The Crisis of Competence.
Compliance optics have replaced technical ability in our leadership ranks. Long-term, this will harm Australia’s national resilience.
Dean Kastelic, Principal Consultant
Australia’s cyber industry is suffering from a crisis of competence. A growing demand for “compliance optics” has replaced the technical abilities required to actually solve the problem.
We see senior cyber roles – Head of Cyber, Director, CISO – filled by risk practitioners who, frankly, have no idea how to mitigate the risks they report. They are masters of the risk register, fluent in policy language, and present well in executive settings. But they lack the deep technical knowledge to understand adversary techniques or architect a program to defend against real-world threats.
“This has created a ‘competence vacuum’ at the highest levels.”
The Result: The Watermelon Effect (Risk)
- Green on the Outside: The board sees “mature” dashboards, completed risk assessments, and clean audit reports.
- Red on the Inside: Riddled with technical gaps, misconfigurations, and flaws a skilled adversary will exploit.
How Did We Get Here? The “Safe Hire” Paradox
This trend wasn’t born from a single decision but from a systemic failure in how we hire.
1. GRC as the “Default” Track
Vetting deep technical skill is difficult. Vetting GRC qualifications (CISA, CISM, CRISC) is easy. Hiring managers default to the “safe” GRC background because it’s a known quantity.
2. The “Malleable Hire” Paradox
Boards prefer leaders who speak the language of risk and finance. A technical specialist sounds alarming (“in the weeds”). A GRC practitioner with a “mature” dashboard sounds reassuring. As a bonus, they are less likely to report on the chaos of legacy IT systems they don’t understand.
As GRC becomes the main pipeline to leadership, we are systematically filtering out the technical experts who actually build and break systems.
The Real Cost of “Compliance Theatre”
- Financial Waste: Budgets poured into low-value “activity” while core systems remain vulnerable.
- False Confidence: The “competence illusion” lulls the board into a false sense of security.
- Legal Risk: When a breach occurs, relying on non-technical leadership exposes directors to negligence claims.
This isn’t just a theory. Ask this simple question: Would a GRC-led program have stopped the Qantas breach?
No. The root cause wasn’t a lack of policy; it was a failure of specific technical controls. These are controls that a GRC analyst would miss but a cyber architect would spot instantly.
“I am so confident in this thesis, I will make this guarantee: Show me a GRC-led program, and I guarantee our red team will find a way in. If not, I’ll eat an entire watermelon.”
The Path Forward: “Threat-Anchored Design”
The solution is not to try to turn GRC practitioners into cyber specialists. That’s fitting a square peg in a round hole. The real solution is to redefine “real” cyber leadership: a technical strategist who can speak the language of the board.
The New Vetting Framework for Boards:
- Can this leader describe the last three major breaches (like Qantas or Medisecure) at the technical control level?
- Can they whiteboard a defensible architecture for our cloud environment right now?
- Can they demonstrate threat modelling by conducting a kill-chain analysis?
This is the standard we must demand. By anchoring every decision to a specific, understood threat, we distil our efforts down to what actually matters.
It’s time to stop funding the illusion and start building defensible programs.