The cybersecurity gap lies in mindset, not technology - TalkLPnews

The cybersecurity gap lies in mindset, not technology


COMPANY NEWS: As we wrap up Cybersecurity Awareness Month, many organisations are once again taking stock of their defences, investing in new tools, reviewing policies, and running refresher training. These are all positive steps, but they only address part of the problem.

The real gap in cybersecurity is not technology — it’s mindset. Despite rapid advancements in AI-driven detection, automation, and governance tools, breaches and compliance failures keep rising. According to the Office of the Australian Information Commissioner (OAIC), Australia recorded 1,113 data-breach notifications in 2024 — the highest annual total since mandatory reporting began in 2018 and a 25% jump from 2023.

While the focus continues to be on having the right software in place, the real challenge is in creating better alignment across every layer of the organisation, from front-line employees to the boardroom.

Cybersecurity must shift from a technical issue managed by IT to a strategic issue that demands shared accountability, clear communication, and an embedded culture of security.

From compliance to culture

Too often cybersecurity is treated as a compliance checkbox, managed by security or IT teams and periodically reviewed by executives. But compliance does not guarantee protection. A business can check every box on a policy document and still be vulnerable if its employees don’t understand why cybersecurity matters or how their individual actions contribute to overall resilience.

Embedding security into culture means going beyond awareness by helping employees see cybersecurity as part of their job and integrating it into daily workflows, training, and decision-making processes across all departments. When security becomes second nature, the organisation not only reduces risk, but also fosters trust. Employees are more likely to identify and report potential threats, allowing the organisation to respond more quickly and effectively, shifting from a reactive to a proactive cybersecurity practice.

Leadership alignment matters most

Strong alignment between leadership, risk, and technology teams drives cyber resilience more than any security budget ever could. The organisations that manage cyber incidents effectively are those where the board has a clear understanding of its cybersecurity role, executives prioritise open communication, and technical teams are empowered to act quickly.

The rise in regulatory scrutiny, such as ASIC’s increasing focus on cyber governance, underscores the need for shared responsibility and accountability. Boards are now expected to demonstrate not only oversight but also fluency in cybersecurity risk. That means asking better questions, ensuring visibility across systems, and integrating cyber metrics into broader governance frameworks.

When leadership alignment exists, cybersecurity moves beyond IT and becomes an essential part of business, strategy, decision-making and organisational resilience.

Bridging the human-technology divide

Technology will always evolve faster than human behaviour. That’s why the most effective cybersecurity programs strike a balance between investment in tools and investment in people. A company can deploy the most sophisticated threat detection system available, but if employees are still clicking on phishing links or sharing sensitive data over unsecure channels, the defences fall apart.

Bridging that divide requires more than technical training. It requires a multifaceted approach that includes empathy, communication, and culture-building. Leaders must make cybersecurity a common language, not a specialist dialect. By understanding employees’ challenges and perspectives, organisations can develop more effective security practices that are tailored to their needs. Organisations must create an environment where employees feel both responsible and supported, where security is part of everyday conversation, not just an annual awareness campaign.

As we move beyond Cybersecurity Awareness Month, it’s time for organisations to redefine their understanding of maturity. True maturity goes beyond the number of tools deployed or the speed of incident response. It’s measured by how well security principles are embedded, understood, and practiced across the business.

The most secure organisations are those that think of cybersecurity as a shared value that underpins trust, resilience, and long-term success.

Monica Landen is CISO at Diligent.

http://itwire.com/strategy/the-cybersecurity-gap-lies-in-mindset,-not-technology.html