Bridging the Cybersecurity Divide Between the Haves and Have-Nots: Lessons from Australia’s CISO Community | A Conversation with Andrew Morgan | Redefining CyberSecurity with Sean Martin

Nov 5, 2025

Andrew Morgan, a seasoned cybersecurity leader and former detective, shares insights on the pressing issue of the cybersecurity divide between well-resourced and underfunded organizations. He emphasizes the critical need for basic security hygiene and resilient planning for smaller entities. Morgan discusses Australia's cyber maturity, effective peer collaboration, and how AI can enhance awareness and training. He argues for the importance of building meaningful partnerships and champions a culture-first approach to risk management, highlighting the real-world impact of cyber failures.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Cyber Needs Risk-Centered Culture

Morgan argued cyber should be driven by culture and informed by risk, not treated as an IT subset.
He said governance, risk, and compliance must be the centerpiece of security programs.

INSIGHT

Tool Sprawl Masks Real Risk

Overbuying tools without strategy creates overlap, noise, and false confidence for smaller orgs.
He recommended threat-modeling assets and quantifying risk in business terms before buying tech.

ANECDOTE

AU CISO Tribe Experience

Andrew described the AU CISO Tribe: a 200-member peer community for mainly SME, education, and healthcare CISOs.
He praised active chats, threat channels, and practical sharing including government intelligence briefings.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

⬥GUEST⬥

Andrew Morgan, Chief Information Security Officer | On LinkedIn: https://www.linkedin.com/in/andrewmorgancism/

⬥HOST⬥

Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

⬥EPISODE NOTES⬥

The cybersecurity community has long recognized an uncomfortable truth: the gap between well-resourced enterprises and underfunded organizations keeps widening. This divide isn’t just about money; it’s about survivability. When a small business, school, or healthcare provider is hit with a major breach, the likelihood of permanent closure is exponentially higher than for a large enterprise.

As host of the Redefining CyberSecurity Podcast, I’ve seen this imbalance repeatedly — and the conversation with Andrew Morgan underscores why it persists and what can be done about it.

The Problem: Structural Imbalance

Large enterprises operate with defined budgets, mature governance, and integrated security operations centers. They can afford redundancy, talent, and tooling. Meanwhile, small and mid-sized organizations are often left with fragmented controls, minimal staff, and reliance on external vendors or managed providers.

The result is a “have and have not” world. The “haves” can detect, contain, and recover. The “have nots” often cannot. When they are compromised, the impact isn’t just reputational — it can mean financial collapse or service disruption that directly affects communities.

The Hidden Costs of Complexity

Even when smaller organizations invest in technology, they often fall into the trap of overtooling without strategy. Multiple, overlapping systems create noise, false confidence, and operational fatigue. Morgan describes this as a symptom of viewing cybersecurity as a subset of IT rather than as a business enabler.

Simplification is key. A rationalized platform approach — even if not best-of-breed — can deliver better visibility and sustainability than a patchwork of disconnected tools. The goal should not be perfection; it should be proportionate protection aligned with business risk.

The Solution: Culture, Collaboration, and Continuity

Cyber resilience starts with people and culture. As Morgan puts it, programs must be driven by culture, informed by risk, and delivered through people, process, and technology. Security can’t succeed in isolation from the organization’s purpose or its people.

The Australian CISO Tribe provides a real-world model for collaboration. Its members share threat intelligence, peer validation, and practical experiences — a living example of collective defense in action. Whether formalized or ad-hoc, these networks give security leaders context, community, and shared strength.

Getting Back to Basics

Practical resilience isn’t glamorous. It’s about getting the basics right — consistent patching, logging, phishing-resistant authentication, verified backups, and tested recovery plans. It’s about ensuring that, if everything fails, you can still get back up.

When security becomes a business-as-usual practice rather than a project, organizations begin to move from reactive defense to proactive resilience.

The Takeaway

Bridging the cybersecurity divide doesn’t require endless budgets. It requires prioritization, simplification, and partnership. The “have nots” may never mirror enterprise scale, but they can adopt enterprise discipline — and that can make all the difference between temporary disruption and permanent failure.

⬥RESOURCES⬥

Inspiring Post: https://www.linkedin.com/posts/andrewmorgancism_last-night-i-was-fortunate-enough-to-spend-activity-7383972144507994112-V3Zr/

⬥ADDITIONAL INFORMATION⬥

✨ More Redefining CyberSecurity Podcast:

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact

⬥KEYWORDS⬥

sean martin, andrew morgan, australia, ciso, risk, resilience, cybersecurity, business continuity, governance, compliance, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.