Beyond Cleanup: Why Executive Cyber Literacy Is Australia’s Missing Link
Posted: Monday, Jul 14
Dinesh is a technologist, entrepreneur, and business leader with 20+ years of global expertise in Cyber-GRC, AI, and ITSM. Pursuing a PhD, he holds Master's degrees in IT and Cybersecurity. Passionate about policy development and reforms, he integrates technology with business and bridges academia with industry. As a Specialist at Würth Australia, he strengthens cybersecurity and strategic partnerships. A lecturer, blogger, and startup mentor, he advocates for democratizing technology and AI. He is a sought-after speaker who blends technical expertise with business strategy to drive innovation.


Introduction

“The adversary doesn’t need a new attack vector, just an old weakness you never fixed.”

Over the past 12 months, Australia has experienced a surge of high-profile cyberattacks impacting industries such as aviation, superannuation, and higher education. While each incident is individually significant, together they reveal a deeper issue: a systemic failure in executive cyber governance.

The breach narratives may vary, but the patterns are consistent: symbolic leadership gestures, reactive containment, unclear third-party roles, and poorly coordinated communication strategies. What we’re seeing is not just an increase in cybercrime, but a lack of preparedness in the boardroom. For all the technical analysis and post-breach assessments, what’s being overlooked is this: these are not just system failures; they are leadership failures. The rhetoric is polished, but the thinking is reactive. The controls are absent, and the narrative reveals more about executive misunderstanding than attacker sophistication.

Strategy by Optics, Not Design

Across the board, symbolic gestures have replaced meaningful strategy. From executives shortening holidays to hurried reviews of internal data storage policies, the response playbook appears designed for press conferences rather than for prevention. Leaders talk about “learning from past breaches” or “reviewing data handling practices,” but seldom is there evidence of genuine operational changes in preparedness.

Instead of implementing systemic reform, we see post-incident announcements with vague intentions, suggesting internal data hosting as if that were a silver bullet, or claiming that “we took it seriously” without showing what serious action looked like before the breach. This is strategy by optics, not by design.

Misplaced Focus, Misunderstood Risk

A recurring theme in these responses is a basic misunderstanding of how cybersecurity works. Executives often confuse data minimization or internal storage with breach prevention. However, cyber resilience doesn’t depend on where the data is stored; it relies on how it’s protected, accessed, segmented, and monitored.

Purging inactive records is basic hygiene, not a strategy. Moving data “in-house” without a solid security framework is just shifting risk, not lowering it. Focusing on superficial fixes reveals a lack of understanding of layered defence principles, identity governance, and attack surface management.

Silence Where There Should Be Clarity

Perhaps the most concerning pattern is the lack of transparency when third-party failures occur. Vendors are often the weakest link, yet many organizations choose to hide rather than reveal the breach pathway, citing investigations or legal risks.

This silence undermines public trust and overlooks a vital chance to push the ecosystem toward higher standards. Without transparent accountability across supply chains, risk stays spread out and unmanaged. Naming third parties isn’t about blame; it’s about fostering ecosystem responsibility.

Crisis Response, Minus the Discipline

In every recent incident, the crisis response maturity has been inconsistent at best. Communications have often been delayed or vague, leaving customers in the dark for days. Updates tend to lack clarity. Most importantly, there is little sign of executive-level simulation, rehearsal, or scenario planning.

A modern breach response requires more than just technical triage; it calls for coordinated efforts among security, legal, communications, and executive teams. Without established crisis protocols, leadership responses are often reactive and can worsen the damage.

The Four Failure Signals

These incidents reveal four common leadership blind spots:

  1. Optics over action – Symbolic moves don’t replace system hardening.
  2. Tactical hygiene over strategic reform – Deleting data isn’t a defence model.
  3. Opaque vendor accountability – Silence only empowers fragility.
  4. Underprepared executive teams – Without simulation, there is no real resilience.

What Needs to Change Now

It’s time to shift from reaction to governance.

To meet today’s cyber challenges, organisations must elevate cybersecurity to a board-level concern, ensuring regular updates on risk posture and threat intelligence. Leadership should go beyond contractual compliance and actively demand third-party resilience. Executive teams need to participate in realistic simulations that replicate the tactics of real-world adversaries, rather than relying solely on theoretical drills. Above all, adopting a stance of radical transparency is vital: owning failures, recognizing weaknesses, and communicating openly and early.

Cyber Isn’t a Department, It’s a Leadership Competency

These are not isolated failings. They’re a reflection of an outdated leadership model struggling to keep pace with modern digital threats. Until boards and C-suites treat cybersecurity not as a delegated IT issue, but as a core leadership domain, breaches will continue to outpace boardroom preparedness. The next breach will not be a surprise. But how leaders respond and whether they evolve will determine whether it’s just another incident or an irreversible turning point.
