The Voice of Cyber®

KBKAST
Episode 342 Deep Dive: Daniel Churches | The Impact of Personal Liability in Cybersecurity and Security Professionals
First Aired: November 11, 2025

In this episode, we sit down with Daniel Churches, Director in Sydney at ColorTokens, as he explores the sweeping impact of new Australian legislation imposing personal liability on company directors for cybersecurity breaches. Daniel breaks down the shifting landscape for CISOs and senior security leaders, the end of self-regulation, and how shared risk at the board and executive levels is altering market behaviour. He discusses the challenges around resource constraints in security teams, the crucial role of business continuity planning, and the importance of articulating measurable value to organisational leadership. We also examine how the legislation is driving changes in funding priorities, motivating cross-functional engagement, and preparing organisations to better withstand breaches in an evolving threat environment. Daniel shares his optimism about the future, emphasising both the increased pressure and potential for positive, industry-wide change.

Dan is an Australian and Asia Pacific Sales Leader with over 25 years’ IT experience in Hardware and Software Solutions and Services, Business Development, GTM planning and implementation, Large Complex Negotiations and Executive Relationships. He has worked for IBM, NTT Global and Verizon Enterprise Solutions driving business and building teams in Hardware, Software, Professional Services, Managed Services, Hybrid Cloud, PaaS, SaaS, Data Analytics, Security and Digital Transformation solution sales.

As a Sales Director with ColorTokens, Dan is driving market penetration, brand development, partner engagement, and client services and support. He is responsible for industry and buyer alignment with, and understanding of, the ColorTokens “Breach Ready” messaging, which focuses on halting the spread of ransomware and malware attacks across IT/OT, IoT and legacy environments, giving customers a viable cyber resilience ‘uptime’ compliance capability they can report to market.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Daniel Churches [00:00:00]:
It’s no longer a solo act. As a CISO or someone in a senior security role, you need to turn around and understand, with this new legislation, how you can move the chess pieces differently, and that shared risk I was just talking about, into the right roles and the right people.

Karissa Breen [00:00:29]:
Joining me now is Daniel Churches, Director in Sydney at ColorTokens. And today we’re discussing the impact that personal liability has on the industry, but on security individuals too. So, Dan, thanks for joining me again and welcome.

Daniel Churches [00:00:49]:
Thank you, Karissa. It’s always a pleasure spending time with you. I appreciate the time. Thanks so much.

Karissa Breen [00:00:53]:
Okay, so there’s a lot sort of going on in my mind at the moment and I’m keen to get into this with you. Obviously you’ve got strong opinions on this. You’re looking at things from various angles, talking to people out there in the market across Australia. So maybe let’s start with this: shutting your business down to investigate what is going on is now no longer an option in Australia.

Daniel Churches [00:01:15]:
Yeah.

Karissa Breen [00:01:15]:
So let me extend a little bit more. Recently, it’s known that the federal legislation has been passed requiring companies to report cyber attacks, ransomware payments, which in turn holds company directors personally liable for their organization’s capability to withstand a breach and maintain minimum organizational viability. Now, obviously that was a lot, but I wanted to get it out because that’s what we’re going to be talking about, looking at different angles, prodding and poking it. So talk me through it.

Daniel Churches [00:01:46]:
Yeah, there’s a couple of golden nuggets in there to unpack, aren’t there? You know, if you think about it, the federal government doesn’t really like to push in too much in enterprise and industry. Obviously they do have regulation and standards and such, but the first place they seem to go is self-regulation and hope that the industry self-corrects. Right. And so it’s no different around cybersecurity. But the onslaught of attacks has forced the government’s hand. Enterprise and government agencies have done their best to try to keep up with the inbound attacks and the various, the changing nature of attacks. But it’s proving that self-regulating hasn’t worked, because businesses invest only up to their obligations, only up to the standard, only up to the guidelines the government sets. And sometimes you have to stretch beyond those standards because the market moves so quickly.

Daniel Churches [00:02:39]:
The threat vectors are changing so quickly that just adhering to standards as an obligation to legislation won’t really do your business the justice you should be doing, particularly if you’re a director and you’re responsible. And so the government had to take a position and pass legislation that stipulated that if you are the director of an organization, the responsibility is yours. In the past, if there was a breach or some sort of security event, you could point to your cybersecurity team and say it was those guys over there, the CISO or whomever. And Joe Longo at ASIC, or somebody on his team, called this cyberwashing, where the directors could wash their hands of any responsibility, saying that they had stipulated or implemented what they were obliged to do and that it didn’t work, it wasn’t necessarily their fault. And now that’s all changed. Government says, actually, you know, you’re the director of the organization, the responsibility lies with you around the resiliency of your organization, the ability to withstand a breach and to recover from a breach. And so now, with this new legislation, it forces the hand of leaders and directors. They really do have to get on top of maintaining organizational viability. They have to be able to report to market that they’ve withstood a breach or have the capacity to maintain viability and recover from a breach, and it’s no longer a position they can take,

Daniel Churches [00:04:02]:
but just pointing to the security team and saying, well, we tried to implement these things. They have to really articulate the steps they’ve taken in regards to business continuity planning and organizational viability. And if they don’t, they can now be held personally liable. So, you know, you can’t hide behind corporate liability insurance. You now will be held personally liable. You can lose your job. And we’ve seen that here in Australia. You can be held personally liable for fees, and the dollars can be substantial. And they can also bar you from holding a leadership position, board level positions, director level positions. So your career can really take a huge, huge hit.

Daniel Churches [00:04:44]:
Now, when legislation is passed along these lines, it changes behavior in the marketplace. And so in my position, if I’m positioning a solution to help an organization take on perhaps a new tool, a new software tool, to help bolster up their cybersecurity capabilities, the people that I speak with, they’re looking at all sorts of tools, they’re looking at all sorts of solutions that are going to help protect an organization. And I’m just another one of those guys. So what I see happening now is that the CISOs and the security people I speak with now have a different pathway to taking on a new vendor, new projects, because the leadership within an organization is now taking a different focus, allocating different project funding. Maybe it’s not coming from the security budget, but it could be coming from the chief risk officer’s budget, around business continuity planning. So everything has shifted on the corporate side around how solution tools, new options in the marketplace around cybersecurity and cyber resiliency, are being brought into a corporate fold and laid into a corporate cybersecurity strategy. And that’s the change that has occurred because of this new legislation.

Daniel Churches [00:06:00]:
It’s changing behavior and people are making new decisions because of all the fees and penalties and liabilities and reporting and obligations that they have. And I haven’t even mentioned cyber insurance companies, which are also putting the same amount of pressure on leadership for their organizations to better withstand a breach attempt. And we’ve only been talking about government, but if organizations adhere to this new legislation, they’re going to also be able to tick a lot of boxes that their cyber insurance companies expect them to tick around cyber resiliency strategies. So there’s a lot of upside to this, a lot of pluses that are now in the marketplace and driving investment and driving behavior.

Karissa Breen [00:06:38]:
Okay, so there’s a lot going on now. I have a lot of questions. I want to zoom out and then start at the top, work our way down. So what do you think about this overall? Do you think it’s a good thing for the industry? Do you think it’s a bad thing? Are you indifferent, or are you not sure? And talk me through each of those positions.

Daniel Churches [00:06:58]:
Well, on the whole, of course it’s a good thing, no doubt about it. And I suppose if we stay zoomed out like you’re saying, on the whole it means that government is setting the bar, being more clear in what their expectations are. It’s that typical scenario at a federal level: they say what they expect you to do, but they don’t necessarily say how. Government doesn’t like to dictate terms. So at that high level, government says what you are now expected to hold to is this high bar around cyber resiliency. How you get there, they might point to NIST and they might point to the Essential Eight and they might point to other aspects of the cybersecurity stack, and micro-segmentation is in there, but they don’t stipulate specifically how; they leave that to you. But nonetheless, this is a good thing. On the ground, in real terms, when I’m speaking to CISOs and speaking to senior cybersecurity leads, they see it also, that they now have a little bit more access to funding, because it’s put a change in the mix of where budgetary spend is coming from. But it hasn’t changed demonstrably on the ground, because these cybersecurity teams, these IT operations teams, they’re still very, very stretched.

Daniel Churches [00:08:10]:
Those guys don’t have enough resources. There’s not enough skills in the marketplace today to fill all the empty chairs so that these businesses can really address their requirements, whether it’s cyber or not. So these men and women are still under a lot of pressure to meet the demands of the organization with the limited resources they have. So it comes down to that partner relationship that they have with the systems integrators and this whole model about the way they can address the corporate requirements in real terms. That hasn’t changed a whole lot on the ground. It still comes down to a guy like me and the team that we have here at ColorTokens to be able to position a solution like this and demonstrate the value, understand the urgency on the client side, and how we can address their concerns around headcount and resources and ongoing support, and in partnership with our GSIs or in partnership with our local partners, how we can support and service the deployment and manage risk. All of those moving parts to that on-the-ground, direct, face-to-face engagement haven’t changed a whole lot. And that’s just the nature of the beast of a sales engagement. But what has changed is now there’s new impetus, there’s probably access to more funding, because of the pressure from director level on down forcing change within an organization.

Daniel Churches [00:09:26]:
So it’s a good thing, but the journey is still out there: you still have to step in, you still have to define value, you still have to be able to articulate how you can measure that value back to the organization. How they can measure it in terms of cost takeout, reduced losses from downtime when they’re withstanding a breach attempt, how they can measure that with their cyber insurance premiums, how they can report to market and maintain their brand recognition for the capacity to withstand a breach and protect client data. All of that will come out in the wash. But yeah, it’s good in the big game, big picture, but it’s still hard yakka, hands and feet in the trenches, putting a story forward and getting project allocation funding and implementing a tool like this.

Karissa Breen [00:10:14]:
So my mind goes to, and I’ve used this analogy before for someone else I recently interviewed, when you’re working in cyber, typically you’re the type of caliber of person who really loves the space. So if I look to a firefighter, you know, when you become a firefighter and you’re a kid and you’re like, I want to protect people from fires and all this other stuff so they don’t burn and die and lose their family, and it’s really sad. People don’t really become a firefighter for the sake of it. They have to love it. And I sort of think the same sort of applies in terms of the aptitude and adoption towards cybersecurity. But would you say that now, because we’re putting a lot of pressure on these people, are we going to see people peel off now because they’re like, look, I’m trying to do my best to protect people and customers in a company, but I don’t know if I can personally now be held liable for a lot of these things?

Karissa Breen [00:11:07]:
Are we at a, you know, crossroads? What’s going to happen here?

Daniel Churches [00:11:11]:
That’s such an interesting question, Karissa. I know of countries around the world where they’re holding CISOs personally liable, with even prison terms. I mean, that’s dramatic, right? That’s not Australia, obviously. But in Australia, the pressure remains very high for CISOs. We’ve all spoken about burnout for those individuals who take those roles. You’re right in the way you opened up the question, that idealized role to be able to help and to be in a position to be part of the machinery to help an organization. But when you’re left out there on the tip of the branch all by yourself and everybody wants to dump repercussions in your lap, the burnout’s immense for some of these guys, and you’re also seeing them step away from it. So that leaves a lot of that accumulated IP and experience and skill set walking out the door, which is exactly what the industry does not need right now.

Daniel Churches [00:12:04]:
I think with this new legislation, it spreads some of that risk within the corporation to the director level and the risk officer level, which means the CISO is no longer carrying all of that by themselves. I don’t think that makes their job any easier. It just means that from a career and a risk perspective, the load has been shared. So it should make it a little less daunting for them when they’re facing some of the challenges around real breach scenarios and the recovery and the business response and then recovery. I think it would mean that they might not feel quite as exposed as they might have in the recent past.

Karissa Breen [00:12:44]:
So the part that gets me is, so basically just say you are a CISO and yes, you’re spreading the risk now, which is what you’re saying, right, other people are going to be held liable, fine. But then just say a breach happens and then it’s kind of like, well, how long’s a piece of string? Because it’s like, well, we had reasonable endeavors, we had best intentions, et cetera, all these legal-type words to protect our customers. But if you’re a CISO and your director or board or whoever is only giving you X amount of budget to do something, and that couldn’t be met because you had to forego a whole bunch of other things and tools or people or whatever it is, it’s kind of like we’re at a moot point here. So, you know, then I don’t think it’s kind of fair to be like, oh, well, it’s the CISO’s role. Because then it’s one of those things. Especially as you start getting up the chain and you’re not a cyber tech person by trade, you don’t really understand it. They might think, oh, $30,000 per year is a lot of money on cybersecurity.

Karissa Breen [00:13:45]:
But then other people would argue against that. Right? So it’s kind of like, how do we get to the point where most people may think, oh, I think we’ve invested enough into this? But it is, it is a very gray area. So I’m keen to get some of your insight on this.

Daniel Churches [00:14:02]:
You caught a couple of different threads in there, but one of the threads I would speak to first up, speaking directly to security people in this profession on the client side, whether it’s a risk officer or a CISO or, you know, IT, data management and risk and management, is that because of this new legislation, they need to know how to now better navigate internally to get the rest of the business to step up and join them on those oars and pull in the right direction. It’s no longer a solo act. As a CISO or someone in a senior security role, you need to turn around and understand, with this new legislation, how you can move the chess pieces differently, and that shared risk I was just talking about, into the right roles and the right people. So you need to be able to go to your chief risk officer, your CFO and your CEO. And if you have access to the board, go board level as well. And you need to be able to articulate it in terms that they can understand, not just speaking about the liability kind of stuff, but also speaking about how you can measure the value of some of the tools you could bring into the organization to enable the organization to better withstand a breach attempt, to attain those levels of cyber resiliency that are now mandated by legislation. And so what I’m saying there is nothing new. Many, many CISOs already attempt to engage at the C level and already are trying to push their way in to carry that conversation.

Daniel Churches [00:15:32]:
But now they have a new arrow in their quiver, which is the board level and directors. They have to listen now because they’re on the line for this. I think now would be the time to really map out your engagement strategy internally within the business, managing upwards. Take some schooling, go online, figure out what works best within your industry to articulate the measurable benefits, or get some coaching within your organization, even at the CFO level. What do they need to see from you, and how do they need to consume the data you’re going to share with them, so that they can help the decision-making process and really lean into this new legislation as a way by which to move the company in the direction you know you need to go to hit those new marks that are part of the legislation that’s recently been passed.

Karissa Breen [00:16:23]:
So I want to go back to a comment you made earlier around cyberwashing, and let’s go back in time. Would you say historically, a hundred percent, it’s been like, oh well, we sort of duped a little bit of our security team? I’ve heard these comments from senior leaders out there that have said people are just getting by with sort of the minimum, right? At the end of the day, Dan, no one wants to spend money on stuff they don’t have to, right? So it’s like, if we can scrape by, we’re fine. But then do you think historically these powers that be, whatever you want to call them, top dogs, have then just passed the buck to the security person, and these people are left holding the baby?

Daniel Churches [00:17:01]:
That was the way it’s been for a long time. I remember over the past few years I would try to engage at the CEO level and speak about, how are you trying to orchestrate breach readiness within your organization to withstand a breach? Are you leaning into business continuity planning? How are you readying the business to deal with an unplanned outage? Call a breach an unplanned outage. And quite honestly, Karissa, many of the senior leaders that I spoke with, or speak with, they say, oh, I don’t know, that’s the cyber guys, that’s the security team. And in my mind, to isolate a cyber event to only one part of your business and not see the scope and the impact of that event across your business, and then build in your organizational readiness to deal with that, is a failing. But historically, you know, over the years, IT security was left to the security guys, bada boom. That’s the way it worked. Right now, when I speak with them, I speak in these terms: so tell me about your unplanned outage planning.

Daniel Churches [00:18:02]:
Let’s talk about your business continuity plans and that whole framework. Well, that’s a conversation any director understands and any chief risk officer understands. And so then I speak to them about architecting to remediate. Can you build into your business continuity planning the idea of an unplanned outage as a cyber attack? And so what’s your minimum risk threshold about how much of your business you’re going to bring to a stop as a response to the breach attack? So today businesses think their defensive position with EDR and NDR is met and they think that’s sufficient to try to protect against the inbound breach attempt. And then when you ask them, so in the event of an actual full-blown breach, what are your responses to that? And they say, yeah, well, we shut it down, or we shut down whole network segments. And my quick response to that is, you’re shutting down devices and systems that were not compromised. So why are you shutting down parts of your business that should stay up and running and maintain viability? Why don’t you just shut down the breach attempt, quarantine that, and let the rest of your business function? And then I align that to a business continuity plan or framework which talks about uptime and viability, which talks about power outages or five nines, and then just lay in a cyber resilience plan to your business continuity framework, and then the penny starts to drop for them. And so you want to flip the conversation with these senior leaders: you want to maintain the unaffected parts of your business to stay up and viable while you contain a breach and get back to pre-breach organizational functioning as quickly as possible, as you would with any unplanned outage.

Daniel Churches [00:19:40]:
And today you can architect for that. You can do that quite reasonably with tested tools in the marketplace. Micro-segmentation is the one I’m pointing at. But you can have this conversation. And so I’m coaching CISOs and senior security guys to take this business continuity conversation to the other side of the fence, to the risk officers and to the directors, and coach them on how we can just lay in risk tolerance, downtime, maintaining minimum viability while we respond to breaches, and then improving our capacity to recover and get back to organizational viability or functioning as quickly as possible. I’m doing all that kind of coaching. So therefore I’m hoping to help the CISOs take that argument internally, go seek that funding over there with the risk officers and the directors, get the project approved, and then implement that next-level cybersecurity capability to help the business withstand the breach attempt and meet all this new legislation that’s recently been passed.

Karissa Breen [00:20:37]:
So I want to keep going with the offhanding of the responsibility, because I think this part’s really interesting. And it’s interesting because if you’re a senior person, board director, you’re working in a big ASX-listed company and you don’t blow the budget because you were like, hey, I’m not going to give a couple of million bucks to the cyber team, because if I give it to them, this is historically speaking, I’m then probably not going to get my bonus for the year, because I’m the CFO and that’s what I’m KPI’d on. Right now the game’s changing. So do you think, and then it’s easy to offload if something happens, oh well, you know, we’ve got the cyber team here, look at this money that I’ve already spent. But now would you say it’s going to force people’s hand? So if you’re a CFO, you’re a CRO, you’re whoever in this organization, it’s going to force your hand to care about cyber, because you’re now in this, you’re in it and you’re responsible as well.

Karissa Breen [00:21:29]:
So are we going to start to see people become a lot more interested in cybersecurity because now they’re on the hook?

Daniel Churches [00:21:35]:
Yeah, well, the short answer is yes, and then the long answer is yes. So look, they’re already focused on cybersecurity. It’s not to think that they are not looking at it, and they’re already allocating funding because it gets a lot of attention. But what’s going to sharpen up is the capacity to articulate what steps they’re taking to meet legislative obligations today around cyber resiliency. And then you have to define cyber resiliency. So the CFO wants to redefine cyber resiliency in measurable terms. The CEO needs to be able to say it ticks boxes from a legislative and a reporting perspective. Each of them has a way, a lens or perspective, on what cyber resiliency means to that organization.

Daniel Churches [00:22:17]:
But with this new legislation, the focus is a little sharper now, because they need to really grasp the tools that are in the marketplace that help them meet those new thresholds. And if done correctly, the new thresholds can be articulated in measurable terms to the CFO, to the CEO, so that they feel comfortable that if it comes down to an actual breach, they know how to communicate to the market, they know how to communicate to shareholders, to the board, they know how to communicate to ASIC. And all of this communication stuff is built into your business continuity planning. It’s all part of an existing framework that an organization has. So with the right kind of coaching, they’ll know what they need to address. They’ll have their measurables that reflect the responsibilities that they have in their roles. And so these are the next steps that they’re getting their arms around now, because some of this legislation is only a few months old, from October last year, from May, July this year. So they’re getting their arms around it now.

Daniel Churches [00:23:17]:
But I’m already seeing it. We’re already having this level of conversation helping them find the right responses and answers to the new obligations they have. So it is changing behavior internally.

Karissa Breen [00:23:28]:
So now, following this through a little bit more, let’s talk about uptime, downtime. You mentioned before the resiliency piece. So the CFO is going to care about how much money the business makes, how much money we’re burning, right? Simply speaking. So I was talking to someone the other day, it was a global CISO of a large vendor, and we were talking about downtime for an airline in Los Angeles, roughly a million bucks US per hour. These people are impacted by it. Now people are going to start listening, because that’s a lot of money. Now the other problem is the flow-on effect of, okay, well, now we’re down, we can’t operate aircraft. It has a flow-on effect with other airports.

Karissa Breen [00:24:05]:
This is just one example. And then we’ve also now got people contacting our call centers, going off their head, you haven’t missed my kid’s wedding, something’s happened. So there’s a lot of other ancillary impact, correct, and items that perhaps people aren’t attributing to just the downtime side of things. So what’s your position on all of this? Because at the end of the day, if I just look at a CFO who’s now got the responsibility, they’re going to go, well, we have to keep operational, because we can’t lose a million bucks an hour because something’s happening.

Daniel Churches [00:24:42]:
So organizations have always looked at that, that we can’t afford to lose a million bucks an hour, let alone 200 grand an hour, let alone, you know, 20 grand an hour. No organization wants to tolerate that kind of an impact. But you know how you said a minute ago, let’s take a step back. If you think about the federal government, the federal government measures these things too, in economic impact to the country. And the Australian federal government has passed this legislation recently because they will no longer allow the country to take the imminent economic body shots and hits that the country has been taking. And I don’t need to rattle off all the breaches that have occurred here in Australia over the past couple of years. It’s the same around the world.

Daniel Churches [00:25:24]:
But from a federal level, if you look at airlines going down, if you look at telecommunications going down, if you look at insurance going down, if you look at medical going down, the economic impact to your country is profound. So the federal government stepped in and passed legislation that’s driving behavior, full stop. That’s it. Federal government looks at an organization and says, yeah, you might be losing millions and millions, you need to take care of your house. But we’re going to stipulate what you need to do in the way you manage your business, and we’re going to start setting some new bars that you guys have to hold to. So, yeah, corporations don’t want to lose a million bucks an hour. No airport wants to.

Daniel Churches [00:26:01]:
The airline industry doesn’t want to lose that kind of money. But the federal government stepped in and said, no, we don’t want you losing it either, and we’re going to change the game a little bit. There’s a whole new raft of measures that will be coming from the federal government over the next couple of years. They’re still going to be putting out standards that are expected in the marketplace. It’s a moving plate at the moment of policy settings and standards that are going to be coming to market, because the landscape keeps changing around the cyber risk for organizations. The ripple effect is so profound. I have a phrase that I came up with, which is: if you ask a CISO what’s the greatest impact from a breach attempt or an actual breach, they’ll tell you that it’s not the breach that’s the greatest impact, it’s the cleanup.

Daniel Churches [00:26:44]:
And if you ask a CEO what’s the greatest cost of an actual breach, they’ll tell you it’s not paying the ransomware, it’s the cleanup, the forensic process of going in and trying to understand where the breach occurred, what was the breakout time, where did they move in your environment, how did they get to your crown jewels, to try to understand all that. And it can take months. And that’s really what kills businesses, not the actual breach. With a micro-segmentation solution, you can articulate exactly where the impact of the first penetration was, the first breach, the devices that were compromised, the attack pathway. You can see all of that, because if the tool’s been used correctly, that’s also what stopped the breach, and you were able to point to the containment, and that then reduces your recovery period and allows your organization to get back up on its feet and functioning. So I think in real terms, government and businesses now have a tool in their hands that can allow them to withstand breaches, recover from breaches, and maintain viability in measurable terms, and reach those profit targets, reach those revenue targets, and continue to function profitably, and from a federal government level, maintain that economic stability that they have to have.

Karissa Breen [00:27:55]:
How do they measure the economic impact? Is there any sort of, have they said anything how they’re measuring this? So even when the first Optus outage happened, which was an outage, wasn’t even a cyber issue, right. I got called up by an Australian newspaper saying, hey, we’d like your commentary because we couldn’t do anything either. And like, obviously we’re a smaller fish than a large enterprise in Australia, but there was still an impact. Couldn’t even contact anyone. Can’t use, because I use everything in a browser. So my Internet didn’t work. I had to go to my in-laws’ house and use their neck. So in a different, you know, ISP.

Karissa Breen [00:28:29]:
So how have they started to say, well, this is the economic impact across Australia?

Daniel Churches [00:28:35]:
Well, I mean, they have statistics that they could quote you about the impact down to the private individual like you and I, and the impact it has on us when our credentials have been stolen, when our personal details are out on the dark web, when we get bombarded with spamware and emails and calls, and somebody inevitably falls into that trap and loses tens of thousands, if not more, to some scam that’s measured in the Australian marketplace. And that kind of impact is devastating to families. That’s families. And the federal government sees this and steps up, not just corporations and enterprise, but then the human impact on that, right? There are some statistics I can quote here. You know, there’s a cyber attack every six minutes in Australia, 94,000 incidents happening annually. I mean, but quoting statistics, people’s eyes glass over because they hear stats all the time and it just kind of loses its impact. Right? But the federal government knows, and enterprise knows the real impact in dollar terms and you’re talking tens of billions of dollars annually in Australia. What’s also interesting around this is the impact to an organization to recover from a breach.

Daniel Churches [00:29:46]:
And just a second ago, in that you have to do the forensics process to try to clean it up so that you can get back up and running. Right now, the recovery period from a full-blown breach can be an average of 260-odd days. That means your business is operating at suboptimal levels for almost a year post a breach. And if you have that many breaches happening in the country across enterprise and federal agencies, and all of them post a breach, are operating hobbled and underperforming, the economic impact is hugely measurable. So it’s something that’s got the attention of the federal government, hence the legislation that’s come out. So they know how to track it, the numbers are real. To quote it all here wouldn’t really be relevant to this conversation because it’s just more stats. But businesses understand it, federal government does, and that’s why they’re driving change.

Karissa Breen [00:30:43]:
So why wasn’t this implemented before then? So you’re like, yes, this is a good thing. Obviously there’s a bit of gray in this answer, but why was this implemented before? Or is it one of those things before we had seat belts and cars? It’s like, okay, one person’s died, another person, thousands of people have died. We have actually got to do something. Is it the federal government’s backs against the wall, we’ve got to do something now. Is it at that point where we just can’t keep going like this? I mean, we’re in 2025 and we’ve got these large enterprise businesses, billion-dollar companies that are just getting crippled.

Daniel Churches [00:31:14]:
Yeah, but I think it’s unfair to say that the federal government and enterprise weren’t doing something. They’ve been looking at this for decades to try to stay on top of it, but it changes so fast. You’ve heard this from all the other conversations you have, as I have and many of your list, our list here on this podcast. They know that the landscape and the threat vectors are changing so, so quickly. And now you add AI to that, it’s impossible to stay on top of. That’s why this is just that next level of legislation being passed to drive change in the marketplace, responding to the constant influx of threats and attacks that are coming at us. It’s not unique to Australia. It’s happening around the world.

Daniel Churches [00:31:53]:
It’s just that, you know, what we’re seeing now is how Australia is responding. But that’s just the dance. That’s the nature of the beast. It’s changing so quickly that we have to constantly stay vigilant and ready to flex when we need to as well, which is what’s happening.

Karissa Breen [00:32:07]:
And I do get your point that, yes, people have tried, but is it one of those things as, where’s that saying, like, you can attract more with honey than you do with vinegar. So if people start, is it going to rub people the wrong way? Like, I’ve been trying to do things right for the last 10 years and I can’t. I’ve been breached. I can’t help it. We made a mistake. Something happened. I don’t know, like. So, yes, I get the sentiments, but is this going to maybe do the opposite of what they got? I mean, I’m just looking at all.

Daniel Churches [00:32:31]:
No, as a matter of fact, I think just the opposite of that. I think you’re going to find senior leadership that are relieved that now with this legislation, they can turn to the board and say, we need to invest and we need to do it along these lines. I would imagine there’s plenty of directors and senior leaders out there that couldn’t get board spending approval across some of the projects they wanted to implement to better prepare their organization to withstand breach attempts. I reckon there’s some relief now in leadership teams, CISOs and risk officers with enterprise organizations that can finally lean into something that’s being stipulated by the federal government so that they can get the changes they want to drive within their businesses. They can just simply point to legislation and say, well, we have to do it now. And then they force the hand of leadership to appropriately fund these projects and make the changes they know that serve their business well.

Karissa Breen [00:33:23]:
Yeah, this is interesting, isn’t it? And I think that you. I mean, look what you’re saying. You’re right. It’s going to be. Time is going to be on our side to see what’s going to happen, how it’s going to unfold. So if you were to look forward now, Dan, how do you. This is going to unfold. So now we’re in this current situation.

Karissa Breen [00:33:40]:
Yes, we can hypothesize, we can sit here and we can speculate, et cetera. But what do you think really, at the end of the day, now that these companies, the government, federal government’s holding their feet to the fire. How do you think it’s going to play out?

Daniel Churches [00:33:53]:
It’s easy to feel a little bit overwhelmed right now with all the change that is being spoken about regarding AI and all the change that is being spoken about around the utilization of AI within businesses. And it’s easy to feel like we’re losing our grip on this. But actually we’re not. I’m not that pessimistic at all because fundamental, the foundational pillars that help businesses withstand the buffeting blows and hits that come, those pillars are in place and they still serve very, very well. And so then that comes down to leadership. How you organize your team around you, of senior leaders within your organization, how you cascade that down through the organization, not just culture, but actual frameworks. I keep referring to business continuity as my example, but your capacity to drive that kind of internal capability to communicate, to lead, to point to problems, problem resolution. All of those functional, foundational pillars to a healthy organization are going to be the places we need to go as we navigate these next few years of AI and AI security threats, because those are the aspects that will see us through.

Daniel Churches [00:35:11]:
We’re going through changes today in the world, whether it’s IT or otherwise. But staying with enterprise and corporations is what we’re doing. We’re going through changes. Well, businesses have been going through changes for decades. Businesses have been adapting to change in market, marketplace trends, technology for decades. And they’ve been able to accommodate and grow and meet that demand and sustain and be viable and successful. The only thing that’s changing now is how fast it’s moving and then the nature that is AI, how fast it’s going. But we have the capacity to build that into our modeling, our frameworks and to take these steps on this journey.

Daniel Churches [00:35:50]:
And we will come through it. Because that’s what businesses do. They survive. They come through it. We will come through this. I know I’m sounding like I’m proselytizing and preaching here. I don’t mean to, but I’m just not as dark about these next few years. As things firm up with AI and the new threats that come with that, I see us finding our way because I speak to a lot of very intelligent people way, way above my level.

Daniel Churches [00:36:13]:
These guys see all the moving parts. They connect the dots. They’re pulling in the right brain power and firepower to manage. So I’m actually quite optimistic for the next few years. I’m actually not only optimistic, but I know there will be challenges and I know there’s going to be some hits. We’re going to continue to see them. But I’m also kind of excited to see how we come through these next five years to 2030, how we ready ourselves for industry, how we ready ourselves with AI, how we ready ourselves with quantum, and how we ready ourselves from a cybersecurity capacity to meet these demands. I’m very optimistic and I’m very much looking forward to being a part of it.

Daniel Churches [00:36:53]:
And ColorTokens, the whole message around micro segmentation will be, definitely be a part of, of how we all move forward together. It’s going to be, it’s going to be very interesting and exciting, but I’m optimistic.

Karissa Breen [00:37:05]:
So I spoke to one of my industry contacts and they said, a vendor said to them, hey, well, because of personal liability, the whole spiel that we’ve just spoken about today, they use that to try to obviously progress their deal. So do you think now, and it’s just more a question, if people are using just that to try to get people to convert, to use their product, buy their product, whatever it is, how does that sit with you? Is that gonna, are people gonna start getting agitated or what are we dealing with here?

Daniel Churches [00:37:37]:
Fair question. Look, if you’re a rookie and you go in and you just try to press that little pain point, you might get swatted back. But if you bring a bit of composure to the conversation and you, you bring a bit of substance to it and speak in terms of measurable benefits that you can add to the organization, how an implementation of a new tool like micro segmentation can help reduce your risk. If you flesh it out, if you put that on the table in the form of, say, a business case, that’ll enable that person to turn around within their organization and present it internally to get approval to proceed with the project. If you take all the old steps you should have been taking about enabling people on the client side to understand the measurable value, the measurable benefits of this solution. That’s what we should have been doing all along. Now you’re just adding micro segmentation, cybersecurity into that mix and pointing to why there’s a more pressing concern for them to proceed with something like this because of new legislation. I don’t think you’re going to, I don’t think you’re going to upset anybody if you come to them with a problem and a solution at the same time.

Daniel Churches [00:38:41]:
But if you just step up and try to press your finger on a sore spot around legislation without any substance, I think you’re, I think you’re going to make your game hard for yourself.

Karissa Breen [00:38:49]:
And lastly, Dan, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Daniel Churches [00:38:54]:
Well, thank you KB. That’s nice of you. I probably kind of did it a second ago where I spoke about being optimistic. Yeah, it’s hectic right now and we all are looking at AI and the insecurity and the uncertainty about how that’s going to all level out and when the dust cloud clears, where will we all be? But I see us navigating our way through this. I see us coming to grips with risk and risk management. And I see the next few years being an amazing moment in time for us to participate not only in the cybersecurity component of enabling organizations, governments to function, but also taking advantage of all the promise that is IT and technology today. It’s easy to point to where the holes are and where the flaws are and where the potential, you know, downside might be. But boy, if you just spend a little bit of time and look at the possible upsides, they far outweigh the downsides.

Daniel Churches [00:39:51]:
And so let’s be on that side of the line and let’s participate in this the next few years. And micro segmentation plays a role, but cybersecurity overall as an industry segment within it is going to be such an interesting space over the next few years. I’m happy to be a part of it. I’m looking forward to it.