Cyber at a crossroads: Balancing risk, investment, & culture in an evolving threatscape

Future of Security Panel Sydney

Cybersecurity is no longer just a concern for IT boffins — it is a fundamental business risk that demands executive and board-level attention. As threats become ever more sophisticated and human error persists as a critical vulnerability, organisations must rethink their approach. Beyond technology, the real challenge lies in fostering accountability, embedding security early in business strategy, and engaging decision-makers in a meaningful and relatable way.

Featuring insights from our Threat Intelligence panel at the Future of Security, Sydney conference this week, this discussion explored some of the foremost challenges in cybersecurity today, from human vulnerabilities to optimising security investments. The panel also highlighted how gamification and competition can drive executive engagement in cyber, making cybersecurity a business-wide priority rather than a compliance checkbox.

With insights from Westpac, NGM Group, Zurich, and Tokio Marine, this conversation presents senior technologists with a number of practical strategies to build resilience and align security with business goals.

Featured panellists:

  • Dan Elliott, Head of Cyber Resilience ANZ, Zurich Insurance
  • Nathan Lewis, Head of Cyber, Technology and Data Risk, NGM Group
  • Prakhar Rawat, Chief Technology Officer, Tokio Marine Management Australasia
  • Ross Mackenzie, Head of Security Control Assessment, Westpac Group

Moderated by Luke Hannon.


Hannon (Mod): Let’s start with the threat landscape itself, because it’s evolving at such a fast pace. But I wonder if there’s an evolution or change that has surprised each of you the most. And Nathan, I might throw to you to start with.

Lewis (NGM Group): In preparation for today, I spoke to a colleague who’s responsible for our cybersecurity operation. When I asked her this question, her answer was intriguing. She questioned not what has changed but, rather, what hasn’t.

What she was trying to highlight was that, no matter how much the threat landscape has evolved over time, people are always the weakest link.

And despite all of our efforts to train people in cybersecurity, despite all the success we’ve had with things like phishing campaigns internally and so forth, and despite all the sophistication that we’ve gained with facilitator training, it’s still people that are the weakest link. That’s always been the case.

Outside of that, what we’re seeing – and it’s fair to say this has been the case year on year for some time – are those threats from phishing and business email compromise, which remain our biggest concerns. We’re also very concerned about state-sponsored threat actors – those threat actors you can’t see, that are virtually undetectable and are difficult to purge from your network.

Elliott (Zurich): Building off what Nathan [Lewis] said, we’re seeing that evolution from state-sponsored to state-sanctioned actors. This is something that really emerged after the start of the war in Ukraine; these are often threat actors that did not want to be in the state space, but still had the state training and still had that support.

Whether they were being directed or whether they were just having a blind eye turned to them, we’re seeing a lot of criminal groups who have a level of skill that didn’t exist five to 10 years ago.

And although some of that can be attributed to AI, and I think it often is, there’s an element where individuals have a skill in writing code that just did not exist among that community five to 10 years ago.

Mackenzie (Westpac): I think we’ve been talking about the threat landscape increasing for as long as I can remember – so for the last 20 years at least – and it’s become more and more scary. In response to that, you need to make sure you keep investing in your people, your processes, and your technology capabilities to constantly keep up with that threat landscape.

I like to think of it as walking up the down escalator – if you stand still, you’re going to go backwards.

Specifically on the people side of things, yes, people can be a bit of a challenge in your environment because they like to click on links and whatnot. But they can also be your greatest asset. If your staff are letting you know where you’ve got issues or problems in your systems, or reporting a phishing email to you, you can take action on that and look to protect the rest of your organisation and other organisations as well.

Rawat (Tokio Marine): Everyone has covered different aspects of people, process and technology.

But I think ownership of security needs to be embedded in individuals’ KPIs.

Let’s be honest, it’s not just the responsibility of security teams. What I feel organisations can do in order to maintain the high standards that we’re talking about is to not just increase [security] training, but also make it less of a burden on individuals. A good example that we practice at Tokio Marine is that, as soon as you sign into our intranet, every day we’ll tell you two or three things you need to care about; then, after a week or so, we ask staff for feedback. This gives us a constant measure of how the training worked without really training them on it for hours.

But there’s really no answer to how to keep up with the threat landscape, because anytime you want to modernise something, say a new application or when you put up a new business, you inevitably increase your exposure.

Hannon (Mod): ‘Ownership’ is a special word. It tells us that accountability – whether it’s CPS 230 or third parties – ultimately rests with the team. How do we move ownership or accountability onto people? How do we pivot from ‘it’s a them problem’ to ‘it’s an us problem’?

Rawat (Tokio Marine): Things like data governance protocols today express a very similar point – ‘everyone owns it’, but of course how to execute this is a challenge. I think the extent of the recommendations or framework can be reduced to: every time you want to do anything or check the architectural intent, embed security in it.

Embed the security architect to have a voice in it in terms of how you’re doing it and what you’re doing, and how much of a deviation is allowed and what risk you accept.

This is just one way of thinking, at the strategic level, in order that the execs understand the importance of security.

When, say, we have to prepare software for security, it’s always looked at as a budgetary burden, a constraint that now we have to deal with. But I think when we’re planning roadmaps or planning the next year in our organisations, if you actually involve your security architect and work with the domain architects when, for instance you’re trying to position for buy versus build, that’s where you start adding value.

This should happen in the first presentation you show to management and get funding allocated, making sure that security is baked in your every step and early in the development process. I’m not saying you’ll never do a code review – security people won’t like that – but at least have security people involved in the build. It really is a continuous journey.

Lewis (NGM): The question was, how do we get everyone on board and accountable? And I think we’ve found one good way which relates to phishing – an issue faced by many organisations for many years.

How we’ve found some success with phishing prevention is by harnessing the inner competitive nature of our senior executives, and these are people that are very competitive by nature.

What we do at NGM is produce a monthly report, essentially a leaderboard with every division, which ranks them (say 1 to 10 or however many there may be), on things like reporting rates and click rates. And what you find is that the executive group is pretty competitive with each other and, as a result, there’s this real drive to ensure that everyone gets to the top of the leaderboard. So the messages that follow the publication of this [phishing statistics] report, particularly if your name is on the list, can be motivating enough to ensure that you are very careful the next time there is a real phishing email.

By harnessing that positive effect, we’ve been able to ensure that each one of those execs is personally invested in ensuring that there’s a successful outcome.

Elliott (Zurich): Competition is definitely one of those drivers. I was chuckling along because we’ve done something like that with an organisation I was working with as part of cyber awareness month to try to drive that on a smaller scale rather than year-round, and it motivated the same kind of drive. It convinced everybody to buy in very quickly; everybody’s competitive nature got them to the table, and it became a self-propagating security control because everybody became a champion for their team and wanted to win.

The other piece that we’ve seen work effectively is in helping people understand the cost of not having these tools, because, as a security professional, my ideal, my inclination, would be to lock it all down: turn off everybody’s email, lock down the network, store everything, encrypt everything and, boom, we’re done. But the cost of doing business is that I need to have these controls in place, I need to have these levers or these compensations and to step back from the wall in these areas.

Having business unit leaders understand that that’s a cost allocation that they’re bearing in order to do their piece of the business, having those one-on-one discussions with them, really helps them to understand that part of the cost and part of the engagement is theirs to bear.

If they dip below the overall organisational risk appetite, it then becomes a question of, are they willing to bear that namesake or are they willing to hold that risk beyond what the organisation considers tenable?

Mackenzie (Westpac): Building on the other panellists’ comments, it’s around the visibility and transparency of the security state of each of your business units. And healthy competition always goes a long way.

If you think of an organisation as only being as strong as its weakest link, then where you’ve got a certain business unit that might be letting the overall business down, that’s made visible and transparent with things like dashboards and reporting and metrics. That then drives that level of healthy competition for organisations and certain business units to try to get back up to where they feel like they need to be.

Hannon (Mod): It’s interesting that you mentioned the cost of inaction, and as a part of your business unit, this is an allocated investment that needs to be made. I wonder if we can go a bit deeper on demonstrating the ROI of cyber.

Elliott (Zurich): I’ll give you an example to draw on from a colleague I worked with a few years back. He was working in a manufacturing and a retail space and went to his marketing lead, the CMO, and said, ‘I do a better job of marketing dollar-for-dollar than you do’. And at this executive roundtable, his articulation was, as soon as a competitor has a break in their supply chain, as soon as they can’t get products on the shelves, or as soon as their reputation sees that damage, people turn to our stuff that’s still on the shelves, and in doing so, we cut out that ability for them to buy our competitors’ product. As a result, they become ours. And it was an industry where, after two or three purchases you get a lifetime buyer.

What he was articulating was the amount of cost you need to outlay to gain more buyers on the front-end and just maintain security and maintain reputation and hold fast, basically. It showed it as a driver: ‘We are holding the reputation in a way that other business units can’t. We are holding that reputational control in a really unquantifiable space because we know that it’s bad; we just don’t know how bad it is.’

And then to that, what I’ve seen a lot of organisations do, and what we’ve helped some with, is that risk quantification. So you can’t manage reputation, and it’s really hard to manage how much it’s going to hurt you on a bad day, but you can measure everything else. And being able to go to a CFO and say ‘This is how much it’s going to cost us’ – this is that cost for an investment in, say, expanding our MFA program or investing in this new tooling or changing the way we are training our people, and this is the likely cost of a bad day and the frequency of that bad day based on current statistics and trends and everything else.

It’s about moving it to their language, rather than expecting them to come across the way and say that, ‘Maturity is going to improve by this many bullet points and therefore our Red, Amber, Green dashboard is going to change and then that will make the whole world better!’

Hannon (Mod): The language aspect is interesting, and we hear a lot about connecting people, especially from cyber. It’s speaking their language, making it relevant to them. After all, being compliant with Essential Eight may not mean as much as X amount or this many sales impacted. Any other thoughts on ROI?

Mackenzie (Westpac): ROI is always really challenging when it comes to cyber investments.

The way that I’ve seen it work best is when you’re thinking about risk buy-down.

So there’s typically no dollar benefit with a cybersecurity investment – you’re avoiding general risks or buying down on risk. And so the way that I’ve seen it work, generally, really well is when you think about all the different threats and risks, and you take a threat model and you look at your residual risk level, and if there are certain things that you want to invest in to reduce your overall risk, the return on that investment is that you’ve bought down some of the risks or some of the threats that you might have been previously susceptible to via that capability investment. That’s the way I’ve seen it work quite effectively.

Sometimes there’s a cost benefit as well if you’re making things more efficient or easier to work with, but those tend to be soft benefits from a pure balance sheet perspective. There’s also the reputational aspect; ultimately, keeping your organisation out of the headlines has a benefit, but that’s quite difficult to measure in terms of day-to-day ROI.

Hannon (Mod): Isn’t reputation the new financial risk? Firstly, it’s unquantifiable and secondly, it sticks for a lot longer than a monetary loss, because once you’ve offset that and worn it, and the share price has dipped, the reputation hangs for such a long time – as we’ve seen from many recent incidents.

Ross [Mackenzie], you spoke a little bit about optimisation or buying risk down. I wonder if we can explore a bit more of what you’ve seen work well out there in terms of optimising the money you spend.

Mackenzie (Westpac): There are a few different thoughts that come to mind on that. From an investment portfolio perspective, there’s always more demand on the financial investments that you want to make each year than there is either capacity to deliver them or available funds for you to go and do all the things you want to do. So, there’s always going to be a set of priorities and options that you need to think of to most carefully balance your overall investment.

Coming back to what I was saying before, we try to think about how we maximise our investment by the maximum buydown of risk, which is generally how we think about things at Westpac.

We look at, for every dollar you spend, how much risk value that gives you back at the end of the day.

And then the other side of the equation is your teams and your operating expenses, so your BAU, effectively. And that is a constant challenge with balancing workload and capacity and demand. There are always infinitely increasing expectations and demand on our teams, from a BAU perspective. And burnout is real in the cybersecurity industry. I’m sure many of you are aware of the constantly increasing threats and risks and vulnerabilities and the work involved in managing this. We’ve always got more work than we can possibly manage with our current set of people.

It’s therefore really important to think about how we manage our workloads, our demands, and our work-life balance. And that’s the other side of it: how do you keep your BAU teams – not the ones delivering new projects or capabilities – working to the demand and the capacity that they’re able to without burning people out? That’s a real challenge.

Lewis (NGM): I’d like to come back to something we discussed a little earlier in terms of the messaging to the board. While it is important for you to talk about ROI and the priorities that senior decision-makers are responsible for, there is also a way to send a very strong message to decision-makers. That’s through making the threats very real, making sure that they understand the relevance, the statistics, and the stories they hear.

An example I’d like to share with you, if we go back to last year, is with ransomware – something that was all over the headlines in 2024.

We had our meeting with our board and presented the usual metrics that they would come to see – the GRCs or KRI measures over the Green, Yellow, Red traffic light measures, with very little substance behind it other than checking it was the required reporting metrics. However, one thing we did in particular was that we went to our cybersecurity operations team and asked, ‘If you look at your tools, how many times can you say, with confidence, that you have detected some sort of event, attributable with reasonable clarity, to ransomware?’ And they of course gave me a number.

We discussed the global view, the domestic view, the financial services view, and we ran some numbers all over it. And we found that, well, there’s this bad guy in the wild who’s presenting this risk to all these organisations. We took this to the board and said, ‘Did you know that X number of events we can say, with confidence, are directly attributable to this particular threat actor?’

For our senior decision makers, that was quite a moment, because all of a sudden it’s gone from a story they read in the headlines, something happening to other people, to something that’s directly relevant to our business.

If you’re able to put things in a relevant context, it sends a message with greater clarity and a stronger message about the importance of maintaining investment in this space and the importance of maintaining a mature skillset in cybersecurity.

Rawat (Tokio Marine): When you’re in security, you have to be good at marketing. If you’re not a marketer, then no matter how hard you work, no one really sees what you’re doing unless an incident happens. And when that happens, you’re questioned about why it did. ◼️


This is an edited extract from the Threat Intelligence panel featured at the Future of Security, Sydney conference.