You can't bolt cybersecurity on at the end and expect the roof to hold.
That blunt thought is where most digital transformation projects go off the rails. They treat security like a compliance checkbox or an IT ops problem, rather than the strategic discipline it is. I've seen it in Sydney boardrooms and in smoke-filled start-up war rooms in Melbourne: great digital ambitions brought to their knees by predictable mistakes.
Digital transformation enlarges the prize, and the target. Systems become more connected, data flows multiply, and third parties proliferate. All of this is brilliant for agility and customer experience. But it also massively expands the attack surface. If you want your transformation to be durable, you need to make security intrinsic to design, not incidental.
Why this matters now
According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach was US$4.45 million. That's not just a headline number; it's an operational reality that affects valuations, insurance premiums and the practicality of running a business in a digital-first world. Closer to home, the Australian Cyber Security Centre's 2022-23 reporting showed an alarming volume of cybercrime affecting Australian organisations. These figures aren't meant to scare you into paralysis; they are a clear signal that the stakes are higher and that the costs are avoidable with the right habits.
Two somewhat contentious positions up front
- A cloud-first posture, when executed properly, will usually be more secure than a self-managed on-premises stack. Hardware isn't the security differentiator people think it is; processes, identity hygiene and vendor SLAs are.
- Regulation, if anticipated and used properly, can be a competitive advantage. Comply early, and your sales team has a trust story to tell that rivals can't match.
Both opinions will raise eyebrows. And that's fine. If you are not challenging orthodoxy you are probably not changing anything.
The expanding attack surface, and what to do about it
Every service you add, every API you expose, every supplier you onboard becomes a potential entry point. IoT devices, mobile access, cloud services and partner integrations all widen the surface area. The technical response is straightforward in principle: map it, measure it, manage it.
- Map: Inventory everything. Yes, everything. Applications, databases, cloud resources, service accounts, third-party API keys. If you don't know what you have, you can't secure it.
- Measure: Prioritise risk. Not all assets are equal. Crown-jewel data (customer information, IP, payment credentials) needs disproportionate protection. Use exposure scoring and business impact analysis rather than binary checklists.
- Manage: Apply controls based on risk, not bureaucratic convenience. This includes network segmentation, endpoint protection, and strict identity governance.
Attackers are getting smarter. They use automation, social engineering and occasionally AI to scale reconnaissance. Defenders must respond with automation too, both in detection and in response. Manual review is fine for audit, not for containment.
Zero Trust, useful doctrine, not a silver bullet
Zero Trust is a great philosophy: never trust, always verify. But I'll be blunt: it's frequently sold as a product rather than an architectural shift. Zero Trust needs identity, telemetry and policy enforcement across all layers. It's not an easy checkbox. Organisations attempt partial implementations and declare victory. That's dangerous.
Do it right:
- Centralise identity management, make multi-factor authentication mandatory, and treat service accounts with the same scrutiny as user accounts.
- Ensure least privilege access and regularly recertify privileges.
- Use short-lived credentials for machine-to-machine access and enforce strong session controls.
- Instrument everything with telemetry so you can detect anomalies quickly.
People are often the weakest link, train them
You can have the best tools in the world and still be compromised by a clicked link. Building a security aware culture reduces the human error factor. Good training isn't once a year eLearning; it's short, frequent, contextual and practical.
- Simulated phishing remains one of the best investments. But run it fairly: no public shaming, and follow up with coaching.
- Create security champions in business units who can translate policy into practice.
- Reward reporting. Make it easy to report suspected incidents without fear. The first person who notices a breach is often a front-line employee, so encourage them to speak up.
Automation and AI, double edged swords
AI and machine learning are transforming both defence and attack. On the defensive side they enable smarter anomaly detection, prioritised alerting and faster containment. On the offensive side they increase the speed and sophistication of social engineering and vulnerability discovery.
My view: embrace AI, but with guardrails. Use it to reduce alert fatigue and to accelerate triage. Don't hand over critical decision making to opaque models without testing and escalation paths. And invest in explainability: if your SIEM or detection platform can't explain why it flagged something, you lose trust in the system.
Practical measures that actually work
You don't need a six figure security stack to be significantly safer. You need discipline.
- Patch management: Automate patching where feasible and prioritise internet-facing assets. Many breaches exploit known vulnerabilities for which a patch was already available.
- Multi-factor authentication: Deploy it everywhere. No exceptions for senior execs.
- Encryption: Data at rest and data in transit as standard. Key management matters: if you lose control of the keys, encryption is no protection.
- SIEM and observability: Centralised logging and correlation reduce mean time to detection. Integrate with playbooks and automate simple containment.
- Regular tabletop exercises: Run realistic scenarios. Tabletop theory is fine; simulations and red team exercises reveal where your processes actually fail.
- Third-party governance: Vet vendors, require SOC 2 / ISO 27001 where sensible, and use contractual obligations to ensure security standards are maintained.
Governance and compliance, don't treat them as cost centres
Regulation can feel like a tax unless you use it to improve your business. Think of compliance as a structure that disciplines risk decisions. Align security KPIs with business KPIs: incident recovery time, percentage of assets with MFA, time to patch critical vulnerabilities. Make security part of board reporting.
Culture shifts slowly. Start where you can measure impact. For example, reduce phishing reporting times or decrease mean time to contain by a concrete percentage. Those metrics resonate with executives because they demonstrate ROI.
Incident response, assume it will happen
The worst time to figure out how you'll respond to a breach is during a breach. Have an incident response plan, and test it.
- Define roles clearly: who talks to customers, who talks to regulators, who handles media.
- Pre-authorise key actions like IP blocks and DNS redirects so you don't get stuck waiting for approvals.
- Practice forensic readiness: log retention, chain of custody procedures, and legal hold processes.
- Prepare customer messaging templates and legal checklists in advance; when the heat is on, clarity saves reputations.
A word about budgets: spend to reduce exposure, not to chase shiny tech. Security ROI is often realised by reducing dwell time and avoiding catastrophic incidents. That's a commercial conversation, not an IT wishlist.
What I would change, one opinionated improvement
Embed security architects into business transformation teams early, not as auditors but as enablers. They should sit in program teams for new product launches, cloud migrations and M&A activity. This stops the "bolt on security" problem and ensures security is part of design, procurement and rollout. It's simple: put the expert in the room where decisions are made.
Training and accountability: name a security champion in every product team, give them 10% of their time and a small discretionary budget to implement practical safeguards. Measure their results.
How we apply this in practice
In our work with clients across Sydney and Melbourne, we don't start with products; we start with conversations. What is the single most valuable asset? Who are your critical suppliers? Where would a breach hurt you most, financially, operationally or reputationally? From there we build pragmatic roadmaps focused on people, process and technology in that order.
We run tabletop exercises, simulate phishing campaigns tailored to the business, and help embed security KPIs into leadership reporting. No silver bullets. Incremental improvement that compounds.
A few truths that are worth repeating
- Security is not an IT only problem.
- Visibility is everything: you can't secure what you can't see.
- A shorter blast radius is better than a brittle fortress mentality. Limit the damage when things go wrong.
- Assume compromise and focus on resilience and recovery as much as prevention.
Some myths I love to debunk
- Myth: "Our industry is too small to be targeted." False. Small and medium enterprises are often low hanging fruit.
- Myth: "Security will slow us down." Not if designed into the workflow. Security should enable trust and speed, not block it.
- Myth: "We can wait until we move everything to the cloud." No, migrate with security, not to it.
Final, messy thought (because endings should sometimes be imperfect)
If you want to transform digitally, design for security from day one. It's less sexy than a customer-facing feature, but it's the foundation that keeps everything standing. Treat security as product quality. Build it in, measure it, and make it a collective responsibility.
And yes, sometimes you'll overcompensate and poke holes in useful processes. That's fine. Learn, iterate, and keep the prize in mind: durable, trusted digital capability. The rest is detail. So fix the basics first. Then worry about the bells.
Sources & Notes
- IBM Security. (2023). Cost of a Data Breach Report 2023. IBM Corporation. Report finding: global average cost of a data breach US$4.45 million.
- Australian Cyber Security Centre. (2023). Annual Cyber Threat Report 2022-23. Australian Government, Department of Home Affairs. Note: report details and incident volumes for Australian organisations during 2022-23.
- Observational note: practical recommendations and implementation examples are informed by frontline consulting and training experience with organisations across Sydney and Melbourne, drawn from our work delivering tabletop exercises, phishing simulations and leadership workshops.