-
DAY 1
Tuesday, 14 July
-
08:20
Register; grab a coffee. Mix, mingle and say hello to peers old and new.
-
09:00
Welcome from Corinium and the Chairperson
Tara Dharnikota - CISO - Victoria University
-
09:10
Speed Networking – Making New Connections!
In this 5-minute networking session, the goal is to connect with three new people. Enjoy the opportunity to expand your network!
-
09:15
International Opening Keynote
Securing an AI-Native Organisation at Scale: Mercari, Japan’s Largest C2C Marketplace
Jason Fernandes - VP Security & Privacy - Mercari
As organisations race to adopt Generative AI, transitioning to an "AI Native" business model introduces unprecedented cyber security challenges. In this international keynote, discover how Mercari, Japan's largest C2C marketplace and one of Japan's first tech unicorns, is safely navigating the LLM revolution. We will explore the current state of agentic AI, common challenges, and essential frameworks, strategies and guardrails to govern and secure the modern agentic enterprise. By examining real-world security models through this case study, attendees will learn practical and actionable strategies to safely accelerate AI integration while ensuring effective controls are in place.
-
09:40
Agentic Runtime Security - Solving Identity and Access Gaps in Agentic AI
Andrew Brydon - Field CTO Leader, APJ - HashiCorp, an IBM company
AI agents are poised to transform enterprise operations, but they also introduce unprecedented identity and security challenges. In this session, HashiCorp and IBM will discuss the emerging risks associated with agentic AI and share a framework for securing autonomous systems through modern identity, access, and governance controls. Discover how leading organizations are preparing to scale AI adoption while maintaining security, compliance, and operational resilience.
-
10:05
Executive Tabletop
How Do Executive Teams Align During a Live Cyber Incident?
Cyber incidents require coordinated decisions across security, risk, legal, and operations leaders.
Scenario: It is early in the business day at a critical infrastructure organisation that shares digital systems used for operations, decision-making, and external communication. A third-party technology provider has reported investigating unauthorised activity involving a system connected to customer records. At this stage, the scope, impact, and origin of the activity are not yet clear, including whether any sensitive data has been accessed or copied. Core services remain operational, but uncertainty is escalating and the executive team has been called together to decide what to do next with incomplete information.
Panellists will take on executive roles during the exercise:
Facilitator: Chirag Joshi CISO & Founder 7 Rules Cyber
CISO: Anya Avinash Head of Cybersecurity Bank First
CLO: Sarah Tinsley Former Chief Legal Officer & Company Secretary ex-Southern Cross Austereo
CRO: Stephen Tiley Director Internal Audit & Risk Assurance Australian Red Cross Lifeblood
CIO: Mariana Paun Chief Business Resilience Officer Zepto
-
10:40
Get refreshed! Mingle
-
11:10
From Copilot to Autonomous AI: Managing Data Risk in the AI Era
Andrew Chisholm - Snr Sales Specialist, Information Protection - Proofpoint
AI is transforming how organisations operate, but it also introduces new security, compliance and data protection risks. From unsanctioned AI tools and risky prompts to the exposure of sensitive corporate data, traditional controls often lack the visibility needed to detect emerging threats. This session explores how security teams can strengthen detection and response capabilities for AI-related risks, helping reduce data exposure, improve governance and enable secure, responsible AI adoption across the enterprise.
-
11:35
Showcase Panel
Viability, Feasibility, and Applicability: AI That Actually Reduces Operational Burden
This session showcases specific AI use cases from each panellist that have reduced operational burden for security teams. The conversation will then explore what worked, what didn’t, and the lessons CISOs can apply to adopt AI safely, effectively, and with proper oversight.
- What unexpected challenges did you face, and how did you respond?
- Which governance or oversight decisions were critical for success?
- What practical lessons should other CISOs take away before adopting similar AI initiatives?
Moderator:
Amanda Ferguson Director AI Transformation & Strategic Partnerships Court Services Victoria
Panellists:
Igor Aleksenitser Head of IT Security Toll Group
Nigel Hedges GM – Cyber & Risk (CISO) Sigma Healthcare
Ash Diffey Vice President, ANZ Ping Identity
-
12:05
Architecting Resilience: Strategies for Web Application Security in an AI and Multi-Cloud Landscape
Guy Brown - Staff Enterprise Security Architect, APAC - Fastly
Native cloud controls are no longer sufficient in an era of AI-driven attacks and multi-cloud fragmentation. This talk demands a fundamental shift: fusing security and resilience into a unified design principle. We explore how to move beyond disparate tools to a unified defence posture, ensuring consistent protection and resilience against sophisticated Bot and API threats across every environment.
-
12:30
Panel
When Good Security Gets in the Way of Good Business
Explore the tension between protecting the organisation and enabling innovation. Learn how top CISOs navigate tricky trade-offs and keep security aligned with business outcomes.
- How do you decide when to enforce controls and when to compromise?
- Can friction be productive, or is it always a blocker?
- What separates leaders who influence business outcomes from those who just enforce rules?
- How do you maintain trust while challenging business priorities?
Moderator:
Peter Baussman CTO Airlock Digital
Speakers:
Muzamil Rashid Head of Cyber Security Mazda Australia
Jason Hargenrader GM of IT Services, Infrastructure & Cyber Treasury Wine Estate
Mariana Paun Chief Business Resilience Officer Zepto
-
12:55
Tools Don’t Defend Organisations, People Do
Senior representative - - Cythera
Most breaches don’t occur because a tool failed. They occur because ownership, context, or response broke down. Despite unprecedented investment in cyber security technology, many organisations remain vulnerable. This presentation explores why, now more than ever, tools alone are not enough, and how human judgement, clear ownership, and decisive action ultimately determine security outcomes.
-
13:00
Lunch
-
TRACK A: AI in Practice
Dan Haagman - CEO Chaleit & Honorary Professor of Practice - Murdoch University
-
14:00
Fireside Chat
Making AI Work in the SOC: Reality vs Expectation
Even with AI integrated through outsourced or hybrid SOCs, organisations still face alert fatigue, slow response, and gaps in detection. This session shares a CISO’s journey managing AI-enabled security operations, highlighting the decisions, trade-offs, and lessons learned in strengthening defensive capability and ensuring effective incident response.
Speakers:
Dan Haagman CEO Chaleit & Honorary Professor of Practice Murdoch University
James Court CSO Cleanaway Waste Management
-
14:25
Managing Non-Human Identities in the Era of AI Agents (TBC)
Senior representative - - Okta
-
14:50
Crawl, Walk, Run: A Pragmatic AI Adoption Roadmap for CISOs
Vijay Narayan - CISO - Mercy Health
This session focuses on the real decisions behind adopting AI in security. Delve into how to get early wins, navigate common pitfalls, manage AI-driven risks, and implement governance controls while scaling responsibly. Unlike use-case sessions, this is about the journey and decisions that enable safe, practical AI adoption in complex environments.
-
15:15
Lessons from Enterprise-Vendor Partnerships in Reducing Third-Party Risk
Senior representative - - XM Cyber
This session features case studies and practical insights from working with enterprise customers to strengthen supply chain resilience. Discover how transparent communication, shared risk frameworks, and coordinated response strategies can reduce vulnerabilities and build trust across the ecosystem.
-
TRACK B: Governance & Oversight
Muzamil Rashid - Head of Cyber Security - Mazda Australia
-
14:00
Presentation
Building Fit for Purpose Governance from the Ground Up
Andrew Kennan - GM Technology & Data - SEC Victoria
This session explores how to establish security capability and oversight from the ground up, creating structures, processes and roadmaps that grow with the organisation, communicate trade offs effectively, and balance risk, accountability and operational priorities, with practical lessons for scaling organisations.
-
14:25
AI Authority Drift — Closing the Governance Gap
David Fairman - Chief Security Officer - Netskope
As agentic AI systems become operational participants inside enterprise environments, organizations face a new governance challenge: controlling the authority, behavior and data access of autonomous systems operating across complex digital ecosystems in real-time, while enforcing operational boundaries. Scaling AI safely requires governance across identity, authority, behavior, and data, to enable innovation without unmanaged risk.
Join this session to learn more about:
- Understanding how agentic AI increases enterprise risk with autonomous digital actors
- Implementing real-time governance models to address authority drift and unintended AI behavior
- Applying a practical framework for secure users, AI and data for safe adoption
-
14:50
Presentation
Case Study: Implementing CPS 234 and CPS 230
Ashutosh Kochhar - Chief Information Risk Officer (CIRO) - Northern Trust Corporation
This session explores the practical challenges of embedding governance, balancing oversight with business priorities, and turning regulatory requirements into actionable strategies. Gain insights and lessons that make compliance purposeful, manageable, and meaningful for your organisation.
-
15:15
Rethinking Identity in a Changing Threat Landscape
Andrew Kay - Senior Director, Sales Engineering APJ - Illumio
Digital trust is being redefined as identity threats grow more complex. From deepfakes and impersonation attacks to the rapid rise of non-human identities, the identity landscape is evolving. This session explores what these changes mean for verification and control and how security leaders can adapt their strategies to safeguard trust in a world where not every identity is who or what it claims to be.
-
TRACK C: Resilience
Tara Dharnikota - CISO - Victoria University
-
14:00
Group discussion
What Makes Security Human? And When It Shouldn’t Be
Christie Wilson - Cyber Resilience Manager - UniSuper
Human behaviour is often highlighted in security incidents, but the real risk lies in cognitive overload, decision fatigue, and misplaced confidence. The focus moves from mistakes to effective decision design and prioritisation. This session examines which decisions humans should retain, and how technology can absorb routine risk.
-
14:25
Are You Mythos Ready? When Machine Speed Becomes The Risk
Sam Salehi - A/NZ Managing Director - Qualys
As AI-driven threats continue to compress the time between vulnerability discovery and exploitation, security teams are under increasing pressure to improve how they detect, prioritise and remediate risk at scale. This session explores how organisations are evolving exposure management to operate at machine speed, improving visibility, decision-making and response across increasingly complex environments. It will also highlight how Qualys' modern exposure management platforms support these outcomes at scale.
- AI‑Speed Detection: Leverage machine‑speed vulnerability detection and a unified inventory of internal and external assets to stay ahead of attackers.
- Hyper‑Prioritisation: Focus on what truly matters by combining threat intelligence, business context, and asset criticality, while validating exploitability against existing controls.
- Zero‑Day Remediation: Respond to zero‑days with operational resilience, using automated patching, mitigation, and continuous validation to shrink exposure windows.
-
14:50
Presentation
From Point-in-Time to Real-Time: Tackling Gaps and Modern Challenges in Supply Chain Resilience
Igor Aleksenitser - Head of IT Security - Toll Group
Point-in-time assessments leave blind spots in supply-chain risk. In this session, we’ll explore how continuous monitoring and real-time telemetry can help reduce risk, improve resilience, and provide actionable insights. Using practical examples, Igor shows why episodic reviews fall short, how to track vendor and technology risks effectively, and steps to make continuous monitoring realistic and achievable.
-
15:15
Securing the Internet Ecosystem: Strengthening Resilience Across Organisations
Senior representative - - Varonis
Shared infrastructure vulnerabilities can cascade across organisations. This presentation examines DNS, CDN, and edge security, showing how to mitigate ecosystem-wide attacks, build resilient network architectures, and collaborate with partners and service providers to safeguard critical operations in today’s interconnected digital landscape.
-
15:40
Get refreshed! Mingle
-
TRACK A: AI in Practice
Dan Haagman - CEO Chaleit & Honorary Professor of Practice - Murdoch University
-
16:10
Presentation
Seeing What Others Don’t: Insights from a CDAO Turned CISO (TBC)
From tuning data into insights and enabling AI capabilities to defending them, few have experienced both perspectives. This session shares the unique insights gained from navigating these roles, highlighting where data potential and cyber realities intersect. Discover how to unlock opportunities responsibly and effectively.
-
16:35
Are We Genuinely Transforming Cyber Security or Simply Adding AI to Existing Complexity?
(Are we creating a meaningful path forward, or a rod for our own back?)
John Taylor - APAC Field CTO - Mimecast
We begin with a fireside conversation to cut through the hype, then open the floor to the room. Expect candid views and healthy debate. Come ready to challenge John and Dan, test your own assumptions, and weigh in with your perspective. The aim of the session is for attendees to leave with an understanding of some quick wins and where true value can be obtained.
- Are we creating a meaningful path forward, or introducing new problems at scale?
- Are we unlocking value, or accumulating technical and operational debt?
- What are organisations actually gaining from AI today?
- Where are the practical opportunities, risks and trade-offs for security leaders?
Speakers:
John Taylor Field CTO – APAC Mimecast
Dan Haagman CEO Chaleit & Honorary Professor of Practice Murdoch University
-
17:00
Interactive Group Discussion
Every Conference Talks About AI. But What Progress?
Samrat Seale - Head of Transformation & Governance - Kmart
Reflect on AI decisions from the past year, what’s changed, and share your thoughts on new challenges and opportunities.
- Which AI decisions truly moved the needle?
- How has AI adoption or governance changed in the last year?
- What lessons on trust, risk, and accountability stick out?
-
TRACK B: Governance & Oversight
Muzamil Rashid - Head of Cyber Security - Mazda Australia
-
16:10
Presentation
Beyond the Scan: Making Vulnerability Management Actually Reduce Risk
Hasnat Buttar - Cyber Security & Risk Manager - Accent Group
This session provides practical guidance on structuring a program that prioritises remediation by risk, establishes clear governance and SLAs, delivers meaningful reporting to the board, and embeds continuous improvement.
-
16:35
Making the Case for Asset Intelligence and Actionability
Paul Thomas - Solutions Architect - Axonius
Security processes are hampered by the complexity of accessing data spread across many tools. This data problem limits individual tool contributions, yielding incremental instead of exponential improvement. Join us to review common suboptimal security scenarios and explore how Asset Intelligence and Actionability can resolve this. We'll also cover its impact on current operations and the future effectiveness of AI.
-
17:00
Interactive Group Discussion
Defining “Sufficient” Oversight: How Much Assurance Is Enough?
Rucha Gatti - Director Tech and Info Risk - NAB
Join this session to explore the grey areas of oversight, where judgement and decision-making matter more than checklists. This closing discussion is your chance to reflect on the day, debate the dilemmas, and leave with insights to guide real-world decision-making.
- What counts as “enough” oversight?
- How much assurance is reasonable?
- Who decides when controls are sufficient?
-
17:25
Closing Remarks by the Track Chair
Dan Haagman - CEO Chaleit & Honorary Professor of Practice - Murdoch University
-
17:25
Closing Remarks by the Track Chair
Muzamil Rashid - Head of Cyber Security - Mazda Australia
-
17:30
CISO Drink Reception
-
DAY 2
Wednesday, 15 July
-
08:15
Register; grab a coffee. Mix, mingle and say hello to peers old and new.
-
08:55
Welcome from Corinium and the Chairperson
Prof Dan Haagman - CEO Chaleit & Honorary Professor - Murdoch University
-
09:00
Keynote Dialogue
Signals from the Frontline: Global Threat Intelligence in Action
This keynote dialogue explores what global threat intelligence is revealing and what it means for organisations and national cyber resilience.
- How are cyber threats shifting, from state-linked campaigns to hybrid criminal activity?
- How can government and industry collaborate to detect and respond faster?
- How can global intelligence be translated into actionable strategies?
- What lessons from recent incidents should CISOs prioritise? What have we learned from 2025?
Facilitator:
John Ellis Global Head of Security Trust & Influence QBE
Speakers:
Senior representative ASD
-
09:25
You Don't Have a Remediation Problem. You Have a Confidence Problem.
Matt Waite - Senior Director of Solution Engineering - Tanium
As vulnerability volumes grow and exploit windows shrink, the speed of remediation has never mattered more. Yet most organisations aren't slow because they don't care — they're slow because nobody can answer the one question that stops every change board in its tracks: what will this patch break? This session shows how evidence-based remediation closes that gap.
- Why confidence scoring, deployment rings, and continuous visibility replace assumption with evidence
- Real examples from financial services and regulated sector organisations that closed the compliance gap
- Two actions to take on Monday that change the conversation with your change board
-
09:50
Keynote Panel
When the Best-Laid Plans Collapse, What’s Your Move?
No system is completely secured and no plan survives every challenge. Join us for a candid, practical conversation that will challenge how you think about leadership, risk, and success in an unpredictable world.
- How do you decide what’s truly worth protecting?
- Can failure ever become an advantage?
- Which policies, processes, or habits add real value and what would you eliminate?
- What happens when your best defence still fails?
- What separates teams that adapt and thrive from those that crumble?
Moderator:
Anafrid Bennet CIO Great Western Water
Panellists:
Deniz Molokov CISO Downer
Jo Stewart-Rattray Australian CISO Advisory Board Corinium Global Intelligence
Alison Stretch GM Information Security Melbourne Archdiocese Catholic Schools
-
10:20
Secure the AI Future, Now
Antonio Rancan - Head of Sales Engineering - Cyera
AI runs on data, and every leader knows it’s no longer enough to simply lock information down. The real challenge is scaling AI securely and responsibly, without treating protection and progress as opposing forces. Yet today, only 14% of security leaders report success in doing both. In this keynote, the Cyera team will reveal the mindset shift forward-looking enterprises are making, to thrive in the AI era.
-
10:45
Keynote Panel
Systematic Risk in Critical Infrastructure: Are We Over-Reliant on the Same Vendor?
Explore the tough decisions behind vendor concentration in critical infrastructure, where over-reliance can amplify risk. This panel discusses how organisations assess, mitigate, and live with systemic dependencies.
- Which vendor dependencies keep you awake at night?
- When is reliance on a single vendor acceptable and when is it risky?
- How do you handle tough conversations with boards or regulators about concentration risk?
- What vendor surprises over the past year changed your approach?
Moderator:
Ian Pham CISO Victorian Managed Insurance Authority
Panellists:
Varun Acharya CISO Healthscope
Ben Lester Head of Digital Security (CISO) St John of God Health Care
Dr Huon Curtis Head of External Affairs CI-ISAC Australia
Ciara Spencer Deputy Secretary, Law Enforcement & Domestic Security Department of Home Affairs
-
11:15
Get refreshed! Mingle
-
TRACK A: Leadership in Action
Lauren Veenstra - CSO - Iberdrola Australia
-
11:55
Interactive Group Discussion
The Cyber Budget Challenge: Where Would You Spend Your Last Dollar?
Andrew Morgan - GM Cyber Security and Enterprise Services - John Holland
Join this interactive session to wrestle with the tough choices CISOs face when cyber budgets are tight and every dollar counts.
- Which cyber initiatives get your first dollar?
- How do you balance investment between prevention, detection, and response?
- What’s a compromise you can live with and what’s a deal-breaker?
-
12:20
The Foundation of Cyber Resilience: Securing Corporate Environments for Operational Success
As corporate and operational environments become increasingly interconnected, securing the corporate infrastructure is essential for building a resilient operational framework. This session will explore strategies to mitigate risks, protect critical assets, and ensure business continuity through a strong security foundation.
-
12:45
Presentation
What SOCs Can Learn from Control Rooms: Insights from Critical Infrastructure
Sam Mackenzie - VP - Australian Control Room Network Association
SOCs are central to cyber defence, but they are still a relatively young function. Control rooms, managing energy networks, transport systems, and emergency services, have decades of experience coordinating complex, high-stakes operations. This session challenges cyber security leaders to rethink SOC strategy through the lens of mature operational leadership, providing fresh perspectives on managing risk, investment, and executive decision-making in an increasingly complex cyber environment.
-
TRACK B: Threats & Tech Horizon
Prof Dan Haagman - CEO Chaleit & Honorary Professor of Practice - Murdoch University
-
11:55
Presentation
Space as Critical Infrastructure: The Next Blind Spot for CISOs
Sandeep Taileng - Information Security Officer - State Trustees
As reliance on satellite communications and GPS grows, so does systemic risk. This session examines how space-enabled services intersect with enterprise risk, and why security leaders need to factor space dependencies into their business continuity and cyber resilience strategies.
-
12:20
Adapting Security Operations to the Modern Threat Landscape
Today, staying ahead of cyber threats requires a proactive and adaptive approach. This session will focus on how organisations can optimise threat detection, response, and attack surface management to enhance visibility and build more resilient security operations.
-
12:45
Solo Debate
Point–Counterpoint: Quantum Computing – Strategic Threat or Governance Exposure?
Fatima Hoblos - Engineer IAM - Kmart
This structured solo debate examines quantum computing from both sides of the executive dilemma.
- Explores whether quantum disruption of RSA and ECC is closer than organisations are prepared for.
- Challenges assumptions around harvest-now-decrypt-later risk and long-lived data exposure.
- Questions whether large-scale quantum timelines justify immediate large capital investment.
- Examines the dependency of identity systems, PKI, certificates, federation, and trust chains on current cryptography.
- Reframes quantum not as a physics problem, but as a governance and architectural maturity test.
- Confronts whether organisations truly understand their cryptographic inventory and crypto agility.
- Provides a practical executive decision framework to navigate quantum uncertainty without hype or paralysis.
-
13:10
Lunch
-
14:05
LEGO Prize Announcement!
-
14:10
AI for Your People: Building Skills, Not Just Tools
Steve Moore - Chief Security Strategist - Exabeam
This session explores how to build an AI literacy programme that empowers your people to use AI confidently and safely. Learn practical approaches for training, cultural adoption, and governance to turn AI from a tool into a capability that supports smarter, more informed decision-making across your organisation.
-
14:35
Keynote Presentation
How CISOs Respond to Funding and Risk Questions
John Ellis - Global Head of Security Trust & Influence - QBE
CISOs are increasingly asked to justify cyber security budgets while managing uncertainty and risk. This session explores how to determine the right size of GRC investment under constrained resources, communicate risk and uncertainty effectively, and maintain credibility with boards and executives.
-
15:00
The Human Side of Incident Response: Communicating Under Pressure
Senior representative - - DigiCert
This session explores how to keep messages clear, consistent, and credible under pressure, from briefing executives and coordinating teams to managing regulators and public statements. Learn practical techniques to maintain trust, reduce confusion, and keep everyone aligned when the stakes are highest.
-
15:25
Closing Fireside Chat
Are Your Identities Controlling You or Your Business?
As organisations shift more services and operations into SaaS and cloud environments, identity is no longer just a technical issue—it’s a business-critical risk factor. This conversation explores how technology and security leaders are navigating identity sprawl, trust, and operational resilience beyond the tools and dashboards.
- Where does identity risk show up first in the business?
- How can CISOs balance simplicity, user experience, and control?
- What is the best approach to managing both user and service accounts at scale?
- How can leaders maintain visibility over access, privilege, and lifecycle in cloud environments?
Moderator:
Winston Fernando Head of Cyber Security & Compliance Darebin City Council
Speakers:
Prof Abbi Sharma Chief Digital & Transformation Officer Victorian Government
-
15:50
Chairperson's Closing Remarks
Prof Dan Haagman - CEO Chaleit & Honorary Professor - Murdoch University
-
16:00
Close of CISO Melbourne 2026 & Afternoon Tea