What does effective cyber security look like when budgets, maturity, and operational reality do not line up?

In this Security Edge discussion, Adam Cartwright, CISO at Australia Post, and David Gee, ADAPT Advisor and Influential CISO, examined how security leaders operate outside well funded, cyber mature environments.

The discussion focused on pragmatism, threat-led decision-making, and the commercial judgment required to make security land in organisations where resources are constrained and cyber is rarely the dominant priority.

Cost, context, and the FMCG mindset shift

Cyber security in FMCG requires a shift from abundance to trade offs.

Unlike financial services, where boards are often more cyber mature and budgets are already established, FMCG organisations operate on thinner margins.

Every security dollar competes with manufacturing, operations, and other functions tied more directly to revenue.

Adam described this in commercial terms.

To fund a control, the business has to sell more product.

That changes the job of the security leader. Success depends on understanding those pressures, speaking in operational language, and building executive awareness in environments where cyber starts from a lower baseline.

Operational reality means safety and uptime come first

In manufacturing environments, cyber is rarely the first lens through which risk is viewed.

Safety and availability come first.

Operational technology changes the hierarchy of priorities.

These systems were built to prevent physical harm and downtime, not cyber intrusion.

That leaves exposure through legacy access methods, vendor practices, and weak identity controls.

Engineers are focused on safety and continuity, so cyber measures such as privileged access or identity enforcement can feel secondary.

Closing that gap requires translation.

Security leaders need to explain cyber risk in terms of operational disruption, production impact, and safety consequences.

Storytelling carries more weight than compliance theatre

Boards respond more clearly to real scenarios than abstract maturity reporting.

The panel argued that security leaders gain more traction when they map known attacker techniques to their own organisation and show where controls would fail.

That makes risk easier to understand and harder to dismiss.

It also gives executives a clearer basis for decisions about funding, exposure, and priorities.

This is where CISOs move beyond compliance updates.

Showing how an incident could actually unfold in the business creates more urgency than reporting against a framework alone.

Do fewer controls, but embed them properly

Resilience improves more when a small number of important controls are deeply embedded than when a long list is only partially implemented.

Most breaches still exploit familiar weaknesses.

Adam pointed to credential theft as a common initial access path, yet many organisations still have not dealt properly with passwords or moved fully to stronger identity controls such as passkeys.

For resource constrained teams, the message is simple. Start with the risks that show up most often and the controls that cut most deeply into them.

Breadth matters less than effectiveness.

Intelligence-led defence does not require a large team

Threat intelligence is useful when it is focused and applied.

Even without a dedicated intelligence function, organisations can use open source reporting, breach analysis, and adversary testing frameworks to understand how attackers operate and where their own defences are weak.

That gives security teams a way to test whether controls work against real behaviours rather than assumed threats.

The value comes from using intelligence to guide action, not from collecting more information than the team can use.

Tools support the work, but process determines the outcome

Tools help, but they do not solve the underlying problem.

The panel pushed back on the habit of treating each new tool category as progress.

From AI to XDR, vendor narratives can pull attention away from weak process discipline and poor execution.

Buying technology without embedding it into daily operations creates the appearance of control without much improvement in resilience.

Adam made the point plainly. Owning a tool does not create capability. Process, visibility, and decision making do.

Culture is the control layer that holds when everything else is stretched

As attacks scale faster and central teams remain limited, security depends more heavily on behaviour across the organisation.

That means fewer exceptions, especially for senior leaders, and more consistent expectations across teams.

It also means treating security as something owned operationally, not only by the security function.

In that environment, culture becomes a practical control layer.

It determines whether good practice survives pressure or gets bypassed when speed and convenience take over.

Key takeaways:

  • Focus investment on the controls that reduce the most common risks, especially around identity and credential security.
  • Use threat led scenarios to make risk concrete for boards and executives, rather than relying on framework reporting alone.
  • In constrained environments, stronger outcomes come from prioritisation, process discipline, and organisational consistency more than tool volume.
Contributors
Adam Cartwright CISO at Australia Post
A seasoned cybersecurity leader with extensive expertise in establishing and overseeing cybersecurity teams. A published author in the field of cybersecurity, notably... More

A seasoned cybersecurity leader with extensive expertise in establishing and overseeing cybersecurity teams. A published author in the field of cybersecurity, notably with the book ‘Ransomware: Enhancing Threat-Centric Cyber Defense’. Demonstrates strong leadership skills, fostering the growth of individuals within the industry.

Bringing a wealth of experience as an IT executive, adept at customizing security strategies according to specific industry sectors and threat landscapes. Proficiently manages security budgets spanning from $5 million to $160 million. Successfully established both in-house onshore and offshore security operations centers, collaborating with partner organizations to achieve robust security outcomes.

Possesses a rich background working with major global financial institutions such as American Express, Commonwealth Bank, ANZ Bank, as well as prominent players in the technology sector like IBM, and within the manufacturing vertical.

Less
David Gee CIO, CISO, Risk Executive & Author
David is a former CIO and CISO with over 20 years of global leadership experience across financial services, insurance, and technology risk.... More

David is a former CIO and CISO with over 20 years of global leadership experience across financial services, insurance, and technology risk. His roles at Macquarie Group, HSBC, MetLife Japan, and in advisory positions within fintech and cybersecurity ecosystems have shaped his deep expertise in cyber resilience, digital transformation, IT risk management and value realisation.

  • Global Head Tech, Cyber & Data/AI Risk at Macquarie Group.​
  • Former CISO for HSBC Asia Pacific, overseeing 19 critical markets.​
  • Led digital transformation as CIO of MetLife Japan, managing US$300M+ annual IT spend.​
  • Past CIO of Credit Union Australia and Information Officer for Lilly USA.​
  • Board and venture adviser across cybersecurity, fintech, and innovation sectors.​
  • Best Selling Author and Writer, regular contributor to ITnews, CIO Magazine, CSO, ​
    and Computerworld with 100+ published articles.​
  • Experienced in international assignments across Asia and the US, ​
    with a strong background in financial services and insurance.​
Less
security leadership transformation