EXPLORING AISA CYBERCON 2025 - AND WHAT'S AHEAD IN AUSTRALIAN CYBER
e2 Cyber • November 10, 2025

CyberCon 2025 Insights and Takeaways with Payton Vercoe

Every year, the Australian Information Security Association (AISA) Cyber Conference brings together Australia’s brightest minds in technology, government and industry to explore what is shaping the future of cyber security. This October, Melbourne attended and spoke at CyberCon 2025, and for e2 Cyber Consultant Payton Vercoe, it was more than a professional event. It was an opportunity to immerse himself in the pulse of an industry that is constantly evolving, adapting and redefining what protection and resilience mean in a digital world.


“It’s the one week where the entire industry stops to take stock of itself,” Payton reflected. “You get to see not only where cyber is heading, but how the people in this field are thinking, learning and leading change.”


The conference brought together thought leaders, researchers and practitioners from across Australia and abroad. The diversity of attendees created an environment where perspectives clashed, converged and inspired new ways of thinking about security challenges. For Payton, the most powerful takeaway was not purely technological, it was human.


Shifting the Focus of Security

Over the three days in Melbourne, sessions and keynotes spanned the full spectrum of modern cyber security. Payton highlighted that while tools and frameworks remain indispensable, the human element is increasingly the true differentiator in organisational resilience.


“There’s this old perception that cyber is all about code, firewalls and software,” he said. “But at CyberCon, what really stood out is how much emphasis is now placed on the human element, on culture, communication and collaboration. Technology moves fast but people are what make it meaningful.”


A recurring theme across the conference was behavioural cyber security, the idea that organisations need to understand human behaviour, not just system behaviour, if they are going to defend effectively against phishing, social engineering and insider threats. Payton observed that the sessions which blended technical insight with real-world behavioural analysis made the most impact.


“The workshops on human-centric risk weren’t just theoretical,” he explained. “They showed how small actions by staff can prevent a breach or, conversely, how an overlooked behaviour can create a critical vulnerability. It’s a reminder that security isn’t a tool or a system, it’s a practice embedded in every decision people make.”


He also underscored the role cyber leadership plays in cultivating that awareness, “Cyber is no longer just a technical concern. It’s strategic, cultural and emotional. Leaders who can connect the technical side with human behaviours are shaping the future.”


Workforce Evolution: The New Cyber Professional

One of Payton’s biggest takeaways from CyberCon was how the workforce landscape in cyber security is changing, not just in volume, but in composition and expectation.


“There’s a definite shift happening. We’re seeing more people from non-traditional backgrounds entering the industry, teachers, psychologists, veterans, analysts, and they’re bringing a diversity of thought that’s reshaping what a ‘cyber professional’ looks like,” Payton said.


This was evident in the Careers Village, one of the conference streams designed to connect talent, employers and mentors. The focus wasn’t just on recruiting people who already tick boxes, but on enabling people who have curiosity, adaptability and behavioural intelligence to contribute.


“People don’t just want to work in cyber, they want to grow in it. They want to understand the impact of their work and to contribute to solutions that matter. That’s a huge shift from the past, where roles were more about maintaining systems and ticking boxes,” he explained.


Payton also noted that mentoring and professional development were hot topics at the event. Organisations are recognising that cultivating curiosity and capability internally is just as important as recruiting externally.


“The workforce of the future isn’t defined solely by certifications or years of experience. It’s defined by a mindset, one that embraces learning, resilience and adaptability in an industry that changes daily.”


AI, Automation and the Trust Factor

Artificial intelligence and automation dominated many discussions at the conference. However, the narrative was measured and pragmatic, rather than hype-filled. Payton emphasised that technology is amplifying people, but not replacing them.


“AI isn’t replacing people, it’s amplifying them,” he said. “But it’s also forcing us to re-evaluate what we trust and why. Just because a system flags an alert doesn’t mean the right action has been taken. Humans are still making the judgement calls.”


In sessions focused on AI’s role in threat detection, incident response and even offensive security, Payton observed that while machines can process vast amounts of data with speed, understanding context, intent and consequence still requires human insight.


“There’s a balance between efficiency and ethics,” he explained. “Everyone’s excited about AI’s potential, but there’s also a realisation that the more autonomy we give to systems, the more careful we need to be with governance, bias and transparency.”


He was particularly struck by conversations around AI explain-ability and accountability. As AI systems start to make decisions, organisations need to ask: Who is responsible? How do we audit a process that evolves continuously?


“Trust isn’t just about the technology working correctly. It’s about understanding how decisions are made and ensuring accountability remains,” he said. “This is going to be a major focus for the industry over the next five years.”



Policy Meets Practice: A Conversation Maturing

A further major theme at CyberCon was the alignment of policy, governance and operational practice. Payton walked away with a strong sense that the gap between regulation and execution is narrowing.


“There’s always been a gap between policy intent and operational reality,” Payton noted. “But this year, it felt like those worlds were finally starting to talk to each other. The conversations weren’t just about what regulations say, but about how organisations can actually apply them in a meaningful way.”


Sessions included government representatives, regulators and industry leaders discussing frameworks like the Australian Cyber Security Strategy 2023–2030, APRA CPS 234 and the Essential Eight maturity model. The conference theme “Transform to Evolve” was clearly playing out in how these frameworks were being referenced, not simply as compliance checklists but as foundations for capability building.


He stressed that collaboration is now a cornerstone of resilience. Organisations are being encouraged to move beyond compliance and toward building capability.


“The approach is less about ticking boxes and more about creating lasting, measurable security improvements,” he said. “It’s a shift from defensive thinking to proactive partnership, and that is a critical evolution in Australia’s cyber landscape.”


Culture First: Embedding Security into Business DNA

If there was one consistent message threading through the conference, from keynote to workshop, it was that technology and frameworks alone are not enough. Payton emphasised that culture is where resilience lives.


“Technology can only take you so far,” he explained. “At the end of the day, breaches exploit behaviour. People are both the greatest strength and greatest vulnerability in any system. Building a security culture is about turning awareness into action, and action into habit.”


He highlighted examples shared in sessions where organisations successfully transformed their security culture: cross-department exercises, scenario-based simulations and internal communications campaigns that framed cyber security as part of professional identity rather than a checklist.


“What stood out is how leaders can influence culture by showing up visibly, reinforcing behaviours and rewarding good practices,” Payton said. “It’s not about more policies. It’s about making security part of how people think and act every day.”


This cultural lens also has direct recruitment implications. Organisations are now seeking individuals who do more than execute tasks, they want people who can model the behaviours they want, engage teams and contribute to a broader security narrative.



e2 Cyber at the Conference: Presenting and Connecting

At CyberCon Melbourne this year, e2 Cyber didn’t just attend, we actively contributed. Our consultants, Matt Kiss and Ben Rogalsky, led a sessions in the careers village which focused on CV structuring and candidate readiness.


Payton reflected on their session and its value.


“Matt and Ben did phenomenal presentations around CV structuring and things like that,” he said. “It was excellent to have the opportunity to see them present as e2 Cyber. Then the three of us sat down for a little bit of extra time at the end during our lunch break and helped a number of candidates structure their CV in a way we would expect to see them presented as recruitment consultants.”


This aligns directly with e2 Cyber’s philosophy. Recruitment in cyber security isn’t just about ticking boxes. It’s about helping individuals show their value, shape their narrative and connect with cyber roles where they can thrive. Payton noted:


“Seeing candidates in that environment and helping them refine what they bring to the table, that was as powerful as any keynote.”


Emerging Threats and Strategic Imperatives

CyberCon Melbourne 2025 also served as a stark reminder of the pace and sophistication of cyber threats. From deepfakes and AI-driven reconnaissance to supply chain attacks and identity exploitation, virtually no corner of the landscape was untouched.


“It’s easy to get overwhelmed by threat reports,” Payton said. “But what I took away is the importance of prioritisation and preparation. The organisations that succeed are not the ones that try to do everything, but the ones that understand their risks, build resilience and empower their people to act.”


He noted a compelling line of argument from presentations that even as perimeter defences remain relevant, much of the risk is internal or infiltrated via trusted supply-chain relationships.


“Teams that communicate clearly, understand their roles and have trust in leadership can respond faster and more effectively than those that rely solely on tools or processes,” he said.


Industry Leaders and Workforce Architecture

Several high-profile sessions cited at CyberCon Melbourne reinforced the strategic shift in workforce architecture and enterprise security. Among them:


Luke McGrath, Assistant Director at the Department of Home Affairs, spoke about the 2023-2030 strategy review and the embedded role of the National Cyber Office in providing constant feedback loops with enterprise and building a cyber workforce roadmap


Jacqui Loustau, Executive Director at AWSN, outlined how to build teams with “diversity by design” to avoid echo chambers and address the pipeline of 30,000 unfilled roles


Martina Mueller, Head of Cyber at Coles Group, presented how embedding cyber into workforce architecture and culture is becoming non-negotiable even for large retail organisations


Jakub Zverina, Program Manager at Cyber CX, shared insights into root causes of vulnerabilities including development security, identity lifecycle and configuration and patch management


Tim Brown, CISO at SolarWinds, shared lessons from the SolarWinds supply chain breach, emphasising cross-functional collaboration, active leadership presence, and the creation of a “Secure by Design” culture. He highlighted how rapid response, transparency, and workforce resilience are critical in managing high-impact, time-sensitive cyber incidents.


These sessions strengthened the trend Payton observed, workforce design, role prioritisation and embedded security across business functions are now central to enterprise cyber strategy.


Practical Pathways for Employers and Hiring Managers

Based on Payton’s reflections, e2 Cyber recommends employers and hiring managers act on the following pathways:


Design role families and career lattices

Build advertised roles that show progression, training and development pathways rather than rigid requirements that filter out entry-level talent.


Hire for diversity of thought and background

Look beyond traditional cyber experience. The most effective teams now include analysts, researchers, educators, veterans and people who bring lived experience and diversity of solving problems.


Embed AI literacy but maintain fundamentals

Role descriptions should incorporate practical AI tool use, but not treat it as a substitute for identity management, secure development and configuration hygiene.


Embed security into product and operational teams

Cyber security cannot live solely in a central security team. It must be woven into engineering, operations and business functions so that secure design becomes standard practice.


Prioritise incident readiness and communications skills

Senior hires should be assessed on how they perform during crisis scenarios, as well as their ability to communicate technical risk to non-technical stakeholders.


Partner with education and build internal development

Align job role design with partnerships with tertiary education, TAFE and training providers. Build cadetships, internships and structured on-job learning so entry-level talent can transition into roles.


These pathways reflect the shift Payton witnessed, from compliance frameworks and technical boxes to cultural adoption, capability building and people-centred security practice.


Implications for Candidates

For those seeking roles in cyber security, Payton’s message is clear:


Clean up your online footprint

In a live session, Payton used ChatGPT to discover how much was publicly available about him. “It was a wake-up call,” he said.


Build demonstrable project experience

Contribute to open source, volunteer in a small business or do realistic capture-the-flag work that you can discuss in interviews.


Practical identity and access experience matters

Organisations are hiring for identity lifecycle work, not just MFA checkboxes.


Upskill in AI tools and explain your application responsibly

“Show examples where AI assisted your work without replacing your judgement.”


Prepare your CV to emphasise outcome, not just tools

Payton noted in the session run by our team the importance of clear, recruiter-friendly CVs that highlight impact and value.


At e2 Cyber, Payton described how the recruitment conversation is evolving:


“Clients are asking questions about culture, adaptability and communication as much as technical expertise. The workforce of the future will need to bridge gaps between governance, technology and people. That’s where we see huge opportunities for both candidates and employers.”


Looking Ahead: Security as a Living Practice

As CyberCon Melbourne 2025 drew to a close, Payton left with a renewed sense of purpose and optimism. The themes of trust, adaptability and human connection were woven through every session and conversation, signalling an industry that is not just advancing technologically but maturing culturally.


“If there’s one thing I took away, it’s that cyber is not standing still,” he reflected. “We’re not just defending systems anymore, we’re building environments where security is part of how we think, communicate and innovate.”


He noted that optimism was a defining sentiment of this year’s conference. After years of pressure and rapid change, the industry’s focus is shifting from reaction to reinvention.


“There’s a lot of talk about burnout and pressure in cyber, but what I saw was energy, curiosity and collaboration. People are leaning in again, they’re excited to be part of the solution.”


For e2 Cyber, Melbourne reinforced a simple but powerful principle, cyber security is ultimately a people business. Technology, policy and strategy matter deeply, but the true differentiator will always be the professionals who drive culture, innovation and resilience.


“As the industry looks to 2026, the focus is crystalised. Organisations that embed security in their culture, invest in their people and balance technology with human insight will lead the way. That’s what CyberCon 2025 made abundantly clear,” Payton concluded.


Keen to explore what's in store for you or your team with our dedicated cyber recruitment specialists?

Let's Chat
Woman with glasses coding on computer monitors.

CYBER SECURITY IN TRANSITION: FROM COMPLIANCE TO CULTURE

By e2 Cyber October 14, 2025
Australia’s cyber landscape is shifting from compliance to culture, where leadership, accountability and resilience define the evolution of cyber security.
e2 cyber director Jacob Bywater sits in interview at desk with sepia filter and curtains

CYBER SECURITY - A TOP TO BOTTOM BUSINESS PRIORITY

By Jacob Bywater August 26, 2025
Jacob Bywater shares why Australian cyber security is everyone’s responsibility in a company, where businesses can go wrong, and how to build cyber resilience.
e2 Cyber’s Matt Kiss, smiling while being interviewed with laptop

STATE OF CYBER SECURITY JOB MARKET AUSTRALIA: 2025 AND BEYOND

By e2 Cyber August 6, 2025
What's the state of the cyber security job market? We explore the impacts in 2025 and beyond, in an in-depth interview with e2 Talent Consultant Matt Kiss.
More Posts