Why Outsourcing is Australia's Achilles' Heel in Cybersecurity with Mark Lee
- Juan Allan
- Oct 14
Updated: Oct 15
Mark Lee analyzes Australia's cyber resilience, highlighting risks from third-party reliance, internal capability gaps, and the emerging threat landscape for AI and financial platforms

Australia's cyber resilience is not determined by the strength of its largest organizations, but by the systemic vulnerabilities created by an over-reliance on third-party providers and a lack of internal technical maturity.
In today's interconnected digital landscape, this hypothesis is increasingly becoming our reality. To explore the critical gaps in Australia's cybersecurity posture, we speak with Mark Lee, Vice President of ISC2 Sydney Chapter, and a seasoned expert who argues that the nation's security is being undermined from within.
Lee points to a dangerous combination of outsourced capabilities, ineffective governance, and emerging threats in sectors like AI and fintech as the primary challenges. Join us as we dissect the uneven state of readiness and what it will take to build genuine, national cyber resilience.
Interview with Mark Lee
What sectors do you believe are most vulnerable to cyberattacks in the coming years?
In the coming years, AI technology companies and online financial platforms are likely to be among the most vulnerable sectors to cyberattacks in Australia.
Many AI companies are startups focused on rapid business growth and innovation, yet they often manage sensitive customer data and behavioural insights, making them attractive targets. Threat actors could potentially leverage these companies’ own AI capabilities and datasets to conduct highly targeted and adaptive attacks against other organisations.
Similarly, some online financial platforms operate outside Australian jurisdiction while partnering with local financial institutions to provide overseas services. These platforms may not be fully regulated under Australian law, raising concerns about the effectiveness of their cybersecurity measures and governance, and making them susceptible to attacks that could impact both customers and partner organisations.
How do you see the current state of cybersecurity readiness across Australian organizations?
The current state of cybersecurity readiness across Australian organisations is uneven. While sectors such as finance, healthcare, and critical infrastructure have made significant investments in cybersecurity, readiness across other industries remains limited. The credential-stuffing incident at AustralianSuper highlighted that security cannot be confined to major sectors alone, as threat actors often exploit vulnerabilities in smaller or less-secure business partners to access larger organisations through lateral movement techniques.
Overall, many Australian organisations are becoming more aware of these risks, but there is still a need to broaden cybersecurity focus, strengthen supply chain security, and build maturity across SMEs and non-regulated sectors to improve national cyber resilience.
What are the biggest threats facing Australian companies today in terms of cyber risk?
One of the biggest cyber risks facing Australian companies today is the lack of maturity within internal IT teams to maintain critical technical capabilities. Many organisations are overly reliant on external consultants and outsourcing providers to operate essential business systems and processes.
This dependence introduces significant vulnerabilities, as insufficient governance and weak cybersecurity controls among outsourcing suppliers can compromise both customer data and business operations. Furthermore, relying on remote governance models to oversee internal technical and cybersecurity functions has been shown to be largely ineffective, according to most outsourcing risk assessment reports.
In summary, the combination of limited internal capability and over-reliance on third-party providers remains a major threat to Australian organisations’ cybersecurity posture.
How effective do you think government initiatives and frameworks are in improving national cybersecurity resilience?
Government initiatives and frameworks play an important role in improving national cybersecurity resilience, but their effectiveness is influenced by how well organisations implement them internally. While frameworks provide guidance, standards, and best practices, many Australian companies still face challenges such as limited internal IT and cybersecurity maturity and over-reliance on external consultants or outsourcing providers.
These gaps can undermine the intended benefits of government initiatives, as insufficient governance and weak cybersecurity controls among third-party suppliers create vulnerabilities that threaten customer data and critical business operations. Moreover, remote governance models for overseeing internal technical and cybersecurity functions have generally proven ineffective in practice, according to outsourcing risk assessments.
In short, government frameworks are essential, but their impact depends on organisations' capacity to embed cybersecurity culture, build internal expertise, and effectively manage third-party risks.
How are companies balancing cybersecurity investments with other IT priorities?
Companies are increasingly recognising that cybersecurity investment must be integrated into IT projects from the earliest stages rather than treated as a separate or final step. Aligning cybersecurity initiatives with international frameworks and industry best practices allows organisations to build robust capabilities efficiently while balancing other IT priorities. For instance, in software development, some organisations still perform security assessments only during the pre-production phase, which can lead to costly rework, project delays, and increased risk due to late identification of vulnerabilities.
A more effective approach is to embed cybersecurity into the design phase and leverage security-enhancing tools such as Interactive Application Security Testing (IAST). IAST provides real-time feedback to developers, allowing them to identify and remediate vulnerabilities as they code. This proactive strategy not only improves security but also streamlines project management and ensures that cybersecurity investments are applied efficiently alongside other IT priorities.
What role do you think AI and automation will play in strengthening Australia’s cyber defenses?
AI and automation are set to play a critical role in strengthening Australia’s cyber defenses. AI’s predictive capabilities enhance threat detection, pattern recognition, and anomaly identification, enabling organisations to respond to attacks more quickly and effectively. Furthermore, AI can continuously learn from new attack scenarios, supporting the creation of role-specific security awareness training and improving overall cyber resilience.
However, the deployment of AI and automation must balance convenience with risk. Many AI models lack transparency in design and operation, leaving organisations uncertain about decision-making processes or data handling. Since most AI solutions are cloud- or SaaS-based, customers may have limited control over multi-model systems or self-learning algorithms used by providers.
Automation also carries potential risks, as untested or unsuitable AI models can produce unexpected or severe outcomes when deployed in production. To mitigate these risks, organisations must implement strong governance, transparency, and validation processes, ensuring that AI-driven cybersecurity solutions remain reliable, secure, and aligned with organisational risk tolerance.
What emerging technologies or trends do you see shaping the next wave of growth in cybersecurity?
Emerging technologies such as quantum-enabled AI and quantum-enhanced blockchain are set to shape the next wave of growth in cybersecurity. Quantum-enabled AI can process and generate information at unprecedented speed, presenting both opportunities and potential threats, particularly in threat detection, analysis, and automation.
In parallel, blockchain-based identification and authentication are evolving with quantum computing advancements. Traditional blockchain immutability relies on distributing identical ledger copies across thousands of nodes, so altering one node does not affect the rest.
Quantum technologies can further strengthen this model by:
- Generating true random keys through quantum processes, improving digital signatures and identity management.
- Replacing vulnerable algorithms with post-quantum cryptographic (PQC) schemes, including lattice-based, hash-based, or multivariate signatures.
These innovations have the potential to transform identification and authentication, making digital ecosystems more secure and resilient. Notably, the UAE and Hong Kong have already begun implementing blockchain-based solutions for identity and access management (IAM), laying the foundation for quantum-resilient digital infrastructures.


