Identity is the new perimeter in public sector


Trish Everingham
Contributor

As public sector agencies accelerate their cloud migrations and adopt software-as-a-service platforms, their cybersecurity strategies must also evolve — and fast.

According to CyberArk head of public sector Derek Moir, securing both machine and human identities is now critical to prevent systemic breaches, and must be elevated as a strategic leadership priority.

“We used to talk about firewalls and perimeters,” Mr Moir told InnovationAus.com publisher Corrie McLeod on The Commercial Disco podcast.

“But today, identity is the new perimeter. If we don’t get this right — especially in government — we’re leaving the door wide open.”

CyberArk, founded over 20 years ago, was a pioneer in privileged access management. Today, it provides a broad suite of identity security tools that help organisations tightly control who, and what, can access sensitive data and systems. That includes not just employees, but also AI bots, IoT devices, software containers and cloud-based services.

Mr Moir warned that too many agencies are still treating identity narrowly as something that applies only to humans. But the modern IT environment is increasingly populated by non-human identities.

“AI agents, chatbots, containers, IoT sensors – all of these have credentials, permissions, and access rights,” he said. “And yet, 62 per cent of organisations don’t even consider them as identities. That creates a huge, unprotected surface.”

He pointed to a 1,600 per cent increase in machine identity-related attacks as evidence that cybercriminals are exploiting this gap.

Worse, many agencies separate identity management from cybersecurity, with responsibility sitting in infrastructure teams or outside the remit of CISO leadership.

“Identity must be part of your cybersecurity strategy,” Mr Moir said. “It’s not optional. And it has to extend to everything with access to systems – not just people.”

Public sector agencies have made significant strides in digital transformation, particularly since the pandemic. But according to Mr Moir, governance gaps remain, and culture is often the barrier.

“We’re still seeing audit failures across state and federal agencies,” he said. “That’s not just a technology issue; it’s a leadership one.”

He pointed to examples where contractors had administrator privileges left active for over a year after leaving government roles. These legacy accounts are high-value targets and clear indicators of poor governance.

“A lot of the time, it’s about convenience,” Mr Moir said. “Additional identity checks can be seen as friction, so they’re avoided.”

“But if you don’t enforce just-in-time access or privilege elevation, you’re giving people more access than they need, for longer than they should,” he added.

He called for the Essential Eight framework, published by the Australian Cyber Security Centre (ACSC), to be adopted as day-to-day operational policy, not just audit-time compliance.

“We need to embed identity at the heart of how we meet the Essential Eight, not treat it as an afterthought,” he said.

He also said that artificial intelligence is now part of the threat landscape, especially when used to manipulate trust and mimic identity behaviours.

“AI is being used to mimic officials, spoof IT helpdesks, and socially engineer staff with alarming accuracy,” Mr Moir said. “The aim is always the same: steal an identity, escalate privileges, and exfiltrate data.”

What makes this trend more dangerous, he noted, is the scale enabled by AI. “It’s no longer one attacker doing reconnaissance – it’s bots doing it at massive speed,” he said.

Whether in commercial or public sector organisations, identity misuse is a common root cause of breaches. “It’s the same challenge across both sectors,” Mr Moir said. “And the same controls apply.”

The looming disruption of quantum computing raises another concern: the cryptographic standards currently securing government and enterprise systems are expected to become obsolete.

“Quantum computers will be able to break today’s encryption quickly and at scale,” Mr Moir warned. “So, the challenge isn’t just the tech – it’s knowing where your encryption lives.”

He cited a recent example where a government agency suffered a two-day outage when a single certificate expired, because no one knew it existed.

“That was just one certificate. Imagine when it’s all of them,” he said. “We need to get quantum-ready now, starting with a full inventory of digital certificates and encryption assets.”

While some agencies are beginning to assess their exposure, Mr Moir acknowledged that broader awareness is lacking.

“How high that visibility goes in government? That’s a good question,” he said. “But it’s a bigger problem than we’re ready to handle right now.”
