Skip to main content
Submit RFP

      In an era where digital threats are evolving at an unprecedented pace, the role of government and public sector security professionals has never been more critical. As custodians of citizens' trust, these professionals are tasked with the monumental responsibility of safeguarding the digital landscape. This involves both reacting to cyber threats and proactively strategising to stay one step ahead. 

      We have outlined three pivotal cyber security considerations for the government and public sector. These are critical focus areas with actionable strategies for leaders and their security teams to fortify resilience, drive innovation, and uphold trust in an ever-changing environment. 

      Consideration 1: Supercharge security through automation

      Enhanced security through automation is less a choice and more an imperative for multiple reasons:

      • the public sector is not immune to the global skills shortage in cyber security. It often has to compete with the private sector to retain talent with the required knowledge and expertise. The public sector tends to lose talent to the private sector, creating a vacuum of knowledge and expertise.
      • the public sector is under pressure for being too big. By investing in security automation, public sector organisations can help improve operational efficiency, reduce manual errors, and optimise resource utilisation, ultimately enhancing overall productivity and effectiveness. 
      • public sector organisations are continuing to expand their digital presence and adopting new technologies such as Generative AI. This can bring enhanced efficiency but also greater complexity. As agencies scale their security operations, they should be able to adapt to evolving threats and technologies without significantly increasing costs.

      Complexity of security ecosystems: Automation typically entails integrating various existing tools, systems, and processes. This is complex and requires thorough coordination. Compatibility issues, competing data formats and a lack of standardised interfaces can hinder seamless integration.

      Skills and resource gaps: Implementing automation within security processes requires specialised skills and resources around different technologies, programming, and scripting. Many agencies should ramp up or acquire their ability to effectively design, implement and maintain these solutions.

      Lack of awareness and adoption: Many organisations simply do not see the benefits of security automation or may be resistant because of perceived risks. Overcoming these challenges and fostering buy-in from stakeholders can be critical for a successful implementation.

      With the growing range of threats, prioritising what cyber security teams should focus on is key. Chief Information Security Officers (CISOs) should filter the noise to allocate resources to the most vulnerable areas. Cyber security leaders can start by defining the vision and strategy for automation in the context of larger organisational goals such as cost reduction and increased productivity. The next steps would be to determine execution through build versus buy decisions and ensure skills for continuous implementation. 

      With the growing range of threats, prioritising what cyber security teams should focus on is key. Chief Information Security Officers (CISOs) should filter the noise to allocate resources to the most vulnerable areas. Cyber security leaders can start by defining the vision and strategy for automation in the context of larger organisational goals such as cost reduction and increased productivity. The next steps would be to determine execution through build versus buy decisions and ensure skills for continuous implementation. 

      Consideration 2: Identity is owned by individuals, not institutions

      Many organisations continue to rely on manual or physical identity to process transactions, which can be inconvenient, inefficient, and full of security risks. When implemented correctly, digital identity can help alleviate these concerns, providing users with a secure and privacy-respecting experience that enables them to conduct online transactions anywhere at any time. This not only helps save time and effort for the system users but also streamlines the process for the institution.

      The NZ legal framework for digital identity is called the Digital Identity Services Trust Framework Act 2023, which came into effect in July 2024. Any organisation that provides digital services to its customers should understand the intent of the new framework. The Framework explicitly creates the conditions for public and private sector collaboration to build and provide services for organisations, citizens, and consumers. The primary purpose of the Framework is to create trust. For citizens, it’s particularly about trust in how their identity information is used. For businesses and other organisations, it’s about being able to trust assertions about identity and other information associated with an entity.

      Key concepts within the Framework include:

      • People control their identities – as per DIA’s website “People can decide what personal information to share, including when, how, and who with.” Much of how we design identity systems moving forward will need to adhere to this core concept.

      • Personal information will not be held in a centralised database. This means that information remains distributed, and any system needs to be highly connected. This will make the overall ecosystem significantly more resilient, if not more complex. An important part of this approach is that most identity information does not need to be stored and should never be stored.  

      • Moving away from storage is possible because digital identity service providers can assert identity on the users’ behalf in real-time – it’s no longer the responsibility of the citizen or the agency. This reality, combined with the users now being in control, will be the two biggest functional drivers of designing future identity systems; and should be considered in most fuure IT transformations.

      • Accredited identity service providers must meet a new identity management standard. Standards also apply to how public organisations manage identities. All standards are about reducing the occurrence of fraud and theft.

      Many organisations remain in the early stages of adapting their systems and processes to keep individual identity front and centre. Integrating digital identity into broader cyber security and resilience strategies is not just a technological imperative, but a crucial step toward more inclusive, efficient, and secure government and public services.

      Privacy concerns: Digital identity challenges persist, including excessive data collection, insufficient security measures and lack of transparency. Individuals are increasingly apprehensive about the potential misuse of personal information and unauthorised access to their stored data. Moving forward, addressing these concerns will be paramount, particularly in light of the requirements laid out in the Digital Identity Services Trust Framework Act 2023, which requires organisations to ensure the implementation of robust privacy safeguards and transparency measures to protect individual privacy rights.

      Security risks: Digital identity systems have become a target for malicious actors because of the value of the information that is being processed. Strengthening security measures, implementing robust authentication mechanisms, and protecting against unauthorised access continue to be ongoing challenges for digital identity systems.

      Enabling interoperability: It is vital to ensure that identity data can be securely and reliably accessed across different systems and/or jurisdictions. Defining an approach for consistent and reliable data exchange across different services and points of care remains challenging.

      User adoption: Building trust and encouraging user adoption of digital identity solutions can be challenging, especially among individuals unfamiliar with or sceptical of digital technologies. Educating users about the benefits, security features and privacy protections of digital identity can be essential to promoting broad acceptance and adoption.

      Enhanced individual empowerment: Giving individuals control over their digital identities can lead to greater engagement and trust in online services, aiding the adoption of e-government services.

      Innovative authentication technologies: New identity verification technologies, such as biometrics and blockchain, offer innovative ways to secure identities while respecting individual ownership. These technologies can enhance both the security and the convenience of accessing services.

      Adoption of zero-trust frameworks: Identity is a key supporting pillar of the zero-trust model. By implementing a robust digital identity, organizations can make large strides toward enhancing their overall security posture with strict access controls and continuous credential validation.

      Inclusivity and accessibility: Digital identity promotes inclusivity by providing equal access to services for all individuals, including those with disabilities, limited mobility or marginalized backgrounds. User-centric design principles and accessibility features help ensure that citizen services enabled by digital identity can become more inclusive and accessible to diverse populations.

      Some government bodies are already leading the way on identity management by rolling out official personal digital wallets and defining minimum requirements for identity service providers. One of the keys is to maintain a flexible approach that accommodates emerging technologies and new regulations. 

      Consideration 3: Cybersecurity and resilience aren't mutually exclusive

       

      Cyber-attacks and security incidents can disrupt critical government and public services, leading to significant economic, social, and political consequences. As government agencies collect, store, and manage vast amounts of sensitive information, including citizen records, financial data, and national security intelligence, cyber security is integral to public safety and national security.

      Organisations should acknowledge that many cyber incidents are inevitable and commensurate investment across the lifecycle (i.e., prevention, detection, response, and recovery) is necessary to help ensure true resilience in the event of a breach.

      Among government and public sector agencies, the integration of cyber security and resilience into organisational strategy remains a work in progress, with varying degrees of preparedness across different entities. This is largely because the sector’s approach to cyber security tends to be more reactive than proactive, often focusing on immediate threat mitigation rather than long-term resilience planning in the early stages of development. This is further compounded by resource constraints and a lack of engagement at a strategic level by security teams. With adequate resilience, government agencies can help minimise disruption and ensure operational continuity.

      Integrating cybersecurity and resilience into organisational strategy: Given how cyber security and resilience have been seen as disparate elements, the challenge lies in embedding cyber security and resilience as related foundational elements in overall strategic planning.

      Dynamic cyber and IT landscape: The ever-evolving nature of cyber threats, coupled with rapid advancements in technology (e.g. AI, the Internet of Things), continues to introduce new security risks and challenges for organisations. Building cyber security resilience requires adapting to these changes, implementing security controls, and helping to ensure that security measures keep pace with technological innovations, which is often a challenge with budgetary constraints.

      Compliance and regulatory requirements: Compliance with evolving regulatory requirements also presents a challenge for organisations. Meeting regulatory obligations such as PSR (Protective Security Requirements) while maintaining a strong security posture and operational efficiency requires careful planning, implementation and monitoring of security controls.

      Vendor and supply chain risks: Organisations often rely on third-party vendors, suppliers, and service providers for critical infrastructure and services. However, these third-party relationships can introduce additional cyber security risks. Managing vendor risks and ensuring the security of the supply chain are key challenges for building cyber security resilience. The siloed approach to managing vendors across government brings the added challenge of duplication of effort where multiple agencies use the same vendor.

      Integrating cybersecurity into business processes: Building cyber security resilience offers a unique opportunity to closely align organisational objectives with cyber resilience strategies. By doing so, agencies can proactively identify, prioritise, and address security risks that directly impact operational continuity and success. This alignment also enables agencies to enhance overall operational agility, innovation, and efficiency in an increasingly digital landscape.

      Enhancing collaboration: Building resilience requires collaboration and information sharing across agencies. By sharing threat intelligence, best practices and lessons learned, agencies can improve their collective cyber security posture, detect emerging threats more quickly and respond more effectively to attacks. Existing government information security knowledge sharing forums could benefit from further support from leaders in government to prioritise collaboration and become more action oriented.

      Building the right culture: Through continuous education and training, organisations can reinforce the role various team members can play in ensuring robust cyber security and resilience. This is particularly important for agency leaders outside of the cyber space. Where directors and trustees are trained to consider cyber risks to their organisations, senior executives often stay within their area of expertise. The culture element plays a critical role in cyber security breaches and resilience measures in the government and public sector as people are at the heart of operations and engagement with the public is often a key part of employees’ roles.

      For resilience, leaders are encouraged to develop a roadmap for how organisations can or should respond in the event of an attack next week, next month or next year. With periodic reviews, plans and frameworks can remain aligned with the evolving threat landscape.

      Supporting our clients in Aotearoa to digitally transform, thrive, prosper, and compete on a global scale.
      Read more
      Matthew Evetts
      Matthew Evetts

      Partner - Digital & Cyber

      KPMG in New Zealand

      We offer a broad array of digital solutions, including cyber cloud assessments, privacy automation, third-party security optimization, AI security, and managed detection and response.

      Get in touch with any questions about cyber security in the public sector.