Keynote · Cybersecurity & Board Risk

"Your Cyber Risk Report Is Lying to You"

"Medium." "Improving trend." "Amber, headed green." The traffic light says everything is fine. It is not fine. A keynote by someone who has written hundreds of these reports and knows exactly what the language hides.

The hook

I have written cyber risk reports. Hundreds of them. As a CISO, as a Big Four advisory partner, and now as an external advisor to ASX 200 boards. I know exactly how the language is constructed. I know which words go in to reassure, and which words get left out so nobody asks the next question.

The risk says "medium". The trend says "improving". The board moves on. Two years later the same control fails and 9.8 million records are on a forum. That is not a coincidence. That is reporting working exactly as designed.

What this talk is about

This keynote dismantles the standard cyber risk report and shows directors what the dashboard is hiding. Not the dishonesty of any one CISO. The structural pattern that turns a control failure into an "amber, improving" line item, and the simple set of questions that breaks the spell.

I take the audience through five reporting patterns I see again and again. The aggregation trick where ten amber controls become one green domain. The trend line that improves on paper while the underlying exposure widens. The "controls designed" finding that says nothing about whether they actually operate. The risk acceptance buried two pages deep in an appendix. The vendor-attested control that nobody has actually tested.

Then I take a real, anonymised report and walk through it. Where the language softens. Where the numbers are missing. Where the heat map collapses three different threats into one cell. The audience sees the shift in real time.

What the audience walks away with

  • The five most common risk report patterns that hide material control gaps, with the exact phrasing to watch for.
  • How "improving trend" can coexist with increasing actual exposure, and why it usually does.
  • The questions directors should ask that no risk report will answer voluntarily.
  • What a genuinely useful cyber risk report looks like, and how to demand one without breaking the relationship with the CISO.
  • A one-page board cheat sheet with the questions and the red flags.

Who this talk is for

Boards and risk committees. Directors get a sharper tool kit for their next paper, and a vocabulary that does not require a degree in cyber to use.

Audit committees and chief risk officers. A common language with the CISO and a clearer view of where the second-line assurance is thin.

CISOs and security leaders themselves. Honestly, half the CISOs in the room nod through this talk. They want to write a more honest report. The keynote gives them air cover to do it.

Format options

  • 45-minute conference keynote
  • 60-minute keynote with audience Q&A
  • 30-minute board briefing on the next risk paper
  • Half-day workshop redesigning the organisation's actual cyber risk report

The audience reaction

The most common comment after this talk: "I am going to ask a different question at the next risk committee." That is the entire goal. One sharper question changes the report you get next quarter. Three sharper questions change the security posture inside a year.

Why this keynote lands in 2026

Every major Australian breach since Optus was preceded, within the previous year, by a cyber risk report that did not surface the actual exposure. None of those reports were dishonest. All of them were structurally incapable of surfacing what later mattered. That is the gap the keynote attacks.

I have written this kind of report, read hundreds of them as a Big Four advisor, and approved them as a CISO. I know what the language is doing and I know what the heat map is hiding. The talk gives directors a clean, repeatable way to ask one or two sharper questions per cycle. That is enough to change the report they get next quarter, and a year of sharper questions changes the underlying control posture.

This is a constructive talk, not a hostile one. I am careful with the CISOs in the room. Honestly, half of them want to write a more honest report and have not had air cover from the board to do it. The keynote gives them that cover.

What I bring to the stage

30 years writing, reviewing, defending, and approving cyber risk reports across Big Four advisory and enterprise CISO roles. Founder of Cyber Impact, the executive advisory firm I run today. The author of the Australian AI safety research that landed on the front page of the Daily Telegraph in early 2026. A speaker who can name the patterns because he has produced them.

What a useful cyber report looks like

A useful board cyber report is short. It tells you which crown-jewel services are protected, which are not, and what is being done about it this quarter. It tells you what changed since last quarter and why. It tells you which vendors carry your risk and how that risk is assured. It tells you what a serious incident would actually cost and how long recovery would take. No traffic lights. No 60-page appendix. No "we are continuing to monitor".

I show boards exactly what to ask for, how to read what comes back, and how to push back when the answers are evasive. Most directors I work with realise within five minutes that the report they have been receiving is not fit for the decisions they are being asked to make. The fix is straightforward once you know what to look for. This keynote is how you find it.
