A few weeks ago I was fortunate enough to attend the world's largest cyber-security event, RSA Conference, in San Francisco. This year was the 25th anniversary of the conference, with 40,000 attendees and over 500 vendors exhibiting.
My experience at RSAC reflected my experiences at many other international cyber-security gatherings over the years. I have come to the conclusion that Australia has pockets of cyber-security leadership that are world-class, and in some instances, world-leading. But these pockets of capability - almost all at the top end of town - are insufficient for the nation's needs. 
In Australia we have a small number of organisations with big cyber-security teams, and established leaders with excellent bench strength in their direct reports. Principally, these pockets of cyber maturity are in the big four banks, and a hothouse of talent that has emerged in Telstra.
Each of these five organisations has cyber-security teams that exceed 200 people. By comparison, Google has over 500 security staff. These five Australian organisations are not the only pockets of world-class security practice and leadership, but they are by far the best-resourced in the private sector.
Not everyone has the resources of a bank to defend against cyber-attacks, but everyone is being attacked. This means that all business leaders must have an informed opinion on how their organisation is managing cyber risk.
In March an internationally renowned cyber-security expert, and former security officer at the Pentagon, gave a briefing on current attack trends, saying US healthcare organisations have come under fierce attack. In these attacks, personally identifiable information about executives from different organisations had been explicitly harvested.
This information was then used for targeted attacks against these executives and their organisations.
In Australia, healthcare is just one sector where our cyber capabilities are sadly lacking. If you look across the ASX 200, you will find isolated instances of cyber-security maturity and leadership which stand out, because they are the exceptions. This is not sustainable, and it means we are trying to build our national economic future on uncertain ground. We're all in this together, but we behave as though it's someone else's problem.
I am not arguing that every organisation needs to hire a chief information security officer and a team of 200 security specialists; that's not practical. I am arguing that having an informed opinion of your organisation's exposure to cyber risk is essential to balance the "risk versus cost versus benefit" equation.
The first step is to admit that we all have the same problem. Just because you're not aware of having been attacked, doesn't mean you haven't been. The second step is to identify what role in your organisation is accountable for cyber-security. If a company already has a CISO, are they optimally used?
A chief information officer who cares about security is a good start, but effective cyber risk management requires continual interaction and collaboration with legal, IT, finance, risk, and operations. It's a business issue, not just an IT problem.
Third, it's vital to know what your information assets are.
What are the information assets that your organisation depends on? What would be the business impact if everyone in the world could access them? Or you couldn't trust the data in them? Or you couldn't access the data ever again? This will give you a good map of where your treasure is.
Fourth, there is an excellent approach called "the Five Knows of cyber-security", created by Mike Burgess and Rachael Falk at Telstra. The Five Knows are: know the value of your data, know where it is, know who has access to it, know who is protecting the data, and know how well the data is protected. Use these five points as questions to generate answers grounded in reality, not hope.
Once your organisation commits to improving its cyber maturity, you'll also realise you need to look outside your organisation with the intention of learning and sharing. For instance, there are useful resources available from ASIC to help guide thinking.
There is also a steadily growing collaboration among our most capable CISOs. The more workers that participate in security interest groups and conferences the better; their network of peers will be their best source of ideas and intelligence on the threat environment.
While cyber-security makes for bad TV, fortunately, it is an awesome team sport, and we have the makings of a great national team.
James Turner is a cyber-security adviser with IBRS, the founder of private sector CISO forum CISO Lens and a spokesperson for the Australian Information Security Association.