Australian organisations are paying more attention to vendor risk, but many still have gaps in how they assess suppliers, protect SaaS data and translate cyber security risk for business leaders, according to the founder of Brisbane-based Aegis Cybersecurity, Luke Irwin.
Irwin said organisations should look beyond point-in-time questionnaires and contract checklists, and take a closer look at who has access to their systems, how critical SaaS platforms are backed up, and whether suppliers’ suppliers are creating risk.
Aegis Cybersecurity is one of the firms invited by iTnews’ sister publication techpartner.news, to share views about what organisations should consider when assessing or renewing cybersecurity services.
Q. Are you seeing a need for many organisations in Australia to update how they assess cyber security contracts – if so, why, and what is one thing they should focus on now?
Luke Irwin, Aegis Cybersecurity: Vendor risk management programs are gaining more traction and visibility as businesses become more aware of the risks present. It has been said that all cyber risk management is supply chain risk management (bug in the code, misconfigurations, etc). The acknowledgement that who and what you allow into to access your organisation systems and services has a direct impact on your security posture has been highlighted via high profile breaches such as Qantas, Medibank and Latitude, to name a few.
Organisations need to conduct security assessments on members of their supply chains and should resources permit, even the vendors of your vendors’ assessments – it is a supply chain after all. Being aware of and understanding the risks associated with the organisations you engage with can help you improve threat profiles and risk assessment. The more you know, the better you can structure a defence.
Q. Are you currently seeing a common cyber security contract blind spot or red flag you think is being missed too often?
Luke Irwin, Aegis Cybersecurity: Something often missed is a mandatory requirement to inform in the event of a breach, ideally within 24 or 48 hours of confirmation of a breach event – and even prior to informing the relevant authorities, so your firm can take reasonable steps to protect its systems/data/platforms and prevent further breaches.
Q. Are you seeing any significant tension between compliance requirements and what’s practical to include in cyber security contracts?
Luke Irwin, Aegis Cybersecurity: Nobody likes filling in a cyber security questionnaire when a client asks for it. While there are a variety of assessment tools on the market, they all have their pros and cons. There has also been an uptick in organisations treating ISO27001 as a box ticking compliance effort, not a genuine plan-do-check-act process implementation (i.e. not embedding the cultural changes needed to make ISO work well). As a result, they are certified and compliant with the standard, but still have a very poor security posture – in essence diminishing the value of ISO27001 and lowering its perceived value.
This is both the strength and weakness of the ISO27001 standard. If you are taking it seriously, you can develop a well-managed, governed, and effective cyber security posture that uplifts your processes, brand, and operational efficiencies and creates further revenue enablement opportunities.
Q. With CPS 230 and other regulatory pressure on third-party risk, are you seeing any knock-on effects for cybersecurity agreements?
Luke Irwin, Aegis Cybersecurity: There has been a bit of an uptick in vendor risk management. While I have not seen the deployment or management of larger scale initiatives in that space, there is certainly more attention being paid to vendors selected during the tender/RFI/RFP/selection process. Questions are being asked earlier prior to engagement, and in a couple of cases there have been requests coming through from new clients/prospects to get them to ISO or SOC 2 as a priority to meet a contractual requirement – i.e. their client has given them X months to get it done.
While it would be preferable that organisations take a proactive approach to cyber security risk, movement is movement, and if it is the procurement cycle that moves the needle then so be it – but it is better to go into that process already being at a level of security maturity exceeding your competitors.
Q. Do you see any unresolved issues when it comes to how cyber security contracts cover SaaS data protection – such as with Xero, HubSpot, Salesforce or other common tools?
Luke Irwin, Aegis Cybersecurity: So many MSPs and other providers do a great job at backing up O365 and the SharePoint systems, but how many actually backup Salesforce? Xero? Are they not critical systems for the business? What do the engagements with those SaaS vendors say around backups? Do they meet the RPO, RTO, MTD needs of the client? This is part of the wider discussion around recoverability and continuity of the business. If you are not backing up all the relevant information and testing that it can be recovered, you are not running a business, you just have a very expensive hobby.
Q. Are cyber security contracts keeping pace with the reporting and assurance needs of boards and business leaders – or are they still too IT-focused?
Luke Irwin, Aegis Cybersecurity: There is still a wide industry perception that cyber is an IT problem. IT and cyber are not the same and the outcomes of IT and cyber are often at odds with each other. IT is driven by cost, performance, and availability, cyber security is driven by confidentiality, integrity, and availability. We agree on availability, but the rest we are at odds.
Speaking with my peers, there is still a perception that the security function is subordinate to the IT function, generally demonstrated by way of reporting chain, is the CISO into the CIO or CTO. The CISO should be reporting either into the CEO, CFO, or CLO (legal). This often comes about as many security leaders still speak tech to non-techs – and that does not generate traction, it generates resentment as while they are speaking about the latest threats, risks, CVE’s etc their audience does not listen as they do not understand – and if they do not understand they will not engage and support.
We need to focus more on speaking the language of the business. If you are not, you are just using language and terms that make you feel smart and diminishes and demeans your audience who are experts in their field just not yours.
Luke Irwin is the founder and principal consultant at Brisbane-based Aegis Cybersecurity, providing advisory services focused on fractional and virtual CISO engagements, governance, risk and compliance and operational resilience. He has more than two decades of experience in information technology, covering ICT operations management and cyber security.
Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.

iTnews State of Data & AI Breakfast
Forrester's AI Forum Sydney
The 2026 iAwards
Integrate 2026
Security Exhibition & Conference



