October 30, 2025
As of this year, the Australian Institute of Company Directors (AICD) has started incorporating cyber security incidents in their scenarios and assessments.
This demonstrates a mentality shift and is a clear signal that Australian boards must pay close(r) attention to security matters. Security is no longer ‘an IT problem’, and ‘I don’t understand technical matters’ no longer flies as an excuse.
Setting the tone from the top alleviates some of the traditional dichotomy and daily skirmishes around long-term versus immediate priorities.

This matters more than ever because, when you ask what the most significant barrier to strengthening organisational security posture is today, the answer can be found in one word.
People.
Upfront warning that I am heavily biased in this particular response, as conditioned by my academic background and much of my work to date. But in my humble (and passionate) opinion, the reasoning behind that simple response is threefold:
The first reason I briefly touched upon above, when discussing the board setting the tone from the top and the need for a better understanding of the pivotal importance security holds within any organisation.
Not everyone needs to be a technical specialist but a decent understanding and good-natured curiosity would go a long way in offering better support and improved, more sympathetic budgeting to strengthen security resilience.
Educating leadership and even middle management on the relevance and importance of security also goes a long way in supporting the balance of long-term and short-term goals.
At KPMG, we have seen tremendous benefits, and a dialogue that has evolved in surprising ways, in client organisations that have chosen to invest in a particular kind of cyber security training.
That is, an offering targeting department heads / managers that would otherwise fight for their own patch and traditionally see security as a hassle (and the CISO as a terrible person).
Some of the individuals that underwent said training appear to have ‘seen the light’, in the form of understanding that the organisation’s security strategy is more than a ‘nice to have’: it is a horizontal function that both affects and supports their own area – and it isn’t going anywhere.
The second reason, I would further break down into three parts.
First, there is a need to shift organisations’ thinking: from seeing their people as their weakest link and biggest vulnerability, to seeing them as both the (unfortunately) most-used attack vector and the first line of defence.
This change in perception would lead to a strengthened security posture by virtue of facilitating behaviour change – which is, ultimately, the entire goal of an organisation endeavouring to manage its human risk.
Second, and in direct support of the first point, I firmly believe every organisation needs an internal security culture strategy. People are at the core of the organisation both as workers and as customers, and trust across the board is paramount.
An organisation’s culture will always have a direct correlation to its success, especially long-term. As such, adequate and deliberate investment in people in a security sense – from mandatory training to up-skilling, to event attendance, to mentorship, and so on – sits at the core of this response.
Third, end-users can be benevolent or malevolent; the insider threat can therefore be unintentional or malicious. A well-rounded approach to tackling this risk and improving organisational security posture requires both soft and hard skills and strategies – neither can be overlooked.
The third reason is talent. Complaints are rife in our industry around the lack of available / suitable talent, and scary figures are released every year on the widening gap Australia will need to fill in this space.
Therefore, the skills shortage remains a top issue in Australia’s security landscape; improving an organisation’s ability to attract and retain talent retains a sense of urgency in most organisations, while being a continuous source of frustration. I do not see this going away anytime soon.
However, an organisation’s specialised technical workforce is not the ‘be-all and end-all’ in strengthening a security posture, and neither are the fanciest tools.
Enabling an organisation’s people to know what the best behaviour / response is, and choose to act it out – supported by suitable policies and procedure, genuine trust in peers and a good culture – would make a tremendous difference to the talent piece.
The concept that ‘if everyone has a bucket of water, the fireman’s job is easier’ is highly applicable here.
Rising identity risk, phishing exposure high
At present, and at least for the near future, compromised credentials and identity-based attacks represent the attack vector of highest concern to most organisations.
This is confirmed by the Australian Cyber Security Centre, which identifies compromised credentials as the principal way attackers gain access to business systems. Execution occurs via phishing and social engineering, the abuse of multi-factor authentication (MFA) weaknesses, brute force attacks, session hijacking and other such unfortunate means, while exposure is exacerbated by remote work and cloud usage.
According to Moxie Research – Security Outlook: Australia 2025 / 2026 – 57% of Australian organisations consider phishing as the “most concerning” attack vector today.
While the human layer can be hard to secure, intruders holding valid credentials can also be difficult to distinguish from legitimate activity.
Unfortunately, while such an intrusion may have minimal adverse effect and be caught in time, it can also have devastating consequences, such as ransomware and its financial implications, and / or long-lasting consequences, such as data exfiltration and its reputational complexities.
According to Moxie Research, during the next 6-12 months, Australian organisations will prioritise:
Priorities are subjective, however.
From people’s own opinions based on lived experience, to internal organisational pressures, to market expectations, to industry foci, to state legislative approaches, to national strategy… priorities will differ (sometimes only slightly, other times greatly).
No two reports are congruent on stats, or in complete agreement on order of importance. Similar threat trends can, of course, be observed, and some have the clear potential to affect all Australian organisations, no matter the size, location, etc., while others are far more niche but may be top of mind for some.
But I would be remiss not to mention the following:
When considering the drivers for these priorities and their broader context, a few core points come to mind.
First, the 2023-2030 Australian Cyber Security Strategy sets the baseline for cyber maturity expectations, regulation and general resilience.
This driver is born out of the Australian Government’s core duty and commitment to protecting its citizens and must continue to be relentless. Horizon 2 (2026-2028) is the Strategy’s next step in its phased approach, which will seek to scale up the level of cyber maturity across Australia’s overarching economy, increasing investment in the cyber ecosystem overall.
Second, continuously expanding regulatory change, with more in the works – this affects businesses’ governance and compliance requirements, and must be kept up with.
I see this as being driven by mostly reactive (and, occasionally, proactive) legal responses to cyber security developments on a global, national and local scale.
Australian organisations will continuously need to comply with changing security standards, increased transparency demands, privacy law updates, mandatory reporting, and so on in a bid to avoid legal / financial / reputational damage.
Third, growth in breadth, complexity and intensity of threats – we have all seen the published (horrendous) ever-climbing stats in Australian cyber crime, and we know that, as a nation, we are a highly attractive target, even as our organisations’ attack surface is also consistently increasing.
The sophistication of malevolent actors is definitely a priority for those in charge of / ultimately responsible for cyber security across any organisation, and it is something that does keep people up at night.
Strengthening the security stack
According to Moxie Research, during the next 12-24 months, Australian organisations will increase adoption of:
But this, too, is subjective, although I believe three key trends will dominate both budget and attention over the near(ish) future:
Zero-Trust Architecture (ZTA) and Identity Security:
Discussion around this isn’t new, but some solutions are. As attackers seem to have a knack for compromising and stealing credentials (and money, of course), urgently implementing the best possible identity hygiene seems like a highly worthwhile pursuit for most organisations.
The ZTA framework operates on the principle of ‘never trust, always verify’: no request is trusted because of where it comes from, and every access decision defaults to deny until identity, device and context have been checked. Strict authentication and authorisation solutions remain a top priority, with least privilege and privileged access management, strong (phishing-resistant) MFA policies and generally securing identities front of mind for the foreseeable future.
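The ‘never trust, always verify’ principle is easiest to see as an access decision that starts from deny and must be positively satisfied on every request. What follows is an added example, not code from KPMG, Moxie or any product: a small policy decision point in Python. The role table, the MFA categories, the session limits and the sample requests are all constructed assumptions; note that the source network is recorded but never used in the decision.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Every request is evaluated from scratch; nothing is inherited from the
network it came from. The policy values and sample requests below are
constructed for illustration and are not from any real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# MFA categories (assumed): SMS and plain push are deliberately excluded.
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}
ACCEPTABLE_MFA = PHISHING_RESISTANT_MFA | {"totp"}
MAX_SESSION_AGE = timedelta(hours=8)

# Least privilege: each role is the only source of permitted actions.
ROLE_PERMISSIONS = {
    "finance-clerk": {"invoice:read", "invoice:create"},
    "finance-approver": {"invoice:read", "invoice:approve"},
    "sre": {"prod:read"},
    "sre-breakglass": {"prod:read", "prod:write"},
}
# Sensitive actions need step-up: phishing-resistant MFA, a managed
# device and a recent authentication, regardless of the session's age.
SENSITIVE_ACTIONS = {"invoice:approve", "prod:write"}
STEP_UP_MAX_AUTH_AGE = timedelta(minutes=5)


@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    action: str
    mfa_method: Optional[str]
    device_managed: bool
    authenticated_at: datetime
    source_network: str  # logged for audit, never trusted for access


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...]  # empty when allowed


def evaluate(req: Request, now: datetime) -> Decision:
    """Default deny: every check must pass; all failures are reported."""
    reasons = []
    if req.mfa_method not in ACCEPTABLE_MFA:
        reasons.append("mfa:weak-or-missing")
    age = now - req.authenticated_at
    if age < timedelta(0) or age > MAX_SESSION_AGE:
        reasons.append("session:stale-or-invalid")
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.action not in permitted:
        reasons.append("authz:not-in-role")
    if req.action in SENSITIVE_ACTIONS:
        if req.mfa_method not in PHISHING_RESISTANT_MFA:
            reasons.append("stepup:mfa-not-phishing-resistant")
        if not req.device_managed:
            reasons.append("stepup:unmanaged-device")
        if age > STEP_UP_MAX_AUTH_AGE:
            reasons.append("stepup:reauth-required")
    return Decision(allow=not reasons, reasons=tuple(reasons))


NOW = datetime(2025, 10, 30, 9, 0, tzinfo=timezone.utc)

# Constructed sample requests covering the main failure modes.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "clerk_ok": Request("alice", frozenset({"finance-clerk"}), "invoice:create",
                        "totp", True, NOW - timedelta(minutes=30), "vpn"),
    "clerk_sms": Request("alice", frozenset({"finance-clerk"}), "invoice:create",
                         "sms", True, NOW - timedelta(minutes=30), "corp-lan"),
    "approver_totp": Request("bob", frozenset({"finance-approver"}), "invoice:approve",
                             "totp", True, NOW - timedelta(minutes=2), "corp-lan"),
    "approver_passkey_fresh": Request("bob", frozenset({"finance-approver"}), "invoice:approve",
                                      "passkey", True, NOW - timedelta(minutes=2), "cafe-wifi"),
    "approver_passkey_stale": Request("bob", frozenset({"finance-approver"}), "invoice:approve",
                                      "passkey", True, NOW - timedelta(minutes=30), "corp-lan"),
    "sre_prod_write_from_lan": Request("carol", frozenset({"sre"}), "prod:write",
                                       "fido2", True, NOW - timedelta(minutes=1), "corp-lan"),
    "hijacked_session": Request("dave", frozenset({"sre"}), "prod:read",
                                "fido2", True, NOW - timedelta(hours=9), "corp-lan"),
}


def run_samples() -> Dict[str, Decision]:
    return {name: evaluate(req, NOW) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:26} {'ALLOW' if d.allow else 'DENY ':5} {', '.join(d.reasons)}")
```

Two things are worth noticing when you run it. The approver on café Wi-Fi with a fresh passkey is allowed while the same approver on the corporate LAN with TOTP is not: location buys nothing, authentication strength does. And the SRE with strong MFA on a managed device is still refused a production write, because the role simply does not carry that permission; that is least privilege doing its job before any step-up logic is consulted.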
Cloud and supply chain security:
In today’s Australia, no organisation operates in isolation, and the overwhelming majority have (vast amounts of) online operational components.
An organisation is only as strong as its weakest link, whether that is an upstream supplier or the cloud provider with an unreal offer; assessing and securing dependencies, and monitoring and mitigating the associated risks, is central to any business (noting that regulatory expectations in this area are also increasing and must be well understood).
The appetite – and hunt – for the most efficient and effective solutions in this space will remain strong in the short-to-medium term.
The rise and evolution of agentic AI:
This is notably transforming service industries but also introduces serious, novel cyber security concerns.
For example, autonomous decision-making offers cost-saving solutions, increased speed, reduced potential operational bottlenecks, real-time personalisation, 24/7 capability, and an unprecedented potential for proactive action, making it a highly attractive business addition.
Nevertheless, the sheer complexity of its operation makes for an unprecedented attack surface (e.g. interactions with many application programming interfaces (APIs), databases, environments, etc.), and, if compromised or malfunctioning, agentic AI can act without human oversight in a highly dangerous way.
This can range from transferring funds, altering records or shutting down crucial systems at the hand of an adversary, to unpredictable emergent behaviour and the posing of great difficulties with functions such as monitoring and auditing.
In spite of the many known and unknown risks, use of this technology is expanding rapidly; solutions that can provide a degree of certainty around controlling and securing it will thus be increasingly sought after.
New CISO pressures, new partnering criteria
CISOs are under an enormous amount of pressure to get things right, keep them cheap and never drop a single ball.
A number of KPMG’s cyber leaders have been on that side of the fence in previous lives and genuinely understand and sympathise with that high-pressure position.
Indeed, many of them personally reach out to CISOs whose organisations have been breached and publicly exposed, in order to offer support on a human level. We are well-aware that could realistically happen to any one of us, anytime.
As an interesting side point, CISOs are a unique ‘breed’ of professionals who will often share intel with competitor counterparts; there is something wonderful about that, in the spirit of “the enemy of my enemy is my friend”. I truly enjoy watching those collaborations unfold and support / encourage them to the best of my abilities, whenever possible.
The trusted advisor role is crucial in this context, as CISOs rely on us to pick up on things they may have missed, stretching their own ‘protective’ abilities and temporarily bolstering their team and its purpose.
What they want from our partnership is honest feedback, bold and creative strategies, and streamlined ways to follow their thought pattern and holistically support them, demonstrating the best possible value for money (and working within often tight budgets).
Perhaps most importantly, CISOs need us to tell them what they need to hear and not just what they’d like to. This is a shift away from the traditional model of providing just what is contractually required and never risking upsetting the client – and it is truly fascinating.
According to Moxie Research, outsourcing partnerships in Australia can now be defined as:
CISOs also seek advice on how best to tackle board briefings, deliver impactful reporting and improve relationships with other areas of the business, in a bid to see their cyber strategies realised to the best of their potential.
Not only do they grapple with constant change and swift technological progress but also with how best to communicate the ever-changing threat landscape to an organisation that has its own internal competing interests, and do so in a compelling way.
This advisory relationship is one of the most fascinating ones that, as a consulting industry, we are privileged to hold; whenever such a partnership has taken hold, we have seen it blossom and incredibly rewarding work has almost always come out of it.
Dr Ana Forsyth GAICD is Associate Director at KPMG. As part of Moxie Top Minds, Dr Ana contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights. Download the report here.