The Security Divide: Why Australia’s Security Leaders Are Fighting Yesterday’s War
Australia’s Chief Information Security Officers are presiding over a dangerous illusion. Boardrooms applaud compliance dashboards and earmark budgets for AI pilots, yet the foundational controls that determine resilience remain incomplete.
Multi-factor authentication, among the most basic safeguards, is still not universal. Patching cycles, which should be embedded as routine, continue to drag out over months. And across critical infrastructure, Essential Eight maturity lingers at levels that would have been considered insufficient a decade ago.
This isn’t hyperbole. It’s a stark reality revealed by ADAPT’s Security Edge Survey of more than 120 CISOs, including executives responsible for protecting assets worth trillions of dollars and infrastructure serving 26 million Australians. Security incidents are climbing 30-40% year-over-year, even as the average security budget reaches $75 million.
However, that figure masks a telling disparity. While the average budget is $75 million, the median is just $10 million. This exposes a two-tier system where a small number of organisations operate with very large budgets, while the majority manage with considerably less.
Before we examine the data, we anchor this report in three practitioner perspectives that span national security, regulated finance, and large-scale enterprise change.
William MacMillan, former CIA CISO and now Chief Product Officer at Andesite, brings a hard-edged view of baseline controls and regulatory momentum.
David Gee, who built programs across HSBC and Macquarie and advises Australia’s critical infrastructure sectors, exposes the execution and resourcing realities behind most board dashboards.
Archie Reed, former CTO for Cloud Security at HPE and now CEO of strategic consulting firm Fragile to Agile, is a veteran security executive and advisor, helping enterprises translate technical initiatives into enterprise risk and business outcomes.