Innovate Victoria 2025 Key Takeaways: Cyber Security and Risk Management

Importance of notify and recovery – gaining and keeping citizen trust

Danielle Pentony, Chief Information Security Officer, Australian Digital Health Agency
Mike Freeman, Cyber Consequence Coordinator, Department of Government Services Victoria
Blake Tierney, Senior Director, Corporate Affairs, DP World
Heng Mok, Chief Information Security Officer, APJ, Zscaler

• Transparent, timely communication is vital—but must be strategic, aligned, and emotionally intelligent.
  Breach response must balance public transparency with operational control. Communicating too early without understanding consequences can backfire; collaboration across agencies and with government comms teams helps shape clear, aligned messages that protect citizen trust while managing risk.

• Playbooks must be simple, flexible, and people-focused to enable swift recovery.
  Long, complex crisis plans often fail in real-time scenarios. Experts emphasised keeping plans short and actionable, building muscle memory through joint exercises, and prioritising mental health and role clarity within crisis teams. Streamlined executive decision-making structures are critical to prevent chaos.

• Sector-wide collaboration and community trust are the foundations of resilient recovery.
  From health-sector cyber champions to cross-sector ISACs, building collective defence and sharing threat intelligence is key. Strong partnerships between public and private organisations—based on mutual trust, not legal gatekeeping—enable faster, more coordinated recovery that serves citizens better.

Partnering more transparently with agencies and industry

Lieutenant General Michelle McGuinness CSC, National Cyber Security Coordinator, Department of Home Affairs

• Effective cyber incident response depends on trust, preparedness, and streamlined coordination.
  To avoid overwhelming entities with conflicting demands during a crisis, the Commonwealth has centralised engagement through the National Office for Cyber Security. McGuinness stressed the need to build institutional and interpersonal trust before an incident, supported by exercises, simplified reporting mechanisms, and a focus on victim-centred response.

• Communications can make or break incident response—technical success alone isn’t enough.
  Clear, coordinated messaging across government and stakeholders is critical. McGuinness highlighted how poor communications can unravel even the best technical handling of an incident, making comms strategy a core part of national cyber resilience.

• Diversity, inclusivity, and public-private partnerships are essential for cyber uplift.
  From expanding cyber participation for women and First Nations communities to enhancing Indo-Pacific collaboration and SME support, Australia’s strategy focuses on workforce diversity, skills pathways, and secure-by-design infrastructure. Cybersecurity must reflect the full breadth of Australia to serve and protect it effectively.

Can identity security win votes?

Nam Lam, Vice President, ANZ, Sailpoint

• Digital transformation increases cyber risk—identity security must evolve in parallel.
  As governments expand digital services, the attack surface grows, with over 60% of reported breaches involving compromised credentials. Identity security is critical to safeguarding access and reducing the likelihood of internal compromise.

• Identity security is more than logins—it governs who has access, to what, and when.
  Nam illustrated that beyond authentication, identity security controls and automates fine-grained access for both human and non-human users, preventing lateral movement and unauthorised entry into critical systems.

• Government agencies face complex identity challenges—and fixing them improves service delivery.
  From slow onboarding and legacy systems to multi-agency user duplication and MoG changes, poor identity management hampers productivity and security. Strategic investment in identity security supports safer, more efficient public services.

On Cyber Innovation

Ben Walker, Partner | Technology & Transformation Cyber, Deloitte

• Cybersecurity professionals are already innovators—and must lead secure innovation, not just protect it.
  Walker reframed innovation in cyber as not just about new tools or technologies, but about mindsets and approaches. He argued that cybersecurity teams are natural innovators, constantly finding smarter, leaner ways to safeguard systems in complex environments. As such, they are uniquely positioned to champion innovation across the broader public sector—by embedding security from the outset, not as an afterthought.

• Secure-by-design is essential for long-term success and resilience.
  Without security at the core, innovation efforts risk failure and long-tail costs. Walker urged cyber leaders to transition from gatekeepers to enablers—saying “yes, but...” rather than “no.” He highlighted the cascading consequences of insecure innovation, citing the extended aftermath of breaches, and called for a shift where security is seen as foundational to citizen trust, digital service delivery, and sustainable progress.

• Cybersecurity must flip the narrative and champion business enablement.
  Innovation is not about flashy tech—it’s about solving real problems at scale, efficiently and securely. Walker challenged cybersecurity leaders to become proactive partners in digital transformation, bridging the gap between secure practice and public value. By leading with risk-awareness and resilience planning, cyber teams can accelerate change, not impede it.

On Cyber Resilience

Jane Standish, Director – Digital Government Lead, CyberCX

• Cyber resilience is not optional—it's the operational baseline for public sector leaders.
  Standish stressed that cyber incidents are not hypothetical risks but persistent realities, particularly for state and local governments managing critical infrastructure and sensitive data. With espionage, cyber extortion, and business email compromise on the rise, resilience must be designed into systems, governance, and operations—across the before, during, and after phases of an attack.

• People remain both the vulnerability and the solution in cybersecurity.
  The majority of incidents CyberCX responded to in the past year were rooted in human error—weak credentials, phishing, and unpatched systems. Standish called for a shift in mindset from “tech-centric” to “human-enabled” security, underscoring the importance of workforce training, stakeholder communication, and embedding cyber awareness beyond the IT department.

• Strategic cyber readiness depends on planning, response agility, and cross-functional integration.
  Drawing from CyberCX’s DFI report and her experience in government, Standish laid out a resilience framework based on readiness (e.g. tested incident response plans, critical asset mapping), containment (coordinated response and continuity), and recovery (communications, post-incident review). Public sector leaders were urged to think proactively about response scenarios and strengthen internal capability and coordination to mitigate long-tail impacts.

Diversity in Cyber Security: Insights on the retention of women in the workplace

Jacqui Loustau, AWSN Executive Director, Australian Women in Security Network
Professor Matthew Warren, Director of the RMIT Centre of Cyber Security Research and Innovation, RMIT University

• Only 17% of Australia’s cybersecurity workforce is women—systemic change is needed to shift the dial.
  Drawing from a multi-phase national study, the speakers revealed that women remain significantly underrepresented in cybersecurity, especially in senior roles. Cultural and structural barriers—such as inflexible work practices, lack of mentorship, and masculine workplace norms—were identified as key retention challenges. Addressing these requires coordinated action from individuals, organisations, and government to build inclusive, supportive, and purpose-driven environments.

• Diversity initiatives must move from awareness to action, with measurable outcomes and sustainable design.
  The AWSN and RMIT research highlights that simply hiring more women is not enough—attention must be paid to advancement pathways, inclusive job design, and bias-free recruitment practices. Programs like the Victorian Women in Security leadership and technical upskilling cohorts, as well as cyber student placements in SMEs, show promising models for impact. Importantly, the next phase of research will evaluate whether such efforts are actually shifting long-term workforce diversity metrics.

• Inclusive cybersecurity is critical to building sovereign capability and national resilience.
  Warren and Loustau emphasised that gender diversity is not a moral issue alone—it’s a strategic imperative. Diverse teams bring broader perspectives and stronger problem-solving, which are essential in responding to complex, evolving threats. As cyber becomes a core national security domain, building a workforce that reflects the full talent pool is vital to Australia's ability to defend, recover, and innovate in the digital age.

Operational Resilience needs Cyber Resilience - What to do when the unexpected happens

Nathan Smith, Head of Security, APAC, Splunk

• Operational resilience is a strategic capability—especially for safeguarding public trust in unpredictable environments.
  Smith emphasised that incidents—whether cyberattacks, outages, or technical failures—are inevitable. For government agencies, the stakes aren’t just revenue loss, but critical service disruption and erosion of citizen trust. True operational resilience means being able to detect, respond, and recover rapidly, not just to technical failures but across the entire organisational fabric—from people to process to platforms.

• Visibility, collaboration, and automation are foundational to effective resilience strategies.
  Organisations can’t respond to what they can’t see. Smith underscored the importance of unified visibility across legacy systems, cloud environments, and IT/OT infrastructure. This must be paired with integrated detection and response capabilities, cross-team collaboration, and strategic automation—to reduce fatigue, enrich intelligence, and accelerate response without relying solely on manual intervention.

• Resilience must be planned, tested, and continuously evolved—not left in a drawer.
  Building a resilience blueprint means understanding critical assets, stakeholders, and dependencies, then testing plans through live simulations and involving third-party partners. A platform approach—capable of spanning cybersecurity, IT operations, and service delivery—is essential. Importantly, resilience is not just a technical imperative; it’s a whole-of-organisation mindset that enables governments to remain agile and responsive in the face of future uncertainty.

How can Agencies resource the cyber security they know they need?

Dr Greg Adamson, Portfolio Chief Information Security Officer, Department of Transport and Planning Victoria
Ramy Ibrahim, Cyber Security Advisor & Systems Support, Ports Victoria
Deepti Kasturi, Chief Information Officer and Acting Executive Director, Digital and Data, Victorian Building Authority, Victoria Building Authority
Vanessa Kyte, Cybesecurity Business Leader, OpenText

• Resourcing cybersecurity effectively starts with partnerships, pragmatism, and making risk relatable.
  In the absence of abundant budgets or headcount, panelists emphasised leveraging inter-agency collaboration, stakeholder engagement, and managed service providers (MSPs) to stretch capabilities. Rami Ibrahim illustrated how reframing cyber risks in terms of operational and community impacts (e.g. fuel access, port dependency) unlocked executive support. Deepti Kasturi and Greg Adamson highlighted secondments, resource sharing, and mutual advisory models as critical enablers for public sector uplift.

• Simplify priorities and focus cyber investments on what matters: data, people, and critical services.
  Vanessa Kite urged agencies to reduce complexity and shift from tool proliferation to purposeful alignment around protecting users and data. Rather than chasing tech trends, Greg Adamson warned against “AI hype” diverting attention from foundational risks. The consensus: identify your agency’s crown jewels and align cyber strategy and culture to defend them—not just tick compliance boxes.

• Culture, not just capability, determines long-term cyber resilience—and culture can't be bought.
  Uplifting cyber maturity means embedding secure-by-design thinking into daily workflows, not treating cyber as an IT silo. Kasturi detailed how persistence, trust-building, and team empowerment shifted VBA’s security culture over time. Panelists echoed the value of psychological safety and stress mitigation in cyber teams—removing unnecessary deadlines, valuing rest, and enabling people to perform under pressure without burnout. In tight fiscal environments, morale, trust and teamwork are your most powerful assets.

How to weaponise threat intel for protection

Dr Claire O'Neill, Detective Acting Superintendent, Australian Federal Police
Ash Smith, Principal Technology Strategist, CrowdStrike Australia and New Zealand

• Actionable threat intelligence is about context, not just indicators—understand motivations, ecosystems, and intent.
  The panel underscored the shift from relying on atomic indicators (e.g. IOCs) to contextual threat intelligence that highlights how, why, and where attackers operate. Claire O'Neill described how the AFP are using threat actor profiling and ecosystem disruption (e.g. bulletproof hosting takedowns) to anticipate attacks. Ash Smith reinforced that defending effectively requires insight into attacker tradecraft and infrastructure—not just signatures.

• Smaller agencies can punch above their weight by focusing on hygiene, collaboration, and intelligence integration.
  Lacking a dedicated CTI team shouldn’t be a blocker. The panel emphasised using cyber.gov.au, scenario exercises, and sector briefings (e.g. health) to close the capability gap. AFP stressed that most high-profile breaches stem from preventable missteps—like weak MFA, unpatched systems, and supply chain vulnerabilities. Practical partnerships, shared policy templates, and incident playbooks are key to transforming intelligence into protection.

• Cyber intelligence must be victim-centred, timely, and operationalised with clear business alignment.
  AFP reiterated that threat intelligence sharing should be safe, anonymised, and never punitive. The goal is to prevent repeated harm—whether through faster detection, global tracking of stolen data, or coordinated disruption. For organisations, the challenge lies in translating insights into real-time decision-making across IT and business units. Whether through automation, contextual triage, or policy-informed prioritisation, the emphasis was clear: intel only matters if it drives fast, informed action.

Navigating cybersecurity’s future: Achieving proactive security across Victorian Government agencies

Mick McCluney, ANZ Field Chief Technology Officer (CTO), Trend Micro

• Proactive cybersecurity starts with risk visibility and quantification.
  Trend Micro promotes a shift from reactive alert-based security to proactive risk exposure management. This means using rich telemetry across assets, identities, and cloud environments to assess, prioritise, and quantify cyber risk in dollar terms. For government teams, this enables more strategic conversations about cyber threats as business risks—elevating security from IT issue to executive priority.

• Contextual threat modelling enables predictive protection.
  McCluney underscored the need to understand relationships between assets, permissions, and data flows to map potential attack paths before breaches occur. By using advanced threat intelligence and predictive analytics, agencies can pre-empt lateral movement and safeguard critical systems more effectively. This arms security operations with foresight, not just hindsight.

• Cyber risk accountability must be shared across the organisation.
  A key advantage of quantifying risk is the ability to assign ownership—by project, department, or asset. This “democratisation” of risk fosters a culture where security is not siloed but embedded into every function. For Victorian public sector leaders, this offers a scalable model to drive cyber maturity and align security with broader operational and compliance goals.

Response and recovery: Best practices for government

Briant Kareroa, Sales Manager, Public Sector - ANZ, AC3

• Bridging cyber and operations teams is critical to realistic, resilient security.
  Carrero highlighted that many agencies struggle to meet rigid compliance mandates—like the ASD’s 48-hour patch window—because of disconnects between cyber and infrastructure teams. Instead of chasing perfection, leaders should focus on aligning security and operational priorities through shared platforms, collaborative processes, and practical risk-based decisions. This creates agility in remediation efforts without compromising core services.

• Sustainable vulnerability management demands a shift from numerical compliance to risk-informed prioritisation.
  Rather than reacting to endless vulnerability scans, organisations should assess threats based on real attack vectors, data exposure, and system criticality. This means accepting that some legacy risks must be carried and mitigated pragmatically—through ringfencing or compensating controls—while major application reengineering happens at a financially viable pace.

• Data availability must be central to security strategy, not an afterthought.
  High-performing agencies treat availability on equal footing with confidentiality and integrity. That requires accurate configuration databases (CMDBs), continuous system visibility, and active engagement with application owners to approve changes and allocate remediation resources. For public sector leaders, this means structuring cybersecurity around operational continuity—ensuring that in protecting systems, you don’t accidentally break them.

Building Resilience Against Modern Threats: Geo-Political Realities, the Protective Security Policy Framework and Victoria’s Cyber Strategy

Steven Woodhouse, Field Chief Information Security Officer (CISO) – Australia & New Zealand, Fortinet

• Cybersecurity is now inseparable from geopolitics—and Australia must prepare accordingly.
  As regional tensions rise, particularly involving China, Russia, Iran, and North Korea, cyber operations have become integral to statecraft, espionage, and warfare. Australia’s geographic proximity to contested zones like Taiwan and its alignment with allies (e.g. AUKUS, Five Eyes) increases its exposure. Woodhouse emphasised that understanding geopolitical motives behind cyber threats is crucial for agencies to align their security strategies with national defence imperatives.

• Cybercrime is a booming economy—outpacing many nations and disproportionately impacting SMEs.
  With cybercrime projected to be the third-largest global economy by 2027, agencies must acknowledge the scale of the threat. While small businesses are most frequently targeted, mid-sized entities bear the greatest financial losses. For public sector leaders, this underlines the importance of risk-based investment in cyber resilience, regardless of organisational size.

• Compliance frameworks must translate into practical, layered defence strategies.
  Woodhouse connected federal (PSPF) and state (e.g. Victoria’s Cyber Strategy) frameworks, arguing that while they align in intent, implementation often needs tactical focus. He urged organisations to embed resilience—not just compliance—through threat-aware planning, cross-sector collaboration, and adaptive technologies. Ultimately, strategies should be flexible, tested, and context-aware to counter evolving global and domestic threats.