Key Takeaways: Government Cyber Security Showcase South Australia 2026

Government Cyber Security Showcase South Australia brought CISOs, police, regulators and industry to Adelaide Oval to reframe public sector cyber from IT compliance to national resilience — covering identity, AI-era threats, whole-of-state strategy and the cybercrime story behind the headlines.

Monica Mina 19 June 2026 · 12 min read

Chair Opening

Angelo Friggieri — Executive Director, Public Sector Industry Lead, CyberCX

  1. Cyber has moved from the back room to the centre of public trust. It used to be the domain of IT professionals decoding acronyms — Essential Eight, SOC, SIEM, IAM, EDR. Now it sits at the centre of how government delivers for community, especially in SA where the submarine program, AUKUS and a defence horizon planned to 2040 turn IP, research, health and small-business suppliers into pathways for adversaries. "We are only as strong as our weakest link across that ecosystem."
  2. This is the moment forcing a return to basics. Shadow IT now wears a chat-window interface. AI-enabled threats are a forcing function for vulnerability management, patching and secure-by-design — and an invitation to use AI deliberately on both sides of the equation.
  3. Tomorrow's risk is shaped by today's unresolved decisions. Three asks back to the room: stop chasing "the future of cyber" abstractions and decide what to do differently tomorrow; find a partner outside your usual circle; and be honest about the hard parts — legacy, funding, workforce gaps, supplier risk, AI governance.

Cybercrime That Hits Home

Adrian Daly — Detective Chief Inspector, Financial and Cybercrime Investigations Branch, South Australia Police · Detective Chief Inspector Michael Newman — Crime Intelligence Services, Queensland Police Service · Michael Billett — Deputy Director, Cyber Threat Intelligence and Incident Management, Office of the Chief Information Officer, Department of Treasury and Finance · Angelo Friggieri (Facilitator) — Executive Director, Public Sector Industry Lead, CyberCX

  1. The "it won't happen to me" mindset is the system's biggest blocker. SAPOL reviews a fresh mix of victims every morning — 16-year-olds in sextortion cases, residents losing $700,000 to investment scams, businesses with compromised email. SA mirrors national figures almost exactly: 7% of cybercrime against 7% of population. "It's not a matter of if you get scammed — it's a matter of when."
  2. Awareness without behaviour change is just noise. Most campaigns tell people what not to do — they should tell them what to do, with the impact of Slip Slop Slap. Singapore measures campaign effectiveness with baseline, mid- and post-campaign surveys; Australia largely doesn't. And where car-crash victims have a known recovery pathway, cyber victims have no streamlined psychosocial support path.
  3. Reporting works — but only if people know where to go and what to expect. Multiple channels (ReportCyber, Scamwatch, local stations) confuse victims, and not all loop back to investigators. SA's model is tight — ∼5,500 reports and $34M in losses YTD, with daily triage and immediate victim contact — running against the AFP-led JPC3's 72-hour financial kill chain. Faster reporting through ReportCyber means a higher chance of keeping money onshore.
  4. Collaboration is cyber's quiet competitive advantage. Cyber detectives speak across Australian states daily versus every 6–12 months for traditional crime. Worth borrowing: Japan's 7,000 volunteer phishing-site hunters; the Netherlands' offender-prevention continuum starting at age 8; Singapore's cyber-agency-with-police model; the UK's cyber-in-business-continuity drills. "The crooks don't know boundaries — and we shouldn't either."

Identity-Driven Cyber Defense

Will Harrington — Identity Strategist APJ, SailPoint

  1. The Qantas breach was an identity failure, not a "cyber" one. 5.7 million records were exfiltrated after a third-party Manila contact centre had a service-desk password reset without re-authentication, an over-entitled production account, and no out-of-band manager verification. "Identity management is having a bit of an identity crisis."
  2. Identity has four types — most agencies only catalogue one. Humans, machines (service accounts, RPAs, bots), third parties (cleaners, day-rate nurses, offshore operators) and agents (the fastest-growing class). Essential Eight, NIST, ISO 27001 and APRA CPS 234 all apply.
  3. Depth of identity is what makes a SOC alert decision-ready. Linking authoritative source → identity → entitlements → data → activity lets the system answer "who has access to board papers who isn't on the board?" — and feeds two-way signal-sharing with the SOC via the Shared Signals Framework.
  4. Agentic identity is the next unsolved control plane. APRA's early benchmark holds: every agent traceable to an accountable person and a defined tool relationship — the same joiner-mover-leaver pattern as a machinery-of-government change.

From Strategy to Impact

Sarah Mason — Deputy Director, Cyber Strategy, Policy and Engagement, Office of the Chief Information Officer, Department of Treasury and Finance

  1. Why SA went whole-of-state, not government-only. Cabinet approved SA's first whole-of-state cyber security strategy in June 2025, widening the original government-only plan after the Premier's March 2023 economic statement positioned cyber as core to SA's prosperity, AUKUS opportunities and reputation as "a partner of choice in an insecure world." A four-quadrant stakeholder analysis pulled in adjacent owners (State Records, Crown Solicitor's Office, Office for Data Analytics, emergency management) and stakeholders who didn't yet know they should be involved.
  2. Strategic foresight is how the strategy was actually built. Working with Dr Ariella Helfgott's Strategic Foresight Unit, the November 2023 workshop distilled eight critical uncertainties and four scenarios to 2031 — a "living the dream" leader state, disinformation eroding democratic trust, global conflict reshaping priorities, and concentrated investment widening digital divides. "Some have proven sadly to be quite prophetic." The vision: a cyber-resilient state delivered across three horizons, six years and 220 agency-led actions.
  3. Halfway through Horizon 1 — progress, unexpected wins, an unsolved measurement problem. 55% in progress, 30 completed, 10 awaiting lead-agency assignment. Deliveries include SAPOL's permanent cyber incident reporting team behind ReportCyber, DTF's whole-of-government cyber operating model and SA Cyber Security Framework, and Cert III/IV in cyber added to subsidised training lists. The honest open problem is linking activity to measurable outcomes — disentangling whether higher reporting means more incidents or better reporting.

Statewide EMR — Securing Connected Health

Wendy Sutton — Director Clinical Information Systems, SA Health · Alastair McDonald — Director, Strategy and Architecture, Digital Health SA, Department for Health and Wellbeing · Bryan MacDonald — Lecturer/Course Co-ordinator - Digital Health, RMIT University · Angelo Friggieri (Facilitator) — Executive Director, Public Sector Industry Lead, CyberCX

  1. SA now has Australia's only true single-record EMR. Ten years of work delivered one electronic medical record covering every SA hospital — metro and regional — with all clinical groups on the same record across every device. Patients no longer tell their story twice; discharge summaries reach GPs electronically within four hours of leaving an ED via My Health Record.
  2. Security needs to shift from per-vendor controls to standards-based architecture. A standards-based model — IRAP, Commonwealth standards, the SA Cyber Security Framework — replaces vendor-by-vendor cyber evaluation at the door. A parallel consolidate, rationalise, standardise program is tackling roughly 1,500 legacy applications. The working architecture is three-tier: systems of record protected at all costs, systems of engagement where innovation moves faster, and an interoperability layer between them. Recent third-party incidents all traced back to human error.
  3. Digital literacy — not tech-savviness — is the unsolved adoption problem. More than 1,000 clinical students cycle through a single RMIT digital-health unit each year, almost none arriving with an understanding of their privacy and data-sovereignty obligations. "Tech-savvy isn't the issue — digitally literate is."
  4. Treat EMR as change management — and lean on the Commonwealth for the next regulatory lift. Stick at it; don't run it as an IT project; co-design with all stakeholders. The next federal lift needed is SOCI Act expansion: ICU hospitals are critical infrastructure today, but the blood bank and pharmacy feeding them aren't — "you're only as strong as your weakest link."

Beyond Static Governance — Identity Security in the Agentic Era

James Darwin — Principal Solutions Engineer, Okta · Daniel Hughes — Chief Information Officer, Department for Education, South Australia

  1. AI agents are insider threats — and the data is already catching up. A recent SaaS-platform breach saw attackers take over an ungoverned, over-permissioned agent and reach full Google Workspace access. IBM's cost-of-a-breach report found 20% of breached organisations attributed the incident to a shadow-IT agent, with 65% of those leaking PII. A 10,000-user agency with five agentic platforms generates ∼150,000 authorisation decisions a day.
  2. Four identity-security gaps every agency should map. Shadow agents (staff signing up, SaaS embedding AI without opt-out); over-permissioned agents with admin access and long-lived keys; no user context behind generic credentials; no chain of custody when something goes wrong.
  3. Treat the agent as a first-class identity — human owner, zero standing privileges, full logging. Register every agent as a workload principal with a named human owner. Use a token-exchange service to issue short-lived, task-specific tokens. The CISO diagnostic: where are my agents, what can they connect to, what can they do?
  4. What this looks like in practice — SA's EdChat. Built in 2023 as a walled-garden generative-AI environment for SA students and staff, now deployed to ≈40,000 staff and ≈45,000 secondary students, with educators building and sharing their own agents. Identity tells the system a Year 7 user from a Year 12 user and adjusts the response accordingly — flipping the conversation from "are kids using this to cheat?" to "what's the educational benefit?"
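
An added example, not code from the session or from any vendor's product: a minimal token-exchange broker showing how the controls in point 3 close the gaps in point 2 (registered agent with a named human owner, one short-lived token per task, user context in the token, every decision logged). The agent name, scope strings, five-minute lifetime and HMAC token format are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

TTL_SECONDS = 300                      # assumed lifetime: a stolen token expires quickly
SIGNING_KEY = secrets.token_bytes(32)  # per-process demo key; a real broker uses a KMS/HSM

# Constructed registry: each agent is a workload principal with a named human owner
# and an explicit ceiling on what it may ever be granted.
REGISTRY = {
    "agent:leave-bot": {"owner": "j.citizen@agency.example",
                        "scopes": {"hr.leave:read", "hr.leave:write"}},
}
AUDIT_LOG = []  # chain of custody: one record per authorisation decision


class Denied(Exception):
    """Raised when a token is refused at issue or at verification."""


def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def _audit(decision, agent, user, scope, now, reason=""):
    AUDIT_LOG.append({"ts": now, "decision": decision, "agent": agent,
                      "user": user, "scope": scope, "reason": reason})


def exchange(agent_id, on_behalf_of, scope, now):
    """Issue a token for exactly one task scope, or refuse and log why."""
    entry = REGISTRY.get(agent_id)
    if entry is None:                   # shadow agent: never registered
        _audit("deny", agent_id, on_behalf_of, scope, now, "unregistered agent")
        raise Denied("unregistered agent")
    if scope not in entry["scopes"]:    # over-permission attempt
        _audit("deny", agent_id, on_behalf_of, scope, now, "scope not granted")
        raise Denied("scope not granted")
    claims = {"agent": agent_id, "owner": entry["owner"], "sub": on_behalf_of,
              "scope": scope, "exp": now + TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    _audit("issue", agent_id, on_behalf_of, scope, now)
    return body.decode() + "." + _sign(body)


def verify(token, required_scope, now):
    """Resource-side check: signature first, then expiry, then task scope."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        raise Denied("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise Denied("token expired")
    if claims["scope"] != required_scope:
        raise Denied("token not valid for this task")
    return claims
```

Because the agent holds no standing credential, the audit log answers the CISO diagnostic directly: which agents exist, what they asked for, on whose behalf, and what was refused.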

Securing the Digital Frontier — Lessons from the World's Cybercrime Front Lines

Detective Chief Inspector Michael Newman — Crime Intelligence Services, Queensland Police Service · 2024 Churchill Fellow

  1. The threat is now an economy in its own right. If global cybercrime were a country, it would be the third-largest economy in the world — projected at US$11.9 trillion in 2026, with ∼US$74 billion in ransomware damage and ∼A$33 billion lost by Australian businesses annually. The adversary mix has shifted from lone actors to organised transnational syndicates and state actors. An under-used asset: the AFP's cyber liaison officers, posted across at least five countries.
  2. A "fire alarm" for vulnerable Australian organisations — the UK Police Cyber Alarm. A passive DMZ collector captures firewall metadata only, aggregating into a real-time view of attack patterns and emerging vulnerabilities. In one case it flagged a Northumberland sawmill's CCTV system running admin/admin credentials; in another it surfaced a critical vulnerability within 13 minutes. Proposal: SA pilots a local PCA node, sharing intelligence with state police, ACSC and ASD.
  3. The operational engine room — joint incident response and operational sprints. Singapore runs a dual-track model: the cyber agency handles technical remediation while police runs the investigation in parallel. Australia's JPC3 is the foundation, but the missing format is the operational sprint used by US NCFTA and Europol EC3 — investigators, analysts and private-sector experts co-located for up to a month. Proposal: SA hosts an operational-sprint hub.
  4. Upstream protection — borrowing Hong Kong and Singapore's friction-by-design. Hong Kong's Scameter pauses transfers to flagged mule accounts with a pop-up warning; Singapore's Project Astro layers automated SMS alerts on top. Proposal: SAPOL and SA financial institutions partner on a localised Scameter-style API plus SMS alert. "Cyber resilience is a digital village problem."

SA Government Cyber Women's Panel — Pipeline, Retention and Culture

Emily Wingard (Facilitator) — Director, Cyber Security/ICT Services, Department for Education · Lina Condon — Security Architecture and Engineering Manager, South Australia Police · Ritu Sharma — Principal Cyber Security Industry Development Adviser, Critical Technologies, Department of State Development · Geetika Bassi — Cyber Security Specialist and ITSA, SACE Board · Sarah Mason — Deputy Director, Cyber Strategy, Policy and Engagement, OCIO, Department of Treasury and Finance

  1. There is no single door into cyber — and SA's pipeline is starting to reflect that. Panel members entered via external audit, software engineering, the Royal Air Force, technical support and a court IT-trainee role. Programs working in SA today: a 25-trainee SA Government cyber traineeship, the DTF Academy (now with a cyber stream), Cert IV in Cyber Security on DSD's subsidised list, and the Flinders Washington Internship Program. The recurring gap is internal pathways — service-desk staff who want to move into cyber but don't know how.
  2. Retention is reciprocity, meaning and levers beyond salary. People leave when growth and contribution aren't visibly reciprocated. The under-used lever the panel kept returning to is internal CISO-style rotation programs, with cross-agency and international secondments next. Public-service identity is a quiet but powerful retention force, and flexible working has a measurable effect. During a recent incident, an onsite counsellor drawn from the Employee Assistance Program was rated by staff one of the highest-value supports the organisation provided.
  3. Cyber culture beyond compliance — leaders set the floor. Treat cyber as a core business risk in every important meeting, not a once-a-year compliance module. Take the fear out of reporting — what staff hear after a click determines whether the next person reports at all. Research showed people still click even when an email is labelled "this is a phishing email"; click-rate alone won't change behaviour. Graduates aren't arriving with an understanding of information value — treat information like money.
  4. Collaboration is improving — but agencies still need permission to share what's working. The whole-of-state cyber strategy is the visible forcing function. The honest gap: the cyber security advisory group is still mostly OCIO-driven; agencies can contribute but don't, partly cultural, partly fear of being judged. What works is movement of people — an OCIO team member is currently seconded to SA Health to support its cyber program.

Tomorrow's Risk, Today's Decisions

Julie Wadham — Director of Partnerships South Australia, Australian Cyber Security Centre · Scott Julian — SA Lead, Cyber Security Engagement, National Office of Cyber Security · Miranda Shaw — Chief Information Security Officer, Australian Bureau of Statistics · Rami Tawil — Senior Security Solutions Engineer, Rapid7 · Angelo Friggieri (Facilitator) — Executive Director, Public Sector Industry Lead, CyberCX

  1. The vulnerability avalanche from frontier AI is months away, not decades. Frontier AI models are deconstructing the risk frameworks the profession has run on for a decade — chaining previously deprioritised vulnerabilities at machine speed into exploit paths the defence didn't account for. Intelligence is telling SA agencies that from July onwards an "avalanche" of vulnerabilities will start cascading; Counter Strike's most recent figure puts vulnerability-to-exploitation at four minutes. Patching agility is now a business imperative, not a nice-to-have.
  2. Legacy IT and post-quantum cryptography are the two unfunded risks already visible. Legacy IT remains an ACSC top-four push: "using an old screen door these days is not going to continue to be safe." The single biggest takeaway from the ACSC: undertake a cryptographic inventory now — locate where current crypto sits across cloud, applications and servers, and prioritise migration. "Saying 'it's not until 2029 or 2030' would be a massive mistake."
  3. Conformance over compliance — and resilience-led conversations with the business. "You can be compliant and still get popped." The Essential Eight is moving to a principles-based Essentials Series, with a consultation paper imminent. SOCI reforms have already moved that way, and Home Affairs is now layering Systems of National Significance with the newer Systems of Government Significance. When a vulnerability lands, the operational conversation must happen in plain language with data custodians: "what does one or two hours of downtime to patch actually look like in customer terms?"
  4. AI for defenders — and the whole-of-economy uplift problem. ASD's latest guidance — AI for Cyber Defenders — is the first time federal government has actively recommended adopting AI on the defensive side, with guardrails. The working US Department of State model puts AI agents alongside human SOC analysts, with the human pressing the final button. SA's defence supply-chain depth means primes, Defence SA and ASD are now jointly designing programs for SMEs that can't lift themselves. Storytelling is the under-used CISO lever — benchmarking against compromised peers and attributing the difference to specific controls is one of the most powerful ways to keep board sponsorship intact.
  5. Rapid-fire — what we'll regret tomorrow. Rami: failing to enable people — "if you don't give me Copilot at work, I'll open Claude on my phone." Julie: delaying the post-quantum cryptographic inventory. Scott: not using threat intelligence to detect, prevent or prioritise — "otherwise it's just noise." Miranda: not aligning AI ambition with real cyber risk appetite — "frank conversations needed when they're far apart."

Closing Reflections — From IT Security Manager to National Defender

Angelo Friggieri — Executive Director, Public Sector Industry Lead, CyberCX

  1. The day's three reframes. Cybercrime is a crime story — the substance is harm to human life. Connectivity is the dividend and the risk — every new connection extends the supply chain. Defence applies to every sector — "a CIO's enterprise remit doesn't capture what a lecturer puts on a personally-credit-carded AWS account."
  2. The structural conversation cyber leaders still need to win. Cyber still mostly reports through the CIO, which means most organisations treat it as an IT problem. The task: find partners — policy, operations, finance, executive — to elevate the conversation to the C-suite and board, framed as critical-system significance and organisational resilience. "You are not security managers — you are defenders of our national security and the resilience of our nation."
  3. The homework. Get back to basics on vulnerability management, patching and compliance fundamentals; use AI deliberately, securely and in production on both sides of the equation; and change the budget conversation so it's framed around resilience and national interest, not licence renewals. SA delegates asked the most questions and pushed hardest for collaboration of any city this season — "keep that, that's fantastic."

Published by

Monica Mina Head of Product, Public Sector Network