Cyber Voices

Australian Information Security Association (AISA)

Welcome to CYBER VOICES, where we highlight and celebrate the diverse voices of the Australian cyber community. From top-ranking CISOs and government officials to threat hunters and vulnerability analysts, if there’s a voice to be heard, you’ll hear it on CYBER VOICES. Join us as we delve into the stories, insights, and expertise that shape the world of cybersecurity in Australia.

  1. 1d ago

    Breachonomics Redux: Grant McKechnie on the Untold Cost of a Data Breach

    On this episode of Cyber Voices, host David Savva-Willett is on the ground at Canberra CyberConnect 2026, AISA's inaugural event in the nation's capital, sitting down with Grant McKechnie for a conversation that CFOs and board members need to hear. Grant is Managing Partner at Cyber Resilience Group and a two-decade CISO veteran of Endeavour Group, Telstra and NBN. He was named one of the top 10 CISOs in Asia Pacific in 2022 and has built greenfield cyber security functions across some of Australia's most critical infrastructure. Today at CyberConnect he has returned with Breachonomics Redux, a follow up to the passion project he has been researching for the past four years on the untold economic and human impacts of a data breach. We get into the share price data behind major Australian and global breaches, from Medibank's 198 days back to parity to Live Nation's share price actually climbing after a breach affecting 560 million records. Grant unpacks why the market is becoming ambivalent, why Australian penalties never match the crime, and why trust and communications have overtaken share price as the impact he now leads with when advising boards. We also dig into how threat actors are adapting (including calling the regulators on their own victims), why information sharing has quietly gotten worse even as we appear to share more, the three critical first hires when building a cyber function from a blank page, the underrated art of finding a board sponsor before you need one, and the crucial difference between what belongs in an ARC pack versus a full board pack.  If you have a CFO or a board member in your life, this is the one to forward on

    Breachonomics Redux: Grant McKechnie on the Untold Cost of a Data Breach
  2. Jul 8

    Rain, Hail or Shine: Chris Stannage on Cyber Run Club, Community and Mental Health

    This episode is a little bit different. Yes, my guest works in cyber security, but we are not here to talk about breach containment or zero trust architecture. We are here to talk about the people behind the industry and what it actually takes to show up and do this job sustainably. Chris Stannage is a Scottish born, Melbourne based Senior Account Executive at Illumio, a former competitive rugby player, and the founder of Cyber Run Club, a monthly gathering at the Tan that brings cyber professionals together for movement, fresh air and honest conversation with zero pressure and zero sales pitches. We chat about the lunch that sparked the whole idea, the strictly sales free ethos and why it works, the organic connections made along the way (including an analyst picking the brain of a CISO mid jog), mental health in our industry and why talking early matters, what competitive rugby taught Chris about teams and discipline, and his unlikely path from a microbiology degree to cyber sales. Cyber Run Club meets on the last Thursday of every month at the Tan in Melbourne. Walk, jog or run, everyone is welcome, from students to CISOs. Find the group by searching Cyber Run Club on LinkedIn. A note on mental health: our conversation is general in nature and we are not experts in this space. If anything in this episode raised something for you, support is available. Lifeline 13 11 14 or lifeline.org.au. Beyond Blue 1300 22 4636 or beyondblue.org.au.

  3. Jul 1

    Emily Holyoake on Security Culture, Human Risk and Canberra Roundabouts

    Recorded live at the inaugural Canberra CyberConnect 2026, David sits down with Emily Holyoake, Executive Director and co-founder of Not A Standard and one of the creators of the SAFE Framework, a multidisciplinary approach that brings cyber security, criminology and behavioural science together to map how adversaries exploit people, technology and systems. Emily is a proud Wurundjeri woman and a passionate advocate for neurodiversity in cyber. In this conversation, Emily unpacks the thinking behind one of the best titled talks on the program, Navigating Human Risk: What to Do When Your Security Culture Handles Like a Canberra Roundabout. She explains why great security culture is really a design problem, when you want people safely on autopilot and when you want them to slow down and think, and why phishing simulations so often do more harm than good. Along the way she makes the case that humans are our greatest asset rather than the weakest link, that looking after our people is the best defence against insider risk, and that we all need to be wrong more. Whether you are a new CISO building your first 30-day plan or you simply want to bring your security program back to the people it serves, this one is full of practical and genuinely human thinking. Please note this episode contains a brief reference to suicide. If anything in this episode affects you, support is available in Australia through Lifeline on 13 11 14 or at lifeline.org.au. If this conversation resonates with you, subscribe to Cyber Voices on your podcast app of choice and leave us a five-star review. It helps others find the show. Cyber Voices is the official podcast of the Australian Information Security Association (AISA).

    Emily Holyoake on Security Culture, Human Risk and Canberra Roundabouts
  4. Jun 24

    The Sword Cuts Both Ways: Professor Toby Walsh on AI, Mythos and the New Normal in Cyber

    On this episode of Cyber Voices, host David Savva-Willett is at Canberra CyberConnect 2026, AISA's inaugural event in the nation's capital, for a wide-ranging conversation with Professor Toby Walsh, one of the world's most influential voices in artificial intelligence. Toby is a Professor of AI at UNSW Sydney and Chief Scientist of UNSW AI. He has advised the United Nations and heads of state on the limits we need to place on AI, and his outspoken stance on the military uses of the technology famously earned him an indefinite ban from Russia. In this conversation, Toby and David dig into what AI really means for cyber defenders right now. They discuss Anthropic's Mythos and the wave of decades-old zero-day vulnerabilities now being uncovered, why this is the new normal rather than a one-off event, and how AI has democratised offensive capability so that sophisticated attacks no longer require deep technical expertise. They also explore the questions that matter most for security leaders: whether defenders are really losing the AI arms race, why dwell time has collapsed from 200 days to a smash-and-grab measured in hours, the rise of shadow AI arriving both top down and bottom up, the sovereignty risk when powerful tools are released only to a select few, and the lessons from the Canvas breach where attackers did not hack the front door, they simply logged in. Toby also lifts the lid on the ideas behind his latest book, The Shortest History of AI: Six Ideas Are All You Need to Know, including why AI is a 70-year overnight success and why the human brain, running on the power of a dim light bulb, still puts our most advanced machines to shame. Whether you are a CISO being asked to govern AI while still learning it yourself, or simply trying to separate the signal from the hype, this is a clear-eyed and occasionally very funny look at where AI and cyber security collide. Topics covered: Why AI is a double-edged sword for cyber, threat and defence at onceAnthropic's Mythos and the discovery of zero-day flaws nearly 30 years oldHow AI has lowered the barrier to entry for sophisticated attacksWhether defenders are losing the AI arms raceDwell time collapsing from 200 days to under two hoursShadow AI, and how security leaders can actually govern itSovereignty risk and the case for stronger regulationThe Canvas breach and the era of just logging inSix big ideas from The Shortest History of AI Cyber Voices is the official podcast of the Australian Information Security Association (AISA).

    The Sword Cuts Both Ways: Professor Toby Walsh on AI, Mythos and the New Normal in Cyber
  5. Jun 17

    When Everything Is On Fire: Shane Fitzsimmons on Leading Through Crisis

    Recorded live at CyberConnect Canberra 2026, Cyber Voices host David Savva-Willett sits down with Shane Fitzsimmons AO AFSM, Managing Director of SAF Leading Advisory, former Commissioner of the New South Wales Rural Fire Service and inaugural Commissioner of Resilience New South Wales. David grabbed Shane straight off the main stage, minutes after his opening keynote on leadership in unprecedented times. Few people understand leadership under sustained pressure the way Shane does. He led New South Wales through the Black Summer bushfires, the floods that followed, biosecurity threats, critical infrastructure incidents and a global pandemic. His message to a room full of cyber leaders is strikingly simple. No matter the crisis, we are all part of a people organisation, and people are the anchor. Across the conversation Shane and David explore why a security leader's most important job is translation, turning complex and jargon heavy detail into plain language that paints an accurate picture for the board and the community. They dig into leadership as a culture rather than the sole purview of the person at the top, why trust and shared values have to be banked in the quiet times before any siren sounds, and why the most powerful thing a leader can say in a crisis is "I don't know, but I will find out." Shane also shares hard won lessons on looking after people in sustained pressure roles, the kind of burnout that incident responders and volunteers know all too well, and his belief that professionalism has nothing to do with whether you are paid. The pair turn to resilience and the discipline of learning from others rather than waiting for the crisis to find you, the value of after action reviews that capture what went well and not just what went wrong, and the knowledge transfer that readies the next team to step up. He closes with a single piece of advice for any cyber leader walking into the boardroom in the middle of an incident. Listen, keep it real, drop the ego, and let people know you care. This is an episode for every level of a security team, and one worth sharing well beyond our industry. If it lands with you, subscribe to Cyber Voices on your favourite podcast app and leave us a five star review. Full show notes are in the episode description.

    When Everything Is On Fire: Shane Fitzsimmons on Leading Through Crisis
  6. Jun 10

    Turning Off the Tap: Andrew Haschka on AI, Vulnerabilities and the Software Supply Chain | GitLab

    In this episode of Cyber Voices, the official podcast of AISA, host David Savva-Willett is joined by Andrew Haschka, Field CTO for Asia Pacific and Japan at GitLab, for a candid look at the question almost every enterprise is wrestling with right now: how do we let developers move faster with AI without flooding production with vulnerabilities we cannot keep up with? With more than two decades across cyber security, cloud and digital transformation, and prior leadership roles at Google and VMware, Andrew advises organisations and governments across the region on delivering software securely and at speed. At the heart of the conversation is what Andrew calls the AI paradox. AI can make writing code dramatically faster, yet the flow on effects in testing, security validation, compliance and release often slow teams down, because the volume of code rises while the team stays the same size. Much of that AI generated code is drawn from the internet, where not everything is secure by design, so vulnerabilities can increase exponentially. Andrew and David explore the memorable goal of one CISO to turn off the tap of vulnerabilities running in production, and why prevention beats endless triage. From there the discussion moves to the consumerisation of AI and the sprawl of unmanaged tools, the importance of a traceable system of record that evolves into a knowledge graph, and the defender's advantage in the arms race between teams shipping AI assisted code and attackers using AI to find weaknesses. Andrew makes the case that a defender whose AI understands the specific code base, threat model and compliance posture will spot what a generic attacker AI misses. Andrew also unpacks what secure software supply chains look like in an AI assisted world, from integrity and attestation to provenance and traceability, and shares practical guidance for any security leader being asked to enable AI for their development teams. His advice centres on building intelligent orchestration across three layers: a unified data layer and system of record, strong control and access with purpose built agents, and a governed experience delivered through an AI gateway rather than uncontrolled sprawl, all with humans firmly in the loop. It is a practical and forward looking conversation for any CISO, engineering leader or developer trying to capture the benefits of AI without inheriting a new generation of risk.

    Turning Off the Tap: Andrew Haschka on AI, Vulnerabilities and the Software Supply Chain | GitLab
  7. Jun 8

    The Chair's Check In: Michael Burchell on AISA at the Halfway Mark of 2026 | CyberConnect Canberra

    In this episode of Cyber Voices, the official podcast of AISA, host David Savva-Willett sits down with Michael Burchell, Chair of the Australian Information Security Association, for a mid year check in on the state of Australia's peak body for cyber security. Recorded on the floor at the inaugural CyberConnect Canberra in the nation's capital, it is a candid look at where AISA sits at the halfway point of 2026, and, fittingly, it is Michael's very first podcast. The conversation opens with the reimagining of the event itself, the move from CyberCon Canberra to CyberConnect Canberra, and why a smaller, more curated and more local gathering is the right way to connect industry and professionals with government on regulation, consultation and cyber strategy. Michael and David also reflect on the proud tradition of the Australian Parliament House dinner in the Great Hall. From there the discussion turns to the year so far for an association now representing more than 14,000 members. Michael shares an update on the professionalisation town halls held around the country, the launch of the new Learning Portal for ongoing professional development, the scholarship program and its diversity work alongside partners such as AWSN, and the board's new long term strategy built around strategic pillars and a horizons approach. He also looks ahead to the SEC days still to come in Sydney, Adelaide, Perth and Darwin, and to the flagship CyberCon in Melbourne, with early bird registrations now open. Above all it is a thank you to the volunteers and branch committees who, in Michael's words, are the reason the association exists at all. Links to resources mentioned in this episode AISA professionalisation pilot, including the key questions and responses Michael mentioned: https://aisa.org.au/public/Public/News_and_Media/Professionalisation/Professionalisation.aspx AISA Learning Portal, available now to all members (accessed through the AISA member area) https://www.aisa.org.au CyberCon Melbourne, early bird registrations open: https://www.cyberconference.com.au/  Australian Women in Security Network (AWSN): https://www.awsn.org.au/

    The Chair's Check In: Michael Burchell on AISA at the Halfway Mark of 2026 | CyberConnect Canberra
  8. Jun 3

    Nicole Stephensen on Privacy Impact Assessments and Securing Personal Information | BrisSEC 2026

    In this episode of Cyber Voices, the official podcast of AISA, recorded live on the floor at BrisSEC in Brisbane, host David Savva-Willett sits down with Nicole Stephensen, a strategic risk and privacy professional recognised for her local and international expertise in privacy program management and her work as an expert witness on the reasonable steps needed to secure personal information across its lifecycle. Nicole is a Fellow of the Australian Information Security Association (FAISA) and a leading member of the International Association of Privacy Professionals (IAPP). Fresh from a panel alongside Queensland Privacy Commissioner Alexander White and IDCARE interim Group CEO Charlotte Davidson, Nicole unpacks what a privacy impact assessment really is, why it belongs in every cyber security toolkit, and what happens when organisations skip it. She also shares a memorable reframe from the panel: think of a privacy impact assessment less like a yes or no gate and more like a navigation system. The question stops being can we do this and becomes how do we get there safely, steering around the potholes, roadblocks and unnecessary costs along the way. The conversation explores where privacy and security overlap and where they differ, the reasonable steps expected under Australian privacy law, the recent alignment of Queensland privacy law with the federal approach, and the most common mistake of all, which is simply not doing a privacy impact assessment when you could. As Nicole explains, a good PIA does not have to be onerous or expensive, with free toolkits and templates available from both the federal and state privacy regulators. Links to resources mentioned in this episode: Federal resources, from the Office of the Australian Information Commissioner (OAIC): Guide to undertaking privacy impact assessments https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments Privacy impact assessment tool (the free, adaptable template) https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-impact-assessment-tool 10 steps to undertaking a privacy impact assessment https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/10-steps-to-undertaking-a-privacy-impact-assessment Queensland resources, from the Office of the Information Commissioner (OIC): Privacy impact assessments (step by step guide) https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/privacy-impact-assessments Undertaking a Privacy Impact Assessment (the full guideline) https://www.oic.qld.gov.au/guidelines/for-government/guidelines-privacy-principles/privacy-impact-assessments/undertaking-a-privacy-impact-assessment PIA templates, including the threshold privacy assessment and the PIA report templates https://www.oic.qld.gov.au/information-for/information-privacy-officers PIA assessments from the Queensland OIC: https://www.oic.qld.gov.au/government/privacy/privacy-impact-assessments

    Nicole Stephensen on Privacy Impact Assessments and Securing Personal Information | BrisSEC 2026

About

Welcome to CYBER VOICES, where we highlight and celebrate the diverse voices of the Australian cyber community. From top-ranking CISOs and government officials to threat hunters and vulnerability analysts, if there’s a voice to be heard, you’ll hear it on CYBER VOICES. Join us as we delve into the stories, insights, and expertise that shape the world of cybersecurity in Australia.

You Might Also Like