A tick-box approach to cybersecurity falls short amid today’s threats and rising operational complexity, Spirit Group chief technology and information officer Caleb Bateman has warned.

With recent changes to Australian cybersecurity regulations, iTnews' sister publication techpartner.news invited selected cybersecurity firms in its MSP Index directory to put forward spokespeople to share their opinions about what organisations in Australia should prioritise when assessing or renewing cybersecurity services.
Bateman highlighted a gap between compliance expectations and operational reality.
Q. Are you seeing any significant tension between compliance requirements and what’s practical to include in cybersecurity contracts?
Caleb Bateman, Spirit: Yes, there’s always a degree of tension between compliance teams and operational teams when it comes to cybersecurity contracts. Compliance and GRC functions often approach the problem from a desktop analysis perspective, mapping requirements against frameworks and standards. That’s important work, but the challenge comes when those requirements are handed over to Security Operations (SecOps) or, more critically, Technology Operations (TechOps). That’s where the rubber hits the road, where business impact, and more importantly, people impact, becomes real. It’s one thing to define a control on paper; it’s another to implement and sustain it in a live environment without disrupting core services or overburdening teams.
This is why it’s so important to work with partners who can grow their advice across technology, security, and compliance, and do so in a way that aligns with your business objectives and desired outcomes. Too often, organisations treat these domains as separate silos, which only reinforces the tension. A good partner doesn’t just tick compliance boxes or push security tools, they help you navigate the trade-offs, understand the operational impact, and make decisions that are sustainable in the long term.
One of the first things to consider is what you outsource and what you keep in-house. That decision alone will shape the type of contract you need. If you’re outsourcing core security functions, you need clear accountability, response expectations, and integration points. If you’re keeping things internal, the contract might focus more on tooling, support, and advisory services.
Either way, the contract should reflect the reality of how your teams operate, not just what looks good in an audit.
Another key point is not to treat security and technology as separate streams. They’re deeply intertwined, and the best outcomes come when both are considered together. Look for a Managed Security Service Provider (MSSP) that understands this, one that can support both security and technology operations, and who can help you manage the tension between them. That doesn’t mean eliminating the tension entirely; some friction is healthy, but it does mean approaching it from a shared perspective. When your MSSP understands the operational impact of a security control, they can help you implement it in a way that drives value, not just compliance.
Ultimately, the goal is to move from a checkbox mindset to a risk-aligned, outcome-driven approach. That means contracts need to be flexible enough to adapt as threats evolve but also grounded enough to provide clarity and accountability. It’s a balancing act, and one that requires collaboration across compliance, security, and technology teams, as well as with external partners.
In short, yes, the tension is real. But it’s also manageable if you approach it with the right mindset and the right partners. The organisations that do this well are the ones that treat cybersecurity not just as a compliance requirement, but as a core enabler of trust, resilience, and long-term success.
Q. Are cyber insurance requirements reshaping what goes into contracts – and if so, what should clients be watching for?
Caleb Bateman, Spirit: Yes, cyber insurance is absolutely reshaping how organisations think about their cybersecurity contracts, and not always in ways that are clear or consistent. One of the biggest challenges currently is the disparity in how different insurers value specific security controls and measures. What one insurer sees as a premium-reducing control, another might barely acknowledge. This inconsistency leads to confusion for clients, especially when they’re asked to tick boxes or answer yes/no questions without understanding how those answers affect their premiums or coverage. In some cases, insurers are unintentionally steering clients toward misinformed decisions, simply because the risk assessment frameworks aren’t aligned across the board.
What’s often missed is that clients can, and should, be proactive in how they engage with insurers and brokers. Articulating the controls and measures they have in place, in plain language and with context, can make a real difference. It helps insurers better understand the organisation’s risk posture, and it gives brokers more leverage to negotiate terms that reflect the actual maturity of the client’s security environment. Too often, organisations assume the insurer will ask the right questions or interpret their setup correctly, but that’s not always the case. A bit of upfront clarity can go a long way.
It’s also important to recognise that cyber insurance isn’t like traditional insurance. Property or health insurance is fundamentally about financial indemnity, a promise to pay after something goes wrong. Cyber insurance, on the other hand, is increasingly about incident response. It’s a promise to respond to an incident, and in today’s threat landscape, that means having the right people, processes, and technology on standby to contain the damage and get the business back on its feet quickly. That shift in purpose needs to be reflected in contracts. It’s not just about what’s covered, it’s about how fast and effectively the insurer can mobilise support when it matters most.
This is where contract language needs to evolve. Clients should be looking for clarity around response times, access to specialist support, and coordination with internal teams. It’s not enough to know that an incident is covered; they need to know how the insurer will engage, who will be involved, and what the expectations are for communication and escalation. These details are often buried in policy documents or left vague, which can lead to delays and frustration during a crisis.
Finally, there’s a broader strategic consideration. As cyber threats become more complex and insurers tighten their underwriting standards, organisations need to treat cyber insurance as part of their overall resilience strategy, not just a financial safety net. That means aligning insurance requirements with internal controls, third-party agreements, and board-level risk discussions. Contracts should reflect that alignment, with language that supports transparency, accountability, and rapid response.
In short, cyber insurance is no longer just about ticking boxes or transferring risk. It’s about building partnerships that can stand up under pressure. Clients who understand that, and structure their contracts accordingly, will be better positioned to navigate the next breach, outage, or ransomware event with confidence.
Q. What’s a smart way for organisations to balance holding partners accountable while respecting their need to limit liability?
Caleb Bateman, Spirit: One phrase: shared responsibility. It’s the most critical concept for any business engaging with a service provider, especially in cyber security. When both parties understand that security is a shared responsibility, it sets the foundation for alignment, trust, and accountability. This mindset drives better outcomes because it shifts the conversation from blame to collaboration, and that’s where real value is created.
The tension often arises when businesses expect a partner to take full ownership of security outcomes, while the partner is trying to limit liability. That’s understandable; no provider wants to carry unlimited risk. But it’s not realistic either. Security can’t be fully outsourced. Even with the best MSSP in place, the business still owns its data, its decisions, and its internal processes. That’s why contracts need to reflect a clear division of roles and responsibilities, with both sides contributing to the overall security posture.
A good contract starts by defining what’s outsourced and what’s retained in-house. This shapes the scope of services, the expectations around performance, and the boundaries of liability. It also helps avoid grey areas where accountability can get lost. For example, if incident response is outsourced but internal teams still manage access controls, the contract should spell out how those two functions interact during a breach.
- Who leads?
- Who reports?
- Who makes the call on containment?
These aren’t just legal questions, they’re operational ones.
It’s also important to choose a partner who understands that security and technology are not separate streams. Look for an MSSP that can support both, and who’s willing to engage in ongoing dialogue about how controls affect operations. The best partners don’t just deliver alerts and dashboards, they help you interpret them, act on them, and improve over time. They’re not just vendors; they’re part of your extended team.
What does good look like?
A contract that clearly outlines shared responsibilities, includes joint incident response protocols, and sets realistic expectations for liability based on actual risk exposure. It includes regular review points, collaborative planning, and a commitment to transparency. Both sides know what they’re accountable for, and there’s a mechanism to resolve issues without finger-pointing.
And here’s what ‘not good’ looks like:
A contract that pushes all responsibility onto the provider, with vague language about “best efforts” and no clarity on how incidents will be handled. Liability caps are set arbitrarily, without reference to the actual value or risk of the services. There’s no shared understanding of how the business and the MSSP will work together when things go wrong, and when they do, it’s chaos.
The most critical ingredient is collaboration. Contracts are just the starting point. What matters is how the business and the provider engage day-to-day, how they share information, respond to threats, and adapt to change. When that relationship is strong, liability becomes less of a sticking point, because both sides are invested in the outcome.
In short, balancing accountability and liability isn’t about finding a perfect contract, it’s about building a partnership grounded in shared responsibility. That’s what drives resilience, trust, and long-term success.
Q. For small businesses under real cost pressure, what’s the most effective way to structure cyber security partner contracts?
Caleb Bateman, Spirit: It’s important to start by recognising that over 99% of Australian businesses are small to medium enterprises, and in 2025, many of them are under serious cost pressure. These businesses are focused on keeping their doors open, supporting their people, and investing in their core operations. Technology and security providers are often seen as a cost centre, not a value driver. That mindset needs to shift. When small businesses invest time in working with the right providers, they can unlock real value, not just in terms of protection, but in how their technology and security stack support day-to-day operations.
A good provider will help align your workplace tools, connectivity, business applications, and security controls, reducing product sprawl and improving efficiency. That means your staff can work smarter, not harder. But to get there, contracts need to be structured with clarity, flexibility, and a shared understanding of outcomes. It’s not about locking in the cheapest deal; it’s about building a relationship that grows with your business.
One of the best places for any Australian SMB to start is the SMB 1001 framework. It offers a clear and prescriptive approach to aligning your security and compliance controls with your technology environment. More importantly, it gives you a strategy to scale your contracts as your business grows. Rather than jumping straight into enterprise-grade solutions, you can build a roadmap that evolves with your needs, and your budget.
When it comes to contracts, small businesses should also be asking their providers: If we invest in security, how do we realise the value of that investment? A good partner will be willing to invest in you too, whether that’s through flexible pricing, bundled services, or proactive support. It’s not just about selling a product; it’s about helping your business succeed.
What does good look like?
A contract that’s tailored to your business size and maturity, with clear deliverables, transparent pricing, and room to grow. It includes regular check-ins, performance reviews, and a shared commitment to improving your security posture over time. The provider understands your business context and works with you to align technology and security with your operational goals.
And here’s what ‘not good’ looks like:
A one-size-fits-all contract with rigid terms, hidden costs, and little room for dialogue. The provider treats you like a small fish, pushing generic solutions without understanding your business. There’s no clear path to scale, and no real partnership, just a transactional relationship that adds complexity without delivering value.
Ultimately, the most effective way to structure cyber security contracts for small businesses is to start with value, not cost. That means choosing partners who understand your business, who are willing to collaborate, and who can help you build a secure, efficient, and scalable technology environment. In a landscape where threats are growing and budgets are tight, that kind of partnership isn’t just helpful, it’s essential.
As Chief Technology and Information Officer at Spirit, Caleb Bateman leads the company’s Technology and Innovation division. He has 15 years’ experience in the Managed Service Provider (MSP) sector, specialising in secure workplace and network solutions. Throughout this time, he has led Microsoft Modern & Hybrid Work and Meraki Networking practices, gaining expertise in delivering secure work and network technologies.
See the directory of managed service providers (MSP) at techpartner.news.
Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.