Privacy risk is now a business risk, but investment lags

By Jamie Norton, Vice Chair, ISACA Board

Across Australia and New Zealand, privacy teams are being asked to shoulder one of the most complex risk environments organisations have ever faced. Rapid technological change, expanding regulatory obligations, the rise of artificial intelligence and an unrelenting wave of cyber threats have combined to make privacy a central business issue, not just a compliance function tucked away in legal or IT.

Yet despite this growing responsibility, many organisations are quietly pulling back on the very resources needed to manage these risks effectively.

ISACA’s newly released State of Privacy 2026 survey puts the numbers behind what many professionals are already feeling. Nearly two-thirds of privacy professionals in Oceania say their roles are more stressful today than they were five years ago. Technology change has become the leading source of pressure, followed closely by compliance challenges and resource shortages.

At the same time, budgets are heading in the wrong direction. Only eight per cent of Oceania respondents expect a privacy budget increase in the year ahead, while 60 per cent anticipate cuts.

This widening gap between expectations and investment should concern every business leader and board member.

Privacy directly affects an organisation’s reputation, customer trust, financial performance and governance standing. Data breaches carry immediate costs such as remediation, legal action or regulatory penalties, but the longer-term erosion of confidence can be far more damaging.

When privacy programs are under-resourced, the likelihood of failure increases. And the ISACA survey shows exactly where those failures tend to occur.

More than half of global respondents pointed to inadequate or poor training as a major cause of privacy breakdowns. Half cited the absence of privacy by design, which is focused on embedding privacy considerations into systems and processes from the outset. Nearly half pointed directly to breaches and data leakages.

I want to reinforce that these are not technical oversights. They are symptoms of organisations struggling to keep up with risk, using shrinking teams and limited funding.

The workforce challenge is equally stark. Globally, the median size of privacy teams has dropped from eight staff to five in just one year. Both technical and legal expertise are in short supply, with over half of respondents identifying significant skills gaps, particularly in emerging technologies.

To cope, many organisations are retraining staff from other disciplines or relying more heavily on contractors and consultants. While career transitions into privacy can be a positive development, they also reflect how difficult it has become to build stable, specialised teams in a tightening labour market.

Meanwhile, confidence in privacy programs is slipping, particularly in our region. Only 26 per cent of Oceania respondents expressed strong confidence in their organisation’s ability to protect sensitive data, well below the global average.

This matters because the risk landscape is only becoming more complex.

AI adoption is accelerating across industries, bringing enormous opportunity but also introducing new data risks, transparency concerns and regulatory scrutiny.

Against this backdrop, expecting smaller teams with fewer resources to manage enterprise-level risk is unrealistic.

Perhaps most concerning is the apparent retreat from foundational privacy practices. Fewer organisations report consistently applying privacy by design principles, and while security controls like encryption and data loss prevention remain widely used, even these are seeing slight declines.

On their own these shifts may appear minor, but over time they weaken an organisation’s overall resilience.

Privacy risk is now everyone’s responsibility across the organisation. It touches every business function from product development and marketing to HR, supply chains and customer engagement.

Boards and executives must quickly recognise that privacy capability is now as essential as financial controls, cyber security and operational resilience.

This starts with adequate funding, but it also requires clearer accountability. Privacy leadership needs a seat at the table where technology decisions are made. Risk assessments must extend beyond compliance to consider reputational, ethical and operational impacts. Training must be continuous and organisation-wide, not a once-a-year exercise.

Encouragingly, the survey also shows more organisations exploring the use of AI to support privacy functions, from automating compliance tasks to improving monitoring and risk detection. Used responsibly, these tools can help overstretched teams work more effectively. But they are not a substitute for skilled professionals and strong governance.

The message I hear from privacy professionals is straightforward: the job is getting harder, the risks are growing, and the resources are shrinking. That combination is not sustainable. Leaders who recognise this are already putting themselves in a stronger position. Organisations that invest in the right people, processes and technology, and embed privacy into everyday decision-making, will be far better placed to manage risk and maintain trust.

Jamie Norton is Vice Chair of the ISACA Board and Chief Information Security Officer at the Australian Securities and Investments Commission (ASIC). With more than 25 years of experience across government, commercial and international sectors, he specialises in cybersecurity, resilience and strategic risk management. Jamie has previously served as a Partner at McGrathNicol, advising executives and boards on navigating emerging technology risks, and as CISO at the Australian Taxation Office, and has held leadership roles with NEC, Tenable, Check Point and the World Health Organization.