AI governance overtakes threat prevention as Australia’s top security spend
Australian CISOs now prioritise proof of protection. Tech vendors must demonstrate governance and measurable trust through verifiable results.
Australian security leaders are redefining how they measure performance.
After years of investing in prevention and detection, the priority has shifted to governance, accountability, and verifiable control.
ADAPT’s latest CISO research shows that 69% of Australian security leaders now rank AI governance as their top investment, yet only 1% believe their organisations are ready to operationalise it.
This change reflects more than new regulation or technology.
It marks a reset in how resilience is judged.
Boards now want proof that systems behave as intended, that responsibilities are owned, and that trust can be demonstrated under audit.
The new advantage belongs to those who can evidence control through governance automation, explainability, and continuous validation.
For technology providers, the opportunity lies in enabling that proof and transforming assurance from paperwork into performance.
CISOs are buying proof of governance, not more protection
The Australian security market is demanding verification, not volume. Governance maturity has become the benchmark for credibility as boards and regulators require demonstrable evidence that controls work.
The modern CISO is no longer measured by the number of technologies deployed, but by how well those investments produce traceable outcomes.
Gabby Fredkin, Head of Analytics and Insights at ADAPT, confirmed that 69% of Australian CISOs have made AI governance their highest investment priority while only 1% feel ready to implement it.
He described this as a “perishable opportunity” for CISOs to embed themselves in enterprise AI strategy before decisions shift elsewhere.
His analysis shows that only 3% of organisations have automated decision-making within their governance frameworks, and 62% operate at minimal control maturity.
The result is a widening gap between investment ambition and measurable assurance.
At Microsoft, Andrew Dell, General Manager of the Customer Security Management Office, has addressed that gap by embedding 18 Deputy CISOs across business units.
Each is accountable for governance and risk within their domain, ensuring that ownership is distributed and outcomes are traceable.
This approach converts governance from a static oversight function into an operating system for continuous validation.
Darren Argyle, former Group Chief Information Security Risk Officer and Board Advisor at Standard Chartered Bank Singapore, reinforced that compliance only achieves value when it translates into confidence.
Drawing from his board-level experience, he explained that leadership influence depends on clarity and consistency.
CISOs who can communicate control effectiveness in business terms command greater credibility and sustained investment.
As performance expectations rise, technology must make governance quantifiable.
Tools that measure control efficacy and automate compliance reporting will win the attention of executives seeking transparency over technical depth.
Resilience is being redefined as shared accountability, not outsourced assurance
Outsourcing has reached new heights, with 39% of security operations now externalised.
Yet responsibility cannot be delegated. Regulators and boards still hold enterprises accountable for assurance, continuity, and context.
The new definition of resilience hinges on shared visibility rather than isolated service contracts.
James Ng, CISO at Insignia Financial, and Mitch Ryan, Senior Solutions Engineer at Wiz, described how merging inherited systems across AWS and Google Cloud blurred ownership boundaries until visibility was unified under a contextual risk framework.
That integration connected vulnerabilities directly to business impact, allowing security teams to prioritise decisions with operational relevance.
Daniel Sutherland, Regional Vice President at DigiCert, observed that automation and crypto agility are now vital for sustaining resilience under regulatory pressure.
Continuous certificate monitoring, encryption lifecycle management, and post-quantum readiness ensure governance remains auditable even as systems evolve.
From the enterprise perspective, Peter Wolski, General Manager of Reliability and Security at MYOB, reported a surge in board requests for real-time supplier assurance dashboards across SaaS ecosystems.
He explained that visibility into third-party risk has become a standard boardroom expectation, not a specialised report.
These shifts are reshaping the resilience model.
The future belongs to platforms that integrate telemetry across clouds, suppliers, and identities into a single system of record.
When accountability is shared, control must be collective, and technology that enables this convergence will become indispensable.
Behavioural data is overtaking awareness as the next security currency
Human behaviour now defines the success or failure of governance.
Awareness programs once measured by completion rates are being replaced by behavioural telemetry that measures risk in real time.
Security outcomes depend not on knowledge but on consistency of action.
Garrett O’Hara, Senior Director of Sales Engineering at Mimecast, presented research showing that 8% of employees are responsible for 80% of incidents.
He explained that risk is concentrated among specific behavioural profiles, revealing why generic training fails to deliver meaningful change.
Tara Dharnikota, CISO at Victoria University, and Emily Mailes, Chief eHealth Strategy Officer at the VIC Department of Health, described how constant compliance cycles cause disengagement.
Teams become fatigued by repetitive reporting and training, undermining risk awareness rather than strengthening it.
Both argued for models where governance adapts to human behaviour instead of imposing friction on it.
Samrat Seal, Head of Transformation and Governance at Kmart Group, warned that uncontrolled AI adoption is accelerating identity misuse and shadow applications beyond the reach of current policies.
Security functions must now model human adaptation as part of governance, treating behavioural drift as a technical risk rather than a training failure.
Behavioural intelligence is emerging as the next layer of governance maturity.
Systems capable of detecting context, adjusting authentication dynamically, and reinforcing safe behaviour through design will reduce reliance on manual enforcement and enhance enterprise trustworthiness.
Recommended actions for technology vendors
Australia’s cyber priorities are shifting from defence to proof, and the vendors that will stay relevant are those that help CISOs demonstrate measurable trust.
These actions outline how technology providers can align their products with this transformation.
- Engineer explainability into every AI and analytics product – Ensure all AI-driven processes produce transparent, auditable evidence that meets governance, compliance, and board assurance requirements.
- Design for distributed accountability – Develop tools that unify visibility across hybrid and outsourced ecosystems so CISOs can retain clear ownership of risk, even when operations are externalised.
- Integrate behavioural intelligence – Convert human risk data into measurable governance indicators that elevate decision-making and sustain enterprise confidence.
AI, regulation, and human complexity are evolving faster than legacy controls can adapt.
Security leaders are prioritising transparency over defence, and boards now measure resilience through evidence, not intention.
Technology partners that enable CISOs to operationalise governance, embed accountability, and quantify resilience will shape the new standard for cyber maturity in Australia, where control is proven, trust is measurable, and assurance defines performance.