Chairperson’s Opening Remarks
Angelo Friggieri, Executive Director, Public Sector Industry Lead, CyberCX
- The opening positioned cyber as a pillar of national resilience, not an IT function: the organisations in the room run the essential services Australians rely on (health, transport, research, utilities, government services), so cyber leaders are now part of the “defence fabric” that protects society’s continuity, not just systems and data.
- The threat model was framed as shifting from loud, headline-driven breaches to quieter, longer-running intrusions with sabotage potential: the real concern is adversaries who dwell in networks for weeks to months (and in extreme cases well over a year), learning and staging—often alongside financially motivated and state-based actors operating in parallel.
- The “compliance to confidence” message was that tick-box security is no longer enough: resilience requires continuously understanding the environment and validating what’s been “fixed” (e.g., retesting after remediation), prioritising real risk over paperwork, and collaborating across agencies so defensive effort aligns to what matters most for public trust and national stability.
Securing Innovation Without Stalling It
Ian Pham, Chief Information Security Officer, Victorian Managed Insurance Authority
- Cyber risk aversion was reframed as a maturity journey: early-career security focuses on “stop everything dangerous,” but leadership maturity is learning which risks are real, which are manageable with controls, and how to enable progress without defaulting to being the organisational “killjoy.”
- Security was positioned as a business enabler when it aligns to enterprise risk and outcomes: leaders should understand the full risk register (people, financial, operational, opportunity) and reframe security investments in terms of what they unlock (e.g., “secure APIs to safely scale AI adoption”) rather than tools for their own sake—so funding and buy-in follow the organisation’s purpose (e.g., “help Victoria thrive”).
- Governance and assurance were called out as the real bottleneck, not innovation capability: delivery teams can build pilots quickly, but approvals still move at committee speed, so the practical fix is pre-approval patterns, “one-to-many” assessments, security embedded from day one, and selective use of AI to automate governance artefacts—paired with disciplined foundations (data quality + access controls), sandboxed rollout, and ongoing testing/monitoring to scale safely.
Zero Trust and AI - Strengthening Security, Reducing Complexity and Driving Innovation
Thomas Castell, Regional Director, Zscaler
- The talk positioned “data everywhere” as the modern government security reality (SaaS, cloud, endpoints, BYOD, third parties), where the biggest practical risks are still familiar but amplified: credential phishing, cloud misconfiguration, insider/accidental leakage, unsanctioned SaaS sprawl, and AI tools ingesting sensitive information that can’t be “taken back” once shared.
- Zero trust was framed as the operating model to regain control in that environment: trust is brokered per user-to-app connection (authenticate, authorise, micro-segment), while continuously inspecting data in transit—shifting the mindset to “least information is the new perimeter” (reducing what is shared, not just securing what is accessed).
- AI was presented as both the accelerant and the control lever: generative/agentic adoption is inevitable (with higher stakes as systems start taking actions, not just producing text), so organisations need to understand and govern their “information universe” first—using automated, AI-assisted data classification and policy enforcement (for data at rest and in transit) to monitor GenAI usage, stop sensitive uploads/exfiltration, and build resilience before the next wave of agentic systems and higher-consequence automation.
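The two points above (trust brokered per user-to-app connection, and inline inspection of data in transit so sensitive material is not sent to GenAI tools) can be shown in a small policy-decision loop. The following is an added example written for these notes, not code from Zscaler or the speaker. The application policy, role names, the "OFFICIAL: Sensitive" marking check and the identity and device-posture signals are all constructed for the example; in practice those signals would come from the identity provider and the endpoint agent.

```python
import re
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed per-app policy: which roles may connect, and whether the destination
# is allowed to receive data the inline classifier labels as sensitive.
APP_POLICY = {
    "hr-portal":  {"roles": {"hr"},                        "accepts_sensitive": True},
    "genai-chat": {"roles": {"hr", "analyst", "engineer"}, "accepts_sensitive": False},
}


@dataclass
class Request:
    user: str
    roles: Set[str]
    mfa_verified: bool    # identity signal, assumed already evaluated by the IdP
    device_managed: bool  # device-posture signal, assumed to come from the endpoint agent
    app: str
    payload: str = ""     # the data the user is about to send to the app


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, so that not every long number is treated as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"(?:\d[ -]?){12,18}\d")          # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MARKING_RE = re.compile(r"\bOFFICIAL:\s*Sensitive\b|\bPROTECTED\b")  # protective markings


def classify(text: str) -> Set[str]:
    """Label data in transit; an empty set means nothing sensitive was recognised."""
    labels = set()
    for candidate in CARD_RE.findall(text):
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            labels.add("payment-card")
    if EMAIL_RE.search(text):
        labels.add("email-address")
    if MARKING_RE.search(text):
        labels.add("marked-sensitive")
    return labels


def broker(req: Request) -> Tuple[bool, str]:
    """Decide one user-to-app connection. Every request is evaluated on its own
    signals; nothing is trusted because of the network it arrived from."""
    if not req.mfa_verified:
        return False, "authenticate: mfa-required"
    if not req.device_managed:
        return False, "device-posture: unmanaged-device"
    policy = APP_POLICY.get(req.app)
    if policy is None or not (req.roles & policy["roles"]):
        return False, "authorise: no-role-for-app"
    labels = classify(req.payload)
    if labels and not policy["accepts_sensitive"]:
        # The same data is fine for hr-portal but must not leave for a GenAI tool.
        return False, "inspect: sensitive-data " + ",".join(sorted(labels))
    return True, "allow"


if __name__ == "__main__":
    # Constructed sample: an analyst pasting a card number into a GenAI prompt.
    req = Request("alice", {"analyst"}, True, True, "genai-chat",
                  "summarise this refund: card 4111 1111 1111 1111")
    print(broker(req))
```

The order of the checks is the point: identity and device posture are decided before the application is even considered, authorisation is per application rather than per network, and the payload is inspected last so the decision can differ for the same user depending on where the data is going.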
Panel Discussion: Operational Technology & Cyber – Bridging the Visibility Gap
Dr Greg Adamson, Portfolio Chief Information Security Officer, Department of Transport and Planning Victoria
Anafrid Bennet, Chief Information Officer, Head of Technology, Security and Property, Greater Western Water
Rue Maharaj, Cybersecurity Defence Management, Melbourne Water
- The discussion highlighted that IT/OT convergence is expanding the attack surface: previously isolated control systems are now being exposed to modern threats like ransomware and “living off the land” techniques, even though many OT environments were never designed to tolerate that kind of intrusion or downtime.
- A key theme was that separation and segmentation are still doing a lot of heavy lifting in transport OT risk management: keeping OT environments unlinked (even between OT domains like traffic lights vs ticketing) reduces lateral-movement risk, and “connecting everything into one flat network” was framed as a major anti-pattern.
- The takeaway for critical infrastructure leaders is that modernisation must be purpose-led and safety-led, not FOMO-led: security teams need to explain risk in plain language (“speak truth to power”), recognise OT’s higher duty of care (no “fail fast” mindset), and treat resilience as both pragmatic regulation (e.g., SOCI structure + partnerships) and an emerging challenge—because OT vulnerability backlogs are growing even when attackers aren’t yet monetising them at scale.
Securing Efficiency: Identity and Agentic Systems for a Smarter Victorian Public Service
Will Harrington, Identity Strategist APJ, SailPoint
- The presentation highlighted the “efficiency gap” the VPS report is trying to close (e.g., $5B in savings over five years) through concrete citizen and workforce friction points—like the multi-site, document-heavy kinder enrolment process and the slow onboarding of VPS staff—where “swivel-chair” admin creates cost, delay, and errors.
- The core argument was that identity governance and lifecycle management is a prerequisite for reform at VPS scale: a central identity, authoritative HR sources, and automated joiner/mover/leaver processes become critical when you’re restructuring hundreds of entities, consolidating boards/committees, and shifting staff across departments—because every move is also a security and access-risk moment.
- Agentic AI was positioned as the next layer that can automate cross-system workflows (for citizens and for staff), but only if it’s secured like a privileged actor: agents need explicit access controls, traceable ownership of service accounts (static or ephemeral), tight data boundaries to prevent leakage/hallucinated cross-domain exposure, and monitoring to reduce Shadow AI—ideally supported by an AI Centre of Excellence setting guardrails without stifling productivity.
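The joiner/mover/leaver reconciliation from the second point, and the requirement in the third that agent service accounts have a traceable, still-active owner, come down to comparing an authoritative HR feed against what is actually granted. The following is an added example for these notes, not SailPoint code or anything shown in the session. The department baselines, the worker records, the grants and the service-account names are all constructed; a real run would read the HR system and the access store instead of the inline constants.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline ("birthright") entitlements per department.
BASELINE: Dict[str, Set[str]] = {
    "finance":   {"email", "erp-ledger"},
    "transport": {"email", "fleet-portal"},
}


@dataclass(frozen=True)
class Worker:
    worker_id: str
    department: str
    status: str                                # "active" or "terminated", as HR reports it
    previous_department: Optional[str] = None  # set by HR when a transfer is recorded


@dataclass(frozen=True)
class Grant:
    principal: str              # a worker_id, or a service-account name for an agent
    entitlement: str
    owner: Optional[str] = None  # for service accounts: the worker accountable for it


def reconcile(workers: List[Worker], grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """Return (action, principal, entitlement) triples that bring access in line
    with the authoritative HR source. The HR record decides; the access store follows."""
    by_id = {w.worker_id: w for w in workers}
    held: Dict[str, Set[str]] = {}
    for g in grants:
        held.setdefault(g.principal, set()).add(g.entitlement)

    actions: List[Tuple[str, str, str]] = []
    for w in workers:
        current = held.get(w.worker_id, set())
        if w.status != "active":
            # Leaver: anything still held after termination is stale access.
            for e in sorted(current):
                actions.append(("revoke-leaver", w.worker_id, e))
            continue
        baseline = BASELINE.get(w.department, set())
        # Joiner (or anyone below baseline): provision the department's standard set.
        for e in sorted(baseline - current):
            actions.append(("grant-joiner", w.worker_id, e))
        if w.previous_department and w.previous_department != w.department:
            # Mover: entitlements carried over from the old department are flagged
            # rather than silently kept; this is the "every move is an access-risk
            # moment" case from the session.
            for e in sorted(current - baseline):
                actions.append(("revoke-mover", w.worker_id, e))

    # Service accounts are principals HR does not know about; each must map to an
    # active, named owner or it is orphaned and has no accountable human behind it.
    for g in grants:
        if g.principal not in by_id:
            owner = by_id.get(g.owner) if g.owner else None
            if owner is None or owner.status != "active":
                actions.append(("flag-orphaned-service-account", g.principal, g.entitlement))
    return actions


# Constructed sample: a joiner with no access yet, a mover from finance to
# transport who kept the ledger, a leaver who still has mail, and two agent
# service accounts, one owned by the leaver.
SAMPLE_WORKERS = [
    Worker("w1", "finance", "active"),
    Worker("w2", "transport", "active", previous_department="finance"),
    Worker("w3", "finance", "terminated"),
]
SAMPLE_GRANTS = [
    Grant("w2", "email"), Grant("w2", "erp-ledger"), Grant("w2", "fleet-portal"),
    Grant("w3", "email"),
    Grant("svc-report-bot", "erp-ledger", owner="w3"),
    Grant("svc-fleet-agent", "fleet-portal", owner="w2"),
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_WORKERS, SAMPLE_GRANTS):
        print(*action)
```

The mover case is the one that usually goes wrong in practice: nothing in the transfer itself removes the old department's access, so unless the reconciliation compares what is held against the new baseline the ledger entitlement simply travels with the person. The orphaned-account check is the equivalent for agents: an agent whose owner has left is still acting, but nobody is accountable for what it does.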
Closing Panel Discussion - Governing at the Speed of AI: Ensuring Control, Accountability and Trust
James Fell, Executive Director Information Security and Data Governance, Court Services Victoria
Chantele Kovacevic, Manager, Digital Governance & Risk, Department of Jobs, Skills, Industry and Regions
- AI adoption across government is outpacing governance and oversight: without strong visibility into what tools are in use (especially when vendors introduce AI features by default), “Shadow AI” becomes the practical risk and control challenge.
- The governance response doesn’t need a brand-new framework, but it does need a faster, more adaptive operating model: reuse existing privacy, security, architecture, and risk controls, assess at the use-case level (not repeatedly at the platform level), and avoid creating another layer of tick-box compliance that can’t keep up with the pace of change.
- A responsible deployment pattern is emerging in high-sensitivity environments: apply a structured assurance framework (plus privacy and information security assessments), restrict risky user behaviours where possible (e.g., limit open-ended prompting), validate outputs using closed-case testing and parallel runs, and keep a human accountable for final decisions—using AI to improve efficiency, quality, and staff wellbeing (including reducing vicarious trauma), rather than automating legal or health decision-making.