Cyber security leadership becomes more specialised as organisations grow 

Cyber maturity does not increase evenly with organisation size. 

While larger organisations often have greater cyber security investment and more specialised resources, stronger governance and cyber security operating models are not guaranteed. Large, multinational organisations are far more likely to have dedicated cyber security leadership, including formal CISO roles responsible for cyber security strategy, governance and oversight.

However, strategic responsibility does not always come with control over resources. Only around a third of CISOs in this cohort hold direct responsibility for cyber security budgets, leaving a significant proportion (39%) shaping strategy without full budgetary authority.

The disconnect between the person best placed to understand cyber risk and the person controlling cyber security investment is a governance gap worth examining at board level when assessing organisational cyber resilience.

National businesses are more likely to rely on IT teams or broader cross-functional ownership, with fewer fully dedicated cyber security executives. 

As organisations grow, ensuring the right cyber security operating model, governance structure and allocation of resources becomes critical to maintaining long-term cyber maturity.

Outsourcing is a maturity bridge

While larger organisations generally display more formalised cyber leadership and governance structures, the data suggests that the relationship between scale and maturity is not linear.

The size of in‑house data security teams increases with organisation size, yet across all segments, organisations are more likely to maintain moderately sized teams (six to ten roles) rather than slightly larger teams of 11-15.

This highlights a clear maturity (and capacity) gap, where larger businesses invest more heavily in specialised data security capabilities.

What we’re seeing may be distinct maturity patterns, where organisations with 201-1000 employees exhibit what can best be described as ‘getting ready’ behaviour. These organisations are large enough to experience real threat exposure and are likely to face governance expectations from insurance providers and other stakeholders. However, their internal team lacks the specialist expertise to manage the risk in-house. It takes time to build that capacity, so they use external support as a maturity bridge in the interim.  

The lower prevalence of outsourcing in both larger and smaller organisations supports this explanation. Larger organisations outsource less because many core cyber functions have already been in‑housed and embedded. Smaller organisations lack the resources to outsource more heavily and face lower governance expectations.

Managing third-party risk when outsourcing

While outsourced cyber security can help to fill gaps in your in-house capabilities, it is important to know the risks. In its Annual Cyber Threat Report 2024-25, the Australian Cyber Security Centre (ACSC) flagged third-party exposure as a systemic risk that must be actively managed alongside internal controls. 

Third‑party cyber risk arises where systems, data or operations depend on external providers such as managed service providers, cloud platforms, software vendors or outsourced security services. 

Australia has seen high-profile data breaches made possible by exploitable weaknesses in third-party platforms. It is thus critical to treat suppliers as part of your control environment. Under the Australian Privacy Principles (APPs), organisations remain accountable for personal information they disclose to third parties and must take reasonable steps to ensure vendors handle that information in a manner consistent with the APPs.

An effective third-party risk management framework should include:

  • Rigorous due diligence when selecting a vendor.
  • Regular audits and assessments of third-party security practices.
  • Clear contractual obligations concerning data protection and compliance.

When governed properly, outsourcing can accelerate cyber maturity. Without clear ownership and oversight, however, it can concentrate risk rather than reduce it.

Australian organisations prefer hybrid environments to cloud-native

Cloud adoption is widespread but varied in scale, with most organisations operating hybrid environments. Hybrid security models also dominate, while more advanced cloud-native and posture management tools remain less widely adopted. 

There is an opportunity here for organisations to deepen their security posture. Hybrid environments are inherently harder to secure consistently than single-model environments, and the complexity of managing controls across both worlds creates attack surface that purely on-premises or cloud-native models do not.

Mid-sized companies lead in digital identity management

Identity management fundamentals are widely embedded, but here is where gaps start to appear.

Mid-sized organisations lead adoption across every identity management measure, including biometric authentication and passwordless authentication, by a meaningful margin. 

Lower adoption in smaller organisations makes sense, but it is surprising to see larger organisations fall behind, despite their greater resources and specialist in-house teams. 

Several factors could be at play. Licensing costs for software can be prohibitively expensive at enterprise scale, shifting the dial on cost-benefit analyses. And in large, complex organisations, rolling out new authentication policies across thousands of users, multiple systems and varied geographies is a significant change management exercise, causing adoption to be slower than in leaner organisations.

This warrants concern for larger organisations, as identity compromise remains one of the most common and consequential attack vectors. Organisations that have not fully closed their identity management gaps, regardless of size, are carrying more residual exposure than they may realise.


Frequently asked questions about cyber security operating models

Organisations can manage cyber security internally, outsource specific security functions to specialist providers or adopt a hybrid model, with tailored support that works alongside internal teams. The right approach depends on your business size, risk profile, available internal expertise and operational requirements. 

Regardless of whether cyber security is managed in-house, outsourced or through a hybrid model, RSM Australia can help organisations strengthen their ability to protect, govern, respond and operate across their cyber security and IT environment.

Outsourcing can provide access to specialist skills, advanced security technologies and around-the-clock monitoring that may not be practical to maintain internally. Many organisations achieve the best outcomes through a hybrid operating model that combines internal governance with external expertise.

An effective operating model clearly defines ownership, governance, risk management, incident response and accountability across the organisation. It should evolve as the organisation grows and adapt to emerging cyber threats. 


There is no universal approach. Larger organisations often benefit from dedicated internal capability, while many mid-sized organisations successfully combine internal oversight with external cyber security specialists. The most effective model is one that aligns with business risk, resources and long-term cyber resilience objectives.
