The Australian Cyber Security Centre’s Annual Cyber Threat Report 2024–25 found the average self-reported cost of cybercrime for businesses increased by 50 per cent, while critical infrastructure accounted for 13 per cent of reported incidents. APRA’s CPS 230 operational resilience standard is also raising expectations around governance, business continuity and third-party risk management.“The expectation now is not that businesses can prevent every incident,” Hines says. “It is that they can keep operating when something goes wrong.”That changes the way organisations approach AI projects. Security leaders need to be involved much earlier, resilience testing must extend to AI-supported operations, and security operations centres need to cope with rapidly growing volumes of AI-generated data and telemetry.John Hines, senior director, enterprise business, APJ at Lumen Technologies. “For Australian organisations, resilience is increasingly measured by execution,” Hines says. “Can you see risk early enough, isolate it fast enough, and continue serving customers while the issue is being resolved? That is the standard now.”Tony Kitzelmann, head of technology strategy, assurance & cyber and chief information security officer at Airservices Australia, says organisations operating critical infrastructure have already experienced that shift.“As organisations move core services onto interconnected digital platforms, the consequences of cyber risk shift,” he says. “It is no longer just about data loss or disruption, it can directly impact service continuity, safety outcomes, and public confidence.”That changing risk profile has altered cybersecurity’s role within the organisation.“Cybersecurity becomes inseparable from enterprise governance and operational assurance,” Kitzelmann says. “For us, it drove a shift from treating cyber as a technical control function to embedding it into how we govern, design, and operate technology.”Infrastructure under pressureAI is also exposing the limits of technology environments built for predictable workloads.“Many organisations are realising that AI is not just another application that can be layered onto existing infrastructure,” Hines says. “It changes how data is created, moved, and consumed across the business.”Technology environments originally designed around stable traffic patterns are now expected to support continuous data movement across cloud platforms, applications, edge environments and third-party providers.“The infrastructure rethink is really about readiness,” Hines says. “AI is more likely to deliver value where the foundations are resilient, observable and secure.”That extends to cyber risk. Organisations increasingly depend on cloud providers, software vendors, technology partners and suppliers, extending operational risk well beyond traditional organisational boundaries.Hines says third-party vulnerabilities can quickly become direct business risks in highly interconnected digital environments, reinforcing the need for continuous visibility across the broader technology ecosystem rather than periodic supplier assessments.Kitzelmann says visibility across those interconnected systems has become fundamental to both operational assurance and innovation.“In a safety-critical environment, visibility is non-negotiable,” Kitzelmann says. “Risk is no longer contained within organisational boundaries; it exists in the interdependencies between systems, data and third parties.”Without that visibility, organisations have a limited understanding of critical dependencies and the way disruption can spread across connected operations.“Visibility also enables safe innovation,” Kitzelmann says. “Organisations can adopt new technologies, including AI, and integrate new partners or platforms more confidently when they have a clear, real-time understanding of how systems are connected and where data is flowing. Without that visibility, both risk management and innovation become constrained by uncertainty.”Looking beyond preventionThe speed and sophistication of cyberattacks are also changing how organisations defend themselves.“Prevention remains an essential part of cybersecurity,” Hines says, “but organisations are recognising that it can no longer be the only line of defence.”Threat actors are increasingly using AI to adapt their tactics and compress the time between exposure and impact, reducing the opportunity for defenders to respond.Hines says intelligence gathered by Black Lotus Labs, Lumen’s threat research and operations arm, shows that some of the earliest indicators of malicious activity now emerge well before attackers reach an enterprise environment.“Effective cyber resilience, therefore, depends on being able to see threats upstream, before they arrive at the enterprise perimeter,” he says.By combining global threat visibility with managed detection and response capabilities, organisations can prioritise genuine threats, improve incident readiness and disrupt malicious activity before it escalates.For Airservices Australia, stronger monitoring and response capabilities have delivered benefits beyond cyber defence.“In a safety-critical context, strengthened monitoring and incident response provide one critical outcome: control under uncertainty,” Kitzelmann says.Improved monitoring has strengthened decision-making during incidents while giving leadership greater confidence to introduce emerging technologies.“When leadership and the board have confidence in monitoring, detection and response, there is greater willingness to adopt new technologies, including AI, because the organisation knows it can operate safely even if something unexpected occurs,” he says.“The key lesson, particularly in safety-critical industries, is that resilience and innovation must be designed together.”As AI becomes embedded across more of the enterprise, organisations that combine innovation with strong security, governance and visibility are better positioned to strengthen cyber resilience while continuing to deliver critical services.To find out more, please visit Lumen.
Securing the foundations of AI
Artificial intelligence is exposing a weakness that has little to do with the technology itself.












