Cyber confidence vs cyber readiness
It is clear that Australian organisations are taking cyber security more seriously than they were 18 months ago. Budgets have increased, organisations are insured and controls are both in place and being tested regularly.
Even better, those controls are working 95% of the time. Mostly. The business world saw there was a threat and put up a wall for protection. Job done, right?
Unfortunately, cyber threats are a risk that requires ongoing vigilance. There also appears to be a significant gap between how organisations perceive their security posture and their actual readiness.
Australian organisations appear overconfident in their ability to protect customer data
97% of organisations express confidence in their ability to protect sensitive customer data.
This confidence is almost identical across small, mid-sized and large organisations, despite the fact that their actual exposure, incident rates and maturity levels are not.
If you recall, one in five of these organisations experienced a data breach in the past year. Among the largest organisations, almost half reported ransomware exposure, and a third of those that experienced attacks sustained some level of damage despite having controls in place.
Clearly, confidence is not an indication of capability. What the survey is measuring is how capability is perceived, not how it performs.
This misalignment between perception and reality is deeply concerning. Unearned confidence can quickly become a liability.
Most organisations feel prepared for Australia’s new SOCI Act
Overall, 90% of surveyed organisations describe themselves as prepared to meet Australia's Security of Critical Infrastructure (SOCI) Act requirements, including Essential Eight compliance and mandatory data breach notification obligations.
Mid-sized firms express the highest confidence, with 93% reporting preparedness and 54% describing themselves as "very prepared."
Large organisations are more cautious. Organisations with greater exposure to the operational complexity of the SOCI Act may be more aware of the significant effort and maturity required to achieve full compliance.
Methodological note on data limitations: Not all respondents are subject to the SOCI Act, and some may have reported preparedness by virtue of not needing to comply. The SOCI Act applies to 11 sectors, which do not map precisely onto the industry categories used in this survey. Only around a fifth of respondents work in sectors with a clear, direct obligation under the SOCI Act. A further two thirds operate in sectors where applicability depends on the specific nature of their business.
Confidence becomes a risk factor when it outpaces operational reality
The problem is not that Australian organisations feel confident. The problem is uniform confidence despite uneven maturity. Large organisations facing the highest incident rates express only marginally less confidence than those facing the lowest.
If we think in terms of the wall analogy we used earlier, this is the situation:
Every organisation is a village that has built a wall for protection. Everyone has different resources available, so these walls come in all different sizes and materials. Some hired builders to construct the walls, others did it themselves. Some set guards to detect intruders, others thought the wall was enough. Some trained their people on recognising intruders and what to do if intruders got in. Others just paid for stronger walls.
The walls are constantly under attack, and about one in five villages have lost their treasure because attackers got in. Despite all of these differences, the vast majority of villages think their treasure is safe.
Turn confidence into cyber resilience
Confidence alone doesn't reduce cyber risk. Organisations need evidence that their governance, security controls and response capabilities can withstand real-world cyber threats. RSM's cyber specialists help organisations assess cyber maturity, identify capability gaps and build practical strategies that strengthen long-term resilience.
Frequently asked questions about cyber maturity and cyber readiness
Cyber maturity measures how effectively an organisation manages cyber risk through governance, security controls, people, processes and technology. Mature organisations continually improve their cyber capabilities rather than relying on technology alone.
RSM's Cyber Security & Resilience Services help organisations assess their current cyber maturity and develop practical roadmaps for continuous improvement.
Organisations can feel confident in their cyber security without having independently validated their controls, governance or incident response capability. Regular assessments, testing and independent assurance provide a more accurate measure of cyber readiness than confidence alone.
RSM's Information and Cyber Security Risk specialists help organisations identify gaps between perceived capability and operational readiness.
Cyber readiness should be measured through governance reviews, security assessments, incident response exercises, employee awareness testing and ongoing monitoring of cyber risks. A structured assessment helps organisations prioritise investment and improve resilience over time.
RSM's Cyber Security & Resilience Services work with organisations to benchmark cyber capability and strengthen long-term resilience.
Cyber threats, technologies and regulatory expectations continue to evolve, meaning yesterday's controls may not provide adequate protection today. Regular cyber maturity assessments help organisations identify emerging risks, validate existing controls and support informed investment decisions.
RSM's Information and Cyber Security Risk team helps organisations evaluate cyber maturity and implement practical improvements aligned with business objectives.
Boards should seek independent evidence that cyber controls, governance and incident response arrangements are working as intended. Regular reporting, scenario testing and cyber maturity assessments provide greater assurance than relying on confidence alone.
RSM's Cyber Security & Resilience Services help boards and executive teams strengthen governance and build measurable cyber resilience.
AI Security Assessment for Australian Organisations
RSM is pleased to offer its AI Secure by Design Review and Systems Assessment service that can help organisations identify, mitigate and manage their AI risks.