With recent changes to Australian cybersecurity regulations, iTnews’ sister publication techpartner.news invited cybersecurity providers to nominate spokespeople to share their perspectives on what organisations should focus on when assessing cybersecurity contracts.
Brennan’s head of cybersecurity, Peter Soulsby, warned organisations against thinking they can outsource their risk.
Q: Are you seeing a need for many organisations in Australia to update how they assess cybersecurity contracts – if so, why, and what is one thing they should focus on now?
Peter Soulsby, Brennan: Yes. Contracts are often too vague. Be specific in your ask in the contract. If you aren’t sure what you’re asking for, get an external party in to help. The parties you invite to respond to RFPs and ultimately contract with need to know what you’re after, with no surprises or ambiguity.
Q: Are you currently seeing a common cybersecurity contract blind spot or red flag you think is being missed too often?
Peter Soulsby, Brennan: The expectation that you can outsource your risk is a false and misleading one. Cybersecurity is a journey with joint accountability and responsibility between multiple parties. Contracts that try to ignore this led to failure for all parties privy to the contract.
Q: Are you seeing any significant tension between compliance requirements and what’s practical to include in cybersecurity contracts?
Peter Soulsby, Brennan: Yes. Too often these days compliance requirements trump good cybersecurity practices, and contracts reflect that skewed priority. Lots of businesses are asking for the wrong thing as a result. We need to remember that compliance does not equal security.
Q: With CPS 230 and other regulatory pressure on third-party risk, are you seeing any knock-on effects for cybersecurity agreements?
Peter Soulsby, Brennan: Third-party risk assessments, and now even fourth-party risk assessments (the supply chain of your supply chain) are coming more into focus. We need to think of a more pragmatic way of assessing this risk. Questionnaires with hundreds of possible answers are onerous and should be avoided.
Q: Do you see any unresolved issues when it comes to how cybersecurity contracts cover SaaS data protection – such as with Xero, HubSpot, Salesforce or other common tools?
Peter Soulsby, Brennan: Yes, this is still too reliant on the assumption that a contract and a big SaaS provider is good enough. If the SaaS provider houses data and or processes which are core to your business, you need to go further than a contract and use tools that dynamically assess third-party risk.
Q: Incident response and recovery can make-or-break a cybersecurity partnership. What’s one contract clause organisations should insist on – particularly with ransomware reporting now in focus?
Peter Soulsby, Brennan: Organisations often focus on outsourcing their risk, especially with cybersecurity. I’d argue that a key clause that is missing in contracts is ensuring cybersecurity providers hold their clients to account, as opposed to the other way round. Cybersecurity providers know what good looks like. The contract should ensure that they are consistently sharing best practices with their clients.
Q: Are cybersecurity contracts keeping pace with the reporting and assurance needs of boards and business leaders – or are they still too IT-focused?
Peter Soulsby, Brennan: No, neither is the reporting or metrics on contracts. However, often the more modern contract clauses are not practical or ready to be implemented so it’s a bit of a chicken and egg race at the moment.
Q: Are cyber insurance requirements reshaping what goes into contracts – and if so, what should clients be watching for?
Peter Soulsby, Brennan: Yes, it absolutely is. Few organisations know what they get when they sign up for cyber insurance. There is often overlap in what they ask the market for in RFPs, such as incident response, and as such there is often duplication of spend and conflicting roles. Organisations need to know what cyber insurance gives them, it’s often a lot more than they realise.
Q: What’s a smart way for organisations to balance holding partners accountable while respecting their need to limit liability?
Peter Soulsby, Brennan: Don’t think for a second that you can outsource your risk. By doing so, you enter into contracts that have no meaning in practical and legal terms, and you abdicate your responsibility as a business. By engaging cybersecurity providers, you get the best of what’s available in the market, but you don’t remove your risk.
Q: For small businesses under real cost pressure, what’s the most effective way to structure cybersecurity partner contracts?
Peter Soulsby, Brennan: Before entering a contract, ask yourself if it’s necessary. Spending your budget on 3 contracts and doing them well is better than divvying up the same budget on 6 contracts and doing them poorly. When you’re sure you are investing in the right contract and capability, work with the provider to ensure the terms are mutually beneficial. Don’t sour the relationship with the provider before it has starter.
Brennan is an Australian technology systems integrator which designs, procures, maintains and delivers technology systems.
Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.
See the directory of managed service providers (MSP) at techpartner.news.
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
Forrester's Technology & Innovation Summit APAC 2025
Digital Leadership Day Western Australia
Government Cyber Security Showcase Western Australia
Government Innovation Showcase Western Australia
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
_(5).png&h=271&w=480&c=1&s=1)
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
