Closing the visibility gap in board-level cyber risk
Operational performance dominates boardroom discussions, as many organisations that have spent years on digital transformation now question whether their technology investments delivered the efficiency, resilience, and visibility directors expected. For most, the answer is unclear.
Boards are operating in an environment where risk and technology change faster than governance. Slow innovation, legacy systems, and unclear ownership of cyber risk make it difficult to confirm whether controls are working as intended. These weaknesses leave blind spots across data, cloud, and third-party environments that attackers continue to exploit. What boards need is clear visibility of their assets, systems, and responsibilities to maintain effective oversight.
Artificial intelligence (AI) introduces new variables to board-level risk. Many companies have invested heavily, yet few have achieved measurable gains in efficiency or resilience. Employees experimenting with AI tools independently often report better results than formal programs. This divide between structured adoption and individual use creates inconsistency and exposes organisations to new risks such as shadow AI and data leakage.
Shadow AI mirrors the earlier issue of shadow IT, where employees used unapproved applications that exposed businesses to data and compliance risks. Unclear policies can lead to sensitive information entering unverified systems, increasing privacy and regulatory exposure. Boards must prioritise frameworks that manage how AI is integrated and used across the organisation.
Boards need to establish AI strategies that improve performance while maintaining control. Governance and guardrails must be in place before AI becomes part of daily operations. That means understanding where data goes, how it is stored, and whether the tools being used can be trusted.
There are three key elements for boards to consider:
1. Slow technology adoption. Boards must address long-standing issues of technology debt and slow adoption across Australia. Many organisations struggle to realise productivity gains because their systems are outdated. Replacing legacy infrastructure and introducing automation require significant time and investment, while short-term performance pressures make it difficult to balance modernisation with stability.
2. Workforce shifts. Shifts in the workforce present further challenges as experienced leaders retire and younger professionals enter the market. New entrants bring stronger awareness of AI tools, while established leaders hold critical institutional knowledge. Boards need to manage this transition by maintaining governance and security standards while adapting to new ways of working.
3. Automated threat actors. Threat actors are automating attacks to move faster and target more systems, expanding exposure even as their methods stay largely unchanged. Phishing and social engineering have become more convincing, using AI tools such as WormGPT and FraudGPT to generate targeted content. The fundamentals (patching systems, segmenting networks, managing identities, and maintaining visibility) remain the strongest defences.
Beyond internal challenges, geopolitical instability, supply chain exposure, and competition also shape risk. External pressures are outside a board's control, while governance, technology debt, vendor risk, and competitiveness remain within it. Boards that align with established frameworks and assess exposure regularly respond faster and recover stronger during disruption.
Good governance is about execution. Frameworks such as the Australian Signals Directorate's (ASD) Essential Eight and the National Institute of Standards and Technology (NIST) Cybersecurity Framework already provide structure; however, boards must ensure these controls work in practice through testing, visibility, and accountability.
Regular simulations and scenario testing reveal where decision-making falters and where delays occur. These exercises expose weaknesses in escalation paths and clarify ownership. Governance plans that remain untested for years are assumptions, not safeguards.
Cybersecurity governance is now inseparable from operational performance. It defines how quickly the business can respond to an incident, restore systems, and protect customer data. Cybersecurity deserves the same scrutiny as legal, financial, and operational risk because it affects all three. Measuring performance through clear metrics, such as detection speed, recovery time, and policy compliance, gives boards a realistic view of resilience.
Boards that treat governance as a living, tested process are better equipped to manage risk and lead with confidence. Boards that understand where their data is, how their controls perform, and how people respond under pressure can manage risk proactively rather than react to it.