How Much Security Is Enough? I’ve Been Asking for 22 Years.
In March 2026, the Australian Institute of Company Directors polled 673 directors at their Governance Summit. 58% named cyber as their number one geopolitical risk. Not trade wars at 10%. Not energy security at 17%. Cyber.
That same month, the Armis Global Cyberwarfare Report found that 72% of Australian organisations had reported cyberwarfare incidents to authorities, up from 56% the prior year. The highest of any country surveyed.
Australia knows what the problem is. The awareness gap is closed.
And yet: two thirds of Australian organisations say their average ransomware payout exceeds their entire annual cybersecurity budget. 70% were hit by an AI-generated or AI-led attack in the past 12 months. Again, the highest of any country.
The concern is genuine. The conviction is there. The funding hasn’t caught up.
I’ve been watching this gap between awareness and action for over two decades. The question at the centre of it hasn’t changed.
2004: “Security, Striking the Right Balance”
In May 2004, I authored an article for PwC Perspectives. I opened with a question that clients kept asking me:
“As a security and risk professional, I am often asked: ‘how much security is enough?’ It seems a simple enough question, but it manages to trip up so many people.”
— PwC Perspectives, May 2004
Twenty-two years later, it still does.
In that article, I made the case that security would always be viewed through a commercial lens, whether organisations liked it or not:
“Security is widely perceived as a ‘tax on doing business.’ The day the required security investment outweighs the income of the business, we may as well close up shop and go home.”
That framing bothered people in 2004. It still bothers people now. But it was true then and it’s true today. Boards don’t fund security because it’s the right thing to do. They fund it when the cost of not funding it becomes commercially unacceptable.
The core argument I made in 2004 was about proportionality. Not every organisation needs to achieve best practice across every security domain. What they need is best fit:
“It is becoming more common for organisations to strive for a ‘best fit’ solution as opposed to obtaining ‘best practice’ in every security matter. Conforming to best practice is an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the expenditure required to get there. A best fit model is about understanding what the risks are, and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying best practice processes regardless of the associated risk.”
Best fit required something most organisations didn’t have in 2004: executive engagement with security as a business function.
“It is vital for the executive team to buy into the security structure, to have significant awareness of security related matters, and to encourage a security conscious culture within the organisation. Without executive level support, the Chief Security Officer will be a sole voice without authority. This, of course, will lead to the breakdown of a successful security function.”
And executive engagement was almost non-existent. We measured it:
“In 2004, 62% of security organisations still reported to the CIO/IT, while only 16% reported to the CEO and only 2% had a security committee overseeing information security.”
Two percent.
Security was a technical function buried under IT, reporting to people who saw it as an infrastructure line item. The idea that a board would have a dedicated security committee overseeing information security was, in 2004, almost unheard of.
I wrote those warnings 22 years ago. Some of them have aged well. Some have barely moved.
2017: The Same Question, Thirteen Years Later
By 2017, I was CISO at IRESS, a global financial technology company. The threat landscape had escalated dramatically. Nation-state attacks, ransomware as a business model, supply chain compromises. The sophistication and frequency of attacks bore no resemblance to what we faced in 2004.
I wrote a piece for Global Trading magazine. The opening was almost identical to what I’d written thirteen years earlier:
“As a security and risk professional, I am often asked: ‘how much security is enough?’ It seems a simple enough question, but it manages to trip up so many people. So what is the right answer? Is there a nice sound bite that one can give? Well, not really.”
— Global Trading, 2017
The same question. The same answer. No easy formula. No magic number.
What had changed was the complexity of the challenge facing security leaders:
“In a dynamic environment of increasing security threats, firms have a big challenge on their hands to ensure they continue to: Get their security governance structure right and clearly articulate roles and responsibilities. Obtain executive level buy-in and sponsorship. Base security investments on risk. Use security as a business enabler, not just a cost. Establish a security awareness programme. Continue to assess and adjust their security capabilities to changes in the environment.”
Every one of those challenges existed in 2004. By 2017, the stakes behind each of them had multiplied.
The best fit argument hadn’t changed either:
“It is becoming more common for organisations to strive for a ‘best fit’ solution as opposed to obtaining ‘best practice’ in every security matter. It’s about being commercial and pragmatic in the way security is managed.”
But I’d learned something in the thirteen years between the two articles. Technical controls are necessary. They are not sufficient. What actually defines your security posture is something far harder to build and far harder to measure:
“Your company culture is what will ultimately define your security posture and its effectiveness.”
At IRESS, I’d had the opportunity to build a security function from the ground up and test that belief:
“Three years ago, we set up a dedicated global information security team tasked with protecting our environment and those of our clients. We recruited specialist subject matter experts who could educate others and keep up with ever-evolving cyber threats and techniques. The team was integrated into the business, not set apart as a traffic cop.”
Integrated into the business. Not a separate police force. Not a compliance checkbox. A team that understood the business objectives and could explain why security investment protected those objectives, not just the network perimeter.
The hardest part of that job was the same thing I’d written about in 2004. Getting the board to invest required giving the board something they could evaluate:
“Defining metrics of the effectiveness of information security and providing that to the board to get their buy-in on commensurate information security investment.”
By 2017, the question was the same. The principles were the same. The gap between asking the question and answering it had not closed.
2026: What’s Changed and What Hasn’t
Nine more years have passed. I now advise boards and executive teams across financial services, mining, real estate, and professional services through Cyber Impact. I’ve seen the inside of dozens of organisations’ security postures. Some are genuinely impressive. Many are not.
Here’s what has changed.
The threat has been transformed by AI. 70% of Australian organisations were hit by an AI-generated or AI-led attack in the past 12 months, according to the Armis report. This category of attack did not exist when I wrote the 2004 article. It was barely emerging in 2017. It is now the dominant threat vector. Adversaries are using AI to generate phishing at scale, to identify vulnerabilities faster than defenders can patch them, and to create deepfakes convincing enough to bypass identity verification. The speed and sophistication of attacks have fundamentally shifted.
The regulatory landscape has matured significantly. The Security of Critical Infrastructure Act, the Essential Eight, mandatory breach disclosure requirements. Australia now leads the world in cyber incident reporting. That 72% figure from Armis is not an accident. It reflects a regulatory environment that has moved from voluntary to mandatory, and organisations that are, for the most part, complying.
Board awareness has caught up. 58% of Australian directors naming cyber as their number one geopolitical risk would have been unthinkable in 2004, when 2% of organisations had a security committee. It would have been unlikely even in 2017. The conversation has moved from “should we care about this?” to “this is the thing that keeps us up at night.”
Here’s what hasn’t changed.
Board expertise has barely moved. Only 29% of boards have a director with a cybersecurity background, according to the Splunk CISO Report. In 2004, 2% had a security committee. We’ve gone from 2% to 29% in 22 years. That’s progress, but it’s glacial, and it means 71% of boards are making funding decisions about a risk they’ve named as their number one concern without anyone at the table who can evaluate those decisions.
The communication gap between CISOs and boards persists. The IANS 2026 Benchmark Report found that 82% of directors rate CISO compliance reporting as satisfactory. But only 47% are satisfied with how CISOs articulate the impact of evolving threats. The board is hearing “we’re compliant.” It’s not hearing “here’s what this costs us if we don’t act.” Compliance is a floor. It has never been a ceiling. And the gap between those two things is where breaches happen.
Security is still widely treated as a cost centre. Only 18% of executives view cybersecurity as a standalone budget. For the other 82%, it sits within IT, shared services, or some other operational line item. The same structural problem I identified in 2004, when 62% of security reported to the CIO, persists in a different form. The reporting line may have shifted. The mindset hasn’t.
And the question “how much security is enough?” still trips up everyone.
The Gap That Matters
Australia doesn’t have an awareness problem. That debate is over. 58% of directors ranking cyber as their top risk settled it.
Australia doesn’t have a reporting problem. 72% reporting to authorities puts us ahead of every other country surveyed.
What Australia has is an expertise problem at board level.
“The conviction is there. The funding gap exists because most boards don’t have the expertise to evaluate whether their cyber budget is adequate, whether their CISO’s risk assessment is accurate, or whether the investment they’re making is proportionate to the threat they face.”
That gap, between knowing something matters and knowing what to do about it, is the same gap I wrote about in 2004. It’s the same gap I wrote about in 2017. It’s the gap that turns a $5 million security budget into a line item that nobody at the table can properly interrogate.
I’ve been in this conversation for 22 years. The central question still hasn’t been answered. Not because it’s unanswerable, but because the people who need to answer it still don’t have the right expertise in the room when the decision is being made.
That’s not an awareness problem. It’s a governance one.
Mark Vos is the Founder and CEO of Cyber Impact, providing executive advisory to Boards and C-Suite on cybersecurity, AI governance, and risk management. He has over 30 years of experience across global banks, listed companies, and government, including roles as CISO at IRESS, Director at PwC and Partner at EY.
Does Your Board Have the Cyber Expertise It Needs?
Most boards know cyber is their number one risk. Few have the expertise to evaluate whether their investment matches the threat. Cyber Impact helps boards and executive teams close the gap between awareness and action with independent, commercially grounded advisory.
