Can Australian businesses win the whack-a-mole cyber war?

It’s so easy to get lost in the headlines. Overwhelmed by the billions of threats causing millions of damage by thousands of bad actors.

An endless supply of numbers, each carrying caution and consequence. No wonder businesses are burying heads in the sand.

Or worst yet, that feeling of complete desensitisation.

Many experienced observers argue that the market has swung like a pendulum from a state of complete ignorance to one of utter immunisation.

Armageddon. The result of years of doomsday scenarios being played out in the media – coupled with blockbuster breaches in the press – has served to switch off an industry to the true danger that cyber attacks pose.

“Security investment is a little under pressure in Australia,” observed Simona Dimovski, Founder and CEO of SkyGrid Industries. “Yes, the board remains very interested in cyber and that personal responsibility still exists but that isn’t translating in the same way in terms of investment dollars.”

To explain and expand, Dimovski deferred to more than 20 years of experience transforming cyber security and technology operations for organisations across financial services, insurance, local government, energy and aviation.

This is a seasoned figure of influence, previously holding leadership roles at Helia, Sutherland Shire Council, Ausgrid, Macquarie Group, Qantas, BT Financial Group and AMP.

“My roles have been around the CIO and CISO positions – finding that combination,” Dimovski added.

“In my experience, the board still sees cyber security as a technology issue. They understand the impact and risk to the business but at the same time, it’s still widely viewed as a cost.”

Even now? With high-profile breaches such as Optus, Medibank and DP World dominating news headlines in Australia.

“Opinions have definitely changed compared to previously,” Dimovski acknowledged.

“I remember how hard we used to have to fight for those investment dollars in cyber 10 years ago. Even six years ago, companies would still adopt the position of, ‘look, I don’t think we’ll be breached because we’re not really a target’.

“That thinking has changed, partly due to the incidents with Optus and Medibank which changed the executive mindset. So there’s still investment but not compared to what it was even a few years ago when those incidents had the most profound impact.”

The consequence of this is a business landscape rapidly falling into a “complacent state” – investment exists but in such a volatile economy, boards are making decisions and trade-offs.

“Cyber is now potentially part of that conversation,” Dimovski said.

“Especially for organisations in industries that are not regulated. In those instances, some businesses are favouring investments that will generate revenue.”

Taking centre stage at Moxie Authority 2025, Dimovski debated the state of security in Australia during the session – Winning the Whack-a-Mole Cyber War.

Declaring that cyber security is a mission-critical priority is as obvious as it is futile however. Instead, energy must now be devoted to dissecting cyber resilience frameworks in the pursuit of exposing weaknesses and strengthening defences.

“It’s a never ending war that we’re fighting,” Dimovski outlined.

The sharp rise in threats – now more sophisticated and severe than before – has created a new industry of cyber criminals, with hacking entities emerging across the world with the sole aim of attacking companies on a 24/7 basis. If cyber crime was a state, it would represent the third largest economy in the world, behind only the US and China in size.

“There’s just so much to consider from a cyber security perspective, the perimeters that you have to cover are huge,” Dimovski said. “Whether it’s the endpoint or the network, it’s never ending and very complex.

“It’s difficult to secure what you can’t see or don’t know and in some instances, the visibility of environments can be quite impossible.”

As a consequence, organisations are now probing CISOs with the multi-million dollar question – where do we draw the line?

“A huge investment is required yet businesses will never be fully secure,” Dimovski accepted. “So naturally, some boardrooms are coming to the conclusion that they could literally keep throwing money at this problem but still never be secure.

“Hence why boards are now asking, ‘what’s our return on investment? We’ve invested in all of this work and ran a massive security program yet we’re still not where we need to be’.”

In a sense, patience is wearing thin among executive leadership groups that understand the consequences of complete inaction but now question the relentless wave of investment required to remain on track.

Perhaps the gloss is wearing off. Maybe the day of reckoning didn’t arrive.

“The sensible companies are making risk-based decisions,” Dimovski said. “They are assessing their own organisational risk appetite and understanding their core purpose, product and/or service.

“This then extends to examining their risk appetite on cyber security and acknowledging that this could easily become a never ending money pit – so instead, what’s the right baseline? That’s the only way you can pragmatically approach this.”

Aligned to the theme of Inspired Knowledge, Moxie Authority 2025 housed the most influential figures setting the market agenda in business and technology across Australia.

This inaugural and invite-only conference in Sydney hosted more than 400 industry front-runners spanning all ends of the ecosystem, from CIOs, CTOs and CISOs to CDOs, CEOs and Founders.

Dimovski highlighted the frailties of Australian organisations and crystallised the salient strategies that matter in 2025 and beyond, supported by local data shared by Moxie Research.

Consolidation and convergence collide in cyber

To understand the true scale of the consolidation problem facing organisations across Australia, attention must be paid to the rise of convergence in the local market.

The negative impact of a soft market is that vendors – and by extension, partners – are expanding reach and moving into new areas of commercial focus.

Network vendors are moving into cyber security. Cyber security vendors are moving into the network. Enterprise vendors are moving down into the mid-market. SMB vendors are scaling up to the enterprise.

In other words, nobody is staying in their lane.

The end result is hundreds of partners, thousands of products and millions of threats – further challenging Australian businesses that are already struggling to navigate such a highly congested cyber security market.

Depending on who you ask, the average number of security tools and products that exist within an organisation varies.

For Palo Alto Networks, the average total comes to 31.5. Gartner has it at 45 while Panaseer stands at 76. Whether at the bottom or top end of that spectrum however, the number remains high.

“We’re talking humans, we’re talking networks, we’re talking applications – it’s a very vast landscape that businesses have to secure,” Dimovski stated.

“Based on my experience, I would agree that there’s somewhere between 40 and 80 different applications and tools in security. There’s certainly too many tools in that respect.”

The domino effect from an outsourcing perspective is that vendors and partners are now under greater levels of scrutiny as organisations rationalise third-party providers in an attempt to wrestle back control from a technology and commercial standpoint.

According to Moxie Research, 81% of Australian businesses are currently consolidating the number of cyber security vendors they work with.

By extension, 75% are also consolidating the number of cyber security outsourcing partners working in the account, such as managed security service providers (MSSPs), consultancy firms and system integrators.

For the majority, the aim is to consolidate the number of cyber security tools and vendors into a unified solution and/or platform during the next 6-12 months – a plan currently in place for 67% of companies surveyed and under consideration from a further 21%.

When probed further by Moxie Research, Australian businesses either “strongly agreed” or “agreed” with the position that multiple security vendor products create:

• Increased project costs (90%)
• Implementation challenges (88%)
• Operational challenges (88%)
• Additional risk / exposure (86%)
• Unnecessary complexity (84%)

“Don’t forget the task required to manage the amount of security tools in any one given organisation,” Dimovski cautioned.

“Unless you’re going to increase your resources to quite a high number, no one single team can manage that and no analyst will be able to have a view on what it will take to run those security tools ongoing.”

The on-stage observations from Dimovski mirror behind closed door conversations among CIOs and CISOs at Executive Roundtables hosted by Moxie Insights in Sydney, Melbourne and Brisbane.

As one leading CISO shared during a recent Chatham House Rules discussion, “I knew I was running too many security products when I walked around Gartner IT Symposium on the Gold Coast and 50-odd vendors said hello and shook my hand.”

While anecdotal, this type of insight is commonplace among the corridors of power at organisations of all shapes and sizes from the mid-market to the large enterprise.

“It’s a huge overhead but the sprawl happens organically over time,” Dimovski expanded. “Yes, great tools do exist on the market and CISOs sometimes drink the Kool-Aid, especially when you may already have tools in-house that do the job.”

Based on Moxie Research, the primary benefits of Australian businesses consolidating cyber security products and vendors is to:

1. Reduce complexity in management (61%)
2. Lower total cost of ownership (55%)
3. Improve threat detection and response times (55%)
4. Strengthen integration and communication between tools (52%)
5. Enhance visibility and reporting capabilities (50%)
6. Reduce skill gaps and easier training (35%)

On the flip-side however, the main consolidation concerns when swinging too far the other way are ranked as:

1. Risk of over-relying on a single solution (54%)
2. Cost of transition and integration (47%)
3. Vendor lock-in (43%)
4. Lack of customisation or flexibility (42%)
5. Compatibility with existing infrastructure (38%)
6. Loss of specialised features (29%)
7. Lack of awareness of consolidated options (29%)
8. Resistance to change or organisational inertia (27%)

For Dimovski – drawing on the experience of running a 12-month program around technology and security consolidation at a previous organisation – success is dependent on adopting a “balanced approach”.

“The program was across the board and yielded a lot of great savings as a result,” Dimovski explained.

“But it was a program of work and as a CIO or CISO, you really have to run it with a clear goal on what you want to achieve and dedicate people and resources to drive that forward. Run it like a project.”

In looking back, Dimovski recalled a mountain of questions arising at every turn, notably around who in the organisation has the required access and skills to operate each of the tools in place.

• Who has the right access?
• Who has the right skill sets to operate them?
• What contracts do we have in place?
• What does tool A or B actually do for the business?
• Do we actually need this tool?

“That is linked to a detailed timeframe which you have to work toward to figure all of this out along the way,” Dimovski added.

“The process reached a successful conclusion and we had a great outcome but yes, you have to give this type of work time, effort and focus. From a contractual standpoint, we took a whole year to complete it.”

Equally, businesses must understand the why behind the project and the projected benefits upon completion.

“They don’t necessarily always have to be financial benefits,” Dimovski recommended.

For example, one of the issues that Dimovski and the team encountered was too many tools for the team in place to monitor. This in turn created a significant amount of alert fatigue.

“Everything was alerting us and we couldn’t see the forest from the trees,” Dimovski recalled. “That was one of the biggest issues because we had people running around like headless chickens looking at what was going on all of the time.

“That’s when we decided, ‘no, this is a massive overhead for a team of our size so we need to start downsizing’. But on the flip side there’s a balance to strike because no single tool can actually do it all either.”

Accepting the fact that multiple tools are still required is an important caveat to consider during the consolidation process. Because as cautioned by Dimovski, there’s little value in pivoting the business too far in the other direction.

“It comes down to what you can effectively manage and whether it’s a good fit for purpose within your organisation,” Dimovski advised.

In a quick-fire summary, Dimovski shared the TLDR (too long, didn’t read) takeaway as “complexity is the enemy of security.”

At the crux, that means simplification, focus and resilience are required to drive cyber strategies in 2025 and beyond – based on the below checklist.

1. Supply chain risk is non-negotiable
2. Your incident response playbook isn’t a “nice to have” – simulate it
3. Get ahead of AI-powered threats by leveraging AI-powered defence

Moxie Authority 2025 housed the most influential figures redefining business and technology across Australia. This inaugural and invite-only conference in Sydney hosted more than 400 industry front-runners spanning all ends of the ecosystem, from CEOs, CIOs and CTOs to CDOs, CISOs and Founders.