
Not a Breach of Trust, but a Test of It: Insider Risk Today

Written by Maddie Abe | Apr 22, 2026 6:34:05 AM

Over the past year, a few cyber-related news stories have quietly cut through the cyber security community, especially in the public sector.

One involved an NSW Treasury staff member allegedly exfiltrating a large volume of sensitive documents. Another, less locally visible but widely discussed in security circles, involved North Korean actors posing as legitimate IT workers to gain access to organisations from the inside.

On the surface, these cases look very different. One involves a trusted insider. The other involves deception at the point of entry. But through the lens of dozens of conversations I’ve had recently with CISOs across federal, state, and local government, they point to the same underlying reality:

Insider risk is changing and our traditional mental models are struggling to keep up.

While these cases are frequently discussed through a public sector lens, the underlying dynamics are not unique to government. Similar patterns have emerged across financial services, healthcare, technology, and other highly regulated industries. What distinguishes public sector environments is not the nature of the risk itself, but the operating conditions under which it must be managed: broad access, enduring trust models, shared platforms, and public accountability.

Insider risk is no longer just “someone we trust too much”

For a long time, insider risk was framed narrowly: a disgruntled employee, malicious intent, a clear breach of policy. Many security programmes are still built around that assumption.

What CISOs increasingly describe, however, is a much broader and more complex landscape.

In the alleged NSW Treasury case, the individual reportedly had legitimate access. The activity may not have immediately stood out as “wrong” in a traditional sense. In the North Korean fake IT worker cases, access was granted because the individuals appeared qualified, passed recruitment processes, and blended into normal operational workflows.

In both scenarios, the point of failure is not simply who the person was; it is how much trust modern systems must extend by default, and how difficult it has become to distinguish malicious behaviour from legitimate work in real time.

Trust is essential — but it now operates at scale

One thing that comes through clearly when speaking with CISOs is that trust cannot be eliminated from public sector environments or from other large, complex organisations that rely on delegated authority and professional judgment.

Central agencies, policy teams, health systems, and regulators all rely on people being able to move quickly across systems, data sets, and responsibilities.

This creates a reality where:
•    Access is broad, because the work demands it
•    Activity volumes are high, because the pace is relentless
•    Oversight is constrained, because teams and budgets are finite

The North Korean fake IT worker cases highlight how trust can be abused before someone even becomes an insider. The Treasury case highlights how trust can be misused after access has been granted.
Different paths, same challenge.

Legitimate access now carries legitimate risk

Several CISOs described a shift away from thinking about access purely in binary terms — authorised versus unauthorised — toward thinking about behaviour over time.

In modern environments, especially with cloud services, collaboration platforms, and automation:
•    Downloading large volumes of data may be part of the job
•    Working odd hours may reflect delivery pressure, not malice
•    Using powerful tools is often expected, not exceptional
This makes insider risk less about breaking rules, and more about identifying when patterns drift from what is expected or safe, something that is far harder than blocking a clear attack.

The fake IT worker cases add another layer: what appears to be a “trusted employee” may in fact be a carefully constructed identity, operating entirely within authorised boundaries.

Visibility matters more than intent

One striking theme across recent CISO conversations is a growing acceptance that intent is difficult (sometimes impossible) to determine early. What matters operationally is visibility.

Not intrusive surveillance, but the ability to answer basic questions with confidence:
•    What does normal activity look like for this role?
•    When does scale, timing, or behaviour begin to change?
•    Do we see activity in context, or only in isolation?
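
One way to turn these three questions into a check, as an added example that is not part of the original article: each user-day is compared with the baseline for its role, and it is graded higher only when scale and timing drift together. The records, role names, field names and the 3.5 threshold are constructed assumptions.

```python
from statistics import median

# Constructed daily summaries: (user, role, day, mb_downloaded, off_hours_share)
ACTIVITY = [
    ("ana", "analyst", 1, 110, 0.05), ("ana", "analyst", 2, 130, 0.10),
    ("ana", "analyst", 3, 125, 0.00), ("ana", "analyst", 4, 120, 0.05),
    ("ana", "analyst", 5, 600, 0.05),   # large pull, normal hours
    ("ben", "analyst", 1, 140, 0.10), ("ben", "analyst", 2, 115, 0.05),
    ("ben", "analyst", 3, 135, 0.10),
    ("ben", "analyst", 4, 900, 0.70),   # large pull, mostly off-hours
    ("cy", "data_engineer", 1, 950, 0.40), ("cy", "data_engineer", 2, 1000, 0.45),
    ("cy", "data_engineer", 3, 980, 0.50), ("cy", "data_engineer", 4, 1020, 0.40),
]

THRESHOLD = 3.5  # assumed cut-off in robust z-score units; tune per environment


def robust_z(value, peers):
    """Distance from the peer median in scaled-MAD units (outlier-resistant)."""
    med = median(peers)
    mad = median(abs(x - med) for x in peers) or 1e-9  # avoid division by zero
    return (value - med) / (1.4826 * mad)


def review_queue(activity, threshold=THRESHOLD):
    """Compare each user-day with its role baseline and grade it by context.

    One drifting signal is "watch"; scale and timing drifting together is "review".
    """
    by_role = {}
    for _user, role, _day, mb, off in activity:
        vols, offs = by_role.setdefault(role, ([], []))
        vols.append(mb)
        offs.append(off)
    queue = []
    for user, role, day, mb, off in activity:
        vols, offs = by_role[role]
        signals = {"scale": robust_z(mb, vols), "timing": robust_z(off, offs)}
        drifting = [name for name, z in signals.items() if z > threshold]
        if drifting:
            grade = "review" if len(drifting) == len(signals) else "watch"
            queue.append((user, day, grade, drifting))
    return queue


if __name__ == "__main__":
    for row in review_queue(ACTIVITY):
        print(row)
```

In this constructed data the data engineer's 1020 MB day is not queued at all, because that volume is normal for the role, while a smaller 900 MB pull by an analyst is.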

In highly constrained environments, many agencies have strong policies but limited visibility. Others have invested in monitoring but struggle to apply it proportionately without disrupting delivery. This unevenness matters, because insider risk often accumulates quietly.

By the time something clearly “looks wrong,” the impact may already be significant.

Leadership posture shapes outcomes quietly

Another insight that comes up repeatedly is the role of leadership mindset.

Where cyber risk is framed primarily as fear, punishment, or failure, people become more cautious about raising concerns or asking uncomfortable questions, which slows investigations. Where risk is treated as a design and governance issue, something to be surfaced and managed collaboratively, issues tend to be detected earlier.

This applies equally to internal staff and to hiring, onboarding, and third-party engagement. The North Korean fake IT worker cases are a reminder that recruitment, identity assurance, and ongoing verification are just as much part of cyber resilience as firewalls or detection tools.

What these cases invite us to reflect on

It would be inappropriate to draw conclusions about any specific incident while investigations are ongoing. But taken together, these cases invite broader reflection, not just for Treasury, but across government.

They highlight questions CISOs are already grappling with:
•    How do we balance trust and oversight without paralysing delivery?
•    How do we design roles and access assuming humans — and identities — are imperfect?
•    How do we invest in visibility when resources are finite?
•    How do we support teams to notice subtle signals without creating a culture of suspicion?

These are not questions with simple answers, and no single framework or tool resolves them entirely.

A shared challenge across complex organisations

Whether it’s a central agency, a hospital, a regulator, or a council, and increasingly large organisations beyond the public sector, the underlying conditions are similar: constrained resources, expanding digital reach, reliance on shared services, and growing human dependency.

The CISOs I speak with are not looking for silver bullets. They are looking for practical ways to strengthen visibility, clarify accountability, and adapt leadership approaches to a world where insider risk is no longer an edge case, but a normal condition to be managed thoughtfully.

Recent cases do not redefine the problem. 
They underline how constant and widespread it is.
