Cyber at the speed of machines: Why business must rethink its defences

Just 12% of cyber leaders are consulted early when strategic decisions are made. The result is a dangerous paradox: organisations are investing in innovation while under-investing in the guardrails that make innovation sustainable.

The 2025 EY Global Cybersecurity Leadership Insights Study, which surveyed more than 550 executives worldwide, shows that when cyber is embedded early, it typically contributes 11–20% of the value in major initiatives – adding tens of millions of dollars in measurable benefit.

But when it’s bolted on late, the risks are already locked in.

The pace of change outstrips cyber response

The cyber threat landscape is moving faster than most organisations can manage. Australia’s Cyber Security Centre receives a new cybercrime report every six minutes[KJ1] . Behind that headline-grabbing figure sit state-sponsored actors, ransomware gangs, hacktivists and opportunists, all evolving their tradecraft at machine speed.

Yet as threats accelerate, complacency continues to creep in. Budgets face downward pressure. Boards express concern but stop short of real investment. Too many leaders are fatalistic: assuming attacks are inevitable, they settle for minimum compliance instead of protecting their most valuable assets.

Meanwhile, artificial intelligence is being adopted at warp speed. New platforms are reshaping industries, agentic AI is embedded into business strategy, and leaders are rightly debating responsible AI and third-party risk.

But cyber uplift is falling behind technology change, widening the gap between innovation and protection.

From blocker to enabler

For the last decade, cybersecurity functions often carried the reputation of being the department of “you can’t” – slowing projects down in the name of protection.

Today’s opportunity is to enable innovation while protecting it. That means guardrails that let AI experimentation scale safely, and investment tied directly to business priorities.

The numbers are clear: value-focused cyber spend delivers 6.6 times the return of traditional security investment, according to the EY study. Far from a sunk cost, cyber is a strategic multiplier that can fuel growth, build trust and strengthen resilience simultaneously.

Simplify to strengthen

There is another opportunity for chief information security officers (CISOs): simplification.

Australian and New Zealand companies run an average of 30 different cyber tools. Every new tool expands the attack surface.

Around one in five cyber leaders have rationalised their stack, and nearly half are in the process of doing so. Optimising legacy technology and reducing the number of tools can remove duplication, reduce spending, improve visibility and unlock the full value of AI and automation.

Simplification frees resources so cyber teams can focus on what matters most – protecting sensitive data, enabling transformation and safeguarding reputation.

A moment in history

All the leading and lagging indicators point in the same direction. We are seeing more attacks, more often. We are seeing the damage they cause – from brand erosion to service outages and financial loss.

But this is also a moment of possibility. We now have technology that can help us fight cyber at the speed of machines.

With the right investment in AI and automation, cyber teams can get ahead of the threat curve. For CISOs, this is the moment to change their seat at the table: from compliance custodian to value creator. For boards, the message is just as stark: the letter “C” for cyber should come before ESG.

What’s next

This article opens our new EY series, Cyber at the speed of machines. Over the coming weeks, my colleagues will unpack what the latest research means in practice for different sectors:

• Meaghan Stackpole will explore the consumer sector, where cyber is the hidden layer of customer experience.
• Clement Soh will look at energy and resources, where the net-zero transition and convergence is creating unprecedented exposure.
• David Ruzicka will examine government, where cyber can be the litmus test for public trust.
• Louise Theunissen will focus on New Zealand, where operational leaders must step up to close the cyber gap.

The threats are escalating. But so is our ability to respond. Done right, cyber protects the enterprise and creates new value. The question is whether leaders are ready to move at the speed of machines.