Editorial

Public sector must be resilient by design to counter cyber threats – KPMG

The KPMG report also said that most public sector organisations have low levels of preparedness compared to other sectors when it comes to securing digital identities.

Posted 30 July 2025 by Christine Horton


With the increasing frequency and complexity of cyberattacks, public sector CISOs must shift their focus from trying to prevent incidents to building resilience for their organisation.

That is one of the key takeaways from KPMG’s government and public sector cybersecurity considerations for 2025.

The report said that robust incident response plans, regular testing and drills, and cross-functional collaboration can minimise the impact of inevitable breaches and ensure the continuity of critical services.

“By cultivating a culture of resilience throughout their organisations, CISOs can empower employees to become active participants in the defence against cyber threats,” it noted.

Another key consideration included in the report is digital identity. It said that most public sector organisations have low levels of preparedness relative to other sectors when it comes to securing digital identities.

“Often, this is attributable to insufficient investment and a lack of effective public-private collaboration,” it said. “The complexity of challenges such as trust, privacy concerns, and user experience is often underestimated. In federated government systems, alignment and cooperation across levels adds to the complexity. To overcome these obstacles and achieve a cohesive approach to digital identity, organisations must prioritise investment and collaboration.”

KPMG also said that for CISOs in the public sector, the stakes are particularly high.

“Digital identity systems play a vital role in safeguarding individual privacy, preventing fraud, and ensuring the integrity of sensitive data. A breach or failure of these systems can have far-reaching consequences, eroding public trust, disrupting essential services, and even compromising national security.

“As such, CISOs must prioritise the development and implementation of secure, transparent, and compliant digital identity frameworks. They must work closely with their teams to embed security and privacy considerations throughout the digital identity lifecycle.”

Key opportunities

KPMG listed public-private collaboration as a key opportunity for government, maintaining that governments, tech companies, and other related organisations all play critical roles in shaping digital identity frameworks.

“By driving cross-sector discussion and partnerships, cyber security professionals can help bridge gaps in standardisation, regulatory compliance, and best practices,” it said.

Similarly, KPMG urged regulatory alignment. “While navigating regulatory challenges is complex, alignment with regulations like General Data Protection Regulation (GDPR), DORA, NIS2 or eIDAS provides an opportunity for cybersecurity teams to establish best practices in compliance and strengthen trust in digital identity systems.”

KPMG advised public sector cybersecurity pros to:

  • Prioritise the fundamentals of cybersecurity, focusing on basic cyber hygiene rather than solely investing in the latest, ‘shiny’ technologies.
  • Maintain and document a comprehensive inventory of all systems, processes and assets — including the organisation’s ‘crown jewels’ — ensuring they are regularly patched and updated to help minimise vulnerabilities.
  • Develop and implement a robust cybersecurity awareness training program for all employees, cultivating a strong culture of security within the organisation.

‘Lack of understanding or trust in cyber tech’

“CISOs in government and public sector organisations face a complex web of challenges,” said Nicholas Fox, partner, head of government (justice), KPMG UK.

“Over the last five years, rapidly changing geopolitical developments and increasing tensions have resulted in an increase in cyberattacks on critical infrastructure. The sector is now focusing on improving resilience and reducing the associated risks with legacy IT infrastructures opening the door to an array of vulnerabilities for adversaries to exploit. Despite efforts to modernise and secure these systems, the sheer complexity and scale of the task remains overwhelming. In fact, according to KPMG research, a lack of understanding of, or trust in, new cyber technologies has made 65 percent of government and public sector organisations less confident about investing in these tools.”

In addition to the perpetual balancing act of addressing legacy systems, CISOs in this sector must also keep up with the rapid pace of emerging technologies, such as artificial intelligence (AI), blockchain, and quantum computing, added Fox.

“Amid these challenges, CISOs must find ways to bolster resilience and prepare for inevitable cyber incidents. This requires a shift in mindset from a purely preventative approach to one that also factors in detection, response, and recovery.”
