Keynote · Cybersecurity & Board Risk

"The Basics Are the Strategy"

Every major Australian breach in the last three years had the same root cause: basic security hygiene failures. Not zero-day exploits. Not nation-state sophistication. Unpatched systems. Default credentials. No MFA. The keynote that resets the conversation.

The hook

I have read the post-incident reports. So have you. Optus. Medibank. Latitude. AustralianSuper. MediSecure. Different organisations, different sectors, same finding. The breach was not sophisticated. It was an unpatched system, a default credential, an account without MFA, a log nobody was watching, or a person who clicked a link.

The cybersecurity industry sells complexity because complexity is profitable. The basics are the strategy. They are also the answer.

What this talk is about

This keynote resets the conversation. After 30 years inside Australia's largest cyber programs, I have watched the same pattern. Boards approve seven-figure tooling refreshes while basic patching slips by 60 days. Vendors sell AI-powered threat hunting platforms to organisations that have not deployed MFA on their privileged accounts. The story is everywhere if you read the breach reports honestly.

I take the audience through the actual root causes of Australia's biggest cyber incidents. Each one mapped against the Essential Eight, ASD's cyber threat intelligence, and the post-incident regulator findings. The pattern is uncomfortable for vendors. It is also clarifying for boards. The expensive tooling did not fail. It was bought instead of the hard work, and the hard work is what the attackers exploited.

The talk is not anti-tooling. There is a real role for advanced detection, identity-based controls, and AI-augmented response. The argument is sequencing. The organisations doing fundamentals well do not need most of the expensive tooling. The organisations buying the expensive tooling have usually skipped the fundamentals. The keynote names the sequence and the test.

What the audience walks away with

  • The actual root causes behind Australia's biggest breaches, none of them sophisticated.
  • Why the cybersecurity vendor ecosystem incentivises complexity over fundamentals.
  • The Essential Eight, why it works when organisations actually implement it, and where most stop short.
  • A board-level investment framework that starts with the basics and earns the right to add complexity.
  • The two questions that separate organisations that get fundamentals right from organisations that pretend they do.

Who this talk is for

Any audience. This talk works for boards, all-hands events, government, and industry conferences. The argument is universal because the data is universal.

CFOs and CEOs questioning cyber spend. A clearer test for whether the next dollar should buy tooling, capability, or basic hygiene. Honestly, a lot of CFOs leave this talk happier than they came in.

Public sector and regulated industries. Australian-grounded, ASD-aligned, and consistent with the regulatory direction of travel.

Format options

  • 45-minute conference keynote
  • 60-minute keynote with audience Q&A
  • 30-minute board briefing on cyber investment sequencing
  • Half-day workshop on Essential Eight implementation maturity

The question I get asked every time

"If the basics are this important, why is no one doing them?" The honest answer is that they are not exciting. They do not generate vendor commission. They do not justify a strategy refresh. They are the work, and the work is unglamorous. The talk closes with how to make the basics fundable, repeatable, and visible to a board.

Why this keynote lands in 2026

The cybersecurity industry has spent a decade selling complexity. AI-powered detection. Threat intelligence platforms. SOAR. XDR. Microsegmentation. Cloud security posture management. The list is long and the spend is real. The breaches are also still happening, and the post-incident reports keep coming back to the same finding. Patch the systems. Enforce MFA. Watch the logs. Train the people.

This keynote is calibrated for boards that have approved several years of expensive tooling and want an honest answer on whether the dollars are landing. The honest answer is that, in most organisations, the dollars are landing on top of fundamentals that were not in place. The talk explains why that pattern is rational, why it produces consistent failure, and how to break it without becoming anti-vendor.

I am genuinely funny in this talk. The pattern is absurd in a way that lends itself to honest humour, and an executive audience appreciates a speaker who can name the absurdity without becoming preachy. The substance still lands. So does the laughter, which makes the substance more memorable.

What I bring to the stage

30 years inside Australian cybersecurity, including the implementation of the Essential Eight before it was called that in many of the organisations I led. Former Big Four advisory partner. Former enterprise CISO. Author of the AI safety research that drew front-page media coverage in early 2026. Trusted because the audience knows the speaker has done the work, not just talked about it.

What good looks like, in practice

I describe a maturity ladder boards can actually use. At the bottom: patching, MFA, backups, asset inventory, privileged access, and known-good baselines. Above that: detection that works, response that has been rehearsed, recovery that has been tested under load. Higher again: third-party assurance, supply chain visibility, and a real measurement of cyber resilience tied to the services that keep the business running.

Most Australian organisations sit somewhere on the bottom rung and tell themselves they are halfway up. The talk shows directors how to spot the gap, what questions to ask, and where to direct investment first. Boring as it sounds, this is the highest-return cyber discussion you can have right now.

I leave audiences with a one-page board check. A short list of questions any director can take into their next risk committee meeting and use to test whether the basics are actually in place. It is the most downloaded artefact from this talk, because it works. The fundamentals are not glamorous, but they are measurable, defensible, and absolutely the strategy.
