Cyber Security.
1.04.26
At the CISO Critical Infrastructure Melbourne conference, similar themes emerged across multiple sessions. Organisations are investing in security, yet many are still operating without a clear understanding of their data, access, and risk.
This matters because 45% of global cyber-attacks target critical infrastructure. These environments are complex and interconnected, which makes visibility difficult and response slower.
Security capabilities are in place, but many organisations still can’t clearly answer what data they hold, who can access it, or where their highest risk sits.
Traditional security tools are no longer enough because they provide signals without sufficient context to interpret them.
Environments with mature security stacks are still generating large volumes of alerts that can’t be clearly prioritised.
Activity is visible, but the impact isn’t always clear.
Across sessions, this showed up as:
Alerts triggered across multiple systems with no clear link to business impact
Security teams focusing on system activity rather than data exposure
Difficulty distinguishing between routine behaviour and actual risk
A recurring scenario involved alerts being generated from operational systems without clarity on what data those systems contained. Teams could detect activity but couldn’t determine whether it affected critical operations or low-risk systems.
The Verizon 2025 Data Breach Investigations Report highlights that many breaches continue to exploit known vulnerabilities and credential-based access. Alerts and exposures are often detected, but without context, it’s difficult to determine which ones represent actual risk.
What we’ve seen at The Missing Link is similar: teams are managing high volumes of alerts without clear prioritisation. Structured security maturity assessments are often used to establish that clarity and focus effort where it matters.
Context allows organisations to prioritise risk based on impact, rather than activity alone.
Many organisations still struggle to answer basic questions about their data. Discovery on its own doesn’t provide enough information to support decision-making.
Establishing context requires clarity on:
What data exists
Where it is stored
Who is responsible for it
Who currently has access
Several examples involved sensitive data being identified but not assigned clear ownership. Without ownership, decisions around access and protection are delayed or not made at all. As a result, ownership and access are not always clearly defined.
Access permissions often remain unchanged as roles evolve, resulting in broader access than intended over time.

AI is increasing the visibility of existing gaps in data governance and access control.
82% of organisations are using AI
23% have reported credential exposure
80% have experienced unintended actions
These outcomes reflect underlying issues:
Over-permissioned environments
Limited data classification
Inconsistent governance
These outcomes weren’t due to new system behaviour but to existing access settings. Microsoft’s Work Trend Index 2024 highlights that AI is exposing overshared and over-permissioned data across many environments.
Because AI systems operate on established permissions, they make underlying access decisions more visible. AI hasn’t introduced new categories of risk but has increased visibility into existing ones.
Legacy security approaches rely on manual processes and static rule sets. These approaches become harder to manage as environments expand.
60% of breaches involve known vulnerabilities
Remediation typically takes between 60 and 150 days
Vulnerabilities are often identified, but remediation is delayed due to coordination across teams and systems.
Common factors include:
Multiple teams responsible for different systems
Manual validation and remediation processes
Large volumes of findings with limited prioritisation
In some cases, remediation requires coordination across infrastructure, application owners, and third-party providers, which extends timelines and makes prioritisation difficult. As a result, identified risks remain unresolved for longer than intended, even when they are well understood.
This is often compounded by the tools themselves, which still rely on complex rules and manual input, adding to the operational overhead.

Identity defines how access is granted, maintained, and reviewed.
Access decisions determine how users and systems interact with data.
Key focus areas include:
Understanding who has access to critical systems
Reviewing whether access is still required
Monitoring how permissions change over time
Examples included dormant accounts retaining access to critical systems and identity systems being restored late during incident recovery.
Permissions are often granted correctly, but not reviewed consistently as environments change.
Over time, this results in access persisting beyond its intended use, increasing exposure without clear visibility.
Organisations have tools, but limited clarity
Context is required to prioritise risk
AI is exposing existing gaps
Identity and access require more attention
Simpler approaches are easier to manage
Most organisations already have security controls, tools, and processes in place. The challenge is connecting data, access, and risk in a way that supports decision-making.
At The Missing Link, this starts with building a clearer view of what data exists, who has access to it, and where risk is concentrated. From there, security efforts can be prioritised more effectively using the controls already in place.
If you’re not confident in those answers today, it’s worth reviewing how your environment is structured and where visibility gaps may exist.
Author
As a Content Marketing Specialist at The Missing Link, I turn technical insights into engaging stories that help businesses navigate the world of IT, cybersecurity, and automation. With a strong background in content strategy and digital marketing, I specialise in making complex topics accessible, relevant, and valuable to our audience. My passion for storytelling is driven by a belief that great content connects, educates, and inspires. When I’m not crafting compelling narratives, I’m exploring new cultures, diving into literature, or seeking out the next great culinary experience.