There has been a groundswell of attention and support for cybersecurity in the Victorian government, with recent high-profile breaches serving as a wake-up call for public servants, according to Victoria’s first chief information security officer John O’Driscoll.
It comes as the state government moves to treat cybersecurity incidents as emergency events along the same lines as fires and floods.
Recent large-scale breaches have helped to raise awareness in government of the importance of cybersecurity and its real-world impact. In June about 14 Victorian government agencies were impacted by a breach of human resources software provider PageUp.
Mr O’Driscoll, who discussed the issue at the ISACA OceaniaCACS conference in Melbourne, said this served as a wake-up call for those in government and the public sector in Victoria.
“As a professional you think you have to scare the crap out of people for them to sit up and take notice, but there’s a fine line between fear, uncertainty, doubt and being informed. They do recognise that things are happening, and PageUp helped with that,” Mr O’Driscoll told InnovationAus.com.
“My team was able to take the lead role in coordinating the state’s response to that, helping with consistent communications and messages.”
A large focus of the Victorian government’s cybersecurity strategy has been its incident management and response, with a trial conducted in July of a mock cyberattack.
“The state has practices for fires and floods and those types of emergencies, and we recently had our first cyber exercise that we ran on that. We’re going to be more focused on incident management response,” Mr O’Driscoll said.
“Going forward you won’t be judged on whether you had a cyber incident, you will be judged on how you respond to it.”
“[The test] scared the crap out of me – going in front of the Premier and Cabinet. They’ve never done one of these tests before so it had a high visibility and high risk, but it went really, really well.
“Government is now prepared to say that cyber is one of the normal things we have to rehearse and prepare for.”
The state government has developed cyber emergency governance arrangements with Emergency Management Victoria, aiming to ensure that cyber threats are considered by critical infrastructure owners and operators as a real threat.
Mr O’Driscoll is approaching his first anniversary in the role as the first ever CISO in the Victorian government. In this time, his team has more than doubled to nine people, and a significant focus has been changing the conversation around cyber, from an IT risk to a general business and government risk.
“Too many business people say it’s IT and the CIO will look after it, but it’s a business risk and the CIO can help you, but you have to take accountability for it. The second part of changing the conversation is moving from exclusively compliance to risk management,” he said.
Mr O’Driscoll is embedded in the Department of Premier and Cabinet, with the government adopting a whole-of-government approach to cyber.
“There are 297,000 public servants in Victoria and there are hundreds of entities that employ staff. I don’t have the authority to direct departments and agencies to do stuff, so I have to try to influence them,” he said.
“I wanted to develop that level of trust so if something is broken or not working, it’s better to fess up to it. I’m not going to kill the messenger, but we need to understand what we need to fix.”
“That has been different in the past. People are now coming to me and are prepared to tell me stuff in confidence, and then I can help them come up with solutions.”
The appointment of a CISO was a key tenet of the state government’s cybersecurity strategy, officially unveiled in August last year.
Mr O’Driscoll is now responsible for driving the implementation of the strategy, with 14 items completed, seven in progress and two yet to commence.
The three-year cyber plan was launched to address known and emerging issues for information security and infrastructure security, with 23 key facets.
A big part of the strategy is improving government procurement to better service local cyber providers, something which has historically been “diabolical”, Mr O’Driscoll said.
The strategy also looked to combat the impending skills gap that the entire Australian cybersecurity industry is facing. Mr O’Driscoll is aiming to create a new pay scale in the public sector for cyber and data analytics, and has also taken a number of students from the Box Hill TAFE cyber course for a 12-month rotating placement within government.
Before taking the state CISO role, Mr O’Driscoll served as a private sector IT risk and governance specialist, with 20 years’ experience in IT, most recently at ANZ, AMP and the Commonwealth Bank.