AI, Ransomware, and Governance Gaps: Inside Australia’s Cybersecurity Crisis with Marco Figueroa

  • Writer: Juan Allan
  • Aug 18
  • 9 min read

Threat researcher Marco Figueroa unpacks Australia’s cyber crisis: supply chain risks, talent gaps, and the shift from compliance to resilience


As Australian businesses face a ‘perfect storm’ of cyber threats, from AI-driven ransomware to third-party supply chain breaches, the gap between compliance checklists and genuine resilience has never been more dangerous.


In this exclusive interview, Marco Figueroa, an industry-leading security research expert and Senior Manager, Cyber Security, Risk and Compliance at the Australian Institute of Company Directors, dissects Australia’s escalating crisis. Drawing on his reverse engineering and threat intelligence background, Figueroa argues that recent attacks on Qantas, universities, and critical infrastructure expose systemic failures in governance, talent, and proactive defense.


He maps a path beyond the ‘checkbox mentality’ toward adaptive security, where Zero Trust, threat hunting, and cyber workforce innovation collide. Will Australia evolve fast enough? Figueroa’s insights are a wake-up call.


Interview with Marco Figueroa


What are the biggest cybersecurity threats currently facing Australian businesses, and how are organizations adapting to these challenges?


Australia’s cyber threat landscape is deteriorating, with a growing body of publicly available evidence highlighting the scale and persistence of malicious activity targeting local businesses and universities. Core threat vectors (business email compromise, social engineering and phishing, ransomware, and third-party vulnerabilities) continue to be actively exploited by cyber criminals.


A recent breach involving Qantas, attributed to a third-party service provider managing access to its customer relationship management platform, serves as a stark reminder of the risks embedded across the supply chain. This incident closely mirrors widespread retail sector breaches reported in the UK between May and June 2025, suggesting coordinated targeting of critical systems across markets.


Concerningly, many Australian organisations, including institutions in the superannuation sector, continue to operate without basic cyber hygiene practices. Multi-factor authentication (MFA), a control mandated under the Australian Signals Directorate’s Essential Eight, remains absent or inconsistently applied across key digital assets.


These gaps are not only technical weaknesses; they also represent broader challenges in cyber governance and risk oversight.


Regrettably, in 2025, Australia’s higher education sector emerged as a high-value target in the eyes of cyber criminals, highlighting deep-rooted vulnerabilities in institutional identity systems, third-party dependencies, and basic cyber hygiene.


The breaches at Western Sydney University, University of Western Australia, and the alleged exploitation involving University of Sydney’s development assets underscore a dangerous trend: threat actors are increasingly bypassing traditional perimeter defences by exploiting single sign-on (SSO) platforms, developer misconfigurations, and third-party supply chain exposures.


As education institutions continue to digitize rapidly and integrate external platforms, cybersecurity must become a core component of university governance, not just an IT issue. Risk visibility, proactive threat hunting, and full-stack security monitoring are no longer optional. The sector must adapt, or risk continued disruption to student trust, research integrity, and national digital resilience.


As cyber threats continue to evolve in scale and sophistication, Australian businesses must move beyond compliance checklists and embrace proactive, risk-informed security strategies. Prioritising foundational controls, third-party assurance, and security-by-design practices is no longer optional; it is essential for resilience, trust, and long-term competitiveness.


How is the Australian government addressing the increasing demand for cybersecurity professionals, and what role do educational institutions play in bridging the talent gap?


Educational institutions play an increasingly critical role in this effort. Universities are partnering with government and industry to co-design curriculum that is aligned with real-world needs, emphasizing hands-on learning, certifications, and practical experience through internships and cyber labs.


Leading institutions, such as UNSW, RMIT, and Edith Cowan University, are developing centres of excellence in cybersecurity education and research, offering specialized degrees and micro-credentials that reflect the evolving threat landscape.


Australia stands at a crossroads in the global cybersecurity race. The 2023–2030 Australian Cyber Security Strategy lays out an ambitious goal: to position the nation as a world leader in cybersecurity by 2030. Central to this vision is a robust workforce, cultivated through strategic government investment and innovative education.


The Australian Government is backing its ambition with tangible support: initiatives such as the A$70 million Cyber Security Skills Partnership Innovation Fund and the APS Data, Digital and Cyber Workforce Plan 2025-30 highlight a genuine, whole-of-government push to attract, nurture, and retain cyber talent. The multi-shield defence model is at the heart of this approach, ensuring Australia’s cyber capacity is resilient and future-ready.


Despite these efforts, Australia faces a significant shortfall: between 30,000 and 200,000 cyber professionals will be needed over the next decade. Meeting this demand is not just a numbers game; it’s about equipping individuals with practical, industry-relevant skills.


Universities and vocational providers are rising to this challenge. Collaborative initiatives like Cyber Security Education Australia (CySEA) are harmonising curriculum, driving professional development, and responding dynamically to industry needs.


Innovative programs, ranging from virtual internships and mentorships to TAFE NSW’s micro-learning modules and NSW’s Cyber Ambassador and Industry Placement schemes, are opening real-world pathways for students, seamlessly connecting education with employment.


Yet Australia’s approach must be more than incremental; it must be integrative. Public investment, educational innovation, and cross-sector collaboration must work in concert to close the cybersecurity skills gap. Without bipartisan policy support and a shared sense of urgency across business and government leadership, progress risks stalling. The persistent shortage of job-ready professionals and repeated high-profile breaches underscore the dangers of complacency.


If Australia wants to secure its digital future and lead globally, it must accelerate efforts, aligning strategy, policy, investment, and education to build the cyber workforce its digital era demands. This is not merely government business; it is the shared mission of every professional, educator, and policymaker determined to secure Australia’s cyber future.


What are the most significant regulatory and compliance challenges Australian companies face in securing their digital infrastructures, and how can they navigate these complexities?


Beneath the bold ambitions of Australia’s 2023–2030 Cyber Security Strategy lies a complex challenge: not just growing a world-leading cyber workforce, but also steering a course through an ever-shifting maze of regulatory and compliance obligations. For Australian businesses, whether multinational or SME, the stakes have never been higher.


Data breaches and ransomware attacks dominate headlines, and the penalties for failing to secure digital infrastructure extend far beyond fines, threatening corporate reputation, public trust, and even national security. To succeed, companies must not only invest in technology and talent, but also understand and adapt to the intricate web of laws, standards, and sector-specific requirements that define the Australian regulatory landscape.


Australia’s regulatory environment for digital infrastructure security is shaped by a tapestry of laws, frameworks, and guidelines, each with its own scope and implications. Navigating this landscape requires clarity around the following core components:


  • Privacy Act 1988 and the Notifiable Data Breaches (NDB) Scheme: Demands mandatory notification of eligible data breaches, robust data governance, and adequate security controls for all organisations handling personal data.

  • Security of Critical Infrastructure Act 2018 (SoCI Act): Imposes heightened risk management, incident notification, and government access obligations on operators of critical infrastructure across sectors including energy, water, telecommunications, and healthcare. Recent amendments significantly expanded its reach.

  • Australian Signals Directorate (ASD) Essential Eight: Provides a baseline framework for mitigation strategies, widely adopted across the public sector and increasingly referenced in industry best practice.

  • Australian Prudential Regulation Authority (APRA) CPS 234: Mandates that regulated entities in the banking, insurance, and superannuation sectors maintain robust cyber resilience and promptly notify APRA of material information security incidents.

  • Australian Securities and Investments Commission (ASIC) Obligations: Requires publicly listed companies to disclose material cyber incidents and maintain adequate risk management frameworks.

  • Sector-Specific Regulations: Sectors such as healthcare (under the My Health Records Act), finance, and education face unique compliance requirements, adding further layers of complexity.


One of the most significant challenges is the fragmentation of regulatory requirements. Companies must often comply with overlapping or conflicting obligations, especially those operating across multiple sectors or jurisdictions. The expansion of the SoCI Act, for example, has brought organisations that previously focused solely on the Privacy Act into the critical infrastructure regime, requiring new approaches to risk assessment and reporting.


Cyber threats are dynamic, and regulations are evolving to keep pace. The Australian Government’s active review of privacy laws and plans for a new Cyber Security Act signal further changes on the horizon. Companies must invest in ongoing monitoring and flexibility to adapt swiftly as requirements shift.


With the introduction of the NDB scheme, APRA CPS 234, and SoCI Act amendments, organisations face a mosaic of incident notification obligations, each with varying definitions, thresholds, and timelines. Failure to meet these requirements risks regulatory investigation and reputational damage.


Australian regulators increasingly expect companies to manage cyber risk beyond their own walls. APRA CPS 234, for example, holds entities accountable for the security controls of third-party vendors. Yet, visibility and assurance over complex supply chains remain a persistent challenge.


The well-publicised shortage of skilled cybersecurity professionals in Australia exacerbates compliance challenges. Smaller organisations, in particular, may struggle to interpret regulatory requirements, implement effective controls, and respond to incidents in a timely manner.


Striking a balance between regulatory compliance and the rapid adoption of digital technologies, including cloud, AI, and IoT, can be difficult. Overly rigid approaches may stifle innovation, while laxity risks non-compliance and breaches.


Here are my seven strategies for navigating regulatory complexity:


  1. Embedding regulatory obligations and security into organisational culture is the foundation. Executive leadership must champion a “security by design” mindset, ensuring that digital transformation projects consider risk and regulatory requirements from the outset.

  2. Addressing the talent gap is essential. Investment in cyber skills training, industry certifications (such as CISSP, CISM, and ISO 27001 Lead Implementer), and partnerships with academic institutions help build internal capability. Leveraging government initiatives (like the A$70 million Cyber Skills Fund) can accelerate workforce readiness.

  3. For complex or sector-specific compliance, engaging external advisors and legal counsel with deep regulatory knowledge can bridge gaps in in-house expertise. Managed security service providers (MSSPs) can help SMEs achieve compliance more cost-effectively.

  4. Developing a comprehensive and endorsed Australian Government compliance matrix that maps overlapping requirements across the Privacy Act, SoCI Act, APRA CPS 234, and relevant state/territory laws can help organisations identify duplications, streamline reporting, and avoid conflicting responses during incidents.

  5. Clear incident response plans that account for the notification timelines and thresholds of all applicable regulations are critical. Regular testing, tabletop exercises, and simulated breaches can ensure readiness and compliance under pressure.

  6. Adopt frameworks for assessing and monitoring suppliers’ security controls—such as ISO/IEC 27001 and the ACSC Essential Eight. Formalise vendor contracts to include security and notification obligations and undertake regular audits across the supply chain.

  7. Active participation in industry groups, government consultation processes, and regulator-led forums enables companies to stay ahead of upcoming changes. Early engagement allows organisations to contribute to shaping practical, effective regulation.


With the rise of remote work and digital transformation, what specific cybersecurity measures are Australian organizations prioritizing to protect both their networks and their employees?


As remote work and digital transformation become entrenched in Australia’s economic fabric, organisations are making decisive shifts in their cybersecurity strategies to protect both their digital infrastructure and workforce. The priorities are no longer just technical, they are strategic, board-level imperatives.


  1. Embracing Zero Trust Principles: Australian enterprises are adopting Zero Trust Architecture to mitigate the risks of perimeter-less networks. This includes, but is not restricted to, enforcing strict identity verification through multi-factor authentication (MFA), least-privilege access, and continuous validation of user activity, regardless of device or location.

  2. Securing the Endpoint and Workforce: With a distributed workforce, identity is the new perimeter. Organisations are investing in Identity Protection and Extended Endpoint Detection and Response (XEDR) to ensure visibility, control, and rapid incident response across remote environments.

  3. Cloud Security and Resilience: The shift to cloud-based operations has elevated the focus on cloud security, data encryption, and secure access frameworks like SASE (Secure Access Service Edge). Organisations are embedding security into digital transformation efforts from the outset rather than retrofitting protections.

  4. Human Risk Management: Recognising the human element as a persistent vulnerability, companies are enhancing cyber awareness training, simulating phishing attacks, and using behavioural analytics to identify anomalies that could signal insider threats or compromised credentials.

  5. Governance, Risk, and Compliance (GRC): Regulatory alignment is critical. With reforms to the Privacy Act and ongoing expansion of the Security of Critical Infrastructure (SOCI) Act, Australian organisations are strengthening data governance, incident response protocols, and board-level reporting structures to maintain compliance and stakeholder trust.

  6. Public-Private Collaboration: Forward-thinking organisations are participating in threat intelligence sharing initiatives like the Australian Cyber Security Centre (ACSC) and Joint Cyber Security Centres (JCSCs) to proactively respond to emerging threats and align with national security priorities.


Cybersecurity in the age of remote work is no longer just an IT issue; it’s a business resilience issue. Australian organisations are prioritising strategies that are agile, scalable, and rooted in a risk-based approach. The leaders of tomorrow are those who embed cybersecurity at the core of their digital strategy, enabling trust, continuity, and competitive advantage in a volatile threat landscape.
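As an added example (editor's illustration, not code from the interview, from Marco Figueroa, or from the AICD), the Python script below shows what the "behavioural analytics" and MFA points in the answer above look like in practice: it runs two checks over a constructed batch of sign-in events, flagging impossible travel between successive successful logins for the same user, and a successful login without MFA from a device that user has never been seen on. The event fields, the 900 km/h speed ceiling, the 50 km geolocation tolerance, and every log record are assumptions made for the example.

```python
"""Added example: flag risky sign-ins in a batch of authentication events.

Checks illustrated (thresholds and event fields are assumptions):
  1. impossible_travel  - implied speed between two successful logins for
                          the same user exceeds what a flight could cover
  2. no_mfa_new_device  - successful login without MFA from a device the
                          user has never used before (the MFA-gap case)
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime        # naive UTC timestamp (assumption)
    user: str
    device_id: str
    mfa: bool
    lat: float          # geo-IP estimate of the client location
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on the Earth."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect_anomalies(events, max_speed_kmh=900.0, geo_tolerance_km=50.0):
    """Return a list of (user, rule, detail) findings, in time order.

    Only successful logins are considered: a failed attempt does not move the
    user. Distances below geo_tolerance_km are ignored so geo-IP jitter
    between neighbouring cities does not fire the travel rule. Two logins
    with the same timestamp but far-apart locations are also impossible.
    """
    findings = []
    last_ok = {}        # user -> most recent successful event
    seen_devices = {}   # user -> set of device ids used on successful logins
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        prev = last_ok.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            if dist > geo_tolerance_km and (hours <= 0 or dist / hours > max_speed_kmh):
                findings.append((ev.user, "impossible_travel",
                                 f"{dist:.0f} km in {hours:.2f} h"))
        known = seen_devices.setdefault(ev.user, set())
        if not ev.mfa and ev.device_id not in known:
            findings.append((ev.user, "no_mfa_new_device", ev.device_id))
        known.add(ev.device_id)
        last_ok[ev.user] = ev
    return findings


# Constructed sample data (not real logs). Coordinates are rough city centres.
SYDNEY, MELBOURNE, PERTH, FRANKFURT = (-33.87, 151.21), (-37.81, 144.96), (-31.95, 115.86), (50.11, 8.68)
SAMPLE_EVENTS = [
    AuthEvent(datetime(2025, 8, 1, 8, 0), "dave", "dave-phone", False, *PERTH, True),
    AuthEvent(datetime(2025, 8, 1, 9, 0), "alice", "alice-laptop", True, *SYDNEY, True),
    AuthEvent(datetime(2025, 8, 1, 9, 15), "bob", "bob-desktop", True, *MELBOURNE, True),
    AuthEvent(datetime(2025, 8, 1, 9, 30), "carol", "carol-laptop", False, *SYDNEY, False),
    AuthEvent(datetime(2025, 8, 1, 10, 30), "alice", "unknown-android", False, *FRANKFURT, True),
    AuthEvent(datetime(2025, 8, 1, 17, 0), "bob", "bob-desktop", False, *SYDNEY, True),
]

if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(SAMPLE_EVENTS):
        print(f"{user:6} {rule:20} {detail}")
```

Run as-is it reports Dave's MFA-less first login from a new phone, then Alice's Sydney-to-Frankfurt hop in ninety minutes from an unknown Android device, which trips both rules; Bob's Melbourne-to-Sydney move over the working day on a known device is left alone. In a real deployment the events would come from the identity provider's sign-in log and the thresholds would be tuned against a baseline of normal travel for the workforce; the point of the example is that both signals the interview names (weak MFA coverage and anomalous user behaviour) can be surfaced from the same stream of authentication data.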


How do Australian cybersecurity companies balance the growing need for innovation with the increasing pressure to maintain strict data protection standards and safeguard user privacy?


Australian cybersecurity companies are navigating a complex but vital dual mandate: to innovate at speed while maintaining the highest standards of data protection and user privacy. This balance is not only achievable, but also becoming a defining feature of Australia’s competitive edge in the global cybersecurity landscape.


Leading firms are embedding cloud-first, privacy-by-design and security-by-default principles into the product development lifecycle, ensuring that innovation does not come at the expense of trust. From AI-driven threat detection to cloud-native security platforms, innovation is being shaped by regulatory foresight, ethical considerations, and a user-first approach to data governance.


Moreover, Australia’s evolving legal landscape, particularly reforms to the Privacy Act and the expanded Security of Critical Infrastructure (SOCI) Act, is pushing cybersecurity companies to develop solutions that are not only technically advanced but also fully compliant and auditable.


This is reinforcing a culture of “secure innovation”, where agility and fitness of purpose are not opposing forces, but complementary pillars of modern product strategy.


Collaboration is also key. Many firms are working closely with government bodies, regulators, and industry groups to co-develop frameworks and share threat intelligence, accelerating innovation while ensuring alignment with national security priorities.


Ultimately, the most successful Australian cybersecurity companies are those who treat trust and innovation not as trade-offs, but as mutually reinforcing drivers of sustainable growth and global relevance.
