What does effective cyber security look like when budgets, maturity, and operational reality do not line up?

In this Security Edge discussion, Adam Cartwright, CISO at Australia Post, and David Gee, ADAPT Advisor and Influential CISO, examined how security leaders operate outside well-funded, cyber-mature environments.

The discussion focused on pragmatism, threat-led decision-making, and the commercial judgment required to make security land in organisations where resources are constrained and cyber is rarely the dominant priority.

Cost, context, and the FMCG mindset shift

Cyber security in FMCG (fast-moving consumer goods) requires a shift from abundance to trade-offs.

Unlike financial services, where boards are often more cyber mature and budgets are already established, FMCG organisations operate on thinner margins.

Every security dollar competes with manufacturing, operations, and other functions tied more directly to revenue.

Adam described this in commercial terms.

To fund a control, the business has to sell more product.

That changes the job of the security leader. Success depends on understanding those pressures, speaking in operational language, and building executive awareness in environments where cyber starts from a lower baseline.

Operational reality means safety and uptime come first

In manufacturing environments, cyber is rarely the first lens through which risk is viewed.

Safety and availability come first.

Operational technology changes the hierarchy of priorities.

These systems were built to prevent physical harm and downtime, not cyber intrusion.

That leaves exposure through legacy access methods, vendor practices, and weak identity controls.

Engineers are focused on safety and continuity, so cyber measures such as privileged access or identity enforcement can feel secondary.

Closing that gap requires translation.

Security leaders need to explain cyber risk in terms of operational disruption, production impact, and safety consequences.

Storytelling carries more weight than compliance theatre

Boards respond more clearly to real scenarios than abstract maturity reporting.

The panel argued that security leaders gain more traction when they map known attacker techniques to their own organisation and show where controls would fail.

That makes risk easier to understand and harder to dismiss.

It also gives executives a clearer basis for decisions about funding, exposure, and priorities.

This is where CISOs move beyond compliance updates.

Showing how an incident could actually unfold in the business creates more urgency than reporting against a framework alone.

Do fewer controls, but embed them properly

Resilience improves more when a small number of important controls are deeply embedded than when a long list is only partially implemented.

Most breaches still exploit familiar weaknesses.

Adam pointed to credential theft as a common initial access path, yet many organisations still have not dealt properly with passwords or moved fully to stronger identity controls such as passkeys.

For resource-constrained teams, the message is simple. Start with the risks that show up most often and the controls that cut most deeply into them.

Breadth matters less than effectiveness.

Intelligence-led defence does not require a large team

Threat intelligence is useful when it is focused and applied.

Even without a dedicated intelligence function, organisations can use open source reporting, breach analysis, and adversary testing frameworks to understand how attackers operate and where their own defences are weak.

That gives security teams a way to test whether controls work against real behaviours rather than assumed threats.

The value comes from using intelligence to guide action, not from collecting more information than the team can use.

Tools support the work, but process determines the outcome

Tools help, but they do not solve the underlying problem.

The panel pushed back on the habit of treating each new tool category as progress.

From AI to XDR, vendor narratives can pull attention away from weak process discipline and poor execution.

Buying technology without embedding it into daily operations creates the appearance of control without much improvement in resilience.

Adam made the point plainly. Owning a tool does not create capability. Process, visibility, and decision-making do.

Culture is the control layer that holds when everything else is stretched

As attacks scale faster and central teams remain limited, security depends more heavily on behaviour across the organisation.

That means fewer exceptions, especially for senior leaders, and more consistent expectations across teams.

It also means treating security as something owned operationally, not only by the security function.

In that environment, culture becomes a practical control layer.

It determines whether good practice survives pressure or gets bypassed when speed and convenience take over.

Key takeaways:

  • Focus investment on the controls that reduce the most common risks, especially around identity and credential security.
  • Use threat-led scenarios to make risk concrete for boards and executives, rather than relying on framework reporting alone.
  • In constrained environments, stronger outcomes come from prioritisation, process discipline, and organisational consistency more than tool volume.

Contributors
Adam Cartwright CISO at Australia Post
A seasoned cybersecurity leader with extensive expertise in establishing and overseeing cybersecurity teams. A published author in the field of cybersecurity, notably with the book ‘Ransomware: Enhancing Threat-Centric Cyber Defense’. Demonstrates strong leadership skills, fostering the growth of individuals within the industry.

Bringing a wealth of experience as an IT executive, adept at customizing security strategies according to specific industry sectors and threat landscapes. Proficiently manages security budgets spanning from $5 million to $160 million. Successfully established both in-house onshore and offshore security operations centers, collaborating with partner organizations to achieve robust security outcomes.

Possesses a rich background working with major global financial institutions such as American Express, Commonwealth Bank, ANZ Bank, as well as prominent players in the technology sector like IBM, and within the manufacturing vertical.

David Gee Former Global Head Technology, Cyber & Data Risk, Macquarie Group
David J. Gee has 20+ years' experience as CIO and CISO. He joined Macquarie Group in early 2021 as Global Head Technology, Cyber and Data Risk. David is responsible for protecting Macquarie Group using his significant expertise in technology and cybersecurity. He has served as CISO for HSBC Asia Pacific, based in HK and responsible for the most critical and profitable countries for this large investment bank. David drove the cybersecurity maturity uplift and led all aspects of cyber for HSBC in these 19 countries. Prior to HSBC, David had extensive transformational CIO experience across numerous significant roles.

At MetLife Japan, David was Statutory Executive Officer, Senior Vice President and CIO. This is the second largest market for MetLife, a US$70B enterprise. David led the digital transformation for this large insurer with a significant focus on digitizing end-to-end customer engagement processes. At MetLife Japan he managed a team of 230 IT staff supported by 1200-1300 external resources, with an annual IT spend in excess of US$300m.

David is Board Advisor to Sekuro, a successful cybersecurity company. A number of other Advisory roles are to be announced.

He is also past CIO at Credit Union of Australia where he successfully led a major transformation of all systems and technology. In this role he won CIO of the Year for Financial Services in Australia.

David has also been Executive Advisor for large-scale transformation with KPMG, Ernst & Young and ICG. He has deep experience with Fintech and innovation ecosystems. He is a mentor at Stone & Chalk and Tyro Fintech Hub, a Venture Partner with Sapien Ventures and a member of the Advisory Board of Venturetec.Accelerator. David has also been Fintech Advisor for a number of startups.

He is a digital industry thought leader and regular columnist with ITnews, CSO (Cyber), CIO Magazine and Computerworld, with more than 100 articles published.

David was Information Officer and CIO for Lilly USA ($12B sales) & member of Lilly USA management. He has also enjoyed international expatriate assignments in Tokyo, Shanghai, Hong Kong and Kobe and in the USA.
