In this 50th episode of Future Secured, Sandro Bucchianeri, Chief Security Officer at National Australia Bank, takes us inside the uncomfortable reality of modern cybercrime: attackers operate with no boundaries, no legislation, and no regulators. They move fast, change partners instantly, and treat targets as simple commercial opportunities.
On the other side are highly regulated organisations like banks, operating under SOCI, ASIC, APRA and ASD guidance, trying to defend customers, critical infrastructure and national confidence while navigating layers of governance, compliance and risk management.
Sandro contrasts the brutal simplicity of criminal negotiations, “What’s your cut? Yes or no?”, with the complexity defenders face when uplifting controls, coordinating across global teams and working with government, ASD and industry peers to share intelligence and respond to DDoS campaigns, phishing, ransomware and AI-driven threats. From his early motivation to “protect people from bad things happening” through to leading cyber and physical security at NAB, he unpacks why security fundamentals, collaboration and communication still decide who wins.
Takeaways
- Cyber criminals don’t respect boundaries — they ignore legislation, regulators and ethics, and focus purely on speed, profit and opportunity.
- Criminal negotiations are fast and transactional — simple cuts, no paperwork, and instant switching to the next willing partner if you say no.
- Defenders operate in a regulated world, balancing SOCI, APRA, ASIC and ASD expectations with service uptime, customer trust and board accountability.
- Compliance is a by-product of good security — ticking boxes on frameworks alone does not make an organisation secure.
- Most major breaches still come back to basics — patching, privileged access, identity and access management, segregation of environments and backup discipline.
- Nation-level resilience depends on collaboration — banks, government and international partners sharing indicators of compromise, DDoS patterns and threat intelligence in real time.
- AI and automation are a double-edged sword — used by attackers to improve phishing, deepfakes and social engineering, and by defenders to scale detection, response and analysis.
- Security culture and education matter as much as tools — from frontline branch staff stopping scams to “security champions” and cyber awareness woven into everyday work.
- Building the talent pipeline starts early — Sandro argues for cyber as an extracurricular pathway in schools, uplifting marginalised youth and diverse talent into cyber roles.
- Resilience is personal as well as technical — faith, family, boundaries and perspective shape how leaders carry the constant pressure of defending at scale.