April 29, 2026
There’s a quiet shift happening in cyber security – one that most organisations haven’t fully caught up with yet.
It’s the move from protection to endurance. From control to continuity. From security as a function, to resilience as a capability.
And it’s being driven not by theory, but by reality.

Across industries – particularly critical infrastructure, mining, energy, and resources – the threat landscape has fundamentally changed.
AI is not just another tool in the attacker’s arsenal; it is reshaping how attacks are conceived, scaled, and executed. The result is a world where trust itself is under attack.
We’re now seeing fake executive profiles, fabricated financial reports, and fake schemes appear openly on social platforms. Misinformation could be just as disruptive as malware.
This is not a future scenario. It’s already here.
The traditional model of resilience – prevent, detect, respond – is no longer sufficient. Not because it’s wrong, but because it’s incomplete.
Resilience is emerging as the defining capability of modern security leadership. Not resilience as a buzzword, but as an operational discipline embedded across OT, IT, and cloud environments – and increasingly, across AI systems.
This requires a shift in mindset:
At Fortescue, ensuring our operations across OT, IT, and cloud can withstand and recover from disruption is no longer aspirational – it’s table stakes.
And yet, many organisations are still structured around siloed controls, fragmented tooling, and reactive processes.
If resilience is the outcome, security by design is the mechanism. But this isn’t the version of “secure by design” that lived in architecture diagrams five years ago.
This is something far more pragmatic and far more urgent: designing systems that expect clicks. Containment. Sandboxing. Isolation.
It’s a subtle but critical reframing.
Instead of trying to eliminate human error, systems are being designed to absorb it. Instead of assuming users won’t click, we assume they will – and build environments that limit the blast radius when they do.
This becomes even more important in an AI-driven environment, where:
Security by design, in this context, is less about perfection – and more about containment.

As infrastructure decentralises and applications fragment across hybrid environments, one control layer is becoming dominant: identity.
According to Moxie Research – Security Outlook: Australia 2025 / 2026 – 41% of Australian organisations cite identity and access management (IAM) complexity as the most pressing area of cyber concern currently.
Identity has become the new control plane, and defending it is central to our resilience. This is one of the most important shifts in modern cyber strategy.
Perimeters are gone. Networks are porous. Devices are transient. But identity – human, machine, and increasingly agentic – remains the consistent thread.
The implication is clear: identity is no longer just an access function; rather, it is the enforcement layer for policy, trust, and risk. But it must extend across people, workloads, and AI agents.
This is where many organisations are still underinvested.
Achieving real-time situational awareness across hybrid environments is a foundational requirement. But visibility alone does not equal security.
The real question is: what do you do with that visibility?
This is where automation and AI come into play – not as standalone capabilities, but as force multipliers:
The goal is not just to see more but to respond faster, with greater precision, and at scale.
Perhaps the most significant shift is not technological; it’s organisational, because the CISO is now a strategic enabler of business outcomes.
This is supported by Moxie Research, with 40% of Australian CISOs now primarily identifying as a “business leader” – ahead of “crisis / risk manager” at 36%.
This is easy to say, but much harder to execute.
In practice, it means:
Enterprises do not exist to be secure; they exist to create value. The role of security and risk management is to safeguard that value while enabling growth.

This is the tension every modern CISO must navigate. And it’s why the most effective leaders are operating on two tracks:
It’s not a choice between the two. It’s a requirement to deliver both.
One of the most under-discussed challenges in cyber security today is not capability, it is complexity.
Too many tools. Too many platforms. Too little integration.
The answer is not more technology. It’s better alignment:
This is where many organisations fall short – adding layers without removing friction.
Finally, there’s a shift happening in how organisations engage with partners. The old model of transactional procurement is being replaced by strategic co-innovation.
Partners are no longer just vendors. They are extensions of capability.
But the bar is higher:
This is particularly true in environments where security, sustainability, and innovation are deeply intertwined.
Cyber security is no longer a defensive discipline. It is an operational enabler of resilience, trust, and growth.
The organisations that will lead over the next decade are not those with the most controls but those with the most coherent, integrated, and resilient operating models.
Vannessa Van Beek is Global CISO at Fortescue. As part of Moxie Top Minds, Vannessa contributed to Security Outlook: Australia 2025 / 2026 by Moxie Insights.