The end of cybersecurity

Whitepaper

In the modern era of cybercrime, the likelihood of any organisation falling victim to an attack is not a matter of if, but when.

27 March 202512 mins

Download Resource

With nation states actively weaponising cyber-attacks as part of their ongoing information warfare activity, and criminal gangs exploiting cutting edge artificial intelligence (AI) technologies to launch increasingly sophisticated attacks, defenders face a variety of threats that are complex in their execution and relentless in their volume.

If any organisation is to withstand this onslaught, it must view cyber threats as a critical business risk and develop a defensive strategy that extends beyond detection and protection to encompass response and recovery.

That also means ceasing to view cyber risk as somehow being different to any other risk that an organisation faces.

To put it bluntly, it’s time to stop talking about cyber security, and start talking about business resilience.

Standing strong in the face of cybercrime was the core focus of an executive security discussion conducted by Iron Mountain in Sydney in March 2025. Featuring leading representatives from the Australian and international cyber security community, the discussion covered the extent of current threats and the best-practice approaches that organisations could take to strengthen their defences.

The good organisations treat it as a genuine business risk, and it starts with recognising that the threat is real, active, and wishes you harm. This risk cannot be outsourced to the IT team.

Marcus Thompson

Cyber security as a business strategy

Digital systems are the beating heart of twenty-first century organisations, and any disruption can quickly unfold into an existential crisis. Their defence warrants the same attention as any other significant business risk.

But for many organisations, a distinction remains between how they manage business risk and cyber risk, with responsibility for cyber consigned to specialised teams that are far removed from broader risk management activities.

Aligning business and cyber risk strategies is a challenge that all parties must own, but which can be made easier by building bridges between people with different responsibilities, knowledge, and skill sets, to create areas of shared interest. This often starts with finding a common language.

I would stop having conversations about ‘cyber security’ and start having conversations about what I want to do with my business and the dependencies that come from that. Digital infrastructure can then be aligned to those business objectives in the same way that we have always done for people, intellectual property, and strategy(ies). A conversation that starts with the business plan is a conversation that everyone understands.

Chris Inglis

A conversation that starts with the business plan allows digital systems and their defence to be viewed within the context of how they contribute to the organisation’s goals. All parties can understand the importance of digital systems as well as their vulnerabilities. They can create risk management strategies that represent the true risk to the business, and then make better decisions regarding defensive strategies and investments.

Importantly, this alignment reduces the likelihood of cybersecurity becoming an impediment to innovation. When cyber controls are implemented in line with business strategy, they can become an enabler of faster and safer transformation.

Security need not be a barrier to the organisation’s speed and agility.

Melissa Osborne

Defining a cyber strategy in this top-down fashion ensures it is understood and managed at the highest level, in the same manner as any other risk.

Cyber defence is not about defending an organisation’s IT infrastructure. It is about extending and empowering the business in a world that is dependent on IT.