Highlights

Highlights From Previous CIO Cyber and Risk Network Gatherings

July 2025

On July’s cyber and risk call, the participants discussed: 
 
  • The recent (and ongoing) Microsoft SharePoint exploitation incident. 
  • The social engineering attack against Qantas and implications for call centres and business processes.
  • Breach fatigue across the industry
  • That the participant’s board members were broadly confident with the level of cyber posture. However, there was a question around what reporting the participants are using to help communicate progress to the board.
A CISO Lens report based on feedback from their members, on standardised executive reporting, was shared will all partipants

June 2025

On June’s CIO call, the participants shared and discussed their answers to three questions:

  1. When a major cyber incident strikes, who owns the response within your organisation?
  2. What help/support do you need to better prepare your organisation to manage a major cyber incident?
  3. What help/support do you expect from the government when a major cyber incident strikes?

The participants spoke about how:

  • Their organisation’s ability to respond to a cyber incident was still locked in siloes.
  • Their plans were good in theory, but had yet to be subjected to a real test.
  • Many non-IT executives assume that IT will naturally be able to save the day with magical restoration of the entire technical environment and all the workflows that depend on the technical environment. 
  • Useful it would be if government agencies could share the same vendor assessments, instead of having to waste time and money by each agency conducting their own assessment.
  • Their executives appreciated that their organisation was probably at the lower end of the pecking order when it came to third party incident response providers.

One participant shared that a third party had recently guided their executives through a tabletop exercise and a key finding had been that the business needed to rely less on IT when a crisis happens. This aligns with our observations from when an incident happens; you do not get to choose which technology is available, or even which IT staff are available.

April 2025

  • Summary of April’s call:

Agenda Items

  • Budget forecast for 2025/26 – What risks/opportunities are you seeing? Implications for security programs?
  • Cyber simulations – strategies and approaches

Summary of Discussion

  • Budget forecasts for 2025/26 were discussed, with expectations of flat budgets and increased vendor licensing costs impacting security programs.
  • Organisations are moving away from traditional ransomware cyber simulations towards more realistic exercises like DDoS and ideologically motivated attacks.
  • The effectiveness of vendors claiming to run server infiltration exercises was questioned, particularly in cloud environments.
  • BYOD policies are being refreshed, and the use of messaging apps with disappearing messages for official communication is being examined, with varying approaches to policy and record management.
  • A number of CIOs mentioned they used WhatsApp for internal messaging.
  • Cost reduction in cyber security is being considered, focusing on optimising existing resources, demonstrating value, and process improvements.
  • One CIO mentioned that Incident response and accountability across system owners are being emphasised, with a shift towards supporting business owners and moving away from textbook simulations.
  • One CIO is willing to share the costs of managed SOC services as they have recently tested the market.

March 2025

In this months call, the CIOs discussed two agenda items:
 
The use of AI notetakers during meetings
  • Concerns were raised about consent, data privacy, and the accuracy of the summaries. 
  • Different organisations had varying policies and experiences with AI notetakers. Some were experimenting with them, while others were more cautious.
  • The use of internal versus external meetings and AI notetaking were also discussed, some CIOs brought up that a lot of vendors were now looking to record meetings.
  • The topic of consent was also discussed with some organisations seeking legal advice.
The effectiveness of all-staff phishing simulations
  • Some organisations were turning them off, while others were using incentives.
  • Some organisations have implementedd policies for repeat offenders with additional training (usually two strikes).
  • One organisation which is highly regulated used a stricter approach to repeat offenders.

A concern was raised that phishing campaigns are undermining user confidence and that they need to be well integrated into business practices. However one CIO suggested that this could be due to the way it was rolled out and by whom.

There was discussion about whether to extend policies about links in emails to external senders.

February 2025

Summary from Febuary’s call;
 
Agenda: What are organisations doing in regards to DeepSeek
  • Organisations are responding to Deepseek in various ways, including encouraging innovation with guidelines, banning it, or blocking it temporarily 
  • Data privacy and security concerns are prominent, especially with Deepseek’s data storage policy 
  • One CIO is running four pilots with different AI technologies (Co-Pilot, Gemini, OpenAi, Drop Box) and is drafting an AI policy 
  • Some CIOs have varying approaches, with some blocking Deepseek temporarily until they know more and others developing frameworks for AI governance 
  • One CIO mentioned the Atlassian conference and watched a demonstration on a variant to Zoom called Loom. This inferred if you need to demonstrate the value of AI look at what the tech companies are doing 
  • It was agreed there is a need for AI training and awareness across organisations, with some opting for internal experts and lunch-and-learn sessions. In contrast, others prefer generic training followed by more focused departmental training

Related Advisory

December 2024

On Wednesday we discussed two agenda items;

  1. Whether to pursue a third party to help with domain takedown requests given the number of lookalike domains out there and the risk of these being used for malicious activity
  2. Cyber Security Act – how well have industry been consulted
  • The CIOs discussed the benefit of crowdstrike on end devices, the fact that once a domain is protected you can buy it
  • It was also agreed that tools can only get you so far and there is still a need for manual intervention. Where there is some value its not an easy journey
  • One CIO mentioned they use Link Busters. This was a value for money service with no additional resources required
  • We also discussed privacy and content and a number of CIOs mentioned that this area was owned by their legal teams 
  • In regards to the Cyber Act – all participants agreed that the Federal Government had done a good job in consulting industry and believed they were getting better at engaging
  • We then asked the CIOs what good wins were had during 2024. Most of the feedback was around audits;
    • Most CIOs had good audit results 
    • Improved relationships with the audit and risk committees in particular changing their views on ICT 
    • Resilience getting a better look in

November 2024

On our call in November, we discussed the impact of the Government’s Cyber Security Act. We were keen to understand;

  • Which of the reforms will impact you the most
  • Do you have a view on the proposed reforms
  • How are you preparing your organisation for change

One CIO mentioned there were concerns from their legal department, and another suggested there needed to be more formalisation around minimum standards. However it was noted that it is advantageous to have mandatory standards driven through mandates and legislation.

It was also agreed that whilst it is good to have legislation it is creating more red tape.

Organisations with IOT devices also brought up concerns that there are a lot of always connected devices that are continuously tracked and scanned that will be a major issue.

We then went through the latest ASD threat report. It was mentioned that the ASD have improved their support over the past 18 months and getting them to report to the board was a good idea, it could sometimes take a while to get this scheduled. This feedback has been shared with the ASD.

In closing it was agreed that too often staff assume IT systems will be available during a crisis. We need to get them thinking about manual workarounds when Teams, Outlook etc aren’t available. E.g., BCP team ask people to generate a new Confluence form to report an issue and request help – that’s useless if the entire network is down

In closing I have also added some useful links, as requested by one CIO, that have been provided by ASD previously.

October 2024

On todays call, the CIOs discussed:

  • How vendors are pushing AI in everything, and whether anyone on the call was actually using AI to help sift through the data in their SIEM. 
  • How vendor price increases are unaligned with the reality of what’s happening in ICT budgets, and how the CIOs are noting a substantial increase in the number of cyber security vendor sales people trying to get in touch with them. 
  • Two participants spoke about where they each are on their journey of migrating between third party SOC providers. 
  • The call participants had an extensive discussion about budgets, and how their ICT and security budgets were under scrutiny. All noted that budgets are very tight, and for both government and private sector, “they’re as tight as I’ve ever seen them” was a common sentiment. 
  • Two call participants shared that they were struggling to get approval for additional headcount, and they were each concerned about their ability to find the right talent if the headcount is approved.