Highlights

Highlights From Previous CIO Cyber and Risk Network Gatherings

September 2025

The September call discussion covered the following topics:
  • The Salesloft Drift OAuth compromise and the evolving nature of supply chain attacks
  • Mobile device management and third-party applications
  • Privileged access management (PAM) and the effort required to train staff
  • The Federal Government’s approach to age verification under the upcoming social media legislation
  • AI discovery, AI BOM (Bill of Materials), and continuous testing and validation
Useful references from the September call to review:

AI was once again very topical. Here is a link to a recent IBRS framework that may be of interest: The IBRS Artificial Intelligence Maturity Assessment Framework

August 2025

On this month’s call, the participants discussed:
 
  • Log ingestion costs
    • One CIO asked about log ingestion costs. While they are seeing strong growth, which is a good thing, ingestion is becoming more and more expensive.
    • Another CIO mentioned that being cloud based was a benefit, and that their monthly bill was capped at $300.
    • Another CIO mentioned they also had a monthly flat rate.
    • It was agreed that Microsoft does not negotiate, so there is not a lot of wriggle room.
    • One CIO is about to engage Cribl to do some discovery.
  • Insider Threat Programs
    • Everyone agreed this was a great idea, but only one CIO was initiating a program.
    • Everyone was keen to see how that program evolves over time.
    • JQ from CISO Lens also mentioned that one of their CISO members, who is mature in this space, references this organisation as having a best-in-class framework.
  • AI
    • One CIO is rolling out a pilot of Gemini.
    • The Google offering was found to be much more cost effective than Copilot.
    • Everyone agreed that the foundations were DLP and data classification.
    • One organisation is in the process of running a proof of concept (POC) of Copilot.

July 2025

On July’s cyber and risk call, the participants discussed: 
 
  • The recent (and ongoing) Microsoft SharePoint exploitation incident. 
  • The social engineering attack against Qantas and implications for call centres and business processes.
  • Breach fatigue across the industry.
  • That the participants’ board members were broadly confident in their organisations’ cyber posture. However, there was a question around what reporting the participants use to communicate progress to the board.
A CISO Lens report on standardised executive reporting, based on feedback from their members, was shared with all participants.

June 2025

On June’s CIO call, the participants shared and discussed their answers to three questions:

  1. When a major cyber incident strikes, who owns the response within your organisation?
  2. What help/support do you need to better prepare your organisation to manage a major cyber incident?
  3. What help/support do you expect from the government when a major cyber incident strikes?

The participants spoke about how:

  • Their organisation’s ability to respond to a cyber incident was still locked in silos.
  • Their plans were good in theory, but had yet to be subjected to a real test.
  • Many non-IT executives assume that IT will naturally be able to save the day with a magical restoration of the entire technical environment and all the workflows that depend on it.
  • How useful it would be if government agencies could share the same vendor assessments, instead of each agency wasting time and money conducting its own.
  • Their executives appreciated that their organisation was probably at the lower end of the pecking order when it came to third-party incident response providers.

One participant shared that a third party had recently guided their executives through a tabletop exercise, and that a key finding was that the business needed to rely less on IT during a crisis. This aligns with our observations: when an incident happens, you do not get to choose which technology is available, or even which IT staff are available.

April 2025

Summary of April’s call:

Agenda Items

  • Budget forecast for 2025/26 – What risks/opportunities are you seeing? Implications for security programs?
  • Cyber simulations – strategies and approaches

Summary of Discussion

  • Budget forecasts for 2025/26 were discussed, with expectations of flat budgets and increased vendor licensing costs impacting security programs.
  • Organisations are moving away from traditional ransomware cyber simulations towards more realistic exercises, such as DDoS and ideologically motivated attacks.
  • The effectiveness of vendors claiming to run server infiltration exercises was questioned, particularly in cloud environments.
  • BYOD policies are being refreshed, and the use of messaging apps with disappearing messages for official communication is being examined, with varying approaches to policy and records management.
  • A number of CIOs mentioned that they use WhatsApp for internal messaging.
  • Cost reduction in cyber security is being considered, focusing on optimising existing resources, demonstrating value, and process improvements.
  • One CIO mentioned that incident response and accountability across system owners are being emphasised, with a shift towards supporting business owners and away from textbook simulations.
  • One CIO is willing to share the costs of managed SOC services, as they have recently tested the market.

March 2025

In this month’s call, the CIOs discussed two agenda items:
 
The use of AI notetakers during meetings
  • Concerns were raised about consent, data privacy, and the accuracy of the summaries.
  • Different organisations had varying policies and experiences with AI notetakers. Some were experimenting with them, while others were more cautious.
  • The use of AI notetakers in internal versus external meetings was also discussed; some CIOs noted that many vendors are now looking to record meetings.
  • The topic of consent was also discussed, with some organisations seeking legal advice.
The effectiveness of all-staff phishing simulations
  • Some organisations were turning them off, while others were using incentives.
  • Some organisations have implemented policies for repeat offenders that require additional training (usually on a two-strikes basis).
  • One highly regulated organisation used a stricter approach to repeat offenders.

A concern was raised that phishing campaigns are undermining user confidence and that they need to be well integrated into business practices. However, one CIO suggested that this could be due to the way the campaigns were rolled out and by whom.

There was discussion about whether to extend policies about links in emails to external senders.

February 2025

Summary from February’s call:
 
Agenda: What are organisations doing in regards to DeepSeek?
  • Organisations are responding to DeepSeek in various ways, including encouraging innovation within guidelines, banning it, or blocking it temporarily.
  • Data privacy and security concerns are prominent, especially around DeepSeek’s data storage policy.
  • One CIO is running four pilots with different AI technologies (Copilot, Gemini, OpenAI, Dropbox) and is drafting an AI policy.
  • CIOs’ approaches vary, with some blocking DeepSeek temporarily until they know more and others developing frameworks for AI governance.
  • One CIO attended the Atlassian conference and watched a demonstration of a Zoom-like tool called Loom. The takeaway was that if you need to demonstrate the value of AI, look at what the tech companies are doing.
  • It was agreed that there is a need for AI training and awareness across organisations, with some opting for internal experts and lunch-and-learn sessions, while others prefer generic training followed by more focused departmental training.
