Why we need to redefine cybersecurity success to support CISOs
Every six months, the OAIC releases its Notifiable Data Breaches statistics, which have long been relied upon as a means of gauging the current state of cybersecurity across Australian industries. An increase in notifiable breaches is met with concern and criticism, while a decrease is read as a sign of progress.
My two cents? The cybersecurity landscape has changed beyond recognition in the past five to 10 years and continues to change, and yet these measurements remain largely the same. Transparency is important and valuable, yes, but this only goes so far.
In today’s post-breach world, cyber attacks are inevitable and very much a part of doing business. So instead of focusing on the number of breaches, we need to be looking at the nature of breaches, and how these were managed.
It would not be prudent or realistic to expect organisations to disclose how they manage every single breach — as this may make them a greater target for hackers, expose them to more attacks, and impact their reputation. But we can change the way we as an industry determine cyber success, and focus on implementing internal changes within businesses to this same end. Below are three things to consider.
1. Create a mindset shift from the top down
Every year, cybersecurity risks are listed among the top things worrying the C-Suite. KPMG’s ‘Keeping us up at night’ 2025 report showed that addressing cyber risks (42%) was seen as the second biggest challenge for Australia’s business leaders.
But in my view, many business leaders’ anxiety is focused on the wrong thing — the breach itself. Relying solely on the OAIC Notifiable Data Breaches as an industry measurement, which focuses on breach volumes, only serves to further entrench that fear.
It is almost a certainty that your organisation will be targeted by, and likely compromised by, an adversary. When senior leaders accept this reality, it creates a culture of resilience rather than one of fear. This means companies are prepared when the inevitable happens, because they are focused on breach containment rather than on prevention alone. If we as an industry can work to educate senior executives on the true measure of cyber resilience, we will all be able to sleep better at night.
2. Turn the pressure down on CISOs
The fear of breaches, and of breach volumes, gets pushed down the organisation and places unnecessary strain on CISOs. It also raises ethical dilemmas when pressure is applied to downplay an incident or not share it. While there is increasing strategic involvement and expected accountability at the board level, the focus often remains with the CISO. The reality is that they simply cannot prevent all breaches; it is too much to expect of mere mortals. The hybrid attack surface is too big, and the velocity and ferocity of attacks are too great.
Combine this unrealistic expectation with post-breach job losses in Australia, and you have highly stressed security teams that are headed for burnout. Not only this, but they become focused on prevention-only strategies, which may protect them from personal liability but are not in the best interest of achieving true cyber resilience for their organisation.
At our 2025 Illumio World Tour event in Sydney, cybersecurity leaders from some of Australia’s most well-known businesses agreed that breaches themselves should not be seen as failures, and that treating them as failures could be a contributing factor to CISOs having such short tenures. These leaders agreed that we need to focus more on resilience, and less on breach volume, to turn down the heat on our critical and highly valued security workers.
3. Look at real measures of resilience
The OAIC figures are helpful in that they now show the number of individuals affected by breaches and the challenges in identifying a breach. They often provide leverage for funding and investment in cybersecurity programs, as well as valuable peer learnings and collective defence. However, it is also important to look at how successful organisations were at stopping breaches before they became disastrous.
Public reporting on these things may not be possible, or even advisable, but you can certainly set up internal measurements and KPIs to dig deeper. The board should be asking questions like: Were the attackers able to move laterally across our IT estate? If so, was our most sensitive data protected? Did we need to cease operations during the breach, or were critical services still available for our customers? How quickly did we detect the intrusion, and were we successful in containing the attack to minimise the impact?
Looking into these factors, instead of the number of breaches, will help you get a more accurate picture of your organisation’s ability to withstand inevitable attacks. So, are the OAIC Notifiable Data Breaches numbers useful to gain transparency, learn from and use to reinforce cybersecurity investment? Yes. But it is important that organisations do not rely on these measurements alone, and instead work to shift the mindset and measurement of cybersecurity success. This will not only better support our essential cybersecurity workers, but make the whole industry more resilient.