Rising threats, regulatory heat and AI disruption are pushing Australia’s risk priorities into overdrive
Risk budgets are on the rise in Australia, with spending on information security and risk management products and services set to hit nearly AU$6.2 billion in 2025 — a 14.4% increase on the previous year, according to Gartner research released in March.
What has happened in Australia to cause this?
A string of major incidents has pushed cybersecurity up the agenda. The Optus and Medibank breaches exposed millions of customer records, while a ransomware attack on IVF provider Genea leaked sensitive patient data. ASIC is now taking legal action against HSBC over alleged failures to prevent scams, marking a shift toward regulatory enforcement. Small businesses are also under pressure, with cybercrime losses reaching AU$300 million annually, yet most lack tailored insurance. Meanwhile, phishing rates among Australian employees remain nearly double the global average — all reinforcing the urgent need for stronger risk management frameworks.
Is cybersecurity still dominating boardroom conversations?
Yes — and with good reason. For the second year in a row, cybersecurity tops the list of technology priorities for organisations in Australia and New Zealand, according to Gartner’s latest CIO survey. A full 88% of regional respondents identified it as their number one investment focus for 2025.
This level of attention reflects the convergence of three forces: a fast-evolving threat landscape, growing regulatory obligations and a chronic shortage of skilled professionals. The result is a risk environment that’s both high-pressure and high-priority.
Why are security services taking such a large share of the budget?
Because many organisations simply can’t manage the workload alone. Security services — including consulting, professional advice, and managed services — will account for nearly AU$2.9 billion of total spend next year, making it the largest category. That’s a 16.1% increase from 2024.
This trend speaks directly to risk managers: when internal teams are stretched thin, outsourcing becomes a vital way to shore up defences, ensure resilience, and meet compliance obligations. For many, it’s less about saving money and more about buying time, expertise, and coverage.
What’s driving the renewed focus on application and data security?
One word: AI. The rollout of generative AI tools like ChatGPT has upended traditional security assumptions. Organisations are now investing in areas like application security, data protection, and infrastructure hardening — not only to secure their own AI use but to defend against adversaries who are also leveraging these technologies.
“Security leaders are adapting their roadmaps and experimenting with AI in cybersecurity,” says Richard Addiscott, VP Analyst at Gartner. But this experimentation brings its own risks — and will require tighter governance and sharper oversight in the year ahead.
Is AI investment paying off yet?
Not always. Early adopters of AI in security have seen mixed results. The hype around game-changing automation has given way to a more realistic focus on incremental gains — particularly in threat detection, workflow automation, and compliance reporting.
Gartner predicts that by 2027, 90% of successful cybersecurity AI projects will be tactical rather than transformational. For risk managers, this means managing expectations and focusing on outcomes that add real operational value.
What disruptions should risk managers prepare for next?
Gartner warns of fresh turbulence ahead. New AI agents, untested technologies, and increasingly sophisticated attack methods will challenge even the most well-resourced teams. Meanwhile, vendors will continue to push AI-driven solutions that may or may not deliver on their promises.
In this environment, risk managers will need to stay pragmatic. Budgets are growing, but so are the demands. The challenge is to ensure that every dollar invested in risk management brings the organisation closer to resilience, not just compliance.
What does this mean for global risk managers?
Australia’s experience is a warning shot for risk managers everywhere. As AI adoption grows and cyber threats evolve, the line between local incidents and global risk is fading.
Regulatory responses are tightening, attackers are getting smarter, and stakeholder expectations are rising. The takeaway: proactive investment in resilience, skills, and strategy is no longer optional — it’s the new baseline.