Melbourne, Victoria  ·  CISSP  ·  CISM

Matt Kardas

Boutique advisory across cybersecurity, AI governance, and technology risk, helping organisations adopt emerging technology with confidence, clarity, and strategic oversight.

Cybersecurity Strategy  ·  AI Governance  ·  Technology Risk  ·  Executive Advisory

The work. The person.

I have spent more than a decade helping organisations navigate the strategic implications of technology, translating cybersecurity, AI, and operational risk into decisions leadership teams can act on with confidence.

My experience spans ASX-listed companies, global brands, regulated industries, and government-contracted environments. I have built security functions, led transformation initiatives, advised executives and boards, and implemented governance frameworks including ISO 27001, NIST, ASD Essential 8, and FAIR risk quantification.

The strongest organisations are not defined solely by controls or compliance maturity. They are defined by clarity, culture, and resilience. Much of my work focuses on helping organisations build practical security cultures that support innovation rather than restrict it.

Outside of work, I am a competitive ocean sailor. In 2025 I raced aboard Cyan Moon, which won PHS Division 2 and PHS Overall in the Rolex Sydney to Hobart. The race has a way of teaching things that don't surface until much later, often when you're dealing with something at work and suddenly recognise a familiar pattern about uncertainty, trust, or when to hold a course and when to change it. I am also a volunteer firefighter with the CFA, which has shaped how I think about decision-making under pressure and what it means to show up for something larger than yourself.

I am based in Melbourne and currently open to senior cybersecurity leadership roles and board advisory opportunities.

10+ years in cybersecurity leadership

Certifications

CISSP — Certified Information Systems Security Professional
CISM — Certified Information Security Manager
Agile PM — Agile Certified Practitioner

How I think about things.

01

Why the most important cybersecurity investment isn't technical

Every organisation I have worked with has wanted to solve security by buying something. A better SIEM. A more advanced EDR. A shinier dashboard. And every time, the real risk has been the same thing: the people inside the organisation who do not understand why any of it matters.

Technical controls are necessary. They are not sufficient. A phishing email does not care how sophisticated your email gateway is if someone clicks the link anyway, and they will, unless they understand what they are looking at and why it matters to them personally.


The 60% reduction in phishing failure rates I achieved at Envirosuite did not come from a new tool. It came from a deliberate, sustained effort to make security feel relevant, connecting the abstract concept of cyber risk to the daily reality of the people who were, in practice, the most important line of defence.


Culture is not soft. It is the hardest and most durable security control an organisation can build. And it is the one most often left off the budget.

02

What boards should actually be asking about AI right now

Most board conversations about AI start in the wrong place. They start with risk: what could go wrong, what we need to protect against, what our liability is. Those are not bad questions. They are just not the first questions.

The first question is simpler: what could this genuinely do for the people we serve? Until a board has a clear and honest answer to that question, the risk conversation has no foundation. You cannot govern a technology you have not decided to engage with.


The organisations that will do most for the people they serve in the next decade will be the ones whose boards asked better questions earlier. Not "how do we prevent AI from causing harm?" (though that matters) but "how do we move toward AI wisely, so the benefit reaches the people who need it?"


My instinct, in any boardroom conversation about emerging technology, is to be an enabler. Not reckless, but genuinely oriented toward the possible, not just the protective. That is a different kind of contribution than most technology advisors bring to a board table.

03

What firefighting taught me about security leadership

I have been a volunteer firefighter with the CFA for a number of years now. People sometimes ask how that connects to my professional life. The honest answer is: more than almost anything else.

Firefighting teaches you to make decisions when you do not have complete information, when conditions are changing faster than your plan, and when the cost of hesitation is higher than the cost of being imperfect. It teaches you to trust the people beside you, because in that environment, trust is not a nice-to-have. It is structural.


Security leadership, at its best, works the same way. You will never have complete information about a threat. You will never be able to prevent every incident. What you can do is build an organisation that responds well, one that has the culture, the clarity, and the capability to move quickly and intelligently when something goes wrong.


The CFA also reminds me, regularly, why the work matters. Showing up for something larger than a professional outcome changes how you think about purpose. I try to bring that into every leadership role I take on.

04

What the Sydney to Hobart teaches you about uncertainty

The race humbles you, but not in an obvious way. It doesn't shout the lessons. It plants them quietly and lets you get on with things. They tend to surface much later, often when you're dealing with something completely different and suddenly recognise a familiar pattern.

Preparing for the race isn't about ticking boxes or chasing a perfect plan. It's about familiarity. Doing things often enough that when conditions turn messy, your hands move before your head has time to question anything. What looks like instinct from the outside rarely is.


Out there, certainty doesn't exist. There are only educated guesses, some better than others. Weather predictions change, gear breaks in unexpected ways, and experienced sailors get caught out. You learn to be ready for whatever happens, without overanalysing or reacting emotionally. Navigation captures this well. All the sophisticated models and simulations rarely survive first contact with reality. You commit to a course, but you stay mentally ready to change it. Letting go of a decision when circumstances shift isn't failure. It's part of doing it well.


Winning wasn't something you could chase directly. The result felt more like a byproduct than a target. It happened because everything else lined up: hours of preparation done long before the start, decisions made with incomplete information, people trusting each other while tired and uncomfortable, and a constant willingness to adjust instead of forcing a desired outcome. Cyan Moon, Rolex Sydney to Hobart 2025, PHS Division 2 and PHS Overall winner.

Strategic guidance for organisations navigating technology change.

I work with organisations navigating complex technology decisions across cybersecurity, AI adoption, digital governance, and operational risk. My role is to help leadership teams move forward with clarity, balancing innovation, resilience, governance, and commercial reality.

The work spans strategic cybersecurity leadership, AI governance advisory, executive risk translation, security transformation, and organisational resilience. I bring experience across ASX-listed companies, regulated environments, global brands, and fast-moving technology businesses.

  • Cybersecurity Strategy: Security leadership, operating models, capability uplift, executive guidance, and strategic transformation initiatives.
  • AI Governance & Emerging Technology: Practical governance approaches for organisations adopting AI responsibly while maintaining innovation momentum.
  • Technology Risk Advisory: Translating complex technical and operational risk into clear executive and board-level decision making.
  • Security Culture & Organisational Resilience: Human-centered approaches to resilience, security awareness, incident preparedness, and operational maturity.

My instinct is to be an enabler, not a stopper. The question I bring to a boardroom is not what could go wrong. It is how do we move forward wisely.

Matt Kardas  ·  Melbourne, VIC

Engagement areas

Strategic cybersecurity advisory, AI governance, executive mentoring, board engagement, technology risk leadership, and boutique consulting engagements across regulated and mission-driven sectors.

Let's have a conversation.

I am always open to a direct conversation, whether about a role, a board opportunity, or simply an exchange of ideas.