Building cyber resilience in Australia's public sector

The Australian public sector is navigating an increasingly complex environment. Geopolitical shifts, state-sponsored actors and sophisticated cyber threats are putting added focus on protecting sensitive government systems. At the same time, agencies are expected to safeguard citizen data while also meeting evolving regulatory and audit requirements.

These challenges also present an opportunity to strengthen resilience, adopt modern approaches to identity and access management, and build greater confidence in the systems that support essential services for citizens. Achieving this requires trusted partners — not just technology suppliers — who can help agencies build long-term cyber resilience.

Assurance and practical resilience

For government leaders managing sensitive workloads, there must be assurance that the solutions they are implementing meet the rigorous requirements of the Australian Government Information Security Manual (ISM). At the heart of this effort sits the Information Security Registered Assessors Program (IRAP). The IRAP assessment is more than a compliance checkbox — it accelerates secure deployments, shrinks procurement cycles and streamlines architecture reviews.

CyberArk’s recent completion of the IRAP assessment at the Protected level, for example, gives CISOs, CTOs and compliance officers the confidence that they are working with a partner whose controls meet the highest national standards for government environments. It also means agencies can deploy technology knowing that critical controls are already in place — strengthening resilience against evolving threats while ensuring compliance.

Yet assurance is only part of the challenge. Agencies also need to keep pace with evolving threats. To address this, the Australian Cyber Security Centre (ACSC) developed the Essential Eight, a maturity model that helps organisations progress from foundational practices to more adaptive implementations. Its focus is sharp: tackling the attack vectors government faces most often — identity compromise, privilege misuse, malware and endpoint exploitation.

The scale of the challenge is underscored by CyberArk’s Identity Security Landscape Report 2025, which found that 87% of organisations experienced at least two successful identity-centric breaches in the past year. With identity now the attacker’s preferred entry point, the Essential Eight’s emphasis on controls such as restricting administrative privileges, enforcing multi-factor authentication and hardening applications is not just best practice — it is essential to resilience.

For many agencies, however, applying the Essential Eight consistently is easier said than done. Agencies must manage the sprawl of human, machine and AI identities across hybrid environments, often while still relying on legacy systems. At the same time, they need to balance resilience with the demand for efficient citizen services — a combination that adds significant complexity. CyberArk works closely with agencies to operationalise the Essential Eight through a modern, risk-based approach to identity security. By embedding Zero Trust and least privilege principles, agencies can proactively defend against identity-based attacks, accelerate digital transformation, and demonstrate compliance while strengthening resilience at scale.

Navigating complexity with the right partner

IRAP and the Essential Eight are not the only frameworks in play. Agencies must also align to the Protective Security Policy Framework (PSPF), APRA CPS 234, ISO 27001 and regular Auditor-General reviews. Meeting these overlapping requirements can strain already limited resources.

This is where a partner’s role becomes critical. CyberArk helps agencies cut through this complexity with a unified identity security platform designed to reduce fragmentation and support audit readiness. It does so by applying policy-based automation to enforce MFA and privilege controls, providing immutable logging and reporting to demonstrate compliance, and integrating with the broader security ecosystem through its C3 Alliance — a network of leading technology providers delivering pre-integrated, certified and jointly supported solutions. In doing so, it acts as a bridge between policy mandates and operational reality, giving agencies the clarity and consistency they need to focus on outcomes.

For government leaders, the way forward is clear. The Essential Eight should be approached as a long-term roadmap to resilience rather than a tick-box exercise. Working with IRAP-assessed partners that can demonstrate certification, interoperability and ecosystem collaboration allows agencies to make identity security the foundation of cyber resilience. Every identity — human or machine — must be recognised as a potential risk vector.

In an era of escalating threats, agencies must be secure and auditable. Frameworks like IRAP and the Essential Eight provide the structure, but trusted partners provide the expertise to make them work in practice. With the right guidance to implement identity-first strategies, government leaders can navigate complexity, meet compliance expectations and strengthen public trust in Australia’s digital government future.

Top image credit: iStock.com/da-kuk