ADAPT’s Security Edge explored how CISOs can lead secure AI adoption, close maturity gaps, embed resilience into strategy, and meet Australia’s 2030 goals.

At Security Edge, over 150 of Australia’s top CISOs convened to tackle the theme Accelerating Secure Automation and Scaled AI.

Together, these leaders protect more than 29% of Australia’s GDP and over one in ten Australian workers, not including the customers and suppliers that amplify their cyber risk exposure.

The sentiment is clear: the stakes have never been higher.

CISOs are navigating a storm of accelerated digital growth, evolving compliance, and escalating threats, now supercharged by AI and looming quantum technologies.

While AI offers automation potential for detection and protection, it also introduces entirely new vulnerabilities.

As we all know, only fools rush in.

Seven years after the launch of the Essential Eight, implementation remains a national concern.

Of 84 participating organisations, including 29 labelled as critical infrastructure, fewer than six have reached the target maturity level.

More than 50% remain below Level Two.

Meanwhile, 75% of CISOs say they are not prepared to securely adopt AI, and 43% rate their current AI defences below average.

This is not due to a lack of intent, but a wall of structural headwinds.

CISOs cite the same ten barriers again and again: insufficient funding, outdated systems, competing internal priorities, skills shortages, user resistance, and lack of executive sponsorship.

Security often remains under-resourced, even as the risks compound.

Yet, this community remains united in its purpose.

The question is no longer why to secure, but how to gain the recognition and resourcing required to do so.

For Australia’s cyber leaders, success now hinges on making the business case, consistently, credibly, and well before the breach.

We explored the urgency of confronting these gaps head-on and outlined the practical next steps leaders are taking to protect their environments, elevate their influence, and embed cyber into the fabric of business decision-making.

Turn AI ambition into defensible capability or get left behind

Gabby Fredkin, Head of Analytics and Insights at ADAPT, opened the day with a data-led breakdown of CISO priorities and constraints.

The research revealed a widening gap between AI ambition and organisational readiness.

While AI is seen as a strategic enabler, most organisations are not equipped to harness it securely.

Only a small proportion rated themselves above average in using AI to defend against cyber threats, and even fewer felt confident in addressing the risks introduced by AI itself.

This capability gap is exacerbated by legacy environments and inconsistent progress on basic controls.

ADAPT’s aggregated benchmarking found that many organisations are still struggling to decommission outdated systems, maintain governance standards, and implement identity and access controls.

Where CISOs are making progress, it is often by reframing security as an enabler for business growth, aligning IAM, governance, and secure-by-design approaches with revenue expansion or product launches.

Those who fail to do so risk being outpaced by business transformation.

Cut through compliance noise by influencing with business-aligned clarity

Darren Argyle, former Group Chief Information Security Risk Officer at Standard Chartered Bank and Chair of the Cyber Leadership Institute, reinforced that true boardroom influence is not achieved through technical acumen, but by translating cyber risk into business impact.

CISOs must move from compliance reporting to articulating how cyber resilience protects revenue, enables customer trust, and sustains operations under stress.

Darren urged leaders to use frameworks such as the kill chain and business-aligned risk appetite models to reshape internal narratives.

Rather than focus on technical vulnerabilities, successful CISOs gain traction by clearly communicating their ability to defend the “crown jewels” — the assets that matter most to executive stakeholders.

He described how crisis simulations and ambassador programs can be leveraged to build internal awareness and political capital.

When done effectively, they open the door to greater executive sponsorship and increased funding before a breach occurs.

In an interview with ADAPT before Security Edge, Darren added that compliance should be treated as a trajectory, not an end state.

He warned that CISOs who fall behind industry peers risk increased scrutiny from regulators and potentially greater systemic risk exposure.

He also framed executive influence as the most critical factor in unlocking resources, particularly when leaders experience the operational impact of security failures firsthand.

Expose the gaps using transparency and metrics to lift national resilience

Jason Murrell, Chair and Co-founder of the Australian Cyber Network, challenged attendees to assess national progress against the 2030 cyber strategy.

He was joined by Kylie Watson, Head of Cyber Security at DXC Technology, and Catherine Rowe, Global CISO and previously at QBE Insurance.

All three speakers called attention to the absence of consistent progress reporting, funding transparency, and practical measurement across government initiatives.

Their joint research report found that Australia remains the fourth most attacked nation in the world.

Despite this, per capita investment in cybersecurity is significantly lower than peer nations.

Attacks on critical infrastructure are rising, yet many SMEs remain unequipped to defend themselves, putting entire supply chains at risk.

In the absence of clear national benchmarks or reporting mechanisms, CISOs are left to piece together their own metrics to justify spend and demonstrate readiness.

As Catherine put it, transparency is not just a policy issue but a prerequisite for national resilience.

In an interview with ADAPT before Security Edge, Jason expanded on these concerns, warning that Australia’s projected shortfall of 86,000 cyber professionals by 2030 poses a direct risk to national resilience.

He called for early cyber education, greater diversity in recruitment, and the development of sovereign innovation capacity to prevent local talent and IP from being commercialised offshore.

Outpace AI-powered threats by unifying signals and shrinking response time

In a panel moderated by Pratima Singh, Security Specialist Solutions Architect at AWS, four technology leaders unpacked the evolving threat landscape and the operational demands of defending against AI-enabled adversaries.

Fabio Fratucello, Field CTO – World Wide at CrowdStrike, pointed to increasing attacker speed and sophistication, driven by generative AI.

Attackers now leverage automation for vulnerability discovery and social engineering at scale, often overwhelming defenders with volume.

Brett Winterford, Regional CISO at Okta, emphasised that while AI lowers the barrier for attackers, defenders can regain ground by enforcing strong identity controls, least privilege access, and cryptographic protections that resist manipulation.

Antonie Falco, APJ CTO at Zscaler, called for harmonised telemetry across hybrid environments to improve detection and accelerate response.

Legacy silos, inconsistent signals, and fragmented tooling continue to delay incident handling and undermine trust in controls.

By streamlining visibility and enabling real-time analytics, security teams can improve mean time to detect and reduce fatigue across SOC operations.

Build trust that acts by formalising intel sharing and shared-response frameworks

William MacMillan, former CISO at the CIA and SVP for Information Security at Salesforce, drew from his experience in both government and private sector security.

He warned against “summitry” — well-intentioned but ineffective collaboration that produces no tangible change.

To move forward, he argued, partnerships must be operationalised with trust, clear incentives, and a shared understanding of objectives.

He cited examples from the US, where structured intelligence-sharing frameworks and cleared threat briefings helped overcome historical reluctance to share information.

Success depended not on goodwill alone, but on leadership setting the tone, allocating the right resources, and removing procedural roadblocks.

Australia’s cyber strategy will require a similar level of execution maturity if it is to make measurable progress by 2030.

In an interview with ADAPT before Security Edge, William expanded on the cultural and operational underpinnings of resilience.

He stressed that AI adoption must follow defined goals, not pressure, and that security environments should be structured to allow non-reactive teams to lead culture, hiring, and long-term planning.

He also urged CISOs to approach insider threat management as a multidisciplinary, values-aligned initiative that protects trust while mitigating risk.

Lead with composure under fire where visibility beats volume in cyber crises

Throughout the event, one theme persisted: leadership under pressure.

William’s reflections on crisis leadership at the CIA echoed throughout the day.

He spoke candidly about the demands of stepping into the CISO role during SolarWinds, building trust with unfamiliar teams, and navigating chaos with calm, direct communication.

His message was clear: in high-stakes environments, leadership must be seen as well as heard.

In his words, cyber professionals must ensure that stressed teams feel clarity, direction, and care.

CISOs must embody resilience before they can demand it from others.

Whether facing a regulatory crisis or a zero-day event, how leaders show up matters, and that presence is often what defines outcomes in the boardroom and beyond.

William also highlighted that operations centres must be structured to support distributed decision-making and coordination.

Clearly defined responsibilities and alignment on authority are critical to improving incident response outcomes.

He encouraged CISOs to begin evaluating emerging tools that reduce operational fatigue, positioning themselves early to adopt solutions that streamline noisy, complex security environments.

Contributors
Justina Uy, Content Strategist
Justina Uy is a data-driven content producer who thrives on democratising elite know-how to empower Australia’s underdogs.

Skilled at translating complex ideas into a compelling story across formats and channels, she shifts seamlessly between writing long-form articles, creating viral social media posts, and producing thumb-stopping videos.

Since 2015, Justina has executed her vision through a sophisticated understanding of the rapidly evolving digital and business landscape to serve entertaining and educational insights to the executive community.
