Sanja Marais

Safeguarding trust through resilience… the security mandate in health

What drives our cyber security priorities is simple: trust.

Our patients trust us with their health, our team trusts us with their personal data and our customers trust us to operate securely. Delivering on that trust is at the core of our cyber security strategy.

Sanja Marais (Aspen Medical)

From a business standpoint, our top cyber security priorities during the next 12-24 months are:

  • Data governance and classification: We’re putting strong focus on securing both patient and employee data, while also ensuring we’re AI-ready from a governance perspective. Getting data classification right means we can protect sensitive information but also use data responsibly to enable AI and analytics in a safe, controlled way.
  • Building resilience through continuous testing: Cyber security isn’t a “set and forget” exercise. We need to assume attacks are constant, so we’re committed to testing, improving and testing again. This cycle ensures our defences evolve as quickly as the threats do.
  • Managing third-party and supply chain risk: Healthcare organisations are deeply interconnected. We rely on partners and platforms, which makes supply chain security a critical part of protecting our ecosystem.
  • Remote work: Enabling new ways of working for our remote employees through a secure environment in which they can use their own devices.

Balancing long-term strategic initiatives with immediate operational needs and board expectations comes down to trust, discipline and clarity of purpose.

Over the past eight years, I’ve built strong trust with our board and executive team by being transparent, consistent and outcomes focused. That trust gives us the space to pursue longer-term initiatives, like strengthening data governance and classification to ensure we’re both secure and AI-enabled for the future.

At the same time, I never lose sight of the day-to-day.

Cyber threats are constant, so we keep our resilience sharp by testing, improving and testing again. This ensures the organisation sees immediate protection while we continue to build for the future.

Balancing both means framing security as a business enabler, not a roadblock. When the board sees that long-term investments reduce risk, unlock innovation opportunities and protect patient trust, they understand why the strategy matters just as much as today’s operational response.

Managing risk, from people to supply chain

According to Moxie Research's Security Outlook: Australia 2025 / 2026, 72% of organisations in Australia remain confident that cyber security preparedness translates into actual readiness. To illustrate this point, security investments continue to align with evolving risk profiles in the majority of instances, with 54% of businesses “fully aligned” and 39% “mostly or somewhat aligned”.

But more work is required, with 82% of organisations committed to strengthening risk management and cyber resilience during the next 6-12 months.

In assessing the evolving threat landscape today, our biggest concerns are third-party/supply chain risk and the growing wave of attacks on healthcare organisations. Healthcare is a prime target because of the value of patient data and the critical nature of our services – attackers know disruption here can have immediate human impact.

At the same time, we operate in a highly interconnected environment, relying heavily on partners. This makes third-party risk a real pressure point. Even if we secure our own systems, vulnerabilities in our partners’ systems or processes can expose us.

It’s why we are doubling down on partner due diligence, continuous monitoring and making sure our supply chain is as resilient as our internal systems.

According to Moxie Research – and reflective of tough economic conditions and a drive towards industry standards – the three most pressing business challenges facing Australian organisations from a cyber security standpoint are:

  • Managing budget constraints: 64%
  • Tackling cyber risk: 44%
  • Ensuring regulation compliance: 34%

In the context of Aspen Medical, we consider three significant barriers to strengthening organisational security posture today.

First, people remain the most common entry point for attackers. Phishing, social engineering, and human error are still responsible for many breaches. No matter how advanced our technology is, we have to continually educate, support and empower our people to be the strongest part of our defence, not the weakest.

Second, third-party risk is a growing challenge. Healthcare relies heavily on partners and suppliers, which means our security is only as strong as the weakest link in that chain. Ensuring our supply chain meets the same standards we hold ourselves to requires constant vigilance and collaboration.

Finally, there’s the challenge of balancing the CIA triad – confidentiality, integrity and availability.

In healthcare, availability is mission critical. Systems must be up to deliver patient care. But sometimes the push for high availability can come into tension with strict confidentiality and integrity requirements. Striking that balance is complex, and it requires trade-offs that always put patient trust and safety at the centre.

Security Outlook: Australia 2025 / 2026 (Moxie Research)

Consequently, the CISO role has moved well beyond being a purely technical function. Today, it’s about trust, resilience and enabling the business. We’re no longer just securing systems, we’re helping shape how organisations use data responsibly, prepare for AI and manage risk across an extended supply chain.

For me, the role has become more about translation. I translate cyber risks into business risks the board understands and I translate strategic priorities into practical steps the workforce can act on. It’s about balancing confidentiality, integrity and availability in a way that protects patients and employees while keeping services running.

That requires as much focus on people and culture as on firewalls and threat feeds.

To overcome the challenges outlined above, we focus on three things: people, supply chain and balance.

  • People: Invest in awareness and behaviour, not just training. Make security real for staff by showing how it protects patients and colleagues, not just data. When people understand the “why”, they’re more likely to make the right choices under pressure.
  • Supply chain: Treat third-party risk as a shared responsibility. Don’t just check the box with contracts, build genuine partnerships where transparency and joint resilience testing are the norm. We’re only as strong as the weakest link, so strengthening that chain requires collaboration, not just compliance.
  • Balance: Remember the CIA triad: confidentiality, integrity and availability. In healthcare, availability can feel like it overshadows the others but true resilience means balancing all three. That takes constant dialogue with the business so everyone understands the trade-offs and supports the right decisions.

If you keep those three pillars in focus, you’ll not only strengthen security but also build trust.

Strengthening our security stack, future-proofing operations

As outlined by Moxie Research, during the next 12-24 months, Australian organisations will increase adoption of data security (56%), AI security (55%) and cloud security solutions (43%).

Our technology focus is tightly aligned to the challenges already outlined – protecting people, managing third-party risk and preparing for the future:

  • Automating data governance across our Office 365 environment – so that employee and business data is not only secure but also properly classified and ready for responsible AI use.
  • Providing more flexibility with BYOD – giving our team secure ways to work on the devices they’re comfortable with, without compromising our standards.
  • Strengthening our cyber dashboards and real-time threat intelligence – ensuring both the board and operations teams have clear visibility of risks and can respond quickly.
  • Strengthening our supply chain risk management by utilising AI tools – applying the same continuous testing mindset to third parties that we apply internally, so we can spot vulnerabilities before they impact us.

These priorities are driven by the same principle: trust. Patients and our employees trust us with their data and customers trust us to operate securely – every solution we invest in must reinforce that trust.

In a challenging economic climate, cyber security investments are under growing scrutiny as boards demand proof of measurable risk reduction. While spending on tools, training and services has surged in recent years, many organisations are now required to translate investment into clear outcomes.

Under this level of scrutiny – and according to Moxie Research – 65% of Australian organisations are struggling to demonstrate “clear measurable impact” from cyber security investments.

To evaluate whether a new security solution truly adds value to our organisation, we apply a very practical lens.

  • First, we look at the technology we already have: have we fully optimised it? If not, we don’t want to add another tool that just creates technical debt.
  • Second, we talk to our peers in the industry. Their real-world experience with a solution often tells us more than any sales pitch.
  • Finally, we look hard at the vendor relationship. We want partners, not just vendors. That means alignment with our values, a commitment to transparency, and a willingness to grow with us. If a solution can strengthen our resilience without adding unnecessary complexity, then it’s worth our investment.

By extension, partnerships are becoming less transactional and more collaborative. We don’t just want vendors who sell us a product, we want partners who share accountability, who value transparency and who are willing to grow with us.

That means:

  • Working together on continuous testing and improvement, not just one-off deployments.
  • Expecting vendors to help us strengthen data governance and AI readiness, not just add another tool to the stack.
  • Building relationships where values align, so we know they’ll support us when challenges arise, not just when it’s convenient.

The threat landscape is too dynamic for “set and forget” relationships. We need genuine partnerships that evolve alongside our risks and our business.

Sanja Marais is Chief Technology and Security Officer at Aspen Medical. As part of Moxie Top Minds, Sanja contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights.