragmented environment had blurred ownership and complicated compliance.
By adopting a contextual risk framework linking vulnerabilities to business impact, Insignia simplified decision-making and empowered non-security teams to take direct action.
Mitch supported this by highlighting how end-to-end visibility across pipelines, workloads, and runtime enables faster, evidence-based remediation.
In the Security Edge panel, Peter Wolski, General Manager of Reliability and Security at MYOB, expanded this challenge to the supply chain.
He noted that third-party and SaaS dependencies are becoming the new blind spot in enterprise visibility, with boards increasingly demanding real-time supplier assurance through SBOMs and vendor risk dashboards.
This shift reflects a broader trend across Australian enterprises.
ADAPT’s research shows that 39% of security functions are now fully outsourced to managed SOCs, underscoring the importance of retaining internal visibility and contextual control even as detection responsibilities are externalised.
Organisations are converging telemetry to close context gaps, ensuring that even when detection is externalised, accountability remains internal.
Engineering resilience through shared accountability
Andrew Dell, General Manager of the Customer Security Management Office at Microsoft, expanded the discussion to enterprise resilience.
He explained how Microsoft’s distributed model embeds 18 deputy CISOs across business units, each responsible for managing risk in their domain.
This structural shift pushes ownership closer to operations, allowing governance to operate as a continuous loop rather than a reactive function.
Andrew stressed that resilience must be engineered from clear dependencies, not redundant systems.
He positioned continuity as the ability to anticipate, absorb, and recover from disruption while maintaining stakeholder confidence.
Gabby Fredkin, Head of Analytics and Insights at ADAPT, connected these operational realities to Australia’s data landscape, showing that Australian security leaders identify uncontrolled access to sensitive data as the number-one risk that agentic AI poses to security programs.
Gabby also noted that automation is scaling traditional weaknesses faster than maturity improves.
His findings tied directly to Andrew’s argument: resilience cannot be engineered without reliable data, unified ownership, and a governance model that translates intent into control.
In the Security Edge panel, Samrat Seal, Head of Transformation and Governance at Kmart Group, cautioned that uncontrolled generative AI tools are now expanding exposure faster than traditional controls can adapt.
He explained that identity misuse and credential-stuffing incidents continue to drain security resources, further proving that visibility and governance must evolve together.
Daniel Sutherland, Regional Vice President at DigiCert, added a complementary dimension on digital trust.
He outlined how cryptographic agility and post-quantum readiness are becoming board-level discussions.
By modernising certificates and adopting adaptable cryptographic frameworks, Australian organisations can align regulatory compliance with innovation rather than treat them as opposing forces.
These perspectives reframed resilience as a multidisciplinary exercise spanning architecture, governance, and digital assurance.
Addressing human risk through targeted intervention
Garrett O’Hara, Senior Director of Sales Engineering at Mimecast, shifted attention to the human element, identifying behavioural asymmetry as the next critical weakness.
While the majority of employees represent minimal risk, a small proportion consistently generate exposure events.
He urged a move from blanket awareness programs toward precision training driven by behavioural data and reinforcement within everyday workflows.
The Security Edge panelists built on this theme by examining how human behaviour and organisational culture shape resilience in practice.
VIC Department of Health’s Emily Mailes noted that cultural transparency remains the foundation of safe digital transformation in government, where security relies on trust between clinicians, administrators, and technology teams.
Building on that, Victoria University’s Tara Dharnikota explained that simplifying compliance cycles helps sustain engagement and morale, especially for teams under constant regulatory pressure.
MYOB’s Peter Wolski and Kmart Group’s Samrat Seal warned that the rapid adoption of AI-enabled tools without proper oversight is compounding human error with systemic risk, as shadow applications expand beyond existing controls.
Their insights collectively explained why cyber awareness training has jumped from 14th to 4th on Australia’s security agenda.
Behavioural reinforcement, not technical enforcement, is now the front line of resilience.
Turning compliance into boardroom confidence
Darren Argyle, former Group Chief Information Security Risk Officer and Board Advisor at Standard Chartered Bank Singapore, brought the discussion back to leadership maturity.
Drawing from his experience transforming risk programs under regulatory pressure, he illustrated how board influence depends on clarity, evidence, and consistency.
He framed cyber security as a mechanism for business assurance, not a compliance checkbox.
Darren’s focus on communication linked every preceding theme: governance transparency from David and Daryl, distributed visibility from James and Mitch, and behavioural trust from Garrett, Emily, and Tara.
Effective leadership is the force that binds these disciplines together, ensuring that controls deliver confidence rather than bureaucracy.
Australian CISOs now operate as integrators of trust: responsible for aligning technology, regulation, and culture in equal measure.
Recommended actions for Australian security leaders
Australian security leaders must bridge governance, visibility, and behaviour into measurable action.
The following priorities define the path forward for those leading the defence in FY26.
1. Institutionalise governance across executive teams
Distribute accountability for AI, data, and operational risk across business functions to ensure faster, coordinated decisions.
2. Converge visibility across hybrid and outsourced ecosystems
Integrate telemetry across cloud, SOC, and application layers to maintain clarity and reduce dependency risk.
3. Engineer resilience through design, not recovery
Define minimum viable operations, test partner continuity, and embed recovery principles within transformation programs.
4. Target the concentrated sources of human error
Adopt behavioural analytics and tailored awareness to address the 8% of users responsible for most incidents.
5. Elevate cyber security to a leadership function
Frame risk as performance, translating controls into commercial assurance and board-level confidence.
What is next for Australian security leaders
AI, regulation, and human complexity are converging faster than traditional defences can adapt.
The next phase of maturity will depend on how leaders integrate visibility, governance, and behaviour into a single operating model.
As ADAPT’s data confirms, uncontrolled access to sensitive data is the number-one AI risk, yet the deeper challenge lies in execution discipline.
The organisations that lead in FY26 will treat security as a business competency defined by clarity of ownership, data precision, and leadership cohesion.
Security Edge revealed a community determined to move beyond defence into assurance: where trust is measured not by compliance, but by confidence earned through intelligence, design, and decisive leadership.