Highlights

Highlights From Previous CIO Cyber and Risk Network Gatherings

March 2026

In our call this month, the following topics were covered:
  • Post-Quantum Cryptography Planning: Some organisations are being asked by their boards about planning for post-quantum cryptography, with a focus on adding to their risk register, long-term thinking (e.g., 2030), and addressing the problem by focusing on the weakest encryption first.
  • AI Tool Trust and Observability: Discussions centered on the risks of machine-controlled processing (MCP) servers and AI tools like large language models, specifically regarding data leakage, limited observability, and the challenge of trusting that information is not being sent externally.
  • Geopolitical Conflict Impacts: Participants discussed the potential for conflict to cause supply chain shortages (memory/chips, laptops, fuel), drive up costs, and affect platform availability. Some organisations are looking at reducing offshore dependency and using geoblocking as mitigation.
  • Rising Costs and Budget Pressure: The group noted significant budget constraints, vendor price increases (especially for ISPs, storage, and backup servers), and cost blowouts, leading to mitigation strategies such as going to market to fulfill multiple functions with one person, trimming services, and using chargeback.
  • Black Swan Event Planning: There is an increasing regulatory expectation for industries to more seriously plan for and understand the potential impact of ‘black swan’ events.

Interesting Links:

February 2026

On this months call the following subjects were discussed:

  • Notepad ++
    • Moving away from Notepad ++ and moving towards a better enterprise grade solution.
    • Targeted attack on Notepad ++ and was compromised when the company publicly announced they were not reissuing a certificate.  
  • Disappearing messages.
      • One organisation uses policy to make it the responsibility of the employee.
      • One CIO mentioned that  Onus used to be on individuals, now it is being turned on to the organisations.
  • Hacktivism and Social Issue motivated groups
    • Are people starting to see more social motivated groups?
    • One organisation has people showing up physically and abusing.
    • There are also abusive phone calls.
    • There is an uptick in AI generated requests for freedom of information.
    • One CIO mentioned that they charge for each FOI request. 
  • AI Implementation
    • Can anyone regenerate an AI audit trail of activity ? Are they happy with their logging?
    • One company is taking their AI policy to the board.
    • AI is very difficult to keep up with now.
    • Are we putting in guardrails or are we just putting in signposts to warn users.
  • Priorities for 2026 
    • Building effective partnerships | GRC System.
    • Educate and influence | Data Governance (Stop exposing data).
    • AI use and securing AI (Non-human identities) | Post Quantum.
    • ISO 2700 | Cyber Security training.
    • DR plan review.

Articles of Interest

October 2025

In our call this month, the following topics were covered:
  • Cisco gear and comms gap: Limited updates from Cisco and mixed messaging from ACSC left CIOs questioning reliability of vendor and government advisories; recent global outages added to concern.
  • Third party dependencies: Service providers insisting ‘no local issue’ contrasted with evidence of wider impacts.
  • Board-level preparedness: Interest in running ransomware/incident simulations for directors; peer discussion highlighted different approaches and value in shared playbooks.
  • Incident response cover: Consensus that insurance-driven responders aren’t sufficient; The CIOs are weighing direct IR retainers, scale of provider capacity, and what happens in a nation-wide event.

September 2025

The September call discussion covered the following topics:
  • Salesloft Drift OAuth compromise and the evolving supply chain attacks
  • Mobile device management and third party applications
  • Privilege access management and effort to train staff
  • Federal Government’s approach to age verification with the upcoming social media legislation
  • AI Discovery, AI BOM (Bill Of Materials), and continuous testing and validation
Tools Explored:
Useful references from the September Call to review: 
 
AI was once again very topical. Here’s a link to a recent IBRS Framework that could be of interest, The IBRS Artificial Intelligence Maturity Assessment Framework

August 2025

On this months call, the participants discussed: 
 
  • Ingestion Loggin Costs 
    • One CIO asked about Ingestion logging costs. Whilst they have some exponential growth, which is a good thing, it is becoming more and more expensive.
    • Another CIO mentioned being cloud based was a benefit and had their monthly bills capped at $300 a month
    • Another CIO mentioned they also had a monthly flat rate
    • It was agreed that Microsoft do not negotiate so there is not a lot of wriggle room
    • One CIO is about to engage Cribl to do some discovery
  • Insider Threat Programs
    • Everyone agreed this was a great idea, but only one CIO was initiating a program
    • Everyone was keen to see how the program evolves in time
    • JQ from CIO Lens has also mentioned that one of their CISO members that are mature in this space reference this org as best in class framework
  • AI
    • One CIO is rolling at a pilot of Gemini
    • The Google offering much more cost effective than Co-Pilot
    • Everyone agreed the foundations were DLP and data classification
    • One organisation in the process of a POC of Co-pilot

July 2025

On July’s cyber and risk call, the participants discussed: 
 
  • The recent (and ongoing) Microsoft SharePoint exploitation incident. 
  • The social engineering attack against Qantas and implications for call centres and business processes.
  • Breach fatigue across the industry
  • That the participant’s board members were broadly confident with the level of cyber posture. However, there was a question around what reporting the participants are using to help communicate progress to the board.
A CISO Lens report based on feedback from their members, on standardised executive reporting, was shared will all partipants

June 2025

On June’s CIO call, the participants shared and discussed their answers to three questions:

  1. When a major cyber incident strikes, who owns the response within your organisation?
  2. What help/support do you need to better prepare your organisation to manage a major cyber incident?
  3. What help/support do you expect from the government when a major cyber incident strikes?

The participants spoke about how:

  • Their organisation’s ability to respond to a cyber incident was still locked in siloes.
  • Their plans were good in theory, but had yet to be subjected to a real test.
  • Many non-IT executives assume that IT will naturally be able to save the day with magical restoration of the entire technical environment and all the workflows that depend on the technical environment. 
  • Useful it would be if government agencies could share the same vendor assessments, instead of having to waste time and money by each agency conducting their own assessment.
  • Their executives appreciated that their organisation was probably at the lower end of the pecking order when it came to third party incident response providers.

One participant shared that a third party had recently guided their executives through a tabletop exercise and a key finding had been that the business needed to rely less on IT when a crisis happens. This aligns with our observations from when an incident happens; you do not get to choose which technology is available, or even which IT staff are available.

April 2025

  • Summary of April’s call:

Agenda Items

  • Budget forecast for 2025/26 – What risks/opportunities are you seeing? Implications for security programs?
  • Cyber simulations – strategies and approaches

Summary of Discussion

  • Budget forecasts for 2025/26 were discussed, with expectations of flat budgets and increased vendor licensing costs impacting security programs.
  • Organisations are moving away from traditional ransomware cyber simulations towards more realistic exercises like DDoS and ideologically motivated attacks.
  • The effectiveness of vendors claiming to run server infiltration exercises was questioned, particularly in cloud environments.
  • BYOD policies are being refreshed, and the use of messaging apps with disappearing messages for official communication is being examined, with varying approaches to policy and record management.
  • A number of CIOs mentioned they used WhatsApp for internal messaging.
  • Cost reduction in cyber security is being considered, focusing on optimising existing resources, demonstrating value, and process improvements.
  • One CIO mentioned that Incident response and accountability across system owners are being emphasised, with a shift towards supporting business owners and moving away from textbook simulations.
  • One CIO is willing to share the costs of managed SOC services as they have recently tested the market.

March 2025

In this months call, the CIOs discussed two agenda items:
 
The use of AI notetakers during meetings
  • Concerns were raised about consent, data privacy, and the accuracy of the summaries. 
  • Different organisations had varying policies and experiences with AI notetakers. Some were experimenting with them, while others were more cautious.
  • The use of internal versus external meetings and AI notetaking were also discussed, some CIOs brought up that a lot of vendors were now looking to record meetings.
  • The topic of consent was also discussed with some organisations seeking legal advice.
The effectiveness of all-staff phishing simulations
  • Some organisations were turning them off, while others were using incentives.
  • Some organisations have implementedd policies for repeat offenders with additional training (usually two strikes).
  • One organisation which is highly regulated used a stricter approach to repeat offenders.

A concern was raised that phishing campaigns are undermining user confidence and that they need to be well integrated into business practices. However one CIO suggested that this could be due to the way it was rolled out and by whom.

There was discussion about whether to extend policies about links in emails to external senders.

February 2025

Summary from Febuary’s call;
 
Agenda: What are organisations doing in regards to DeepSeek
  • Organisations are responding to Deepseek in various ways, including encouraging innovation with guidelines, banning it, or blocking it temporarily 
  • Data privacy and security concerns are prominent, especially with Deepseek’s data storage policy 
  • One CIO is running four pilots with different AI technologies (Co-Pilot, Gemini, OpenAi, Drop Box) and is drafting an AI policy 
  • Some CIOs have varying approaches, with some blocking Deepseek temporarily until they know more and others developing frameworks for AI governance 
  • One CIO mentioned the Atlassian conference and watched a demonstration on a variant to Zoom called Loom. This inferred if you need to demonstrate the value of AI look at what the tech companies are doing 
  • It was agreed there is a need for AI training and awareness across organisations, with some opting for internal experts and lunch-and-learn sessions. In contrast, others prefer generic training followed by more focused departmental training

Related Advisory