NSW's first CISO - focus on identity
Maria Milosavljevic: The NSW Government's first ever Chief Information Security Officer
The NSW government will reach out across the public and private sectors to build a strong cyber regime for the state under the government’s first chief information security officer Maria Milosavljevic.
“We are going to take a very collaborative approach,” said Ms Milosavljevic, the NSW Government’s just-appointed CISO, speaking at the Cyber Security Leaders 2017 forum in Sydney last week, on just her third day on the job.
“We have to take a networked approach. We have to work with partners, this is not something that can be done by one small team.”
For a strong cyber security regime to succeed, there needed to be a ‘cultural transformation’ within government that took cyber issues into account.
“We need strong identity solutions,” Dr Milosavljevic said. “Although identity doesn’t solve everything, it’s certainly a good pillar.” Co-designing cyber solutions across multiple stakeholders was also important.
Dr Milosavljevic said the proliferation of easily obtainable cyber tools was making it hard for regulators, enforcers and law makers to keep up.
“Anyone can become a cybercriminal today,” she said.
“Just the other day my thirteen-year-old son asked me for a VPN because he wanted to circumvent the security controls at his school. I told him no!”
“We’ve had thousands of years to codify the law around the physical world and physical threats, but we are babes in the woods when it comes to cyber.”
Dr Milosavljevic listed a range of disparate technologies, such as autonomous vehicles, gene editing, the Internet of Things and autonomous weapons, as challenges for state cyber security.
Government cannot cover this technological onrush alone and must partner up with the private sector, she said.
Meanwhile, the elephant in the room for everyone at the Cyber Security Leaders 2017 forum was the effect of the upcoming mandatory breach notification laws, which passed through parliament in February and go live in February 2018.
“Next year will be a game changer for cyber in Australia with mandatory breach notification laws coming in February,” said Nick Abrahams, partner and APAC Technology Practice Leader at international law firm Norton Rose Fulbright, which boasts 4000 lawyers across 58 cities around the world.
“We know from the experience of our US practice that once those laws came in various states over there the number of breaches jumped by one hundred, two hundred, three hundred percent.”
“The problem ceases to be one we can sweep under the carpet, which is frankly what everyone has been doing. Boards are aware there will be notification, but so far the response has been largely all about insurance.”
Mr Abrahams said boards were treating cyber risk just like any other commercial risk.
“Boards think they insure for the risk of somebody slipping and falling so they insure for cyber.”
Australian boards’ sense of security from considering or taking up cyber insurance was not necessarily well founded, Mr Abrahams said, because of the variation between cyber insurance policies.
But the market for cyber insurance will be hot. “We will continue to see cyber insurance really rise,” said Mr Abrahams.
Cyber vendors will come under increasing pressure from their customers over the next twenty-four months as the mandatory breach laws bite.
“You might have impeccable data handling processes yourself but if you are not managing your internal vendors very carefully and getting regular auditing of them then you are not doing your job.”
Cyber vendors would find it increasingly hard to avoid vouching for their products and services.
“Vendors have traditionally said it was hard for them to guarantee security. That will change because the law is going to oblige the vendor’s customer that they have to account.
“Vendors are going to have to stand up to higher levels of accountability,” Mr Abrahams said.
Increased information sharing around cyber threats between organisations was also a touchy topic at the event.
An attendee from a government agency asked the panellists about resistance to sharing information about cyberattacks, given that doing so could be perceived as a commercial weakness.
Craig Davies, the CEO of the Australian Cyber Security Growth Network and a former CSO at Atlassian, said it was a matter of building personal relationships with other CSOs.
Mr Davies said that while working at Atlassian it became imperative to share information with security officers from other cloud providers.
“We shared threat intelligence with a number of large cloud providers including people that you would think would be our competitors,” said Mr Davies.
“We did it because the bad guys are better organised than us anyway.
“Also the way you share information is done in a way that you are not sharing anything private or confidential – you are sharing indicators of compromise.”