AI, regulation, and human risk are converging. At Security Edge, CISOs redefined governance, resilience, and leadership for Australia’s cyber future.

Australia’s cyber landscape is being reshaped by intensifying regulation, surging attack volumes, and the rapid adoption of artificial intelligence.

As boards push for digital expansion and operational agility, organisations face the difficult balance of securing dispersed workforces while sustaining compliance and public trust.

These pressures framed the discussion at ADAPT’s 11th Security Edge in Melbourne, where more than 150 CISOs and senior security executives from leading enterprise and government organisations gathered to address how to strengthen posture, measure outcomes, and lead through another year of escalating risk.

Jim Berry, ADAPT CEO & Founder, opened the day noting the double-digit growth of Australia’s cybersecurity market and the urgency created by new obligations such as APRA’s CPS 230 operational resilience standard and the Cyber Security Act 2024.

He outlined that while quantum-safe systems are emerging, the community remains exposed to supply chain, identity, and extortion attacks.

ADAPT’s research, drawn from over 1,000 regional leaders, shows that AI governance has become the top investment priority for 69% of security leaders.

From that foundation, Security Edge examined how Australia’s security community is rebalancing governance, resilience, and human awareness to maintain trust and control in the age of AI.

Strengthening leadership through governance and accountability

During a conversation, David Gee, former Group CIO and CISO at HSBC, and Daryl Pereira, Head of the Office of the CISO for Asia Pacific and Japan at Google Cloud, explored how organisational confidence must be rebuilt from governance upward.

Daryl shared that leadership recovery begins with cultural clarity, not technical repair.

In previous incidents, he established unified command between the CEO, regulators, and technology teams to embed accountability across every executive tier.

David reinforced that such alignment converts cyber strategy from a cost centre into a performance function.

In a panel discussion led by security advocate and expert Jason Murrell, leaders from both public and private sectors reflected on what genuine governance maturity looks like in practice.

Tara Dharnikota, CISO at Victoria University, argued that maturity is less about ambition than realism.

She noted that many teams are stretched between the mounting demands of APRA’s CPS 230 and the expanding scope of the SOCI Act, forcing CISOs to prioritise essential controls before chasing automation at scale.

Building on that, Emily Mailes, Chief eHealth Strategy Officer at the VIC Department of Health, explained how public institutions must balance privacy assurance with digital growth.

She pointed out that effective governance now depends on shared trust frameworks across agencies to meet rising expectations from citizens and regulators alike.

Jason reflected that these shifts signal a new stage of maturity for Australian security leadership.

Drawing on ADAPT’s national data, he noted that CISOs are evolving from technical custodians to cross-functional strategists who link cyber investment directly to business confidence.

They demonstrated how maturity depends on consistent transparency and rhythm: regular board reporting, independent reviews, and shared sponsorship of risk.

Leadership alignment, more than technology choice, determines the pace of resilience.

Unifying visibility across multi-cloud environments

That focus on accountability extended into the cloud discussion led by James Ng, CISO at Insignia Financial, and Mitch Ryan, Senior Solutions Engineer at Wiz.

James described consolidating inherited systems across AWS and Google Cloud following several mergers.

The fragmented environment had blurred ownership and complicated compliance.

By adopting a contextual risk framework linking vulnerabilities to business impact, Insignia simplified decision-making and empowered non-security teams to take direct action.

Mitch supported this by highlighting how end-to-end visibility across pipelines, workloads, and runtime enables faster, evidence-based remediation.

In the Security Edge panel, Peter Wolski, General Manager of Reliability and Security at MYOB, expanded this challenge to the supply chain.

He noted that third-party and SaaS dependencies are becoming the new blind spot in enterprise visibility, with boards increasingly demanding real-time supplier assurance through SBOMs and vendor risk dashboards.

This shift reflects a broader trend across Australian enterprises.

ADAPT’s research shows that 39% of security functions are now fully outsourced to managed SOCs, underscoring the importance of retaining internal visibility and contextual control even as detection responsibilities are externalised.

Organisations are converging telemetry to close context gaps, ensuring that even when detection is externalised, accountability remains internal.

Engineering resilience through shared accountability

Andrew Dell, General Manager of the Customer Security Management Office at Microsoft, expanded the discussion to enterprise resilience.

He explained how Microsoft’s distributed model embeds 18 deputy CISOs across business units, each responsible for managing risk in their domain.

This structural shift pushes ownership closer to operations, allowing governance to operate as a continuous loop rather than a reactive function.

Andrew stressed that resilience must be engineered from clear dependencies, not redundant systems.

He positioned continuity as the ability to anticipate, absorb, and recover from disruption while maintaining stakeholder confidence.

Gabby Fredkin, Head of Analytics and Insights at ADAPT, connected these operational realities to Australia’s data landscape, showing that Australian security leaders identify the number-one risk of Agentic AI to security programs as uncontrolled access to sensitive data.

Gabby also noted that automation is scaling traditional weaknesses faster than maturity improves.

His findings tied directly to Andrew’s argument: resilience cannot be engineered without reliable data, unified ownership, and a governance model that translates intent into control.

In the Security Edge panel, Samrat Seal, Head of Transformation and Governance at Kmart Group, cautioned that uncontrolled generative AI tools are now expanding exposure faster than traditional controls can adapt.

He explained that identity misuse and credential-stuffing incidents continue to drain security resources, further proving that visibility and governance must evolve together.

Daniel Sutherland, Regional Vice President at DigiCert, added a complementary dimension on digital trust.

He outlined how cryptographic agility and post-quantum readiness are becoming board-level discussions.

By modernising certificates and adopting adaptable cryptographic frameworks, Australian organisations can align regulatory compliance with innovation rather than treat them as opposing forces.

These perspectives reframed resilience as a multidisciplinary exercise spanning architecture, governance, and digital assurance.

Addressing human risk through targeted intervention

Garrett O’Hara, Senior Director of Sales Engineering at Mimecast, shifted attention to the human element, identifying behavioural asymmetry as the next critical weakness.

While the majority of employees represent minimal risk, a small proportion consistently generate exposure events.

He urged a move from blanket awareness programs toward precision training driven by behavioural data and reinforcement within everyday workflows.

The Security Edge panelists built on this theme by examining how human behaviour and organisational culture shape resilience in practice.

VIC Department of Health’s Emily Mailes noted that cultural transparency remains the foundation of safe digital transformation in government, where security relies on trust between clinicians, administrators, and technology teams.

Building on that, Victoria University’s Tara Dharnikota explained that simplifying compliance cycles helps sustain engagement and morale, especially for teams under constant regulatory pressure.

MYOB’s Peter Wolski and Kmart Group’s Samrat Seal warned that the rapid adoption of AI-enabled tools without proper oversight is compounding human error with systemic risk, as shadow applications expand beyond existing controls.

Their insights collectively explained why cyber awareness training has jumped from 14th to 4th on Australia’s security agenda.

Behavioural reinforcement, not technical enforcement, is now the front line of resilience.

Turning compliance into boardroom confidence

Darren Argyle, former Group Chief Information Security Risk Officer and Board Advisor at Standard Chartered Bank Singapore, brought the discussion back to leadership maturity.

Drawing from his experience transforming risk programs under regulatory pressure, he illustrated how board influence depends on clarity, evidence, and consistency.

He framed cyber security as a mechanism for business assurance, not a compliance checkbox.

Darren’s focus on communication linked every preceding theme: governance transparency from David and Daryl, distributed visibility from James and Mitch, and behavioural trust from Garrett, Emily, and Tara.

Effective leadership is the force that binds these disciplines together, ensuring that controls deliver confidence rather than bureaucracy.

Australian CISOs now operate as integrators of trust: responsible for aligning technology, regulation, and culture in equal measure.

Recommended actions for Australian security leaders

Australian security leaders must bridge governance, visibility, and behaviour into measurable action.

The following priorities define the path forward for those leading the defence in FY26.

 

1. Institutionalise governance across executive teams

Distribute accountability for AI, data, and operational risk across business functions to ensure faster, coordinated decisions.

2. Converge visibility across hybrid and outsourced ecosystems

Integrate telemetry across cloud, SOC, and application layers to maintain clarity and reduce dependency risk.

3. Engineer resilience through design, not recovery

Define minimum viable operations, test partner continuity, and embed recovery principles within transformation programs.

4. Target the concentrated sources of human error

Adopt behavioural analytics and tailored awareness to address the 8% of users responsible for most incidents.

5. Elevate cyber security to a leadership function

Frame risk as performance, translating controls into commercial assurance and board-level confidence.

Contributors
Justina Uy Content Marketing Manager
Justina Uy is a data-driven content marketer who thrives on democratising elite know-how to empower Australia’s underdogs.

Skilled at translating complex ideas into a compelling story across formats and channels, she shifts seamlessly between writing long-form articles, creating viral social media posts, and producing thumb-stopping videos.

Since 2015, Justina has executed her vision through a sophisticated understanding of the rapidly evolving digital and business landscape to serve entertaining and educational insights to the executive community.
