October 14, 2025
Australia is entering a critical phase in its digital journey. The last few years have seen a surge in cyber security and digital legislation, reflecting the government’s clear commitment to safeguarding the nation’s economy, critical infrastructure and citizen data.
The Cyber Security Strategy, the Digital ID Act, updates to the Security of Critical Infrastructure (SoCI) Act and reforms to the Privacy Act collectively signal that protecting our digital ecosystem is now a national priority.
Yet, legislation alone cannot secure the future.

The establishment of the National Cyber Security Coordinator’s Office and the ongoing work of the Australian Signals Directorate (ASD) have strengthened national resilience, while the implementation of a world-class AI governance framework ensures technology can drive productivity, prosperity and employability without compromising security or ethics.
Overcoming ‘unique’ cyber challenges
In assessing today’s evolving threat landscape, the most concerning attack vectors are identity compromise and supply chain risks, because they take advantage of trust and are often used in attacks.
Phishing is still a major problem too, regularly leading to account takeovers and data leaks.
According to Moxie Research – Security Outlook: Australia 2025 / 2026 – 57% of Australian organisations consider phishing the “most concerning” attack vector, while 41% remain challenged by rising identity access management (IAM) complexity.
On top of that, relying on third-party platforms leaves organisations exposed if a trusted partner is breached. Tackling these risks means keeping a close watch, putting proactive controls in place and ensuring vendors meet strong security standards.
This is supported by Moxie Research with 82% of Australian businesses set to strengthen risk management and cyber resilience during the next 6-12 months, alongside preparing the business for a ransomware incident in the first 24 hours (74%).
All up, Australia faces unique challenges. As a vast continent, we are reliant on subsea cables for 98% of internet traffic, making us inherently vulnerable to disruptions. Meanwhile, small and medium enterprises (SMEs) remain underprepared and are often exploited as entry points for cyber attacks that ripple across supply chains.
Addressing these risks requires strategic investments, including a Cyber and AI Centre of Excellence in Western Australia, enhanced quantum computing capabilities and stronger collaboration between government, industry, academia and global partners.
Accountability has also become central to Australia’s approach. In response to high-profile breaches at Medibank, Optus and Epworth Healthcare, the government has signalled that board members and executives cannot ignore their responsibilities.
Prosecutions and regulatory actions underline a clear message: cyber security is not optional, and organisations must actively manage cyber risks and protect customer data.
Yet cyber security teams remain under constant pressure with talent shortages making it hard to attract and keep the right people. At the same time, cyber efforts must compete with other business priorities and be seen as supporting education outcomes rather than standing in the way.
As outlined by Moxie Research, the three most pressing business challenges facing Australian organisations from a cyber security standpoint are:
The threat landscape is becoming more complex as attackers move faster and innovate quicker than many organisations can respond.

In education, the challenge is even greater because open learning environments need to stay accessible while also being protected with strong security measures. Overcoming these barriers requires strategic leadership, collaboration, and culture change.
Translating cyber concern into business blueprints
In Australia, cyber security is now a critical factor in broader digital transformation and business resilience strategies.
Forward-thinking organisations have embedded security across all digital and resilience initiatives from the outset. At a minimum, security is addressed as part of broader projects, though not always a primary driver.
According to Moxie Research, by business percentage breakdown, security is currently viewed as:
My priorities are centred on cyber resilience, governance and culture, framed within the broader national context of Australia’s digital future.
At the Department of Education in Western Australia, I lead the Cyber Security Enhancement Program, which takes a holistic approach to protecting the education sector’s digital ecosystem.
Beyond these technical initiatives, there is a significant cultural transformation effort: empowering staff and students to practise good cyber hygiene, ensuring executives understand their role in cyber governance and embedding awareness into day-to-day operations.
The drivers are both external and internal.
Externally, we face increasingly sophisticated threats – the education sector is particularly vulnerable given its open and collaborative digital environments, constrained budgets and lower maturity. Recent incidents such as ransomware attacks in Los Angeles and breaches at Catholic Education Melbourne and NSW schools highlight these risks.
Internally, legislation and regulatory needs, including WA Government Cyber Security Policy, emphasise the need for strong information security standards.
Together, these drivers make resilience, governance and culture essential to protecting not only organisational operations but also the nation’s broader digital ecosystem.
From a technology standpoint, priorities over the next 12-24 months focus on:
Key areas include maturing Security Operations Centres for real-time threat detection and response, deploying advanced SIEM (security information and event management) and SOAR (security orchestration, automation and response) platforms to automate monitoring and incident handling, as well as enhancing identity and access management to guard against credential-based threats.
Across Australia, organisations will also leverage AI and automation to accelerate detection, address workforce constraints and streamline processes.
Collectively, these initiatives aim to ensure that technology not only defends against evolving threats but also enables the organisation to operate securely and efficiently in a rapidly changing digital environment.
These priorities are driven by the need for resilience, operational efficiency and risk reduction.
According to Moxie Research, however, only 33% of Australian organisations claim to have a “fully integrated” security stack with tools providing a single, unified view through centralised monitoring and analytics. Conversely, that leaves 67% of businesses exposed due to integration issues, which can be broken down as:
Evaluating security solutions is not just about adopting the latest technology; it is about making strategic choices that genuinely strengthen the organisation’s resilience. Every solution should be assessed through three lenses: measurable risk reduction, seamless integration with existing platforms and operational simplicity.
Solutions that fail these tests often add complexity, consume resources and create new vulnerabilities instead of addressing the real challenges. By approaching security investments with this mindset, organisations ensure that technology aligns with strategy, enhances capability and delivers tangible value.
This disciplined approach transforms security from a reactive function into a proactive enabler of trust, efficiency and long-term organisational resilience.
To balance long-term strategic initiatives with immediate operational needs, I take a dual-track approach – tackling immediate risks while building long-term capability.
Quick wins such as improved vulnerability management, phishing detection, stronger identity controls and enhanced incident response provide the board with visible assurance and reduce pressing threats. At the same time, strategic programs focus on strengthening resilience and embedding sustainable security practices across the organisation.
By acting now and investing in the future, the organisation stays secure today and ready for tomorrow’s challenges. Long-term strategic programs focus on building structural resilience and sustainable capability, while immediate improvements provide visible assurance to the board and address urgent risks.
Assessing the evolving role of the CISO
The role of the CISO has evolved from being a technical guardian to a strategic leader and trusted advisor. Today, my responsibilities include guiding the board on risk exposure and appetite, shaping organisational cyber culture and ensuring that digital transformation initiatives are secure by design.
This is supported by Moxie Research, with 40% of CISOs now primarily identifying as a “business leader”, ahead of “crisis / risk manager” at 36%.
At a national level, coordination with the National Cyber Security Coordinator and ASD is fostering integrated information sharing and resilience across sectors.
Strategic partnerships with vendors, integrators and managed service providers (MSPs) are moving beyond transactional relationships toward co-innovation, where partners are expected to share intelligence, integrate seamlessly and take accountability.
The Whole-of-Government SOC model in Western Australia demonstrates how scalable resilience can be achieved through collaboration, turning partnerships into ecosystems of shared responsibility measured by improved resilience and response capability.
This integrated approach combines national strategic context, operational priorities and CISO leadership, positioning the CISO as a thought leader bridging technology, governance and policy.

In terms of advice for fellow CISOs in market, building cyber resilience isn’t just about technology; it’s about people, culture and collaboration. By working closely with business and industry, we can create strong talent pipelines, ensuring the right skills are in place to meet evolving cyber threats.
Making cyber part of everyday business conversations helps gain executive support and shows that security is not just a compliance task but a key enabler of organisational goals.
Simplifying tools and processes reduces complexity, letting teams focus on the most important security actions. At the same time, fostering a culture of shared responsibility empowers staff, teachers and students to play their part. Activities like awareness programs, simulated phishing exercises and clear reporting channels help build this collective vigilance.
Cyber security is everyone’s job and real resilience comes when people, processes and strategy work together. By acting now and planning for the future, organisations can stay secure today while preparing for tomorrow’s challenges.
The prosperity, productivity and employment of future generations will depend on the foundations laid out today. This means combining robust cyber security, responsible AI adoption and sovereign technological capability with a culture of accountability and collaboration across sectors.
By investing strategically, fostering international partnerships and ensuring that our critical infrastructure is secure, Australia is not merely reacting to cyber threats; it is leading the way in creating a resilient, innovative and forward-looking digital economy.
As we look toward 2030 and beyond, Australia could become a global leader in cyber resilience and AI-driven innovation, ensuring that our digital future is secure, prosperous, and inclusive.
But the time to act is now.
Prashant Singh is a Cyber Security Manager at the Department of Education, Western Australia. As part of Moxie Top Minds, Prashant contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights.