Australian Public Sector Cyber Readiness in May 2026: A Frank Assessment
Australian public sector cyber security has been the subject of substantial policy attention since the major incident sequence of 2022 and 2023. Multiple frameworks have been updated, capability mandates have been issued, and budget commitments have been made. The May 2026 picture is one of meaningful progress on some fronts and persistent gaps on others, and the gap between policy ambition and operational reality is wider than it should be.
The Australian Cyber Security Centre’s various uplift programmes have produced measurable improvements in the participating agencies’ baseline security posture. Asset visibility, basic vulnerability management, multi-factor authentication coverage, and privileged access management have all moved forward across the Commonwealth and most state public sectors. The improvements are real and the cumulative reduction in routine attack surface is meaningful.
What hasn’t moved as much is the harder layer — application security, identity governance at the granular level, third-party risk management, and operational technology security in the agencies that operate physical infrastructure. The reasons aren’t unique to public sector — these are hard problems everywhere — but the policy framework around them has been less effective than the framework around the more tractable basics.
Where the genuine progress has happened
Multi-factor authentication coverage. The proportion of public sector users who access systems via MFA, including for legacy systems that previously lacked it, has expanded substantially. The remaining gaps tend to be specific edge cases (vendor service accounts, machine-to-machine credentials, legacy applications with technical constraints) rather than the broad coverage gaps that existed three years ago.
Asset and configuration management. The agencies that have invested in proper configuration management infrastructure have achieved meaningful uplift in their ability to know what they have, what state it’s in, and where the changes are happening. The gap between the better and worse agencies on this dimension is substantial, but the better ones have moved forward genuinely.
Patch management cadences. The deferral of critical patches for operational reasons remains a problem in some agencies but the worst patterns of multi-month deferrals on critical-rated vulnerabilities have largely been addressed. The remaining issues are more about specific systems with operational dependencies than about systemic patch management failures.
Sector-level threat sharing. The functional cooperation between major Commonwealth departments and the participating sector partners on threat indicator sharing has improved over the past 24 months. The mechanisms for getting useful threat intelligence to defenders quickly enough to act on it are working better than they were.
Where the gaps persist
Identity governance at granular permission levels. The number of public sector users with access permissions exceeding what their roles require remains substantial in many agencies. The role engineering work that would tighten this is unglamorous, time-consuming, and politically difficult. Most agencies that have started it are years from finishing it.
Third-party and supplier risk management. The dependencies on commercial vendors, cloud service providers, software suppliers, and managed service partners are extensive across all major public sector agencies. The visibility into these third-party security postures, the contractual frameworks for managing risk, and the operational integration with vendor security incidents are all uneven. The major public sector incidents of 2022 and 2023 routinely had third-party components, and the structural drivers of that risk have not been fully addressed.
Operational technology security in agencies that operate physical infrastructure. Water utilities, energy infrastructure operators, transport agencies, health system operators all have OT environments alongside their corporate IT environments. The security maturity of OT environments lags corporate IT environments substantially in many agencies, and the integration risks between OT and IT remain a significant exposure.
Application security. The custom-built and customised software portfolios in major public sector agencies are extensive, and the security testing maturity for these systems varies enormously. The agencies with mature application security practices are doing well; the agencies without are routinely producing vulnerabilities that competent security testing would have caught.
The skills issue
The public sector cyber security workforce continues to be a structural constraint. The pay gap between public sector cyber roles and private sector equivalents has narrowed over the past two years but remains real. The retention of senior cyber security staff in public sector roles is harder than it should be, and the institutional knowledge loss when senior staff leave compounds the difficulties for the agencies that retain capability gaps.
The graduate and entry pipelines have improved through investments in cyber security training and through partnerships with universities and TAFEs. The workforce coming through is better-prepared than it was a decade ago. The bottleneck has shifted from “where do we find people” to “how do we keep them once they have a few years of experience”.
The policy framework
The Australian Cyber Security Strategy update of 2024 produced a clearer governance framework for public sector cyber security than existed previously. The accountability structures, the reporting requirements, and the resource commitments are more coherent than they were under the prior arrangements.
The execution remains uneven. Some agencies have used the strategy framework as a serious driver of organisational change. Others have used it as a compliance exercise that produces reports without producing material risk reduction. The variance reflects both leadership quality at agency level and the underlying complexity of the agency operations.
The policy reviews of the Privacy Act, the Critical Infrastructure framework, and the various sector-specific regulations have produced an increasingly complex landscape of overlapping obligations. The agencies that have invested in coherent compliance and risk management programmes are working through it. The agencies that haven’t are accumulating compliance debt that will eventually need to be addressed.
What I’d watch
Three things over the next 12 months.
The implementation of the Critical Infrastructure positive security obligation reviews. Multiple agencies and sector regulators have substantial work programmes to implement the obligations. The execution quality will tell us whether the framework produces material risk reduction or remains primarily a reporting exercise.
The cyber resilience of the public sector AI deployments now coming online. Agencies are increasingly using AI tools — Microsoft Copilot, similar productivity assistants, custom AI applications — across their workforce. The security implications of these deployments are real and the governance frameworks are still being established. The first major public sector AI-related security incident is probably a matter of when, not if, and the response to it will shape policy direction.
The success of the workforce uplift initiatives. Multiple programmes are aimed at building public sector cyber security capability, both through internal training and external partnership. Whether these programmes produce sustainable capability gains, or whether the trained staff continue to migrate to private sector roles at high rates, will determine whether the structural workforce gap actually narrows over the medium term.
The honest summary: Australian public sector cyber readiness in 2026 is meaningfully better than it was in 2022 but still substantially below where the policy ambition would place it. The progress is real. The remaining gaps are real. The work continues.