
In my last article, I discussed the value that can be driven by robust public/private partnerships and the importance of a constructive, transparent, well-defined relationship so each side gains value from the arrangement. You can read the article here.

Now, I’ll take an in-depth look at the issues that can help or hinder effective public/private sector relationships, starting with the importance of security.

One barrier to stronger public/private sector partnerships may be a lack of understanding of the critical role security plays in the Public Sector.

First, let’s define what we mean by security. Why do governments and their agencies face higher risks than private companies? Consider the following reasons:

  1. Protecting national interests – Government agencies hold sensitive data relating to national security, defence, intelligence, infrastructure, and diplomacy. Breaches could compromise Australia’s safety and sovereignty.
  2. Safeguarding citizen information – The Australian Public Sector (APS) manages vast amounts of personal information (health, taxation, identity, benefits). Security ensures privacy and prevents misuse, fraud, or identity theft.
  3. Maintaining public trust – Citizens expect government services to be safe and reliable. Strong security underpins confidence in digital services and online engagement with government.
  4. Compliance with law and policy – Agencies must meet legislative and policy requirements (e.g. the Privacy Act 1988, the Protective Security Policy Framework (PSPF), and the Information Security Manual (ISM)) that set minimum standards for protecting people, data, and assets.
  5. Resilience against evolving threats – The APS is a high-value target for cyberattacks, espionage, and insider threats. Strong security ensures continuity of government operations and services, even under attack.

What is meant by “security” in the APS context?

In the Australian Public Sector, security is a broad concept that goes beyond just IT or cyber. It generally means:

  1. Protective security – safeguarding people, information, and physical assets from harm, loss, or misuse.
  2. Cyber security – protecting ICT systems, networks, and data from cyber threats, intrusions, and attacks.
  3. Personnel security – ensuring staff are trustworthy and suitable to access sensitive government resources (through security clearances and vetting).
  4. Physical security – controlling access to government buildings, facilities, and physical assets.
  5. Information security – protecting classified and sensitive data (both physical and digital) to prevent unauthorised access or disclosure.

Together, these areas form a holistic security framework, often guided by the Protective Security Policy Framework (PSPF), which sets out principles for managing risks to people, information, and assets.

[Figure: Security differences between public and private sector]

Key differences: APS vs private enterprise security

While both the Australian Public Sector and most private enterprises take security very seriously, there are differences in the areas that require focus and how this is regulated and managed.

1. Purpose and accountability

  • APS: Security is about protecting national interests, sovereignty, and citizens. Agencies are accountable to Parliament and the public.
  • Private enterprise: Security is usually about protecting commercial interests, customers, and shareholders. Accountability is to the board, investors, and regulators.

2. Types of threats

  • APS: Faces state-based threats, espionage, terrorism, insider risks, and high-value cyberattacks, since government information is of national and international interest.
  • Private enterprise: Faces commercial risks, such as fraud, ransomware, intellectual property theft, and reputational damage — often financially motivated.

3. Frameworks and standards

  • APS: Must comply with mandatory government frameworks like the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).
  • Private enterprise: Generally follows industry standards (e.g., ISO/IEC 27001, the NIST Cybersecurity Framework) or sector-specific rules (e.g., APRA CPS 234 for regulated financial institutions, PCI DSS for card payments). Compliance is often risk-based and not as prescriptive as APS rules.

4. Information sensitivity

  • APS: Deals with classified and sensitive national information (e.g., defence, intelligence, diplomacy). Data loss could threaten national security.
  • Private enterprise: Holds confidential business or customer data (e.g., intellectual property, financial records). Data loss impacts competitiveness and trust, but not usually national security.

5. Personnel security

  • APS: Staff undergo security clearances (Baseline, Negative Vetting 1 (NV1), Negative Vetting 2 (NV2), Positive Vetting (PV)) with strict vetting, ongoing monitoring, and insider-threat programs.
  • Private enterprise: May conduct background checks (police checks, reference checks), but usually not at the same level of rigour unless handling government contracts.

6. Physical security

  • APS: Embassies, defence sites, and government offices require high-level physical protections against espionage, protest, or terrorism.
  • Private enterprise: Physical security is more about protecting offices, assets, and staff safety – often less complex than APS requirements.

7. Transparency

  • APS: Breaches and incidents may need to be reported publicly (and scrutinised by the media, Parliament, or inquiries).
  • Private enterprise: Breaches may be disclosed only when legally required (e.g., Notifiable Data Breaches scheme), and reputational considerations often drive how much is revealed.

In short, private vendors need to fully understand these differences between the public and private sectors and be prepared to meet public sector expectations proactively and consistently, knowing that this attracts extra cost and effort. The vendor needs a willing mindset and robust processes to take on additional levels of compliance, which may require a capability uplift within its own business operations to align its processes and people with public sector frameworks.

This may include:

  • Obtaining clearances; the level required depends on the role. Holding a clearance does not by itself grant access to information: access is still governed by the ‘need to know’ principle, not by clearance level or job title alone.
  • Team members with clearances must be cautious about sharing information on public sector clients. Private organisations accustomed to discussing client information freely may need to adapt this approach.
  • Following Government frameworks such as the PSPF, noting that unauthorised disclosure of official information can also be a criminal offence under the Criminal Code Act 1995.
  • Recognising and disclosing early any conflicts of interest between the public interest and commercial interests.
  • Ensuring that public sector issued equipment, such as laptops, is never left unattended, even amongst non-cleared colleagues.

At Sensei, we have developed practices that align with these expectations.

  • Our Project and Portfolio Management software, Altus, operates within the agency’s own Microsoft tenant, so all access and administrative rights are controlled by the agency, not by us as a third party.
  • Our team has undertaken Australian Government Security Vetting Agency (AGSVA) training, holds the requisite security clearances and follows AGSVA notification policies, such as disclosing overseas travel.
  • As specialists in Portfolio and Program Management (PPM), Sensei inherently respects the fundamentals of good governance: disclosure, risk management, issue identification and management, budget management and tracking of measurable outcomes.
  • By implementing Altus as the PPM software for public sector agencies, we further strengthen both our clients’ and our own security position through the guardrails the Altus software provides.

We appreciate that, even within Public Sector agencies, access to information between departments and divisions also needs to be carefully managed.

  • For this reason, Altus processes and stores data entirely within the agency’s own Microsoft tenancy. This allows the agency to host its data in the location that best meets its data sovereignty, regulatory and governance requirements.
  • Within Altus we also provide secure layers between roles within an agency. Extending beyond our standard role-based user access, we use Business Units to handle complex requirements down to individual Project, Program and Portfolio access. This enables flexible separation of access to data, reflecting the need-to-know principle.

In summary, when working with the Australian Public Sector, security is about protecting Australia’s people, information, and resources from threats, ensuring trust in government services, and safeguarding the nation’s interests. Every private vendor should approach this seriously in its public/private sector partnership.

Ready to align with public sector standards? Discover how Sensei can support your journey by getting in touch today!