The Canberra Times

The APS security blind spot putting Australians at risk

Australian government agencies spend considerable effort auditing their own people and systems against security frameworks. They run maturity assessments. They map controls to the Information Security Manual. They train staff. And then they sign a contract with a software vendor whose product was never built with security in mind, and the risk walks in through the front door.

Australian Information Security Association board director Scarlett McDermott, inset, warns against cyber security risks. Pictures supplied, Shutterstock

We've seen the pattern play out time and time again. Not sophisticated nation-state attacks slipping past elite defences, but ordinary vendor products with ordinary weaknesses, procured through processes that haven't asked the right questions.

In 2024, e-prescriptions provider MediSecure suffered a ransomware attack that exposed the personal and health information of nearly 13 million Australians. The breach originated from a third-party vendor. Medicare card numbers, prescription details, home addresses. The agency's own systems weren't the point of failure. The supplier relationship was.

Earlier this year, Canadian transcription firm VIQ Solutions admitted to a data breach after subcontracting sensitive work to an offshore company, exposing federal and state court files across five Australian jurisdictions. This wasn't a technical exploit. It was a contracting discipline failure in a government procurement chain.

These aren't edge cases. They're the predictable result of a system that holds internal teams to high standards while giving suppliers remarkably little scrutiny. In both cases, stronger questions at the point of purchase could have changed the outcome. Procurement is the first line of defence, not the last. Supplier assurance needs teeth throughout the life of a contract, not just at signing.

Secure by design is now consensus. The Cybersecurity and Infrastructure Security Agency in the US has published principles for software manufacturers. The UK has done the same, with a clear emphasis on accountable risk owners and usable security. Australia's own cyber.gov.au guidance reinforces the approach for software development. AISA supports secure by design as a practical discipline that improves delivery outcomes.

But in Australian government procurement, that consensus hasn't translated into consistent practice. Sourcing panels and tender evaluations rarely weight a vendor's security engineering maturity in any meaningful way. The people evaluating proposals are often not equipped or empowered to assess it. Security might appear as a line in a compliance checklist, but there's a significant difference between ticking a box and understanding whether a product was designed to be secure from the ground up.

Government is one of the largest technology buyers in the country. That purchasing power is a policy lever, and it's only partially being used for security outcomes.

To be fair, government does require security assurance from vendors. IRAP assessments, ISO 27001 certification and Essential Eight alignment are common procurement requirements, and rightly so. But these frameworks assess how a vendor operates - how they handle data, manage access, and run their infrastructure. They don't assess how a vendor builds.

An IRAP assessment will tell you a cloud provider has strong access controls. It won't tell you whether the application running on that infrastructure was threat-modelled during design, whether the vendor uses secure development practices, or whether they have a vulnerability disclosure program that actually works. Government is checking the operating environment while largely taking the product itself on trust.

This doesn't require a revolution. It requires asking better questions at the right time. Can the vendor demonstrate a secure development lifecycle? How do they manage vulnerabilities in their product? What happens when a security issue is found post-deployment? Who is accountable?

These are questions that procurement teams, contract managers and senior leaders can ask today, within existing frameworks. You don't need to be a security engineer to insist on answers. You do need to accept that this is part of your responsibility. And yes, this means investing in procurement capability, giving evaluation panels access to security expertise and the time to use it, rather than expecting generalists to absorb yet another assessment dimension without support.

The view of the Australian Information Security Association, Australia's cyber security peak body, is that practical, well-governed delivery needs a few things to be true: accountable risk owners for services across their lifecycle, security embedded early in discovery and design, supplier due diligence that goes beyond compliance checklists, and shared responsibility for product security written into contracts rather than disclaimed away.

Applied to procurement, this means someone in the buying agency owns the security posture of what they buy, not just what they build. It means evaluation criteria that treat security engineering maturity as a weighted factor, not a footnote. And it means contracts that don't allow vendors to disclaim responsibility for the security of their own products.

Australian Information Security Association board director, Scarlett McDermott. Picture supplied

If you lead a procurement function, a digital delivery team or a government agency, you have a role in this. The most consequential cybersecurity decisions in government are often not made by security teams at all. They're made by people choosing which products and platforms to buy. That's not a criticism. It's a recognition of where the real leverage sits, and an invitation to use it.
