CIO Cyber & Risk Network

A vendor independent forum to learn from and share with your peers

"I'd like to thank you for a fantastic discussion regarding cyber security, the discussion was facilitated very well."

The CIO Cyber & Risk Network Mandate:
To provide CIOs in Australian organisations with a forum in which to share their issues and approaches to cyber security and risk. The intended outcome is that organisations make better informed decisions to help protect their organisations, staff, customers and the economy.
Not all Australian organisations are fortunate enough to have a Chief Information Security Officer. But not having a CISO doesn’t mean the challenge of managing cyber risk goes away. IBRS clients have been telling us that the frequency with which they are being asked to report on cyber security to their boards has increased. Now, four times a year is the minimum, and the board members are asking better, more in-depth, questions. The CIO Cyber and Risk Network is a vendor independent forum for CIOs to share with and learn from each other.


  • Through interaction with your peers, gain an understanding of effective security practices.
  • Save time and effort by sharing policies, frameworks and security literature.
  • Discuss vendors and services from people who are using them or have moved on from them.
  • Discuss different approaches to security.
  • Raise ideas, challenges and solutions to the network of CIOs to provide their independent thoughts and advice.
Who Can Participate?
The CIO Cyber & Risk Network is a service for CIOs who are accountable for cyber security as part of their role. To ensure that trusted relationships can develop, and provide an experience of continuity within the group, CIOs invited to participate will not exceed 20. The CIO Cyber & Risk Network is an invitation-only forum. This is to ensure that the forum is not swayed by vested interests, and that the participating CIOs are assured of the confidentiality of the discussion.


  • 4 gatherings per year. Each gathering will be for 5 hours; 4 hours as a formal facilitated discussion and a 1 hour informal session which is an opportunity for the CIOs to have the 1:1 and small group conversations to follow up to the formal session.
  • IBRS will facilitate each gathering.
  • IBRS will also coordinate any external guests.
  • All gatherings are closed door, and held under the Chatham House Rule.
  • A summary of findings is distributed after each gathering.
  • Participate in a distribution list of like-minded CIOs.
  • Should a CIO not be available to attend a gathering, sending a direct report is possible but discouraged. If direct reports are sent too often, as determined by the group, the CIO’s invitation to participate may be withdrawn and no refund will be offered.

About the Moderator

James Turner is the founder of CISO Lens and has specialised as a security industry analyst and advisor since 2005. James is an IBRS alumnus and was an advisor for IBRS from 2007-2018, and now facilitates the CIO Cyber & Risk Network on behalf of IBRS. James gathers, curates and disseminates information that is of strategic importance to the cyber risk management of Australia and New Zealand’s largest organisations. James publishes the CISO Lens Benchmark, an annual report providing independent, local and current data on budgets, team sizes and security functions and strategy. James also writes opinion pieces on strategic cyber matters for The Australian Financial Review.


CIO Cyber & Risk Network November 2019
The Cyber and Risk Network November gathering focused on the following areas:
1. Phishing. This is a conduit for business email compromise, account takeover, and ransomware. A highly valuable control that a number of the participants recommended was the use of Multi-Factor Authentication (MFA).
- A vendor in this space that was discussed - although none of the participants had deployed it - was Menlo Security.
- Mimecast was also named as a vendor that a number of the participants were using, and also viewed favourably.
The roadmap of Microsoft for security. This discussion included: licensing implications, vendor management and Microsoft Powerapps, and the impact of these in the enterprise environment.
2. Security awareness training. Various approaches to encouraging better security behaviour were discussed, including supporting senior executives and their families, through to finding the balance between awareness training and technical safety rails.
- One participant shared that security awareness training took their organisation from a click rate of 35% down to 15% in simulated phishing attacks.
- The participants also discussed the various approaches to dealing with those individuals that do not seem to respond to training and keep clicking.
3. Trusted insiders. Our guest speaker spoke about core issues to be aware of around trusted insiders potentially turning. A final recommendation from the guest speaker was to ensure that staff know that when they report anything to the organisation ("if you see something, say something") that they are showing the organisation that they can be trusted.


"At the February gathering this year, the CIOs had one particular conversation about the new Australian mandatory breach notification scheme that saved me weeks of work and thousands of dollars. It's an important area for me and I got the value of the annual membership right there."
Global CIO
“Our first Cyber & Risk Network meeting justified the participation time and energy. Networking and experience sharing is critical in cyber risk management, and getting first hand feedback and input for phishing simulation tools allowed us to make a better solution choice.”
APRA regulated CIO
CIO Cyber & Risk Network Schedule

March 5th 2020 - Sydney

To register your interest in the next CIO Cyber & Risk Network forum please complete the following form
