James Henderson

An ecosystem approach to delivering digital identity in Australia

At the heart of the convergence between people and technology is digital identity – a delicate combination of experience and protection. Convenient and inclusive but secure and scalable.

Whether in the government corridors of Canberra or the enterprise boardrooms of Brisbane, digital identity is moving up the agenda item list across public and private sectors in Australia.

This is an approach accelerated by the adoption of cloud and mobile solutions yet curtailed by a rising threat landscape targeting sensitive data and personal credentials.

Somewhere in the middle is a market assessing how and when digital identity will be maximised. Is Australia on the cusp of change or stubbornly sceptical?

“That’s a big question,” acknowledged Phil Goldie. “But I would definitely say that this calendar year will prove to be a pivot point from an identity market perspective, particularly here in Australia.”

L-R / CW: Phil Goldie (Okta); Craig McGregor (Okta); Phil Siefert (CyberCX); Katy Gallagher (Minister for Finance, Senator); Noel Allnutt (Sekuro) and Danny Flint (KPMG Australia)

On paper, Goldie – speaking in his capacity as Vice President and Managing Director of Australia and New Zealand (A/NZ) at Okta – outlined that the reasons for such a pivot in industry focus are “very obvious” based on current market dynamics.

Identity is gaining ground because of:

  1. A rise in major breaches
  2. An increase in government focus
  3. A corporate commitment to consolidation

That’s the headline statement but underneath the surface, these core market factors are dovetailing to create heightened demand for digital identity solutions and strategies. Responding to increased end-user appetite is an ecosystem of vendors and partners – skilled up and in sync with both government and enterprise sentiment.

Rise in major breaches, identity targeted

For Goldie, Australia as a nation is “always under attack” – an assessment illustrated by an ongoing spate of high-profile attacks at an estimated annual economic cost of $33 billion.

The long-list includes DP World (November 2023), Latitude Financial (March 2023) and Atlassian (February 2023), in addition to Optus (September 2022), Deakin University (July 2022) and Red Cross (January 2022).

Meanwhile, the financial impact of a data breach on organisations in Australia is approximately $4.03 million. Taking an average of 204 days to identify an attack in the first instance, companies then require an additional 73 days to contain breaches.

“The major breaches of the past 12-18 months show that this is unfortunately becoming more common and more complex,” Goldie said. “That’s raising the profile of identity as a core technology because what is often stolen or compromised in the majority of these breaches is identity at a customer level.

“Then in a number of instances, the breach itself is happening due to a weakness in identity – not universally but certainly in many attacks that make the news.”

As a result, identity as a topic has been elevated out of a technical audience setting and into the boardroom arena.

According to KPMG, 84% of Australian CEOs consider cyber crime as the “main threat to growth” during the next three years, with 41% currently “underprepared” for an assault on corporate systems.

“Boards want to understand what’s been stolen and that’s often what we value most as organisations – the identity of our customers,” Goldie added.

As shared by Danny Flint – Partner, National Lead for Identity and Access Management at KPMG Australia – the corporate conversation has now shifted from “if to when” as businesses build resilience against an inevitable wave of attacks.

Discussions have shifted from restriction and prevention to a detailed understanding of data in the context of personally identifiable information (PII), placing increased importance on privileged access management (PAM).

“There’s more depth and nuance around where data is,” Flint shared. “PAM has become an elevated topic which has been picked up by cyber insurance companies. They can quantify the cost of a breach and therefore the cost of the premium.

“Organisational maturity is now being judged and measured whereas it wasn’t before – this has changed the market dynamic.”

Fundamental architectural decisions are now bubbling back to the surface, whether that be in-depth views of data stores, access rates, least privilege (PoLP) or zero-trust considerations.

“During the past 18 months, we’ve been busy through our advisory practice as organisations attempt to get their heads around the size and scale of the problem,” Flint noted.

“This isn’t a quick fix and because of that, transformation activity has stopped in places. But that cycle is ending and businesses are beginning to move forward. Three years ago, the market wanted bespoke solutions but now that’s changed – no customisation, just best practice.”

Demand for advisory expertise specific to identity has also accelerated at CyberCX, reflective of a spike in corporate maturity among board members.

“This maturity has given rise to large investments within this space,” explained Phil Siefert, Director of Strategic Alliances and Partnerships at CyberCX.

Danny Flint (KPMG), Phil Siefert (CyberCX) and Noel Allnutt (Sekuro)

“But many of our customers were in a relatively mature state anyways. Next-generation firewalls were deployed, Security Operations Centre [SOC] capabilities were strong and endpoint laptops were patched.

“Yes, work is always ongoing but this represents a much improved state due to the increased support from the board and senior management.”

All systems go in government, legislation passed

In the public sector, digital identity is fast becoming the cornerstone of government service delivery in Australia – a focus supported by work from Victor Dominello and the Tech Council of Australia as leading voices of authority.

The Digital ID Bill passed the Senate in March with the aim of putting in place the legislative framework to create an economy-wide Digital ID system in Australia, backed by “strong privacy and security safeguards” via accredited providers.

According to Katy Gallagher – Minister for Finance, Senator – recent data breaches have illustrated the importance of keeping Australians safe online.

“Digital ID makes it safer and easier for Australians to prove who they are online,” Gallagher said. “Australians will be sharing less personal information, which is held by fewer organisations, that are subject to stronger regulation – reducing the chance of identity theft online.”

A further $288 million has been provided to the scheme in Budget 2024, bringing total funding for the initiative to nearly $1 billion.

“The government’s focus on cyber security generally and identity more deeply has been key,” Goldie said.

“They are driving a very ambitious agenda around both and deserve credit for stepping up, especially how they reacted during some of the early breaches when the Albanese government came in. They’ve arrived at policy positions but also leaned in and helped organisations.”

Goldie was quick to accept that policy and funding in isolation are futile, commending government work in “proactively engaging” with the industry at the point of breach.

“That’s a strong example of the government being proactive in saying, ‘this is a problem that needs to be solved at a more national level’,” Goldie explained.

“But think about how identity is used in a variety of different ways in the day-to-day aspects of everyone’s life. The islands of identity that exist today – whether state government, federal government or in commercial businesses, plus consumer services – it’s a complex area.”

While the legislation will take time to kick into action, the move sends a clear market signal that customer experience is crucial but in parallel, so is enhanced cyber security.

“Identity has become the genesis of decision making for security and productivity decisions in Australia,” added Noel Allnutt, CEO of Sekuro. “It’s beyond a hot topic and is now a top priority to get right to maintain sustainable secure platforms.

“Our identity practice is run by industry leading CISOs and experts. We are aligned to zero-trust best practice and have an ecosystem of leading vendors that complement our identity practice.”

Identity in the context of enterprise consolidation

In Australia, identity is now widely considered as the primary enterprise security entry point for consumer and workforce applications. The stakes are high for organisations – this is a high risk but high reward game at the top end of town.

“Responsibility and ownership is also changing,” Siefert observed. “If you look at the personas responsible for identity in the past – it’s been under operations, in the office of the CIO, with security and also influenced by HR.

“Now it’s coalescing under the responsibility of the CISO, who holds a more holistic view in terms of security. This is driving the agenda forward well because projects are spinning up faster – funding and budget cycles are quicker to meet increased demand.”

Equally however, business conversations are also centred on extracting cost from the process in the pursuit of improved efficiency. As an estimate, a 1000-seat organisation in Australia could carry as many as 30-40 security tools and solutions.

“Licensing is impossible to manage and many are not being utilised at 100%,” Siefert explained. “How can we consolidate? That’s the key question.”

Katy Gallagher (Minister for Finance, Senator)

According to Moxie Research – which surveyed 208 IT security decision-makers in Australia during April 2024 – reducing business costs and improving efficiencies (60%) ranks as the top strategic priority for organisations during the next 6-12 months.

In the context of consolidation, the enterprise is in aggressive agreement that multiple security vendor products create:

  • Increased project costs: 86%
  • Additional risk / exposure: 85%
  • Implementation challenges: 83%
  • Operational challenges: 80%
  • Unnecessary complexity: 79%

“Cost is a constant conversation with every customer,” Goldie said. “This is ultimately about securing the enterprise and that continues to be the balancing dichotomy for organisations – how do we drive efficiency but not make any security trade-offs?”

As outlined by Moxie Research, seeking external consultation and guidance on cyber strategy (75%) remains a leading area of focus for local companies, triggering a need to align with market-leading cyber security partners (78%).

“There’s an element of ‘have and have nots’ at play currently,” Flint assessed.

Despite the direction of travel, acceptance still exists among many businesses that getting identity right is “too big of a job”. The legacy decisions of the past 10 years remain debilitating – the compromises of yesterday combined with the lack of funding today make a path forward tomorrow appear out of reach.

“The conversation is about simplification, getting the basics right,” Flint outlined. “The main demand we’re seeing is through that enterprise layer around consolidated platforms which ticks a lot of boxes in terms of ease of implementing and lowering the cost of ownership.”

There’s also less system integration cost in the mix, Flint acknowledged.

“We don’t shy away from that,” he clarified. “We want our clients to be secure for cheaper and that’s our role in the ecosystem.”

Once cost through consolidation is addressed, only then can transformation in the true sense of the word begin to take shape.

“Then we can move away from just cost and security and start to enable digital transformation,” Siefert advised. “Take our joint work with the AFL. The AFL iD is powered by Okta and CyberCX, allowing 20,000 members secure access to a number of digital products and applications.”

Pivoting to partners, enhancing ecosystem growth

At this stage of growth, vendors at the current size and scale of Okta – total revenue was $2.3 billion in USD during FY24, an increase of 22% year-over-year – switch market focus from direct to indirect.

Solving a market problem through a high-product fit naturally expedites global expansion and generates increased inbound demand.

Scaling quickly as a direct vendor is logical during the early phases and follows the path of many in the industry, especially in the software-as-a-service (SaaS) space. Notably, Okta’s subscription revenue came in at $2.2 billion during the past 12 months, an increase of 23% year-over-year.

“But then you reach a pivot point,” Goldie detailed. “And that is generally driven by a need to achieve broader access to the market but equally, because customers are demanding this. It’s not enough to just show up as a product, the market needs us to show up as part of an ecosystem.”

Value in the ecosystem extends to strategic partners such as CyberCX, KPMG and Sekuro among others – deeply ingrained into advisory services and managed security services. This is alongside technical and go-to-market integrations with alliance vendors like CrowdStrike, Netskope and Zscaler.

“As part of our natural evolution we’re switching to a partner go-to-market strategy much more aggressively,” Goldie confirmed. “This is a big commitment for Okta and represents an important part of how we scale but also provide better value to customers.”

Central to such efforts is the appointment of Craig McGregor as Director of Partners and Strategic Alliances across A/NZ at Okta.

“This is a very deliberate shift,” Goldie said. “Yes, Craig as part of that strategy but also across all our different functions – deeply embedding our partnering approach throughout the entire business.”

Drawing on more than 25 years of industry experience, McGregor arrives with a rich background in partnering and security. On both sides of the Tasman, channel leadership roles have spanned Sophos, Mimecast and SailPoint, as well as Check Point Software Technologies, Symantec and Adobe.

Phil Goldie and Craig McGregor (Okta)

“In joining Okta, I had a simple criteria,” explained McGregor, who started with the business in April.

“Firstly, is the market opportunity strong and are we in an industry leadership position within that? Will that open doors at both customer and partner levels? Secondly, is there a strong emphasis on customer relevancy and therefore, partner relevancy?

“Okta ticked both of those boxes and our partner-first strategy is already evident in these early days – it’s pervasive throughout the whole organisation and will be our primary route to market to win new business in a scalable and sustainable manner.”

Switching gears at a successful direct vendor is seldom easy, however. For McGregor, a key part of the internal process is consistent messaging and communication about the importance of embracing the ecosystem.

One significant factor is that as of today, Okta is a $2.3 billion business operating in a market housing $80 billion of investment potential. This isn’t a crowded space for partners to evolve offerings around identity, whether by industry or solution specialisation.

For example, in government, the Digital ID Bill is set to open up new doors into verifiable credentials and biometrics, which in turn will create demand for third parties to build tailored products. Alternatively, zoning in on customer experience and pure-play security for the workforce are also viable paths to growth.

“Each company will take a different lens and try to solve different aspects of the problem but the market isn’t limited,” Goldie affirmed. “It’s opportunity rich.”

For example, KPMG formed a strategic alliance with Okta in August 2023 as part of plans to scale identity and access management solutions. A dedicated team of over 20 Okta-skilled professionals was also established, supported by the advisory firm’s global capabilities.

“This alliance represents a multimillion-dollar investment by KPMG,” Flint added. “We see whitespace in biometrics and look forward to leading the way on the integration and transformation work.”

CyberCX – which has 65% of revenue assigned to professional services advisory work – has an eight-year partnership with Okta. Joint investments are both technical, in the form of certification, and commercial, specific to go-to-market engagement.

“We have partnerships with approximately 160 vendors as a result of our acquisitions but we’re making a real shift to those that understand our strategic approach to customers,” Siefert added.

“The next step is to shift into annual recurring revenue and managed services. Building those outcomes to be managed outcomes with Okta represents a big bet for our business.”

In February, Sekuro launched a zero-trust strategy services portfolio on the Amazon Web Services (AWS) Marketplace, a curated digital catalogue that customers can use to find, buy, deploy and manage third-party software, data and services.

The consulting service is a cyber security review delivered in partnership with Okta, CrowdStrike and Zscaler.

“Collaboration with Okta is front and centre with their platform acting as our primary choice to deliver customer value,” Allnutt added.

“We take a fully integrated end-to-end approach to identity and it’s all underpinned by Okta. Being aligned with Okta validates our commitment to build and deliver best-in-class solutions, it’s reflective of a deep understanding of the market need.”

From an Okta standpoint, ecosystem success can be best defined as aligning with partners capable of creating a market for identity in Australia, positioned as a strategic asset for organisations. This is dovetailed with a championing mentality of secure identity as an investment priority and a trusted foundation in a two-way engagement.

“Partners play a key role in pulling a complete solution together,” McGregor outlined. “Be prepared to invest in certifications and enablement to deliver more end-to-end solutions, whether that be through pre-sales, post-sales or implementation.

“Our job is to execute the partner strategy. The heavy lifting has been done so now our focus is on better understanding the business of our partners – better than our competitive vendors. If we can do that, we can help drive a unique value proposition to our current and prospective customers.”

In a direct message to the partner ecosystem, Goldie simplified Okta’s position further… “everything we do is with a partner – that’s it, there’s no complexity needed.”
