Australian CISOs are being pulled into a new operating reality.

AI is moving into workflows, suppliers are expanding the attack surface, and operational systems now sit inside the cyber resilience mandate.

ADAPT research shows 77% of Australian CISOs are investing in AI governance in 2026.

That investment reflects a broader resilience challenge: business teams are operationalising new technologies faster than traditional oversight models can govern them, while security leaders are expected to manage data exposure, identity risk, agent behaviour, auditability and human approval without forcing the business into workarounds.

ADAPT’s Security Edge in Melbourne last May 2026 exposed the executive challenge.

Cyber risk is moving faster than enterprise decision-making.

Threat actors are using automation and AI-enabled discovery.

Cloud platforms, software dependencies, suppliers and operational technology are widening the attack surface.

Many organisations still rely on funding cycles, governance forums and board reporting rhythms designed for slower change.

The next cyber advantage will come from operating models that let leaders see risk earlier, decide faster, govern AI in workflow and keep critical services running when compromise, disruption or uncertainty hits.

Security has to reduce decision friction before the business finds workarounds

ADAPT research shows 75% of Australian organisations are exploring or actively pursuing security tool consolidation.

That trend points to a wider issue than vendor count.

Fragmented platforms create fragmented visibility, duplicated workflows and unclear accountability, which slows detection, decision-making and recovery when leaders need speed.

At the Security Edge panel discussion, Sam Fariborz, CISO at David Jones, explained that retail risk has to be assessed through the threats, customer data, business model and risk appetite of the organisation.

Her approach at David Jones was to create simple security and architecture principles around access control, authentication, authorisation, logging and monitoring, giving project teams practical guidance before formal security review.

She also connected cyber awareness with health and safety, using an existing business discipline that already understands risk language, behaviour change and shared accountability.

Security scales when the business has simple principles it can apply early.

Consolidation helps reduce the technical estate, while embedded principles reduce decision friction.

The leadership task is to give teams safer paths before risk becomes an escalation or shadow behaviour.

Back to top

AI governance must prove who acted, what changed and where human approval sat

ADAPT research shows 77% of Australian CISOs are investing in AI governance this year.

Governance spend has to produce evidence inside workflows.

Executives need to know:

  • which AI tools are being used
  • what data those tools can access
  • which identities and agents can act
  • what actions agents are permitted to take
  • when human approval is required
  • how decisions can be audited after the fact

William MacMillan, Chief Product Officer of Andesite and former CISO at the CIA and former SVP of InfoSec at Salesforce, drew the key operating boundary through the OODA loop.

William described AI as valuable in observe and orient work, where it can process data, contextualise alerts, correlate information and reduce analyst toil.

He was more cautious at the decide and act stages, where containment, escalation, production changes and sensitive data movement require human authority.

His “evidentiary AI” concept demands fine-grained records that humans can review, challenge and use for reporting, governance and regulatory scrutiny.

AI governance now lives in identity, role-based access, agent permissions, logging, data classification and approval thresholds.

Boards should expect evidence of control at the point where AI recommends, escalates or acts.

Security leaders who cannot reconstruct an AI-driven decision will struggle to defend it.

Back to top

AI scale depends on data, governance and ownership moving at the same pace

Machine-speed risk exposes organisations whose data, governance and decision models are maturing unevenly.

AI magnifies those gaps because it cuts across workflows, systems, teams and accountabilities at the same time.

Gabby Fredkin, Head of Analytics and Insights at ADAPT, framed this through ADAPT’s analysis of more than 1,000 executive surveys.

He shared a maturity model, showing AI readiness depends on data architecture, governance, people capability and process maturity moving together.

His koala, greyhound, turtle and tiger archetypes show the failure patterns clearly: fragmented experimentation, fast but weakly controlled scale, heavy governance without enabling architecture, or advanced capability that still has to sustain trust and orchestration.

If data is not trusted, classified, governed and observable, organisations get friction, weak control and poor scale.

ADAPT data shows 56% of organisations are “not ready” or “emerging” in data preparedness, while only 8% are optimised.

CISOs now have to treat data readiness as a control issue, CIOs have to treat architecture as a resilience issue, and CDOs have to treat classification, lineage and observability as security infrastructure.

The most useful AI maturity question is no longer how many pilots exist.

It is whether the organisation can answer who owns the workflow, what data is being used, how identity is controlled, how exceptions are managed and how quickly leaders can intervene when conditions change.

Back to top

Resilience now includes the operational systems and people that keep services running

ADAPT research shows 44% of Australian organisations have operational technology environments requiring significant or business-critical cybersecurity oversight.

Cyber resilience now extends into operational systems, infrastructure partners, suppliers, connected assets and AI-enabled workflows that can affect service continuity.

The discussions during the Security Edge panel made that risk practical.

Darren Kane, Chief Security Officer at NBN, described security accountability as a whole-of-risk role spanning personnel, protective security, infrastructure and technology, with incident response and recovery carrying national consequence in NBN’s context.

Meanwhile, Mark Alexander, CISO at ASD, added that AI can enable productivity while creating risks around data sovereignty, compartmentation, access and misuse.

Mark’s point on governance was operational: security teams need to understand who is using AI, what inputs and outputs are being created, whether hallucination is occurring and whether usage fits approved use cases.

During his keynote presentation, Alex Loizou, Cyber Security Leader at Intrinsic Security, showed what resilience requires during a public breach.

Drawing on his Medibank experience, Alex explained that incidents can move from unusual behaviour to confirmed breach, public disclosure and executive pressure before all facts are known.

He described 24 by seven leadership rotation, a twin CISO model and “warts and all” communication as mechanisms that preserve decision quality under exhaustion and scrutiny.

He also stressed that recovery has to run in two speeds: immediate remediation and longer-term trust rebuilding through assurance, testing and proof.

Resilience is now an operating design question.

Technical containment remains critical, while leadership capacity, communication discipline, supplier coordination, team endurance and trust rebuilding determine whether the organisation keeps functioning under pressure.

Back to top

Cyber investment is secured through executive alignment before the board pack lands

Boards need cyber information that supports decisions on exposure, control effectiveness, risk appetite and investment.

Dense reporting weakens that conversation because directors need clarity on what is working, where the gaps sit and which investment changes the outcome.

Jamie Rossato, CISO at Orica Australia, was direct about where cyber investment is won.

In an interview for the ADAPT Insider podcast, he argued that funding conversations need to be aligned with executive management before they reach the board because executives own implementation, trade-offs and budget sponsorship.

His preferred path is to show management that current controls are operating effectively, demonstrate value for money and then make unresolved risk visible.

He also favours a threat-led investment approach, where controls are prioritised against the internal and external threats most likely to affect the organisation.

Jamie’s view also applies to AI.

He warned that organisations likely have more AI activity underway than they realise, including shadow development or pilots that have effectively moved into production.

The CISO’s role is to create observability across data movement, third and fourth parties, code, applications and use cases so risk appetite can trigger the right controls.

Cyber investment cases need to give executives and boards decision-grade evidence:

  • the threats most likely to affect the organisation
  • the controls that materially reduce exposure
  • the gaps sitting outside risk appetite
  • the operating consequence of leaving those gaps unresolved
  • the investment that changes the outcome

The board conversation works when executive alignment already exists.

Back to top

The adaptation mandate for Australian security leaders

AI governance investment, security tool consolidation and OT exposure point to the same enterprise pressure.

Australian organisations are trying to govern faster, simplify complexity and protect operations in a risk environment that keeps accelerating.

Security needs to enter business decisions earlier through principles the business can use.

AI governance needs to produce evidence inside workflows.

Data discipline needs to become a control layer.

Resilience needs to account for leadership capacity, communication and assurance.

Board reporting needs to move from technical density to decisions about exposure, appetite and investment.

Cyber resilience is now a measure of enterprise adaptability. Security teams cannot offset slow decision-making, fragmented ownership, opaque AI use, excessive complexity or crisis plans that underweight people and trust.

The organisations hardest to destabilise will be those that move quickly with evidence, accountability and control.

Security Edge 2026 makes the mandate clear: cyber resilience is defined by how fast the enterprise can make the right decision under pressure.

Back to top

Contributors
Justina Uy Content Marketing Manager
Justina Uy is a data-driven content marketer that thrives on democratising elite know-how to empower Australia’s underdogs. Skilled at translating complex ideas... More

Justina Uy is a data-driven content marketer that thrives on democratising elite know-how to empower Australia’s underdogs.

Skilled at translating complex ideas into a compelling story across formats and channels, she shifts seamlessly between writing long-form articles, creating viral social media posts, and producing thumb-stopping videos.

Since 2015, Justina executes her vision through a sophisticated understanding of the rapidly evolving digital and business landscape to serve entertaining and educational insights to the executive community.

Less
management data compliance