What does it take to balance operational resilience with rapid adoption of autonomous systems?

In this Security Edge panel, Sam Fariborz, CISO at David Jones; Darren Kane, Chief Security Officer at NBN; Mark Alexander, CISO at ASD; and Peter Hind, Principal Research Analyst at ADAPT, explored how security leaders enable change while maintaining resilience.

They framed cyber not as a control function, but as a business enabler grounded in risk, governance, and collaboration.

 

Key takeaways:

  • Security must position itself as an enabler of innovation, not a blocker, using risk-based conversations and practical alternatives to build trust and avoid being bypassed.
  • The balance between resilience and innovation depends on strong, frictionless governance that is embedded early, aligned to business context, and supported by clear ownership of risk.
  • AI adoption is unavoidable, so organisations must combine experimentation with guardrails through education, shared accountability, and governance that enables safe scaling rather than restricting progress.

 

Shifting the role of security

The panel agrees that security must act as an enabler.

If teams are seen as the “department of no”, the business simply works around them.

Instead, leaders position cyber as a problem-solving partner, explaining risk in practical terms and offering safer alternatives that still deliver outcomes.

This approach is increasingly important as organisations lean into generative AI.

As Darren put it, businesses are already “paddling to catch the wave” and if security slows them down, they risk being bypassed entirely.

 

Sector context shapes the risk conversation

Security strategy must align with the organisation’s context and risk appetite.

For Sam, retail priorities differ significantly from financial services, requiring a tailored view of threats and controls.

Rather than enforcing uniform standards, effective CISOs act as advisors, translating risk into business impact and allowing executives to make informed decisions.

This hinges on deep engagement with stakeholders and aligning cyber objectives to broader organisational goals.

 

Walking the fine line between operational resilience and innovation

Resilience remains non-negotiable, particularly in critical infrastructure environments.

Darren emphasises that with the scale of NBN, failure has national consequences, requiring extreme caution when introducing new technologies.

Mark reinforced this tension: AI is a powerful productivity enabler, but it introduces new risks around data sovereignty, access, and misuse.

Successfully navigating this balance requires embedding controls early while maintaining enough flexibility to innovate.

 

Governance as the foundation, not friction

Governance emerges as the central mechanism for balancing innovation and control.

Crucially, it must be practical and frictionless.

Heavy-handed policies or excessive approval processes drive behaviours underground.

Instead, organisations focus on early engagement and continuous dialogue, embedding governance into workflows so that it guides behaviour rather than blocks it.

This includes understanding how AI is used across the organisation, monitoring inputs and outputs, and evolving controls based on real usage.

 

Risk ownership and regulatory pressure

The panel highlights a shift in how risk is managed. Increasing regulatory requirements, particularly in critical infrastructure, mean organisations can no longer rely solely on risk acceptance.

Darren notes this makes conversations easier: security requirements are no longer negotiable, but mandated.

However, success still depends on maintaining trust and transparency with stakeholders, avoiding a purely compliance-driven approach that damages relationships.

 

Culture, collaboration, and shared accountability

Sam emphasises building allies across the business, particularly in functions like health and safety that already operate within risk frameworks.

By aligning cyber with existing practices and language, organisations create shared ownership of security outcomes.

Simple, accessible principles, such as secure access, logging, and authentication, help scale this approach, especially in smaller teams.

Over time, the goal is to embed cyber thinking into everyday decision-making across the organisation.

 

Experimentation with guardrails in an AI world

The panel closes on a clear point: experimentation with AI is unavoidable.

The focus must shift to enabling safe experimentation through strong governance and education.

Sam outlines an approach that starts with early guidelines on responsible AI use, followed by organisation-wide training, cross-functional governance groups, and continuous refinement.

The aim is not to restrict innovation, but to shape it responsibly.

Ultimately, the balance between resilience and innovation comes down to one principle: security enables performance by creating the confidence to move faster, not the friction that slows it down.

Contributors
Darren Kane, Chief Security Officer at NBN
Darren Kane has been the Chief Security Officer at nbn™ since March 2015.

In 2018, Darren was appointed to the Federal Government’s Industry Advisory Panel.

In 2020 he remained for the implementation of the Cyber Security Industry Advisory Panel to help guide the nation’s 2025 Cyber Security Strategy and provide ongoing advice to address emerging cyber security challenges.

Prior to nbn™, Darren served in Federal Government Law Enforcement Agencies for over 19 years in the Australian Federal Police, financial markets regulator the Australian Securities & Investment Commission, and 11 years at Telstra Corporation as Corporate Security Director where he was accountable for global protection of Telstra’s assets and engagement with national and international law enforcement and security agencies. Darren was Telstra’s inaugural Internet Trust and Safety Officer appointed in 2006.

In 2024 he was recognised as the iTnews Telecommunications Security Leader of the year and named as the AISA Diversity and Inclusion Champion of the Year. In 2020 Darren was awarded Male Champion of Change at the AWSN (Australian Women’s Security Network).

Sam Fariborz, CISO at David Jones
Sam is an award-winning cybersecurity and technology leader with two decades' experience in uplifting cyber maturity across complex IT, OT and cloud...
Mark Alexander, CISO at ASD
Peter Hind, Principal Research Analyst at ADAPT
One of the ICT industry’s foremost analysts and commentators, Peter Hind has spent over 25 years advising and talking on topics across the technology industry. His primary areas of interest are the potential of technology to transform the way organisations operate, the change management obstacles executives encounter in realising this potential, as well as the tactics and techniques leaders have deployed to overcome these difficulties.

With roles across IDC, Unisys, NCR, Sigma Data, and others, Peter now takes on multiple roles within ADAPT including the moderation of private events and roundtables, interviewing business executives about the strategies they are pursuing and assisting with the structuring of delegate surveys.
