The hook
If I tell you that your name, address, date of birth, driver licence number, Medicare number, and password reuse history are already on a forum somewhere, you should not be surprised. You are an adult Australian in 2026. The maths says yes.
So what now? That is the keynote.
What this talk is about
This is not the doom version. It is the practical one. After 30 years of advising organisations on cybersecurity, I have come to a conclusion that I share carefully. The premise of cybersecurity, that we can prevent unauthorised access to data, may no longer be realistic for most Australian organisations holding consumer data at scale. The data is out. The maths is in. The next strategy has to start from there.
I take the audience through the breach landscape honestly. What was actually lost in the major Australian incidents. What can still be protected. Where prevention still works and where it has stopped working. The talk then pivots to the resilience model. What it means operationally to design for breach rather than only prevention. How identity, fraud detection, and consumer protection layer differently when the underlying data is assumed to be compromised. And what individuals can actually do now, given that.
The talk is built to leave the audience clear-eyed, not heavy. Australia has a real chance to lead on resilience because we have already had the bad weeks. The next decade of corporate cyber strategy is being written right now. The keynote argues for getting it right.
What the audience walks away with
- The honest assessment: what has already been lost in the major Australian breaches and what can still be protected.
- Why the prevention-first model has reached its operational limits and what replaces it.
- Resilience versus prevention: the operational shift, with concrete examples from financial services and health.
- What individuals can actually do to protect themselves in a post-breach landscape, beyond credit-monitoring theatre.
- The role of regulators, insurers, and consumer-facing organisations in writing the next contract with the public.
Who this talk is for
Public sector and consumer-facing organisations. Health, insurance, banking, retail, and government. Audiences whose customers are already affected, whether they know it or not.
General conferences and industry forums. A keynote that lands for non-technical audiences without dumbing the substance down.
Insurance and risk industries. The pricing of cyber risk is already shifting toward resilience. The talk gives the audience the language to drive that shift, not just react to it.
Format options
- 45-minute conference keynote
- 60-minute keynote with audience Q&A
- 30-minute executive briefing for consumer-facing leadership teams
- Panel anchor on the Australian breach landscape and resilience strategy
The audience reaction
The most common reaction I get after this talk is a short pause and a long question. People know the breaches happened. They have not been told what it means for them, in plain language, by someone who has been inside the rooms. The keynote gives the audience permission to take the next decade seriously without resignation.
Why this keynote lands in 2026
The Optus breach in late 2022 changed the public conversation. The Medibank, Latitude, MediSecure, and AustralianSuper incidents that followed cemented the new reality. By 2026, every adult Australian has had at least one data set compromised, in many cases several. The premise of cybersecurity, that we can prevent unauthorised access to data, no longer holds at the population level.
The talk is not nihilistic. Australia has a real chance to lead globally on the resilience model because we have already had the bad weeks. The next decade is being written now in the form of regulatory reforms, identity systems, fraud detection investments, and consumer protection norms. The keynote argues for getting that decade right.
I deliver this talk with a particular care for the audience. People are tired. The talk does not add to that tiredness. It gives them a clearer-eyed view and a constructive next step, which is the part of the cyber conversation that has been missing.
What I bring to the stage
30 years in Australian cybersecurity. Former CISO at ANZ, IRESS, and Serco. Big Four advisory partner at EY and PwC. The author of the AI safety research featured in front-page Australian media in early 2026. A speaker who has been inside the breach response rooms and the regulatory rooms, and who can speak honestly to a public audience about what those rooms actually decide.
The honest reframe boards need
Calling it a post-cybersecurity world is not defeatism. It is the start of a more honest conversation. Once you accept breach is not an "if", every dollar starts working harder. Detection becomes operational, not theoretical. Response becomes muscle memory, not a tabletop exercise from 2021. Recovery becomes a board-tested capability, not a vendor slide.
I work with executives who have spent a decade hearing that the next platform, the next framework, the next certification will move them out of risk. It has not happened. It is not going to. The organisations that will weather this decade are the ones that stop pretending and start building for the world they actually operate in. That mindset shift is what this keynote delivers.
The boards I respect most are the ones that hear this talk and ask harder questions, not softer ones. They go back to their executive teams and challenge the comfortable assumptions. They ask what would actually happen at 2am on a Sunday in the middle of a cyber incident. The answers tell you everything about the work you have ahead of you, and the talk gives you the language to drive it.