This article is included in the 2025 edition of Cyber Australia, AISA's annual cyber security magazine written for the industry, by the industry. Cyber Australia is released at AISA's Australian Cyber Conference in Melbourne each year.
Recent events and reports continue to highlight a sobering reality: Strong cyber security isn’t just about technology — it’s about leadership, culture, and people.
In late July 2025, the Australian Prudential Regulation Authority (APRA) issued a formal reminder to superannuation fund board chairs, reinforcing their obligations under Prudential Standard CPS 234. The reminder was a direct result of credential-stuffing incidents affecting several funds earlier in the year.
APRA’s guidance instructed entities to review their current security controls and, where robust authentication such as multi-factor authentication (MFA) is missing or inadequate, to notify APRA of any material control weaknesses within a determined timeframe and take corrective action.
This directive is more than a regulatory checkbox. It signals a shift: Boards and executives are increasingly expected to play an active role in maintaining cyber security resilience. The days of leaving security solely to the IT department are over. Without executive leadership driving security governance, internal uplift efforts risk becoming directionless or ineffective.
This theme of inadequate governance is echoed in the NSW Auditor-General’s Cyber Security Insights 2025 report. Despite having cyber security policies in place, many NSW Government agencies remain exposed.
The report found that 69% of ‘Protect’ controls under the NSW Cyber Security Policy weren’t fully implemented, and 152 high or extreme risks remained unresolved. Alarmingly, 59% of agencies lacked independent assurance over their cyber self-assessments.
The private sector isn’t immune either. Many organisations fall into the same traps — relying on policies and frameworks without embedding cyber security into the fabric of business operations, failing to assign clear accountability, and neglecting to treat cyber risk as an enterprise-level concern.
The common denominator? A lack of governance, assurance, and investment in people.
Security readiness is not built solely through tools and frameworks. It is sustained through a well-informed, accountable leadership team, a strong governance model, and a culture of cyber awareness across all levels of the organisation.
Independent assurance is critical — not only to validate current controls but to provide stakeholders such as our leadership, executives and boards with the confidence that their strategies are being executed.
Ultimately, for organisations to maintain security readiness in an environment of increasing threats and regulatory scrutiny, we must focus on building resilient organisations from the top down. This means investing in our people — from directors to delivery teams — to ensure they have the capability, authority, and awareness to manage cyber risk effectively.
Cyber resilience isn’t a destination. It’s an ongoing journey, and leadership must lead the way.
Make progress with skills and knowledge gained through cyber security training with Lumify Work. These include the half-day Cyber for Leadership, Executives and Boards workshop. Access our cyber security brochure for a map of courses and certifications.