Yet according to ASD’s ACSC, 2024 marked the highest number of data breach notifications in any year since Australia’s Notifiable Data Breaches scheme commenced in 2018 (ASD’s ACSC Annual Cyber Threat Report, 2025). More visibility has not meant fewer incidents. The question security leaders need to ask is why.
Key Takeaways
- Enterprise organisations now manage an average of 61 discrete security tools, yet tool proliferation has not produced proportional improvements in security outcomes — it has introduced complexity that directly enables control failures.
- The average enterprise SOC receives thousands of security alerts daily, with industry research consistently finding that 25–44% go uninvestigated. This is not a resourcing problem; it is a structural one.
- Compliance frameworks and periodic assessments produce point-in-time snapshots of security posture. The threat environment moves continuously. This gap is a design flaw, not a staffing shortfall.
- High-profile Australian breaches — including Optus (9.8 million customers in 2022) and Latitude Financial (14 million records in 2023) — occurred at organisations that had made substantial investments in security capability, highlighting that investment alone does not equal resilience.
- Organisations routinely rate their own security maturity higher than the evidence supports. Research from Panaseer found that 84% of organisations suffered a breach linked to control failures in the past twelve months, even as CISOs expressed confidence in their defences.
The Problem With More
The logic has been intuitive: if attackers exploit gaps in visibility, the answer is more visibility. Add a SIEM. Layer in an EDR platform. Connect a threat intelligence feed. Deploy a vulnerability scanner. Integrate a cloud security posture management tool. Repeat. Over time, the enterprise security stack has expanded to reflect this reasoning — and the results have been, at best, ambiguous.
Enterprise organisations now manage an average of 61 different security tools, each generating siloed dashboards, alerts, and unique reporting parameters (Panaseer 2026 Security Leaders Peer Report). An earlier IBM and Palo Alto Networks study found the average sat at 83 tools from 29 different vendors (Cybersecurity Dive, 2025). Whether the number is 61 or 83, the operational reality is the same: teams are expected to derive coherent signal from a sprawling, largely manual process of correlating outputs across systems that were never designed to talk to each other.
The Panaseer research is particularly pointed on this: 84% of organisations suffered a breach caused by a failure in security controls in the past twelve months, and 75% of those involved a combination of two or more control failures (Panaseer 2026 Security Leaders Peer Report). Crucially, the same research found that organisations lost the equivalent of 73% of their annual security budget to the fallout from those hidden gaps (Panaseer 2026 Security Leaders Peer Report). These are not organisations that neglected their security programmes. They are organisations that invested heavily — and still could not translate that investment into reliable control assurance.
Orro works with organisations across complex, distributed environments where this pattern is well-established. The challenge is rarely a shortage of security data. It is the absence of a coherent mechanism for determining which of that data reflects genuine exposure, and what to do about it in sequence.
When Alerts Become Noise
The volume problem in security operations has become systemic. An average SOC now processes more than 11,000 security alerts per day (StartUs Insights / Palo Alto Networks data, 2025). A separate analysis found the typical figure closer to 4,484 alerts per day, with almost half going uninvestigated due to capacity constraints (Netenrich, 2025). Across multiple surveys, between 25% and 44% of all security alerts go uninvestigated (Cyber Sierra, 2025). The SANS 2024 SOC Survey found that 66% of SOC teams reported they cannot keep pace with the volume of alerts they receive (SANS, 2024; cited in Dropzone AI).
The human cost of this dynamic is significant and tends to be underweighted in strategic conversations. According to the SANS 2024 SOC Survey, 70% of SOC analysts with five years of experience or less leave their role within three years (SANS 2024 SOC Survey; cited in MSSP Alert). The ISC2 2024 Cybersecurity Workforce Study found that two-thirds of cybersecurity professionals reported higher stress levels, with excessive workload cited as the primary driver (ISC2, 2024). High SOC turnover creates a compounding problem: experienced analysts who leave take with them the institutional knowledge of what normal looks like — the contextual intuition that distinguishes a genuine anomaly from another routine false positive. Their replacements enter a higher-volume, higher-complexity environment with less capability to navigate it.
The irony embedded in this situation is that each additional security tool typically adds its own alert stream. The architecture intended to reduce risk incrementally raises the noise floor, making the signal-to-noise problem progressively worse. A study published in ACM Computing Surveys found that 51% of SOC teams feel overwhelmed by alert volume, with analysts spending over 25% of their time handling false positives (ACM Computing Surveys, 2025). The tools are working as designed. The problem is that the aggregate of their outputs has exceeded human capacity to act on them in any meaningful way.
Compliance Is Not the Same as Security
Many organisations have come to rely on compliance frameworks — audits, certifications, regulatory assessments — as proxies for security maturity. The logic is understandable. Compliance provides structure, external validation, and a defensible position in regulatory or governance conversations. It is also structurally insufficient as a security programme in its own right.
Australia’s experience with high-profile breaches has made this point with uncomfortable clarity. The 2022 Optus breach exposed the personal information of 9.8 million customers — approximately 40% of the Australian population — through an unauthenticated API endpoint that should not have been publicly accessible. Class actions filed in the Federal Court alleged that Optus failed to comply with its data handling obligations despite having documented security practices in place (Clifford Chance, 2024). Latitude Financial, similarly, suffered a breach in 2023 that initially appeared to affect 328,000 customers before expanding to 14 million records — at a total remediation cost of $76 million (Independent Australia, 2024). As researchers from Monash University have noted, organisations in these situations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place (Monash University / Mirage News, 2025).
This pattern — investment and asserted capability, followed by material breach — reflects the compliance-security gap in practice. Passing an audit demonstrates that controls existed and were documented at a specific point in time. It does not validate that those controls were deployed consistently across all assets, that they remained effective as the environment changed, or that they would hold under real attack conditions. The SOCI Act and the Privacy Act 1988 set minimum obligations for critical infrastructure operators and organisations handling personal data, respectively. Meeting those obligations is necessary. It is not, by itself, sufficient.
Point-in-Time Assessment in a Continuous Threat Environment
Annual penetration tests and quarterly vulnerability scans have long formed the backbone of many organisations’ assurance practices. The logic is reasonable: periodic, structured assessment provides a baseline, demonstrates due diligence, and produces findings that can be tracked and remediated. The problem is the assumption embedded in the model — that the interval between assessments is short enough for the findings to remain meaningful.
It is not. The IBM Cost of a Data Breach Report 2024 found that the global average time to identify and contain a breach was 258 days — a seven-year low, reflecting genuine improvement, yet still representing most of a calendar year (IBM, 2024). For industrial sector organisations — which include utilities and critical infrastructure operators of the kind Orro regularly supports — the average rose to 272 days (199 days to identify, 73 to contain) (IBM Cost of a Data Breach, Industrial Sector, 2024). Breaches involving multi-environment data, including shadow data across cloud and on-premise systems, took an average of 283 days to identify and contain and cost more than USD 5 million (IBM, 2024).
These figures expose a structural mismatch. A new vulnerability may be published and actively exploited within days of disclosure. A misconfiguration may be introduced during a routine change window. A credential may be compromised through a phishing campaign that bypasses all existing controls. None of these events announce themselves ahead of an annual assessment cycle. The threat environment is not periodic — it is continuous — and a security programme built on periodic assurance is architecturally misaligned with the nature of the problem it is intended to address. This is not a criticism of the practitioners running these programmes. It is a description of an inherited design constraint that many organisations have not yet confronted directly.
The Maturity Illusion
Security maturity self-assessment presents a persistent and well-documented challenge. Organisations tend to rate their own capabilities more favourably than external measurement would support — a pattern that is partly human, partly institutional. Leadership teams are not inclined to report security as deficient when budgets have grown and tooling has expanded. Boards tend to interpret investment as progress. The visible signals — dashboard coverage, policy documentation, compliance certifications — are interpreted as indicators of capability.
The Panaseer 2026 Security Leaders Peer Report found that 84% of organisations suffered a breach caused by a control failure in the past year (Panaseer, 2026), even as CISO confidence in defences remained relatively high. The 2022 Panaseer Security Leaders Peer Report found that 82% of respondents had been surprised by a security event that evaded controls they believed to be in place (Panaseer, 2022; cited in Infosecurity Magazine). Surprise, in security terms, is a failure state. It indicates that the organisation’s internal picture of its own posture did not reflect actual conditions.
ASD’s ACSC, in its 2024–25 Annual Cyber Threat Report, explicitly recommended that organisations adopt an ‘assume compromise’ mindset (ASD’s ACSC, 2025) — an acknowledgement that defensive confidence can itself become a vulnerability. The threat environment does not accommodate the period of certainty that organisations often assume sits between assessments and audit cycles. The breach has frequently already begun.
Evidence Snapshot: What the Data Shows
Tool proliferation is not improving outcomes
- Enterprise organisations now manage an average of 61 security tools, each generating siloed alert streams and dashboards. Panaseer 2026 Security Leaders Peer Report
- 84% of organisations suffered a breach caused by a security control failure in the past twelve months, with 75% involving two or more simultaneous control failures. Panaseer 2026 Security Leaders Peer Report
- Security breach fallout consumed an equivalent of 73% of organisations’ annual security budgets. Panaseer 2026 Security Leaders Peer Report
- An IBM and Palo Alto Networks study found the average enterprise manages 83 security tools from 29 vendors, with fragmentation impeding integration and response. Cybersecurity Dive, 2025
Alert volume is exceeding human capacity
- Average SOC alert volume exceeds 11,000 per day in enterprise environments; between 25% and 44% of all alerts go uninvestigated. Palo Alto Networks data cited in StartUs Insights, 2025; Cyber Sierra, 2025
- 66% of SOC teams report they cannot keep pace with alert volumes. 70% of analysts with five or fewer years of experience leave within three years. SANS 2024 SOC Survey
- Two-thirds of cybersecurity professionals report elevated stress levels; excessive workload is the primary driver. ISC2 2024 Cybersecurity Workforce Study
Detection timelines remain long
- Global average breach lifecycle: 258 days to identify and contain (IBM 2024). Industrial sector average: 272 days. Multi-environment breaches: 283 days. IBM Cost of a Data Breach Report, 2024
- Australia recorded its highest annual total of notifiable data breaches in 2024, with 595 notifications in the second half of the year alone — a 15% increase on the prior six months. ASD’s ACSC Annual Cyber Threat Report 2024–25
From Visibility to Validated Exposure
The security industry has produced an extraordinary quantity of monitoring capability. The visibility problem, in the narrow sense of whether organisations can generate data about their environment, is largely solved. What remains unsolved — and what the evidence above describes — is the gap between generating that data and validating it into a prioritised understanding of actual exposure.
Visibility tells you what is there. It does not tell you which of what is there represents a viable attack path, how that compares to the same picture from last week, or which remediation action would produce the greatest reduction in realistic risk. Those questions require a different kind of process — one that connects asset visibility, control validation, and threat context into a continuously updated model of actual exposure rather than a static snapshot.
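The two points above (that an audit does not show a control was deployed consistently across all assets and stayed effective as the environment changed, and that a useful process reconciles asset visibility with control validation and shows how today's picture differs from last week's) can be made concrete with a small reconciliation routine. The following Python example is added here for illustration and is not code from Orro, Panaseer or any vendor named in the article. It assumes a hypothetical asset inventory, two controls (an EDR agent heartbeat and a vulnerability scan), per-control evidence-freshness limits, and constructed host names and timestamps; none of these values come from the article. It flags each inventoried asset whose control evidence is absent or older than the freshness limit, surfaces assets with two or more simultaneous control failures, ranks them by criticality, and diffs the result against an earlier evaluation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample data: hypothetical hosts and timestamps, not from any real environment.
NOW = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)

# Asset inventory: the "visibility" layer. Criticality drives prioritisation.
ASSETS = {
    "srv-web-01": {"criticality": "high", "env": "cloud"},
    "srv-db-01": {"criticality": "high", "env": "on-prem"},
    "wks-fin-07": {"criticality": "medium", "env": "on-prem"},
    "srv-legacy-03": {"criticality": "low", "env": "on-prem"},
}

# Control evidence as each tool reports it: control -> asset_id -> time of last evidence.
# A tool only reports on assets it knows about, so an absent entry is itself a finding.
EVIDENCE = {
    "edr_heartbeat": {
        "srv-web-01": NOW - timedelta(hours=2),
        "srv-db-01": NOW - timedelta(days=9),    # agent stopped reporting
        "wks-fin-07": NOW - timedelta(hours=1),
        # srv-legacy-03: never enrolled
    },
    "vuln_scan": {
        "srv-web-01": NOW - timedelta(days=3),
        "srv-db-01": NOW - timedelta(days=40),   # quarterly cadence, now stale
        "wks-fin-07": NOW - timedelta(days=3),
        # srv-legacy-03: outside scan scope
    },
}

# Freshness limit per control, in days (assumed values): older evidence is a control failure.
FRESHNESS_DAYS = {"edr_heartbeat": 1, "vuln_scan": 7}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    asset_id: str
    control: str
    status: str              # "missing" (no evidence at all) or "stale" (evidence too old)
    age_days: Optional[float]


def evaluate(assets, evidence, freshness_days, now) -> List[Finding]:
    """Reconcile every inventoried asset against every required control."""
    findings = []
    for asset_id in assets:
        for control, limit in freshness_days.items():
            seen = evidence.get(control, {}).get(asset_id)
            if seen is None:
                findings.append(Finding(asset_id, control, "missing", None))
                continue
            age = (now - seen).total_seconds() / 86400
            if age > limit:
                findings.append(Finding(asset_id, control, "stale", round(age, 1)))
    # Deterministic order: most critical assets first, then asset id, then control.
    findings.sort(key=lambda f: (CRITICALITY_RANK[assets[f.asset_id]["criticality"]],
                                 f.asset_id, f.control))
    return findings


def failures_by_asset(findings) -> Dict[str, List[str]]:
    """Group failing controls under the asset they belong to."""
    by_asset: Dict[str, List[str]] = {}
    for f in findings:
        by_asset.setdefault(f.asset_id, []).append(f.control)
    return by_asset


def compound_failures(findings) -> Dict[str, List[str]]:
    """Assets failing two or more controls at once: the combinations that compound risk."""
    return {a: sorted(c) for a, c in failures_by_asset(findings).items() if len(c) >= 2}


def prioritise(findings, assets) -> List[str]:
    """Order failing assets by criticality, then by number of failed controls (most first)."""
    by_asset = failures_by_asset(findings)
    return sorted(by_asset, key=lambda a: (CRITICALITY_RANK[assets[a]["criticality"]],
                                           -len(by_asset[a]), a))


def diff_findings(previous, current) -> Dict[str, List[tuple]]:
    """Compare two evaluations, so the output is a trend rather than a single snapshot."""
    prev = {(f.asset_id, f.control) for f in previous}
    cur = {(f.asset_id, f.control) for f in current}
    return {"new": sorted(cur - prev), "resolved": sorted(prev - cur)}


def last_week_findings() -> List[Finding]:
    """Constructed earlier evaluation: same inventory, but the db host's EDR agent still reported."""
    edr = dict(EVIDENCE["edr_heartbeat"], **{"srv-db-01": NOW - timedelta(days=7, hours=1)})
    return evaluate(ASSETS, dict(EVIDENCE, edr_heartbeat=edr), FRESHNESS_DAYS,
                    NOW - timedelta(days=7))


if __name__ == "__main__":
    current = evaluate(ASSETS, EVIDENCE, FRESHNESS_DAYS, NOW)
    for f in current:
        print(f"{f.asset_id:14} {f.control:14} {f.status:8} age={f.age_days}")
    print("compound failures:", compound_failures(current))
    print("priority order:", prioritise(current, ASSETS))
    print("change since last week:", diff_findings(last_week_findings(), current))
```

In this constructed run the database host, a high-criticality asset that passed last week, now fails both controls because its EDR agent went quiet and its quarterly scan aged out, while the legacy server has never been covered by either tool; the diff reports the EDR failure as new, which is the kind of movement a point-in-time audit would not surface until the next cycle.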
ASD’s ACSC’s most recent annual report called on organisations to move beyond reactive incident response and toward proactive, assumption-of-compromise postures (ASD’s ACSC, 2025). That shift demands more than adding another tool to an already complex stack. It demands a fundamental change in how organisations think about the relationship between security investment and measurable risk reduction. Organisations that are still building their security programmes around periodic assessments, dashboard confidence, and compliance benchmarks are, by design, operating with a picture of their risk that is incomplete and increasingly stale.
The gap between perceived and actual security posture is not a minor calibration issue. For organisations managing critical infrastructure, operational technology, or significant volumes of sensitive personal data, it is a material exposure — one that current approaches are structurally unable to close.
If your organisation’s security investment isn’t translating into measurable risk reduction, Orro works with security leaders to identify where visibility ends and validated exposure reduction begins. Explore how exposure validation frameworks are changing modern security operations.
Sources & Further Reading
Cited sources
- ASD’s ACSC. Annual Cyber Threat Report 2024–25. Australian Signals Directorate, October 2025. https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
- Panaseer. 2026 Security Leaders Peer Report. Panaseer Limited, 2025. https://resources.panaseer.com/reports/2026-security-leaders-peer-report/executive-summary
- Panaseer. 2024 Security Leaders Peer Report. Panaseer Limited, 2024. https://panaseer.com/resources/reports/2024-security-leaders-peer-report
- IBM. Cost of a Data Breach Report 2024. IBM Security / Ponemon Institute, July 2024. https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs
- IBM. Cost of a Data Breach 2024: Industrial Sector. IBM, 2024. https://www.ibm.com/think/insights/cost-of-a-data-breach-industrial-sector
- SANS Institute. 2024 SOC Survey. Cited in Dropzone AI, 2025. https://www.dropzone.ai/blog/how-to-address-cybersecurity-alert-fatigue-with-ai
- ISC2. 2024 Cybersecurity Workforce Study. ISC2, 2024. https://www.isc2.org/research/workforce-study
- Cybersecurity Dive. Security tool consolidation boosts efficiency, threat mitigation. January 2025. https://www.cybersecuritydive.com/news/consolidation-security-tools/738912/
- Trend Micro / ACM Computing Surveys. Alert Fatigue in Security Operations Centres: Research Challenges and Opportunities. ACM, 2025. https://dl.acm.org/doi/10.1145/3723158
- Monash University / Mirage News. From Cyberwashing to Strong Digital Security. 2025. https://www.miragenews.com/from-cyberwashing-to-strong-digital-security-1423642/
- Clifford Chance. Class Actions in Australia — Breach of Privacy Claims. October 2024. https://www.cliffordchance.com/insights/resources/blogs/group-litigation-and-class-actions/2024/10/class-actions-in-australia-breach-of-privacy-claims.html
- Panaseer. 2022 Security Leaders Peer Report (76 tools finding). Cited in Infosecurity Magazine, 2022. https://www.infosecurity-magazine.com/news/organizations-76-security-tools/
Further reading
- ASD’s ACSC. Best Practices for Event Logging and Threat Detection. August 2024. https://www.cyber.gov.au
- Office of the Australian Information Commissioner. Notifiable Data Breaches Report: July–December 2024. OAIC, 2025. https://www.oaic.gov.au
- APRA. CPG 234 — Information Security. Australian Prudential Regulation Authority. https://www.apra.gov.au
- Netenrich. SOC Analyst Burnout: Is It Putting Your Organisation at Risk? November 2025. https://netenrich.com/blog/soc-analyst-burnout
- LexisNexis. Data breaches usher in a new era for Australian class actions. 2023. https://www.lexisnexis.com.au/en/insights-and-analysis/practice-intelligence/2023/data-breaches-usher-in-a-new-era-for-australian-class-actions