The hidden cyber threats undermining your business security
At CISO Sydney 2025, industry leaders revealed a stark reality: many organisations believe they have their cyber risk under control, but beneath the surface, unseen vulnerabilities persist. These gaps do more than expose businesses to attacks; they weaken long-term security resilience.
Paul Thomas (Axonius), Ilya Polyakov (NSW Department of Planning, Housing and Infrastructure) and Daniel Tripovich (Australian Cyber Security Centre) each highlighted security gaps that organisations continue to overlook.
Three major issues stood out:
1. Flawed risk assessments create a false sense of security.
2. Overly complex security architectures can increase rather than reduce risk.
3. Failure to implement the ACSC's Essential Eight leaves businesses open to cyber threats.
Let’s explore why these blind spots persist and how organisations can take a more strategic approach to cyber resilience.
1. The risk illusion - why businesses are getting it wrong
Paul Thomas (Solutions Architect, Axonius) explained how many businesses overestimate their security readiness due to flawed risk management practices.
His session, "The Risks in Risk Management," outlined common mistakes that create cyber blind spots:
- Cognitive biases – risk assessments are often influenced by confirmation bias, anchoring bias, or overconfidence in existing controls.
- Incomplete or outdated data – many organisations rely on stale, inaccurate, or limited data when evaluating cyber risk.
- Flawed methodologies – some companies claim to use quantitative risk assessment but are actually relying on subjective, qualitative opinions.
Cyber risk management should be data-driven, dynamic, and continuously updated. Business Intelligence (BI) tools can help correlate risk factors across multiple sources, providing a clearer picture of vulnerabilities. A structured Governance, Risk, and Compliance (GRC) framework ensures that risk decisions are aligned with business priorities, security controls, and regulatory requirements.
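To make the quantitative-versus-qualitative distinction in the list above concrete, here is an added example, not code from the session or from the page's author, that scores one constructed scenario both ways. The heat-map function returns an ordinal label with no units; the Monte Carlo function returns an annualised loss distribution in dollars that can be compared with the cost of a control. The scenario name, frequency range and loss range are constructed figures for illustration, not real data.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """One loss scenario described with calibrated ranges (constructed figures)."""
    name: str
    freq_min: float      # events per year, analyst's lower bound
    freq_likely: float   # events per year, most likely value
    freq_max: float      # events per year, upper bound
    loss_lo: float       # single-event loss, lower end of 90% confidence interval
    loss_hi: float       # single-event loss, upper end of 90% confidence interval


def qualitative_score(likelihood: str, impact: str) -> str:
    """A typical 3x3 heat map. The result is an ordinal label with no units,
    so two 'high' risks cannot be added, expressed in dollars, or weighed
    against the price of a control."""
    order = {"low": 1, "medium": 2, "high": 3}
    product = order[likelihood] * order[impact]
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm; the standard library has no Poisson sampler."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 20_000,
             threshold: float = 1_000_000, seed: int = 1) -> dict:
    """Monte Carlo annual loss: event count ~ Poisson(frequency),
    frequency ~ triangular(min, likely, max), loss per event ~ lognormal
    fitted so that [loss_lo, loss_hi] is its 90% interval."""
    rng = random.Random(seed)
    mu = math.log(math.sqrt(scenario.loss_lo * scenario.loss_hi))   # log of the median
    sigma = math.log(scenario.loss_hi / scenario.loss_lo) / (2 * 1.645)
    annual = []
    for _ in range(trials):
        lam = rng.triangular(scenario.freq_min, scenario.freq_max, scenario.freq_likely)
        events = _poisson(lam, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()

    def pct(p: float) -> float:
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {
        "ale_mean": sum(annual) / len(annual),          # annualised loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_exceeds_threshold": sum(1 for x in annual if x > threshold) / len(annual),
    }


# Constructed scenario: ransomware on a file server. Figures are illustrative only.
RANSOMWARE = Scenario("Ransomware on file server",
                      freq_min=0.1, freq_likely=0.3, freq_max=1.0,
                      loss_lo=50_000, loss_hi=3_000_000)

if __name__ == "__main__":
    print("heat map says:", qualitative_score("medium", "high"))
    for key, value in simulate(RANSOMWARE).items():
        print(f"{key:>20}: {value:,.2f}")
```

With these inputs the median annual loss is zero (in most years no event occurs), the mean is several hundred thousand dollars, and there is roughly a one-in-ten chance of a year costing more than a million. A single "high" cell on a heat map carries none of that shape, and it is the shape, not the label, that tells you whether a control costing a given amount per year is worth buying.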
The Australian Signals Directorate (ASD) provides additional guidance on risk management frameworks to help businesses strengthen their cyber security posture.
2. Complexity is the enemy - when security architecture works against you
According to Ilya Polyakov (Chief Security Officer and Head of Identity Management, NSW Department of Planning, Housing and Infrastructure), many organisations assume that adding more security controls will improve protection, when in reality complexity often increases risk.
His session, "Demystifying Security Architecture," highlighted how poorly structured security environments create unseen vulnerabilities:
- Disconnected security layers – a fragmented security stack can create visibility gaps, making threat detection harder.
- Overlapping or redundant controls – security investments often lack strategic alignment, leading to inefficiencies rather than stronger defences.
- Lack of Enterprise Security Architecture (ESA) – without a structured security strategy, organisations struggle to balance risk, compliance, and business growth.
Rather than simply adding more security tools, businesses should focus on integrating and streamlining their security architecture. Security controls should reduce risk, not introduce operational friction.
As illustrated below, a well-structured security architecture aligns enterprise security, business solutions, and security solutions into a cohesive framework. When these elements are disconnected or misaligned, gaps emerge, making threat detection and risk management significantly harder.
Figure 1. A well-structured security architecture integrates enterprise security, security solutions, and business security frameworks into a cohesive system. When these elements are disconnected, gaps emerge, increasing risk and reducing visibility.
Conducting a security controls review can help identify gaps in security architecture and eliminate inefficiencies.
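One concrete form such a review takes is reconciling the asset lists that each security layer holds, since a host that one tool knows about and another has never seen is exactly the visibility gap described above. The following is an added example, not code from the page or from any vendor's product; the three exports are constructed sample data and the column names are assumptions standing in for whatever the real products emit.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions
# standing in for whatever each product's export actually produces.
CMDB_EXPORT = """hostname,owner,environment
web-01,platform,prod
web-02,platform,prod
db-01,data,prod
jump-01,secops,prod
dev-07,app,dev
"""

EDR_EXPORT = """device_name,agent_version,last_seen
WEB-01,7.12,2025-03-01
db-01,7.12,2025-03-01
legacy-fax,6.4,2024-11-20
"""

SCANNER_EXPORT = """asset,last_scan,critical_findings
web-01.corp.example,2025-03-02,0
web-02.corp.example,2025-03-02,3
dev-07.corp.example,2025-02-10,1
"""


def normalise(name: str) -> str:
    """Join key: lower-case, strip whitespace, drop any DNS suffix. Without
    this step WEB-01, web-01 and web-01.corp.example count as three hosts,
    which is how disconnected tools manufacture phantom gaps and hide real ones."""
    return name.strip().lower().split(".")[0]


def load(export: str, key_column: str) -> dict:
    """Parse one CSV export into {normalised_hostname: row}."""
    return {normalise(row[key_column]): row
            for row in csv.DictReader(io.StringIO(export))}


def reconcile(cmdb_csv: str, edr_csv: str, scanner_csv: str) -> dict:
    """Cross-check the three inventories and return the gaps between them."""
    cmdb = load(cmdb_csv, "hostname")
    edr = load(edr_csv, "device_name")
    scanner = load(scanner_csv, "asset")
    known, protected, scanned = set(cmdb), set(edr), set(scanner)
    return {
        # hosts the business owns that the endpoint layer has never seen
        "no_edr_agent": sorted(known - protected),
        # hosts the business owns that the vulnerability layer has never assessed
        "never_scanned": sorted(known - scanned),
        # devices a security tool sees that the asset register does not know about
        "unknown_to_cmdb": sorted((protected | scanned) - known),
        # the worst combination: known critical findings on a host with no agent
        "critical_and_unprotected": sorted(
            host for host in scanned - protected
            if int(scanner[host]["critical_findings"]) > 0),
    }


if __name__ == "__main__":
    for gap, hosts in reconcile(CMDB_EXPORT, EDR_EXPORT, SCANNER_EXPORT).items():
        print(f"{gap:<26} {', '.join(hosts) or '-'}")
```

Each console on its own reports green: the EDR shows every agent healthy, the scanner shows every scanned host. Only the join shows that two production hosts have no agent, that a device with critical findings is unprotected, and that something called legacy-fax is running an agent nobody registered. That join is the "visibility gap" a fragmented stack never surfaces.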
For organisations looking to align security strategies with best practices, the NIST Cybersecurity Framework provides structured guidance for organising security functions, and MITRE ATT&CK provides a catalogue of adversary techniques against which the detection and control coverage of an architecture can be checked.
3. The real-world impact - what the ACSC is seeing right now
Daniel Tripovich (Assistant Director General Incident Management, Australian Cyber Security Centre) revealed that many businesses are underestimating the speed and scale of cyber
Key findings from ASD's latest data:
- 31% increase in reported public vulnerabilities.
- 87,400 cybercrimes were reported in a single year.
- Ransomware and supply chain attacks remain top threats.
Despite these risks, many organisations still fail to adopt the ACSC’s Essential Eight, which remains one of the most effective cyber resilience frameworks.
Rather than treating the Essential Eight as a compliance checklist, businesses should approach it as a comprehensive security strategy. ASD's Essential Eight Maturity Model defines four maturity levels (Zero to Three) and recommends bringing all eight mitigation strategies to the same level before moving to the next, rather than cherry-picking controls. Within that plan, restricting administrative privileges, multi-factor authentication (MFA) and patching applications and operating systems are the controls that typically deliver the highest immediate impact, because they cut off the privilege escalation, credential abuse and known-exploit paths that most intrusions depend on.
For businesses struggling with implementation, structured security solutions can help ensure consistent, effective adoption of the Essential Eight.
The Australian Cyber Security Centre (ACSC) offers detailed guidance on implementing the Essential Eight Framework effectively.
Bringing it all together – risk, architecture, and compliance must align
The biggest takeaway from CISO Sydney was clear: risk, security architecture, and compliance must work together, not in isolation.
Siloed security efforts lead to gaps that attackers exploit. To build a stronger defence, organisations should integrate:
✔ Ongoing risk assessments that adapt to new threats.
✔ Security architecture that is streamlined, not overcomplicated.
✔ Essential Eight maturity as a security strategy, not a compliance checkbox.
Strategic next steps for business leaders
Many organisations are already investing in cyber security, yet vulnerabilities remain. Without a structured approach to risk, architecture, and compliance, businesses remain exposed to cyber threats.
To reduce cyber blind spots, businesses should:
- Conduct regular security control reviews to align risk, compliance, and architecture.
- Simplify security architecture through integrated network and endpoint security.
- Implement the Essential Eight with a structured approach to improve cyber resilience.
Businesses struggling with security maturity can benefit from structured frameworks like Governance, Risk & Compliance (GRC), Security Controls Review, and ASD Essential 8 as a Service to ensure cyber resilience is continuously evolving.
Need expert guidance? Let’s talk.
Navigating compliance can be complex, but The Missing Link can help.
Get in touch today to protect your business and stay secure in 2025 and beyond.
Author
As a Content Marketing Specialist at The Missing Link, I turn technical insights into engaging stories that help businesses navigate the world of IT, cybersecurity, and automation. With a strong background in content strategy and digital marketing, I specialise in making complex topics accessible, relevant, and valuable to our audience. My passion for storytelling is driven by a belief that great content connects, educates, and inspires. When I’m not crafting compelling narratives, I’m exploring new cultures, diving into literature, or seeking out the next great culinary experience.