Sam Fariborz

Managing cyber risk in retail, tackling identity threats

Today, CISOs must become involved in more technical conversations and on most occasions, wear different hats – it’s a new expectation from the role.

This is in addition to thinking like a CFO and making any decision through the lens of contributing to reducing risk, reducing cost or even creating revenue.

Within this context, security roadmaps and strategies must align closely with overall business objectives. Long-term security initiatives should include tactical quick wins that reduce risks immediately while also contributing to broader, long-term security goals.

Sam Fariborz (David Jones)

For example, when using the NIST Cybersecurity Framework, CISOs may determine that the Protect and Recover functions require more attention than the others.

Within each of these functions, you can define short-term quick wins that deliver measurable improvements while simultaneously developing longer-term plans to strengthen them further.

In practice, uplifting one domain area may require significant budget or resources, while another domain may be less costly and easier to address. It’s essential to identify the areas where risk reduction can be achieved quickly while also planning carefully for areas that demand more time, effort and investment.

Equally important is setting the right expectations with the board and executive leadership from the outset.

They need to understand that a security uplift is a multi-year journey requiring organisation-wide support. Success cannot rest solely with the cyber security team; it demands shared responsibility across the entire business.

According to Moxie Research’s Security Outlook: Australia 2025 / 2026, 41% of Australian organisations consider cyber security “foundational” and a “core strategic pillar” of the business.

In other words, security is no longer a standalone function, rather an enabler and competitive differentiator.

Identity, vulnerabilities, awareness and culture

During the next 12-24 months, our top cyber security priorities span three key areas – identity and access management (IAM), threat and vulnerability management, and security awareness and culture change.

On IAM, we assess our security maturity using the NIST Cybersecurity Framework, in alignment with retail industry best practices and benchmarks. One of the most critical gaps we identified was the maturity of our IAM capabilities.

The end-to-end process, from on-boarding to off-boarding, needed to be revisited and realigned. To address this, we defined a dedicated IAM sub-strategy aimed at reducing security risks while enhancing user experience.

This initiative includes reviewing and restructuring identity groups and organisational units, re-architecting our identity provider solution, on-boarding a fit-for-purpose privileged access management tool, enforcing the principle of least privilege and enabling auditing of administrative activities to improve anomaly detection and incident response.

According to Moxie Research, 41% of Australian organisations cite IAM complexity as the most pressing area of cyber concern currently.

Another priority area is strengthening our vulnerability and patch management practices. Previously, we lacked structured processes and proper tooling to identify vulnerabilities, and we had no framework linking vulnerability management with patching.

Our initiative focuses on improving visibility by at least 80%, establishing a consistent scanning cadence and building clear processes for working with asset owners on patching and remediation. These actions are designed to reduce risk exposure and ensure timely response to threats.

Security Outlook: Australia 2025 / 2026

Based on Moxie Research – and in rating an organisation’s ability to detect and respond to threats in real-time – Australian businesses rank as:

  • Advanced, highly proactive: 35%
  • Maturing, effective but improving: 41%
  • Developing, limited capabilities: 18%
  • Lagging, reactive only: 6%

Finally, security awareness and culture change is an important area of focus. With a workforce that includes many non-technical employees, tailored security awareness has become an essential focus.

Our approach is to educate users not just on corporate security policies but also on practical online safety practices that matter to their personal lives. By making cyber security relatable and relevant, we aim to drive genuine behavioural change and build a stronger security culture across the organisation.

Guiding principles for CISOs

For fellow CISOs seeking to overcome ongoing cyber challenges, my advice is to build a strong relationship with your executive leadership team and peers – we can’t succeed without their support and sponsorship. This also extends to communicating early on risks and on dependencies.

Beyond business, three guiding principles can be used to evaluate whether a new security solution truly adds value to your organisation versus simply adding another layer of complexity.

  1. Define a clear set of requirements upfront: It’s easy to fall into the trap of vendor sales pitches but the requirements must come from your organisation, not the vendors.
  2. Engage all teams that will be impacted by the new solution during the evaluation process: Ensure implementation challenges and required effort are thoroughly discussed before signing any contract.
  3. Finally, assess first whether your current solutions or existing vendors can address the problem: Only if they cannot should you explore new solutions.

A key aspect of my role is managing partnerships with our vendors and managed security service providers (MSSPs). This is especially critical for smaller teams that rely heavily on their partners to help manage risks and respond to threats and incidents.

However, I am noticing a growing disconnect between vendors and customers. As customer budgets become tighter, vendors are pushing for significant increases in annual costs. In fact, many of this year’s price adjustments have been well above the standard CPI increases seen in previous years.

According to Moxie Research, outsourcing requirements remain high as businesses balance resource constraints with rising cyber threats. Based on the data, the leading qualities that CISOs seek in a vendor or partner are:

  1. Deep expertise: 58%
  2. Strategic guidance: 53%
  3. Responsiveness and support: 51%
  4. Technology leadership: 50%
  5. Proven track record: 49%

Outsourcing doesn’t mean relinquishing control for CISOs, however. Accountability for tool selection, vendor due diligence and enterprise risk framework alignment remains a core responsibility.

Sam Fariborz is CISO at David Jones. As part of Moxie Top Minds, Sam contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights. Download the report here.
