Over the holidays, we'll be bringing you some earlier episodes of our Boardroom Confidential podcast.

This time, it's Andy Penn, a director with Coles and Trustee for the National Gallery of Victoria. He also spent seven years as the CEO of Telstra and previously served as the chair of the federal government's Cyber Security Strategy Expert Advisory Board.

We talk about: lesson for boards on cyber security, advice on effective Chair-CEO relationships, and governance at the National Gallery of Victoria.

Co-chair of Supply Nation and Fortescue director Penny Bingham-Hall joins Boardroom Confidential to unpack some of the major issues facing today's boards: harnessing AI's predictive power, overseeing cyber risk in a "when, not if" world, and lifting climate governance from compliance to capability.

We also explore the craft of a high-performing board (diverse, collegiate, agenda-sharp), how to build a deliberate portfolio career, and why First Nations procurement is a powerful, practical lever for impact.

Key Themes:

• AI readiness starts with data — know what data you hold, who owns it, and whether your architecture can use it.
• When cyber hits: plan, then get out of the way — management runs the incident; the chair streamlines comms.
• Climate governance in action — treat year one of mandatory reporting as a learning year; close data gaps early.
• Board craft — diverse yet collegiate boards, agenda discipline, safe debate
• Portfolio building — define your value proposition, test culture and values fit, and be deliberate about mix.
• Procurement for impact — First Nations supplier engagement as a practical pathway to Reconciliation.

Click here for video versions of our podcasts on YouTube

Presented by Okta

Cyber security has become a core governance issue, not just an IT problem. In this episode, Mathew Graham, Chief Security Officer for Asia–Pac at Okta, explains why identity is now the front line of security — and what that means for directors. He outlines how cyber risk has shifted from firewalls to cloud systems, remote work and interconnected supply chains, where most breaches now begin with compromised credentials.

Mathew clarifies the board's role in setting risk appetite, shaping a culture of security, and holding management accountable through clear, risk‑focused reporting. He challenges common misconceptions ("compliant = secure") and highlights the danger of relying on a single tech provider.

He also explores AI's dual edge — accelerating attacks and strengthening defence — and why non‑human identities like bots and AI agents must be secured. Finally, Mathew shares practical steps: stronger MFA, regular simulations and one big question every board should ask — who has access to our most critical data?

Key Takeaways:

· From tech issue to business risk — why cyber has moved from the server room to the boardroom, with identity now the critical perimeter.

· Board vs management roles — the board sets the "what" and "why" (risk appetite, culture of security); management owns the "how".

· Good cyber reporting — concise, risk-focused dashboards over jargon-heavy reports; red flags when leaders can't answer "who has access to what?".

· SMEs and NFPs — how resource-constrained organisations can use ACSC guidance, baseline controls and targeted investment to lift their posture.

· AI as accelerator — attackers using AI for better phishing, faster vulnerability discovery and malware, while defenders use AI for anomaly detection.

· Non-human identities & supply chain risk — bots and AI agents as new identities to secure, and why many major breaches now start with a third party.