Keynote · Cybersecurity & Board Risk

"There Is Something Rotten in Corporations"

Why boards are knowingly accepting cyber risk and hoping they do not get caught. 30 years of advisory work, behind the same closed doors, watching the same pattern. This is the keynote that calls it.

The hook

I have sat in too many board rooms in 30 years to keep calling this a technology problem. Optus. Medibank. Latitude. AustralianSuper. MediSecure. Every breach has the same fingerprint. Sanitised reports up the chain. Underfunded controls. A risk register with the right colour but the wrong number behind it. And a board that signs off, year after year, and quietly hopes the dice do not land badly on its watch.

It is not ignorance. It is complicity. And it is rotten.

What this talk is about

This keynote names the structural failure in Australian corporate cyber governance. Not the bad apple at the top. The system that makes underinvestment rational, makes risk acceptance comfortable, and makes the next breach almost certain.

I draw on three decades of advisory and CISO work across ANZ, IRESS, Serco, EY, and PwC. The pattern is the same everywhere. The CISO reports four levels deep, presents a two-page board paper twice a year, and watches the budget get cut because the last twelve months were quiet. The risk committee debates the heat map for ten minutes, accepts the residual, and moves on to the next agenda item. The auditors confirm the controls "are designed". Nobody asks if they actually work.

Then the breach lands. Customer data is on a forum. The CEO is on television. The regulator opens a file. The board chair tells the press the company is "deeply concerned". The same board, two years earlier, accepted a written risk that described the exact failure that just happened.

This talk lays out the specific governance patterns that produce that outcome. Where the CISO sits in the structure. How risk is presented and what the language hides. Why the audit function is not catching it. Why the regulator now is. And what genuine reform looks like, from someone who has implemented it.

What the audience walks away with

  • The five governance patterns that produce systemic cyber risk acceptance, with real examples from Australian breaches.
  • Why the CISO reporting structure is broken in most ASX 200 organisations, and the structural fix.
  • What ASIC, APRA, and the OAIC are actually looking at after the post-Optus enforcement wave, and what is coming next.
  • The risk language that should trigger a follow-up question, every time, with the exact wording to use.
  • A reform agenda the board can adopt before the next risk committee, not next year's strategic plan.

Who this talk is for

Board strategy days and director education. Confronting, but constructive. Directors leave with a clearer picture of what they are signing and a sharper set of questions for the CISO, the CRO, and the auditors.

Governance and risk conferences. Australian-grounded, regulator-aware, and built on lived experience. Attendees come for the diagnosis. They stay for the reform agenda.

Insurance and audit professionals. The same patterns that drive premium increases and qualified opinions are the ones the talk dissects. A common language for a hard conversation with clients.

Format options

  • 45-minute conference keynote
  • 60-minute keynote with audience Q&A
  • 30-minute board briefing in camera
  • Half-day governance workshop combining the keynote with reform-agenda design

The audience reaction

Honestly, the most common response after this talk is a director coming up at the break and saying something close to "I know exactly which paper you are describing. I signed it." That is the point. The talk does not point at someone else's company. It points at the room.

Why this keynote lands in 2026

Australia is in the middle of a regulatory wave that started with Optus and has not stopped. ASIC is filing. APRA is enforcing. The OAIC has the budget and the appetite. Privacy Act reforms have raised the maximum penalty to the greater of fifty million dollars or 30 per cent of adjusted turnover. The board paper that accepted "medium residual risk" in 2023 reads very differently in 2026.

This keynote was built for the moment when boards are asking, honestly, why the same pattern keeps repeating. It is not a victim-blaming talk. It is a structural diagnosis from someone who has sat in those rooms for 30 years. Directors I have worked with describe the relief of hearing the diagnosis named clearly, even when it stings, because the next conversation can finally be productive.

I bring it to the stage with credit before challenge. Australian boards are not unintelligent. The system around them rewards underinvestment, and most directors are doing what the system asks. The talk is about changing the system, not vilifying the people who operate inside it.

What I bring to the stage

30 years advising and operating inside Australia's largest cyber programmes. Former Big Four advisory partner. Former enterprise CISO at ANZ, IRESS, and Serco. CyberCon 2025 speaker. University guest lecturer. The author of the AI safety research that drew international media coverage in early 2026. The keynote is delivered by someone who has been on both sides of the table, which is what gives it its grip.

The cultural fix nobody wants to fund

The rot is cultural before it is technical. Cyber gets surfaced as a compliance story, not a business story. Risk owners are middle managers without authority. Vendors are paid to tell the executive layer everything is fine. Internal audit reports get softened in committee. The board hears a coloured heat map and signs off. Nobody is lying. Nobody is telling the truth either.

I have sat in those rooms for 30 years. The fix is not another framework. It is a small set of cultural changes: real ownership at the executive layer, internal audit with teeth, vendors held to a higher bar, and a board that asks the second and third question. The talk shows leaders how to drive that without breaking morale or burning relationships. It is doable. It just takes courage.
