Published by Evan Sorby, Principal Consultant, Cyber Capability Education and Training, on June 30 2026
The conversation about cyber security among boards and executives across Australia has moved well beyond “are we secure?”. CyberCX has observed a shift in the way directors and executives are asking about cyber risk – such as whether the risk in legacy systems is understood, whether third party suppliers have been assessed, and whether the organisation has the correct security documentation drafted.
These are the right questions to ask. While many organisations have incident response plans documented and available, they must remain alert to the evolving threat landscape and emerging risks.
As Artificial Intelligence (AI) lowers the barrier to entry and increases the speed, scale and sophistication of cyber-attacks, documented plans are simply no longer enough. Threat actors are moving faster across the kill chain, which means that leaders need to make consequential decisions while technical confidence is still forming.
Despite this, what boards and executives often lack is evidence that their plans will work when they are needed most.
That need for tested readiness has now been reinforced by a joint statement from the Five Eyes cyber security agencies. The Five Eyes’ message is clear: advances in AI are changing the cyber threat environment, emphasising the need for organisations to take practical actions to prepare and be ready before incidents occur.
AI is shortening the path to impact
The Five Eyes warning is not about new threats alone. Most cyber incidents still begin with familiar vulnerabilities, such as exposed services, weak credentials, legacy systems, or poor segmentation. These problems are not new, but the difference is attackers can now work through parts of the attack lifecycle faster than many organisations are set up to respond.
For organisations, that matters, because today’s new reality is a shorter path from initial compromise to business impact. CyberCX’s 2026 Threat Report reflects this shift. For the first time, our incident responders saw threat actors using generative AI not only to create bespoke malware, but to effectively reduce the time between initial access and achieving their malicious objectives.
As a consequence, leaders may find themselves in situations where they must make fast decisions to secure their organisations without understanding the full technical picture of a cyber attack. This means executives and boards could be making decisions in response to an incident with less information than ever before.
During our engagements with organisations across government, critical infrastructure and the private sector, a common theme emerges when conducting initial discovery sessions. Many organisations have incident response plans that are either outdated, insufficiently detailed, disconnected from current business operations or have not been exercised with the leaders expected to execute them.
Too often we see organisations that consider themselves prepared to deal with a cyber incident because a document exists. But just as the joint statement for the Five Eyes agencies tells us, “It’s not enough to have controls. Leaders must be confident those controls will perform during a real incident.” In practice, the existence of an incident response plan is not evidence of preparedness in this AI enabled threat environment.
Consider this scenario: an organisation has a documented incident response plan, approved by the board some two years ago, but never tested against a realistic incident or a contemporary threat. A known flaw in a legacy system is sitting on the risk register, with a fix from the vendor scheduled in a few months’ time. Before that patch is released, a threat actor uses AI-assisted scanning to find and exploit the known weakness, shortening the time between vulnerability discovery and exploitation to almost nothing. The threat actor is now moving at machine speed through the cyber kill chain. Leadership reaches for the incident response plan, but the people, systems and service priorities it describes no longer match the organisation that they now must defend.
This scenario is not new, but the speed between exploitation and impact continues to shorten. In today’s environment, organisations must move beyond finding comfort in a set of static plans, which capture a moment in time, and move towards proactively – and regularly – testing their ability to execute that plan in a controlled environment with contemporary threat injects.
Cyber resilience must extend beyond the security function
The Australian Institute of Company Director’s Cyber Security Governance Principles position cyber security as a board-level governance issue. The Five Eyes statement points in the same direction: “cyber resilience is integral to advancing business continuity, market confidence, and long-term value.”
Effective cyber resilience starts with a simple assumption: prevention may fail.
When it does, organisations must decide how much uncertainty they are willing to tolerate before acting on their response plans. In an AI accelerated threat environment, these decisions are made often under significant pressure, with incomplete information and limited time.
This is where leadership-level tabletop exercises create value. They give boards and executives a safe way to test plans and procedures before those decisions carry real consequences.
A well-designed exercise goes beyond the paper based plan. It clarifies who has authority, how escalation works, and what information leaders need, identifiying gaps while there is still time to fix them.
What should boards and executives ask now?
Boards and executives should ask these three questions.
1. Are we ready?
Does our incident response plan reflect the business we are today, not the one we were two years ago? A plan drafted before a major migration, acquisition, change in the threat posture, or changes in key personnel may no longer match how the organisation actually operates, or who is empowered and authorised to make critical operational decisions.
2. Have we tested it?
Has the board and executive team actually sat in and participated in a simulated incident response exercise, or only signed off on the plan that management prepared? Testing means rehearsing the decision leaders alone can make, when to declare a crisis, when to notify regulators, how to manage public confidence and organisational reputation against a realistic and contemporary scenario.
3. What did we learn?
Did the exercise surface real gaps, or just confirm what we wanted to hear? The value is in uncomfortable findings, and whether they were assigned to accountable owners and tracked through to closure, rather than noted in a report that no one revisits.
The bottom line
The alarm from the Five Eyes agencies should be read as a leadership preparedness and readiness test.
With AI compressing the time between vulnerability, compromise and business impact, boards and executives need regular evidence that their organisations are proactively postured and ready to deal with the inevitable.
CyberCX designs and facilitates leadership and board-level cyber incident response exercises tailored to your organisation’s threat profile, industry and regulatory environment, helping executives build confidence, identify gaps and strengthen resilience before an incident occurs.
To learn how CyberCX can help your organisation validate its preparedness and build readiness, contact our Cyber Capability, Education and Training team.
