ADAPT’s latest webinar “Know Your Customer: 2025 A/NZ CISO Insights” unpacked the voice of 132 security leaders across ANZ, including CISOs, security directors, and heads of governance.  

The organisations they represent contribute more than 18 percent of the country’s GDP and employ 7 percent of the national workforce. 

CISOs are expected to protect their organisations from advanced threats, support transformation, and uphold regulatory requirements.  

But many teams remain structurally underfunded, lack operational clarity, and continue to fall behind in baseline maturity.  

This briefing, based on exclusive survey data presented at ADAPT’s April 2025 Security Edge event, reveals the immediate pressures facing security leaders and outlines the role vendors can play in addressing them. 

The above video is only an excerpt. 

ADAPT’s Research and Advisory Advantage clients can access the full webinar and slides.

Register to access the full webinar recording: Know Your Customer – 2025 A/NZ CISO Insights 

Security leaders are being pulled into business growth with little support

CISOs are increasingly being asked to support business expansion, customer outcomes, and faster product delivery.

Gabby observed that this shift has brought more attention to identity and governance capabilities, which are viewed as essential enablers of scale.

At the same time, many CISOs report insufficient budget and staffing to deliver on these objectives.

Organisations focused on growth are often the ones most constrained by headcount and funding, creating a growing mismatch between strategic ambition and operational capacity.


Legacy systems block modernisation and transformation

Gabby said that while many CISOs want to support cloud migration and AI adoption, they are still tied to legacy systems and complex internal processes.

This limitation affects their ability to introduce advanced threat detection and implement modern security frameworks.

In highly regulated and operationally intensive sectors such as healthcare, policing, and utilities, the challenge is even greater.

Older platforms often lack visibility and flexibility, creating friction that delays security uplift and weakens response coordination.


AI risks are high and preparation is low 

AI continues to gain momentum across organisations, but Gabby said security leaders do not feel ready to manage the risks.

Only 24 percent of CISOs say they are prepared to support AI adoption securely. The remaining 76 percent are either neutral or unprepared.

When asked to rate their capabilities, CISOs scored their ability to defend against AI threats at 4.1 out of 10, and their ability to use AI for security at 4.3.

Gabby explained that many teams are not implementing AI-based detection themselves and are unsure how to govern enterprise-wide use of generative models.

The perceived risk is highest in areas where AI makes autonomous decisions.

54 percent of CISOs view algorithmic decision-making as a critical risk, and 50 percent say the same for operations and process automation.

These concerns are driven by emerging attack vectors like prompt injection, data poisoning, and model supply chain compromise.


Tool fragmentation weakens response and limits speed

Gabby pointed to fragmentation as a major barrier to secure digital delivery.

The difference between high-performing and struggling teams often comes down to integration.

Among CISOs who believe security enables the pace of digital services, 60 percent have integrated tooling.

Among those who say it does not, only 8 percent have integration in place.

The most impactful factors for secure, fast delivery are consolidated tooling, anomaly detection, and empowered data ownership.

CISOs who report success in these areas are more likely to support iterative delivery and manage distributed risk environments without operational slowdown.


Maturity levels remain low across basic controls

ADAPT’s survey data shows that more than half of critical infrastructure organisations are not meeting baseline maturity across key control areas.

56 percent are below Level 2 on multi-factor authentication, 48 percent are below Level 2 on daily backups, and another 48 percent fall short on patching operating systems.

Gabby made clear that these are not advanced capabilities.

They are foundational measures required for baseline cyber hygiene and resilience.

Despite their scale and sectoral importance, many organisations still lack the tooling, processes, or internal advocacy to meet expected standards.


Recommended actions for tech vendors based on the insights

The 2025 data shows that most CISOs are under pressure to secure more with less.

While internal priorities evolve, expectations from executives and regulators continue to rise.

Vendors that want to stay relevant in this environment must shift from transactional outreach to targeted support based on local needs and practical delivery gaps.

  • Use Australian examples and risk profiles to reflect the realities of this market. Relevance builds trust, and trust drives engagement.
  • Provide tools, frameworks, and guidance that help CISOs manage AI-related risks and adoption securely across the business.
  • Explain how your product reduces duplication, improves visibility, or replaces disconnected point tools.
  • Equip CISOs with board-ready impact metrics, risk-reduction mappings, and financial justification content.
  • Align your product with Essential Eight, ISO, or other maturity frameworks to help CISOs show progress and compliance.
  • Show how your outsourced offering will operate with shared goals, transparent reporting, and cultural alignment.
  • Acknowledge the shortage of internal security skills and bandwidth. Position your service or product to compensate for that gap without overpromising automation.

 


The role of the CISO is expanding in scope, but remains limited in capacity.

Many security leaders are responsible for enabling business growth, governing AI adoption, and reducing operational risk.

But most still lack the tools, visibility, and board-level support to deliver effectively.

The gap between responsibility and resourcing presents a clear opportunity.

Vendors that understand the local challenges and can provide measurable, integrated support will stand out.


Contributors
Gabby Fredkin, Head of Analytics & Insights at ADAPT
As the Head of Analytics and Insights at ADAPT, Gabby Fredkin’s primary role is managing analysis to produce ADAPT’s actionable insights to identify trends supporting organisations in Australia.

With a passion for creating stories with data, Gabby is consistently rated as one of the top speakers at ADAPT’s events. In roundtable discussions, he specialises in using statistics to initiate thought-provoking discussions, enabling ADAPT’s customers to become more data-driven.

Using modern data science techniques, he provides ADAPT and its customers with confidence in the accuracy and validity of the information used for ADAPT’s research, advisory and events.

Working across artificial intelligence, machine learning, AI ethics, DevSecOps, end-user behaviour, and human-centred design, Gabby’s vast experience continues to grow, supported in part by a Master of Business Analytics from Deakin University.

Anthony Saba, Partner & Research and Advisory Executive Director
Anthony leads the growth and development of ADAPT’s Research and Advisory Practice, engaging directly with ADAPT’s community of C-Level Executives and equipping them with the relevant research, tools and advice to effectively lead and transform their organisations.

ADAPT’s Research & Advisory is pillared around equipping C-Level Executives with the insights & tools to:

– Empower the Workforce
– Improve Operational Efficiency
– Execute Data Driven Strategies
– Modernise Legacy Environments
– Embed Trust & Security
– Enhance Customer Experience
– Transform as a Business Leader
– Align the CEO & Board
– Engage Stakeholders Effectively
– Drive Technology Thought Leadership
– Enable Innovation & Transformation
– Optimise Budgets & Ensure ROI

Additionally, Anthony manages ADAPT’s 13-person Delegate Advisory Team responsible for the execution and delivery of all delegate acquisition and advisory programs for ADAPT across Asia Pacific.

Anthony also works within ADAPT’s Strategic Partner team consulting to leading service providers on customer acquisition and GTM strategies.

Outside ADAPT, Anthony is the Public Officer and a Board Member for Conviction Group, a newly established not-for-profit organisation that aims to encourage young Australians to re-evaluate their perspectives on pivotal issues concerning their mental health and to provide them with the tools to enhance their decision-making.
