The recent cyberattack on Qantas is not just a headline – it reflects a truth many organisations are reluctant to face: We are not as in control as we think we are. Despite decades of investment in cybersecurity, a single phone call to a third-party helpdesk was enough to compromise a national airline.
This incident underscores a pressing need for boards and executive teams to revisit foundational questions: Do we truly understand our digital exposure? Are we managing cyber risk as a business risk, or as a technical silo? And crucially, are we prepared for what comes next?
Key lessons from this incident:
- Third-party risk is first-party risk. The breach originated not within Qantas’s core systems, but through a vendor. Supply chain security must be treated as integral, not peripheral.
- Cybersecurity is a human issue. The attack succeeded through deception, not code. This highlights the need for continuous education, not just technical defences.
Questions for Management: A Reflective Framework
Too often, boards ask: Is the organisation secure? The better question is: Does the organisation understand where it’s exposed, and is it honest about it?
Let’s reframe the conversation. Here are key questions that matter now:
- Asset awareness: Do we know where our critical data reside? Not just in our systems, but in the hands of vendors, contractors, and forgotten cloud instances.
- Risk relevance: Are we tracking the risks that are relevant to us, or just the ones that are easy to measure? How do we ensure our risk register reflects emerging threats?
- Risk appetite: Is our cyber risk appetite statement a living guide, or a compliance artefact?
- Financial framing: Can we express cyber risk in financial terms (not just in firewalls)? What would a breach cost us – not just in fines, but in trust, operations, and recovery?
- Control weaknesses: Where are we most vulnerable, and what are we doing to reduce those weaknesses systematically – beyond PowerPoint?
- Effectiveness metrics: Do we have metrics that tell us what’s really happening – not just what we hope is happening? Can we provide both leading (e.g. phishing simulation failure rates) and lagging (e.g. incident response times) indicators of control effectiveness?
- Third-party oversight: How are we managing the risk we’ve outsourced? And are we sure we haven’t outsourced responsibility along with it? Are we relying on paper-based assurances, or evidence-based audits?
- Insurance adequacy: Is our cyber insurance coverage fit for purpose in today’s landscape?
These are not tick-box questions. They require honest, sometimes uncomfortable, reflection.
AI in Cybersecurity: Opportunity and Risk
AI is increasingly embedded in security programs, offering real benefits:
- AI can analyse vast datasets to detect anomalies faster than human analysts.
- Machine learning models can anticipate attack patterns based on historical data.
- AI can flag unusual user behaviour, helping detect insider threats or compromised accounts.
- AI can triage alerts and even initiate containment actions, reducing response times.
However, AI also introduces new risks:
- AI systems themselves can be targeted, manipulated, or used to generate more convincing phishing attacks.
- Over-reliance on AI can mask underlying weaknesses in governance, process, and culture.
- AI models can be black boxes, making it harder to explain or audit decisions, especially in regulated environments.
The danger isn’t AI itself – it’s the mindset that comes with it: the belief that we can automate our way out of structural weaknesses, that we can plug in a tool and call it transformation. AI is not a bandage for broken governance. It’s not a substitute for culture. And it’s certainly not a reason to stop asking hard questions.
AI should be seen as a force multiplier. It can enhance, but not replace, foundational security hygiene: asset management, access control, incident response, and a culture of security.
From Crisis to Capability: What Now?
Cyber resilience is not a destination, but a discipline. It requires:
- Leadership engagement: Cybersecurity must be owned at the top. Boards should demand clarity, not comfort.
- Scenario planning: Assume breach. Test your response. Simulate the worst day, not the best case.
- Transparency and trust: Communicate openly with customers and regulators. Trust is easier to lose than to regain.
- Continuous learning: Treat every incident – yours or others’ – as a learning opportunity. What would we do differently?
Organisations that manage cyber risk well tend to do a few things differently:
- They treat cyber as a business risk, not an IT problem.
- They invest in understanding, not just in tools.
- They measure what matters, even when it’s uncomfortable.
- They simulate failure, not just success.
- They talk about risk in the language of the business.
- They build resilience, not just defences.
This isn’t easy. It requires humility, curiosity, and a willingness to challenge the status quo.
But it’s the only way forward.
Cybersecurity is not just an ICT issue. It is a business risk, a leadership challenge, and a societal concern, one that requires constant reflection, relentless questioning, and the courage to act on what we find.
It is also a call to action – to lead with clarity, to invest in resilience, and to treat cybersecurity not as a cost, but as a core enabler of trust in the digital age.