As agencies accelerate digital transformation and experiment with new technologies, the pressure to move faster is growing. But speed without security can create just as many problems as delay. In this interview, Stephen Woods, Chief Information Security Officer, Department of Justice WA, reflects on how government can support innovation without losing control of risk, why supply chain exposure and AI-driven vulnerability discovery are rising concerns, and what it takes to build guardrails that allow experimentation to happen safely. Stephen will speak at Government Cyber Security Showcase Western Australia 2026 in the keynote “Securing Innovation Without Stalling It” on Tuesday, 25 August 2026 from 12:50 PM to 1:10 PM. The session will look at how agencies can embed security into new initiatives from the outset, balancing risk, compliance and delivery pressures while enabling secure scale.
Explore the event: Overview page | Agenda page | Registration page
Public Sector Network:
What does securing innovation without stalling it actually look like in a government context?
Stephen Woods:
It is a difficult path. There is a lot of pent-up demand for new technology, and it is changing rapidly, especially with generative AI. In Stephen’s view, agencies need to be looking at these technologies and taking advantage of them, but the real challenge is working out how to do that securely and at speed inside a large bureaucracy that is often slow to adopt new technology. The goal is to protect the environment while still allowing innovation to happen quickly enough to keep pace.
Public Sector Network:
What are two or three cyber risks you are most focused on right now, and why?
Stephen Woods:
The first is supply chain risk. Stephen points to the techniques threat actors are using to get into environments through weak points in the broader software and development ecosystem, including open-source dependencies, credentials exposure and poisoned code. In his view, this creates an entry point that can expose organisations at scale.
The second is education around AI. That is not just about developer teams. Stephen says organisations need to bring the whole department up to speed, including citizen developers and other staff using increasingly accessible technology, so they understand how to do that securely and in line with policy.
The third is the speed and capability of new AI tools themselves. He notes that AI agents can now identify and chain vulnerabilities together far more quickly, which increases the urgency around patching, mitigation and moving away from older platforms with known weaknesses.
Public Sector Network:
So how do you move with speed while keeping the risk under control?
Stephen Woods:
For Stephen, it starts with guardrails. That means more than simply saying yes or no to a proof of concept. It is about being clear on the rules of engagement: making sure credentials are not shared, that proper development and test environments are in place, that there is a safe playground for experimentation, and that staff understand what those guardrails actually mean in practice. Logging and monitoring also matter, because agencies need enough visibility to know whether people are using tools in a compliant way.
He also notes that this is harder in legacy environments, especially where organisations are dispersed and the separation of roles, access, environments and logging is not always as clean as it needs to be.
Hear Stephen Woods at Government Cyber Security Showcase Western Australia 2026 in the keynote “Securing Innovation Without Stalling It.” His session will explore how agencies can embed security early, balance risk and delivery pressures, and use automation and integrated platforms to reduce complexity and support secure innovation.
Explore the event: Overview page | Agenda page | Registration page
Public Sector Network:
Has the cyber landscape changed over the last couple of years in a way that is affecting how you approach risk?
Stephen Woods:
Yes. Stephen says this year feels like a tipping point. Legacy technology and tech debt have been known issues for some time, but the pace at which those weaknesses can now be exploited has increased sharply. He points to the growing capability of AI-enabled tools to chain vulnerabilities together and accelerate attack pathways, which in turn raises the level of risk and changes how urgently organisations need to respond. In his view, that risk is higher than it was this time last year, and even higher than it was six months ago.
At the same time, he sees opportunity in those same tools. Some of the technologies increasing pressure on defenders can also help organisations mitigate the problem faster.
Public Sector Network:
That sounds like a balance between adopting new tools and making sure education and governance keep up.
Stephen Woods:
Exactly. Stephen describes decision-making in this space as difficult because the technology is moving quickly, and it takes time to understand it well enough to establish governance and make good calls. Communicating those decisions clearly across a large organisation is another challenge again. There are licensing issues, pent-up user demand, and the reality that people are already using some of these tools. The job is not simply to lock everything down, but to bring people on board, make them compliant, and still allow innovation to happen.
He also makes the point that agencies cannot afford to assess one technology deeply and then assume that will be the only tool people use. The pace of change is too high for that. What matters more is having consistent principles that can be applied across a fast-changing set of technologies, even if that is much harder to do in practice than it sounds.
Public Sector Network:
How much harder does this get when you factor in third parties, contractors and the wider ecosystem?
Stephen Woods:
Stephen says this is one of the hardest parts to define clearly. Information is shared across contracts, consultancies, developers, other agencies and non-employees, and AI use can cut across all of those arrangements. A consultancy might be using AI to help produce a report, while a contractor might be using it in code development. That raises difficult questions around boundaries, credentials, shared access, compliance and where responsibility starts and ends.
He notes that supply chain risk does not stop at third parties. In some cases it reaches fourth and fifth parties, which makes visibility and control even harder. At the same time, privacy and responsible information sharing reforms are creating more pressure to get secure information-sharing right across the ecosystem.
Public Sector Network:
What is another priority risk area on your radar right now?
Stephen Woods:
Post-quantum readiness is another current priority. Stephen points to the challenge of identifying where encryption is being used, getting ready to move to post-quantum standards, and managing certificate rotation more frequently. For him, one of the most significant concerns is the idea of “gather now, decrypt later” — the possibility that information collected today could be decrypted in the future as capabilities improve.
Public Sector Network:
What do you hope delegates take away from your session at GIW WA Cyber?
Stephen Woods:
The key message is that innovation and security cannot be treated as opposing forces. Agencies need to move faster, but they need to do it with stronger foundations, clearer guardrails and a better understanding of how fast the risk environment is changing. That means embedding security early, not layering it on after the fact, and making sure both governance and education keep pace with the tools people are already trying to use. This takeaway is drawn from the themes Stephen returns to throughout the interview and from the focus of his keynote session.
Join Government Cyber Security Showcase Western Australia 2026 to hear Stephen Woods unpack how agencies can secure innovation without stalling delivery.
Explore the event: Overview page | Agenda page | Registration page
Help your peers
Share what you've learned with fellow public servants