Is Australia’s digital sovereignty now a strategic necessity?

As cyber threats grow and skilled professionals remain in short supply, the public sector is being urged to look more seriously at Australian-owned IT partners to build secure, scalable systems that keep control onshore.

Increasingly, Australia’s digital sovereignty challenge is no longer just a policy ambition.

For public sector agencies facing escalating cyberattacks, mounting compliance pressures and a chronic IT talent shortage, it’s become a strategic necessity.

This means governments at both federal and state levels should be shifting their procurement preferences toward sovereign IT providers – firms that offer not only deep technical capabilities, but also local accountability, cultural fluency and alignment with frameworks such as the Essential Eight and the Information Security Manual (ISM).

The Essential Eight, developed by the Australian Signals Directorate, provides mitigation strategies for protecting systems against cyber threats, while the ISM sets out best practice security controls for government agencies.

These frameworks are vital, but complex, requiring specialised knowledge and operational discipline.

This shift comes as the federal government’s Buy Australian Plan (BAP) and Digital Sourcing Framework is laying the foundations for reshaping the way technology partners are selected.

The BAP is designed to support local industry and ensure that taxpayer dollars are reinvested in Australia’s economy, while the Digital Sourcing Framework encourages agencies to favour providers that meet criteria around sovereignty, value, innovation and responsiveness.

In 2022‑23 alone, the Commonwealth spent $74.8 billion on goods and services, with more than $7 billion of that allocated to computing, software and communications services. There is now a compelling case for a growing share of this spend to be directed to Australian providers who can deliver secure services at scale.

That’s creating opportunities for firms like Brennan, an Australian systems integrator that has long served the enterprise sector and is now expanding its government footprint.

Brennan’s acquisition of Canberra-based CBR Cyber in March has significantly strengthened its cyber credentials and opened new doors in the public sector.

"By acquiring CBR, we are now far more accessible to government agencies and have cleared experts on hand to deliver the secure services they require. It’s fast-tracked our ability to serve government,” says Peter Soulsby, head of cybersecurity at Brennan.

“We have since accelerated the build of a sovereign SOC that will be able to deliver the highest levels of protection to the government. This investment will also benefit the hundreds of existing customers we service through our hybrid SOC today.”

Peter Soulsby, Head of Cyber Security, Brennan

The integration of Brennan’s national infrastructure and CBR Cyber’s public sector expertise positions the firm as a viable alternative to global systems integrators – offering scale and sophistication, but with boots-on-the-ground service and governance anchored in Australia.

But as Soulsby points out, demand for cyber expertise is rapidly outpacing supply.

"The real issue isn’t capability gaps, it’s volume," he says. "Everyone in cyber is working 30 to 40 per cent harder just to keep up. Demand has outstripped the system’s ability to deliver. The only way to catch up is by introducing new cleared, capable talent, which is not an easy task.”

The security workforce pipeline remains constrained by slow-moving processes, he says, requiring a co-ordinated effort between federal and state governments, and education providers, to build a domestic talent stream.

“But that’s a four- to five-year lead time," Soulsby adds.

Shared services models are gaining appeal as organisations adopt frameworks such as the Essential Eight or ISM. However, the user experience has become essential to implementation - if controls hinder day-to-day workflows, users may resort to workarounds, ultimately undermining security rather than enhancing it.

"Shared models help avoid this by bringing in tested IP and learnings from other implementations, so agencies don’t repeat past mistakes."

This pragmatic approach also extends to sovereignty itself.

"Sovereign IT isn’t just about location, it’s about resilience. In a future geopolitical scenario where we can’t rely on foreign partners, we must be able to support ourselves."

Peter Soulsby, Head of Cyber Security, Brennan

“Investing in sovereign IT is also an investment in Australian roads, education, and jobs, because tax and spending stay onshore. And cultural and operational alignment is especially crucial when responding to fast-evolving threats. Agencies need real-time agility – not just paper compliance – and access to cybersecurity experts who understand the local context.

Delivering that kind of agility increasingly requires more than just technical fixes. This mindset – of embedding security from the outset – is fast becoming the modus operandi for leading local operators.

“We don’t sell dreams. We deliver outcomes,” says Andrew Weir, federal manager at CBR Cyber. “And increasingly, that means designing systems where cybersecurity is built in from the start – not bolted on after the fact.”

As Soulsby notes, demand for locally based expertise will only grow as agencies seek tailored, context-aware support that navigates an increasingly complex cyber landscape.

"We may see a further 10 to 20 per cent spike over the next 12 to 18 months. With global supply chains increasingly unreliable, the safest way forward is to do this locally despite the economic complexity."

As agencies continue to modernise, sovereign partnerships offer a pathway that is not only secure and compliant, but also adaptive, resilient and deeply aligned with Australia’s national interests.

Read the article in full, and for free, here.