[This article was first published in December 2025 by James Turner.]
Another year is about to tick over, and Australia’s cyber defence posture continues to evolve, but mostly in rhetoric rather than in practice. We have matured in what we believe needs to be done, yet the delivery of those capabilities remains underdeveloped. In 2026, that execution gap will become impossible to ignore.
There are three strategic shifts we need to make. None is impossible but, as with most things, if it were easy it would already have been done.
Firstly, as the internet and technologies continue to evolve, and as criminals continue to capitalise on this sprawling complexity, we need to make security simpler. To help make things vastly easier for staff and customers, Australia should embrace passkeys, which remove the need for passwords and substantially help protect people against phishing scams. No security is perfect but passkeys are a substantial improvement over what is currently presented to Australians from most of our local online services.
Widespread deployment of passkeys goes directly to helping reduce friction for customers, many of whom would love to do the right thing but find technology challenging.
Also, software vendors should strongly reconsider charging extra for single sign-on. Charging extra for expanded business value is fine, but charging extra for security is rapidly falling out of favour with enterprise buyers because it puts a financial barrier in front of national security and safety. It's like charging extra for seatbelts and airbags.
Secondly, Home Affairs will soon be unveiling the Cyber Incident Review Board (CIRB). This body will be conducting no-fault investigations into significant cyber incidents in Australia, and we need their findings to be deep insights into culture and structure so that safety and security can be ingrained in how things are done.
It’s essential that the CIRB has practitioners with real-world experience who can shape its recommendations to be pragmatic.
The CIRB's true value will materialise when its lessons are rapidly adopted by regulators and, ideally, the AICD. This will ensure that painful incidents lead to systemic change. The process of addressing cultural and structural root causes must be done in collaboration with regulated entities to ensure the regulations achieve genuine risk reduction instead of being performative.
This mechanism of taking outputs from the CIRB and feeding them into regulators will provide a form of quality control for our national immune response. After all, to know and not to do is not to know.
Thirdly, Australia has a very serious concentration risk among our third-party incident responders, especially Mandiant, CrowdStrike and CyberCX/Accenture. This means that if we have a widespread incident that simultaneously affects several large organisations or a sector, or is indiscriminate, then we do not have enough third-party incident responders to support our companies.
These firms already operate near maximum utilisation, which is a sensible business model in normal times, but disastrous when multiple large incidents strike at once. These third-party providers do not have infinite scale and this must be acknowledged and planned for.
While I do not believe that Australia has a current cyber skills shortage, what I'm talking about is the difference between steady state operations versus surge capacity. Consequently, when a bad day hits we will not have enough trained and experienced incident responders to go around. Further, US firms could be directed by their government to prioritise support of US entities if the incident is global.
Government must work closely with the private sector to gain a comprehensive understanding of what capacity currently exists, and a plan to ensure critical systems are each allocated sufficient incident response resources before the bad day hits.
This work must be done soon because with rising Indo-Pacific tensions, failing to plan and prepare is planning and preparing to fail.
These three ideas are not the only things that need to be done, but each is critical. Each will make an outsized difference for Australia’s online security and safety.
Let’s make 2026 a year of cyber security action instead of hoping that awareness alone will suffice when the bad day comes.
James Turner is the managing director of CISO Lens, which describes itself as the "premier information sharing and analysis community for cyber security executives from the largest organisations in Australia and New Zealand."
techpartner.news provides a platform for guest opinion articles such as this one to foster debate within the IT industry. The views expressed in these guest opinion articles are those of the author and do not necessarily reflect those of techpartner.news or its publishers.