Australian governments are the nation’s largest spenders on ICT, but they’re failing to maximise the leverage that market power gives them to drive improved cybersecurity and more secure supply chains. Government can harness its spending power not only to improve its own cybersecurity, but to drive better cybersecurity throughout the wider economy. However, current approaches are fragmented and have limited impact, so a concerted national effort is needed, underpinned by major strategic changes in approach.
This study is based on interviews with key stakeholders in government and industry and on a review of openly available material on government procurement approaches. While the focus is on Australian government procurement, state and local government procurement is considered where appropriate.
- The Australian government and the state and territory governments should establish a single coherent set of security standards expected from suppliers.
- The standards need to be more than just a tick-the-box exercise to set a minimum standard—they should provide multiple levels through which suppliers can seek to progress by continuous improvement.
- In order to protect sensitive data, secure managed enclaves should be used to minimise exposure to the risks of individual suppliers’ ICT systems.