Australia’s Chief Information Security Officers are operating in a dangerous gap between board-level confidence and operational reality.

The resilience gap is widening

Compliance dashboards look healthy, AI programs are attracting attention, and security budgets appear substantial.

Yet many of the controls that determine actual resilience remain incomplete.

Multi-factor authentication is still not universal. Patching cycles still stretch over months.

Across critical infrastructure, Essential Eight maturity remains below the level many leaders would consider acceptable for today’s threat environment. Incidents are rising, while foundational execution continues to lag.

This report draws on ADAPT’s Security Edge Survey of more than 120 CISOs, including executives responsible for protecting assets worth trillions of dollars and infrastructure serving 26 million Australians.


Budget pressure is shaping execution

Security incidents are climbing by 30% to 40% year over year, even as the average security budget reaches $75 million.

That headline figure overstates the operating reality for most organisations.

The median budget is only $10 million, showing that a small number of very large programs are lifting the average while most CISOs are working with far tighter constraints.

To ground the findings in practice, the report draws on three practitioner perspectives spanning national security, regulated finance, and large-scale enterprise transformation.

William MacMillan, former CIA CISO and now Chief Product Officer at Andesite, brings a hard-edged view of baseline controls and regulatory momentum.

David Gee, who built programs across HSBC and Macquarie and now advises Australia’s critical infrastructure sectors, exposes the execution and resourcing realities behind board dashboards.

Archie Reed, former CTO for Cloud Security at HPE and now CEO of Fragile to Agile, shows how technical initiatives translate into enterprise risk, resilience, and business outcomes.


What you’ll learn in this report:

  • The four critical weaknesses every CISO must confront: baseline negligence, the compliance trap, the AI mirage, and the widening skill gap.
  • Why board confidence, budget growth, and compliance activity are still failing to translate into stronger operational resilience, including gaps in board communication and vendor effectiveness.
  • The practical actions CISOs can take now, from auditing fundamentals and setting AI guardrails to improving influence and rationalising vendors with ROI in mind.

The Security Divide: Why Australia’s Security Leaders Are Fighting Yesterday’s War