Tara Dharnikota

Simplifying security to protect the academic enterprise

Over the next 12–24 months, my priorities are fairly simple to say, though not always simple to deliver – visibility, identity, data and resilience.

We are uplifting our SOC (security operations centre), tightening how we manage who has access to what and strengthening data protection. But all of that only matters if we can bounce back quickly when disruption inevitably happens.

Our focus is on simplifying, not adding complexity. I have a simple litmus test – does this technology make us more resilient or does it just give us another dashboard? Tools don’t solve problems on their own.

Does it reduce risk, reduce cost or reduce friction? If a solution doesn’t tick at least two of those boxes, it is likely just adding noise.

I also ask, can we operationalise it with the team we have today, or will it sit in ‘shelf-ware purgatory’?

The right solution fits the organisation’s risk profile, integrates smoothly and makes life easier for both security teams and the wider business. Otherwise, it is just layering band-aids.


I’m also passionate about breaking down the walls between physical and cyber security. Attackers don’t think in silos, so why should we?

A converged model gives us the ability to respond holistically and proactively, whether it is a network event or something on campus.

Just as importantly, people remain at the centre – technology helps but culture is the real differentiator. Building trust, awareness and shared accountability across the university drives lasting impact.

To borrow a line that I often use… ‘we are not here to prevent every storm, we just have to make sure the roof doesn’t cave in when the rain comes’.

Achieving this is a constant balancing act, however.

I approach it by framing strategy as a journey with visible wins along the way. Boards don’t want a three-year plan gathering dust; they want evidence we are moving the dial today.

That means linking each tactical initiative – for example, uplifting MFA or DLP – to the longer-term roadmap and clearly showing ‘here is how this reduces risk now and gets us closer to our end state’.

I treat it like driving – you keep your eyes on the road ahead but you still check the mirrors. The long-term strategy provides direction but quick wins and operational hygiene build confidence with stakeholders along the way.

The trick is not letting the urgent crowd out the important. If you only fight fires, you will never fireproof the house.

Inside the identity dilemma

Universities are open by design and that openness makes identity the new perimeter.

According to Moxie Research (Security Outlook: Australia 2025 / 2026), 41% of Australian organisations are challenged by identity access management (IAM) complexity.

Threat actors are exploiting compromised credentials to blend into the noise. It is less about zero-days, more about the slow, quiet exfiltration of data through accounts that look legitimate.

Based on Moxie Research, 55% of Australian businesses cite data protection and privacy compliance as an ongoing area of concern.

But the real concern isn’t just one vector, it is the pace of change.

AI has supercharged both sides of the fence. Attackers are scaling their campaigns and defenders need to scale trust, detection and response at the same speed.

We don’t just need to play chess faster; the rules of the game keep changing while we are mid-move.

Beyond threats – and as outlined by Moxie Research – other organisational roadblocks remain.

Reflective of tough economic conditions – and a drive towards industry standards – the three most pressing business challenges facing Australian organisations from a cyber security standpoint are:

  • Managing budget constraints: 64%
  • Tackling cyber risk: 44%
  • Ensuring regulation compliance: 34%

Competing priorities, stretched budgets and finding the right talent – and none of that is unique to universities. That means cyber often feels like ‘cost without benefit’.

The culture piece is equally critical and so the real challenge is translating security into language that shows it is an enabler of trust, continuity and reputation; things every sector leader cares about.


On this, my advice to peers is simple – don’t try to do it all alone.

Build coalitions with stakeholders such as your IT department, with business units, with your staff on the ground. Security is ultimately about people, so bring them on the journey.

From a board perspective, speak less in terms of ‘threats’ and more in terms of ‘outcomes’.

Boards don’t wake up thinking about phishing kits; they worry about bigger things that affect the organisation and in the university where I work, it would be about student safety, operational disruption and reputational risk.

Therefore, anchor your conversations in their world, not ours.

And don’t underestimate the value of peer networks. I have learnt as much from informal peer conversations as from formal frameworks.

Examining the expanding CISO mandate

The CISO role used to be seen as purely technical, the protector of systems and patching.

Today, a CISO is part educator, part strategist, part diplomat explaining risk in business language, influencing culture and sometimes acting as a crisis manager.

We are also seeing the role expand into more of a CSO remit, bringing cyber and physical security together under one umbrella.

That convergence makes sense; threats don’t arrive neatly packaged as ‘digital’ or ‘physical’ and having a single leader gives organisations the ability to respond holistically.

You are not just building defences anymore, you are helping leadership navigate uncertainty, reputational risk and resilience in the broadest sense.

It is a role that now demands resilience, persuasion and occasionally a sense of humour because if you can’t laugh in this line of work, you will run out of energy before the threats run out of steam.

As the role of the CISO evolves – transitioning from technical to business value – outsourcing partnerships are progressing in the same direction.

Vendors and external partners such as managed security service providers (MSSPs) are becoming consolidated and scrutinised against enhanced criteria.

According to Moxie Research, outsourcing partnerships in Australia can now be defined as:

  • Strategic, deep and long-term partnerships: 36%
  • Adaptive, more selective and specialised: 41%
  • Transactional, primarily vendor-driven: 17%
  • Fragmented, lacking strong alignment: 6%

Partnerships are no longer transactional. I am not just after a vendor who sells me a tool or a product.

I want a partner who understands and brings insight into the sector’s unique risks and can co-invest in capability uplift, shares accountability and helps us succeed.

The best relationships are collaborative and transparent. I should be able to call them at 2am during an incident and know they are in the fight with me.

And as the landscape becomes more complex, partnerships become more valuable – ‘none of us is as strong as all of us’.

A partner who can blend expertise, agility and trust is worth their weight in gold.

Tara Dharnikota is CISO at Victoria University. As part of Moxie Top Minds, Tara contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights.
