Op-Ed: Australian organisations need federated authority to stay secure at scale

Centralised security control is no longer fit for purpose – federated security governance is the answer.


Your security team can’t make every security decision for every business unit across your Australian enterprise. AI aims to use data across every part of the business, attack surfaces are expanding faster than budgets can keep up, and security teams must operate more efficiently amid constantly changing software environments. Simply hiring more people or buying more tools cannot address these challenges at scale.

To keep pace, organisations need to rethink how they make security decisions. The most effective shift is to move away from centralised security control and adopt federated security governance. In this operating model, CISOs set enterprise-wide risk strategy and policy, while data owners and technical teams across the organisation implement controls within their respective business units. This gives technical teams the flexibility to apply policy in ways that suit their systems while maintaining clear accountability.

This direction aligns with what executives are already signalling. GitLab’s recent C-suite survey shows 90 per cent of leaders in Australia expect agentic AI to become the industry standard for software development within three years, yet their top concern is data privacy and security. The bottlenecks created by centralised authority will only hinder automation and innovation.


Why centralised security holds Australian businesses back

Traditional security models require CISOs to be experts across multiple business units that serve different audiences, each requiring a deep contextual understanding of the environment and its challenges. Data protection requirements, local regulations, and industry-specific compliance all introduce variations between business units.

In a federated model, technology leaders, whether from IT, engineering, or business units, have a deep understanding of the nuances of their assigned units. Their specialised knowledge helps to set a strategy that considers the right goals, technologies, workflows, and risks to deliver three immediate benefits that a centralised security authority can’t match:

Context-aware security oversight minimises friction and churn. Security decisions happen faster because they’re made closer to the action. Service and application owners already have the context and expertise to make optimal decisions within their scope of responsibility. Delegated authority allows companies to seize market opportunities, deploy new tools, manage fewer escalations, and reduce unnecessary friction or delays.

Flexible policies help teams adopt and benefit from emerging technologies. When governance cascades, security teams can evaluate how a new technology’s attack surface affects their business unit’s unique risk profile and set policies that define security boundaries based on data classifications and regulatory constraints. CISOs can establish broad organisational standards for a technology’s adoption, but their technical partners in the business ultimately own their unit’s implementation. The partnership approach ensures policies strike the right balance for productive adoption and avoid overly strict or broad security controls.

Scalable security authority accommodates organisational growth. Acquisitions, new product launches, or geographic expansions require security teams to take on new workloads and specialised expertise. Properly balancing what to centralise and what to federate is what enables scale. Identity and data governance are security domains that federate well on top of centralised technology platforms, provided the federated teams operate under careful policy governance. Business units can realise the velocity benefits by having the autonomy to manage, delegate, and provision access to their own services and capabilities.

Making the cultural shift work

For organisations prone to silos, rigidity, and top-down command-and-control cultures, adopting a federated model won’t be easy. The shift requires shared security ownership, with security leaders working as peers to ensure the adoption of new policies and frameworks goes smoothly. CISOs must establish standards and policies that account for the velocity and runtime operational realities of modern technology stacks if they want business units to adopt, not just be forced to comply with, security governance. Implementation partners must ensure their control structures are appropriate for the policy associated with their data classification.

In practice, that might look like a CISO setting data classification standards, while partner teams are responsible for implementing these standards as low-friction security policies and capabilities at the source of record for the data. Netflix’s security team is largely credited with pioneering the “Paved Roads” philosophy, achieving policy adoption success by building secure options that meet policy guidelines and making them the easiest ones for developers to use.

Outside of engineering, organisation-wide standards also need to offer flexibility and avoid becoming overly specific or narrow, so they remain relevant to each business unit. Self-service risk exception processes allow for special circumstances that consider the business context and impact, so security doesn’t unnecessarily hinder business unit functions.

The investment case for federation

As the role of the CISO continues to expand beyond its traditional scope, security investments are being judged not only on how well they reduce risk but also on how effectively they support broader business goals. Every dollar now needs to demonstrate measurable risk mitigation. Federation gives CISOs a more nuanced view of risk across business units, enabling them to drive outcomes that benefit the whole organisation.

As AI systems become more autonomous and deeply embedded in operations, the attack surfaces they create will quickly outpace the capacity of any centralised team to manage. For Australian enterprises, federation is not a future ambition but an operational requirement. It will reshape how organisations structure their teams, allocate budgets, and deliver security at scale.

For large, digitally complex businesses, the real advantage will come from how quickly they adopt federated authority and build a more collaborative security culture to support it. Organisations that embrace this shift early will be best placed to stay resilient, competitive, and trusted as AI-driven systems continue to expand.
