Category: cybersecurity

  • Digital Transformation in DevOps

    Digital Transformation in DevOps

    “Platform Engineering”? Yes mate, not that “Platform Engineering”, this “Platform Engineering”

    Intrigued by the following statement in Desmond Seeley’s “New year, new tech reality” LinkedIn article:

    Three conversations with Sydney-based technology leaders last week all started the same way: “We’ve got AI tools, but they’re not moving the needle.”

    Gareth Davies of research2.au invited Des, C-Suite/Executive Leader, currently an Engineering Delivery Executive at the Commonwealth Bank of Australia #CBA for a discussion on the 2026 challenges faced by his team and enterprise function in a large, extremely complex, highly-regulated and very visible institution.

    In this, the first of three conversations, the “Why?” question is applied. Terms are defined in the general and the specific, the current state of play in #DevSecOps (as the function is known at the #CBA) is understood, and the proposed solution is introduced.

    In the next two conversations, the “What” and “How” will be considered.

    See you next time(s).

    Des on LinkedIn

    With introductory paragraphs by Des Seeley on LinkedIn

  • Modern Life #1 – Finding a Flat

    How information technology has reduced productivity by the empowerment of bureaucratic and regulatory “busy-bodies”.

    Example number 1: 50 years of finding a flat.

    1976

    Process Chain

    1. Walk about, try to find real estate agent through fog of beer.
    2. Visit a few places (in old mini) where undergraduate students (boys) are welcome – not many it must be said.
    3. Sign up. Eye shotgun owned by landlord with suspicion.
    4. Move in with LPs, cassettes, bedding etc. in back of Dad’s (or somebody else’s Dad’s) car as mini too small.
    5. Plug in electric bar heater, fix holes in bathroom window and break ice when needing shave.
    6. Spend rent money on beer and cigarettes.

    Summary

    Time taken – couple of days. Experience – okay what do you expect? Paperwork – what’s that?

    1986

    Process Chain

    1. Arrive at Tullamarine Melbourne, early morning January.
    2. Spend morning at new job.
    3. Go to Turnbull Cook on Toorak Road in South Yarra. Andrew shows us round a couple of whizzy flats.
    4. Sign up. A few details printed on a dot matrix printer from their PC rental software (Peak productivity).
    5. Move in. Duvet (doona) in plastic bag.
    6. Spend rent money on rent.

    Summary

    Time taken – one day. Experience – fabulous. Paperwork – 10 minutes tops, pay with EFTPOS.

    2026

    Process Chain

    1. Spend a week browsing through www.realestate.com.au, trying to get the saved searches right, fiddling with tens of parameters, sorting on various criteria. What fun. Better than smoking just.
    2. Prepare applications – reams of personal information disclosure and uploading identity documents. What for? Busy-bodies.
    3. Prepare program of visits, e-mails, texts, invites, flying all over. Print it out.
    4. Turn up for viewings. Some very bizarre behaviour including taking a picture of a washing machine, the girlfriend in a wardrobe and getting in a panic when a door won’t open. #surftoserf
    5. Sign up, pay up – huge bond and rent in advance.
    6. Receive torrent of e-mails and texts about other properties and other things.
    7. Delete all personal information a.s.a.p.
    8. Move in.

    Summary

    Time taken – four or five days – do young people have to do this? Experience – bewildering. Paperwork? Piles of it.

    How did we get here?

  • Cyber Defence Number 3. A Business Approach

    Cyber Defence Number 3. A Business Approach

    Given that an organisation may wish to make an informed decision about their cyberdefence concerns, the following approach can deliver a coherent evaluation.

    In the APRA practice guide, CPG 235, a “fractal” primitive of data processing is defined. This logical data-life cycle “primitive” suggests the following cybersecurity concepts:

    • Perimeter protection – a component of data-capture
    • Zero-trust – data processing, retention and publishing
    • Data-centric security – data processing, retention and disposal, given that publication implies outputs passing beyond the domain into the data-capture of a related data process.

    Figure 1. CPG 235 Data Processing “Fractal” Primitive

    Figure 2. CPG 235 Data Processing “Fractal” primitive, decomposed to the next level of resolution.

    A simple business plan can be created for each “primitive”, described by cybernetic analysis estimating the cost of risk mitigation and the contingent provision required in the event of a catastrophic event. Some of the details required for this exercise may already be present as they are an output from other work e.g. privacy impact assessments.

    Figure 3. Illustrative “business plan” with expenditure and provisions. Variables including time-scales, line-item detail can be adjusted as required by circumstances.

    Expenditure in tooling and expertise etc. can then be allocated to the protection of these assets, the data processed and the supporting infrastructure, ranked by the cost of remediation of a catastrophic event.

    Such sophistication, or elements of it, already exists in many entities, for example financial institutions, but it can be replicated or adapted to be of use in more modest circumstances. The analysis can be as high or as low in resolution as required.

    Through a focus on monetary values, matched to the charts of account or financial plans, the argument for cyberdefence investment can be made more easily to managerial colleagues from non-IT disciplines.

    To complete the exercise, a test against contemporary jurisdictional regulation can be conducted through examination of the scheme of expenditure. Given that incidents will always occur, the question can be asked: “Is this a reasonable response that would be deemed a prudent act of stewardship when viewed by internal and external parties?”

    In conclusion

    The outlined approach, where the questions “Why” and “What” are separated from the “How”, enables an informed consideration and thus a decision-making framework for the deployment of cyberdefence. Communication between management disciplines is facilitated, and measurable financial outcomes can be identified and subsequently evaluated for future refinement of the domain, e.g. technology upgrade, process automation.

    Further reading:

    Australian Signals Directorate Cyber Security Report 2024-2025

    ABS GDP Statistics September Quarter 2025

    ABS National Accounts 2024-2025 Key tables

    CPG 235 Prudential Practice Guide, Managing Data Risk

  • Cyber Defence. How Much?

    Cyber Defence – Protecting the productive assets of the organisation. The Why, What and How.

    iTWire “Reads”        Cyber Security    Cyber and “AI”    All
    Totalled “Reads”      8,618             12,923            21,124
    Percentage “Reads”    40.80%            61.18%            100.00%

    Figure 1 well illustrates that which exercises the readership of iTWire in the most recent week considered. Cybersecurity and “AI” are aggregated because, in the articles published, there is nearly always a reference to the “cybersecurity” construct in “AI” articles. Articles on “AI” that explicitly make no such reference have been excluded.

    Why is cybersecurity (for this purpose, consider cybersecurity as the means to achieve cyber defence, the business function – the protection of company assets) worthy of such attention? Perhaps it is not, depending on your point of view: “Former Optus CEO lands top role at Australian Unity”.

    Managing Cyberdefence

    What is the appropriate response of an organisation to the risk of cyberattack? Simplistically categorised, possible approaches are as follows:

    1. Ignore or rationalise and tidy up the mess if the worst comes to the worst
    2. Do as little as possible given the regulatory framework in the jurisdictions of concern
    3. Proactively embed defences within the organisation at points of vulnerability with reference to the balance sheet of technological assets within the purview of the organisation.

    The judgement to be made is whether the cost of the “mitigation” of the risk (e.g. insurance, engineering) outweighs or not the cost of the clean-up (e.g. a provision for contingent expenditure on the balance sheet). Imperatives within the public sector and institutions may be differently expressed but, let us say, are of the same general form.

    Number 1 is a good one

    Alan Greenspan was of the belief that this was an appropriate response to “irrational exuberance” in the course of the dot.com bubble. Did this end well, ditto the GFC? (“The Subprime Solution”, Professor Robert Shiller ISBN 978-0-691-15632-3).

    Sometimes, the cost of mitigation will be so high within the strict if not reasonably interpreted parameters of the legislation e.g. EU:GDPR, that Number 2 will be out of reach even with a well-orchestrated Number 3 approach.

    Number 2 will do

    Consider the “Enforceable Undertaking” imposed by the OAIC against the Commonwealth Bank of Australia, a singular institution within the nation. It can be argued that compliance with the APA 1988 requires, as a pre-requisite, secure data handling. It is unclear whether the CBA was negligent or ignorant of the consequences of this assertion viewed against the position of the regulator. Was it cheaper to fix up the mess, or to take a priori, as is clear in the language of the regulator, reasonable steps to protect the interests of the individual as manifested in their personal information?

    Number 3 the place for me

    Nothing can be taken for granted, let alone a presumption of 100% protection against cyberattack given the continuously evolving eco-system of actors within the domain.

    How to spend the money? Even with the most diligent attention, existential threats are likely to emerge from the set of low-frequency, high impact events that are often (Nicholas Taleb’s “The Black Swan”) unconsidered or discounted.

    Emerging constructs, such as “zero-trust”, “data-centric protection” and “AI” informed protections may offer the Chief Information Security Officer (“CISO”) an expanded portfolio of focused, granular and thus more efficient means of defence than previously available.

    What do the Signals say?

    Australian GDP for the year 2024 to 2025 is approximately AUD2.7 trillion per annum.

    The Australian Signals Directorate (“ASD”) produces an annual commentary report on its activities; from this report 2024-2025:

    “The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) responded to over 1,200 cybersecurity incidents – an 11% increase from last year. In FY2024–25, ASD’s ACSC received over 84,700 cybercrime reports – an average of one report every 6 minutes. For businesses, the average self-reported cost of cybercrime per report was up 50% overall ($80,850).”

    A calculation from these reports suggests that the cost of cybercrime during the year was 84,700 × AUD80,850 ≈ AUD6.8 billion, so say circa 0.26 percent of GDP.

    AUD6.8 billion is quite a lot of money but not a particularly significant percentage of GDP. It may not be sufficient to cause a noticeable reduction in productivity growth. Paradoxically, the attention required for the protection of data assets may deliver value, tangible or unseen within the profile of information technology and other business costs.

    Cyber Defence Budgets in Australia – What is known?

    An estimate for the investment in cybersecurity in the Australian economy is AUD5 billion per annum, sourced from AustCyber. It has been asserted, without a statement of evidence, that this amount needs to increase to AUD10 billion:

    “Australian business needs to find AUD10 billion per annum to meet Cyberattacks”.

    The key question raised appears to be whether the known or unknown unknowns of “AI” technology adoption will drive increased cyberdefence expenditure in entities outside those focused on the development and deployment of information technology itself.

    The total cost to the Australian economy of cyberdefence is therefore, at best an estimate, around AUD10 billion (not including the suggested increase referenced above) – the cost of crime remediation plus investment. This is circa 0.45 percent of Australian GDP in 2025. A rough-cut estimate is that cybersecurity constitutes 4-5 percent of Australian I.T. spending. This proportion might change given the current wave of data centre infrastructure spending, or it might not.

    There are a number of questions left unanswered by the ASD report that might assist determining the most effective future path of “I and E” on cyber defences:

    1. What is the existing “I and E” in cyberdefences in the economy by sector? How effective is this cost in the prevention of remedial expense in these sectors?
    2. What improvement – reduction in the cost of reported cybercrime – could be expected from increased “I and E” in cyberdefences? What is the relationship between these two variables? How best to deploy further investment? i.e., idiomatically, any low-hanging fruit, best bang for the buck.
    3. How can “I and E” be streamlined to meet current threats outside a provision for significant increases in the destructive efficiency of cyberattacks? How are these two concerns inter-woven?
    4. Who is doing Number 1, Number 2 and Number 3? In which sectors of the economy? In which sectors of the economy is cyberdefence a significant productivity friction?

    In Conclusion

    Cybersecurity appears to be a focus of strong interest in the iTWire community. It is possible to estimate the current overall “I and E” of cybersecurity and the cost of cyberattacks in the Australian economy with reasonable confidence, but more analysis is required to determine the efficacy of current expenditure and the most effective ways in which money can be spent in the future in the performance of cyberdefence.

    The picture is complicated by the arrival of emerging technology categories of cybersecurity tools and “AI” technology in both sides of the conflict.

    In our next article, an approach is considered that can deliver an understanding of the efficacy of cyberdefence “I and E”, assist in the discussion of the domain across non-IT management disciplines and enable the informed deployment of new technology and methods in the protection of productive organisational assets.

    Further reading:

    Australian Signals Directorate Cyber Security Report 2024-2025

    ABS GDP Statistics September Quarter 2025

    ABS National Accounts 2024-2025 Key tables

    CPG 235 Prudential Practice Guide, Managing Data Risk

  • Dr. Doom or Bleak House

    Industrialised Cybercrime? Boondoggle or wallet breaker?

    Cybersecurity company Trend Micro has released its annual Security Predictions Report for 2026, “warning that the coming year will mark the true industrialisation of cybercrime”.

  • From iTWire: Zero-Day-Zero

    From iTWire – Zero Day Zero

    GUEST OPINION: The recent GTG-1002 campaign is not just another breach – it is a watershed moment in offensive cyber operations. For decades, cybersecurity was a game of time, where human attackers needed days or weeks to weaponise code, giving breathing room to patch. Now the exploit window has collapsed to zero.