As we've seen from the recent high-profile cyber attacks that have victimised millions of Australians, there is an urgent need for the cyber security industry to come together and develop workable solutions that can overcome the common challenges faced across the public and private sectors.
The Cyber Insights Series was conceived by the Hon Victor Dominello MP, Minister for Customer Service and Digital Government, to facilitate this cross-sector collaboration by bringing together cyber security experts from NSW Government, business and academia.
Each of the six Cyber Insights Series sessions was co-hosted by Cyber Security NSW and a relevant industry partner, providing a space for the cyber security representatives to share their experiences, insights and ideas for future initiatives on neutral ground.
Beyond Essential Eight
This session aimed to ensure that NSW Government is across industry best practice when it comes to cyber security frameworks. While the Australian Cyber Security Centre (ACSC) Essential Eight controls provide a valuable foundation for mitigating risk, NSW Government is looking to build our cyber security capabilities beyond this framework.
Co-hosted by CyberCX, the discussion provided a wealth of insights into how NSW could lead cyber security in Australia.
A recurring theme throughout the discussion was that while the Essential Eight added value as a starting point and benchmark for measuring progress, it was not the “be all and end all”. The representative CISOs (from the health insurance, banking and transport sectors) used the Essential Eight in conjunction with other frameworks, such as NIST and the MITRE ATT&CK Framework.
Alastair MacGibbon, Chief Strategy Officer of CyberCX, said: “Every organisation has its own unique operating context and its own unique risk profile. What is consistent for every organisation, in every sector of the economy, is the need to prioritise what is urgent without losing sight of what is important. Focusing exclusively on compliance can come at the cost of missing the bigger picture.”
While the NSW Cyber Security Policy does require agencies to report on their implementation of Essential Eight, the policy also asks agencies to take a risk-based approach to implementation. In addition, the policy outlines actions agencies should be taking outside of technical controls, such as cyber incident response plans, to improve their cyber security posture.
Third-party vendors were flagged as a significant risk, given that they often have access to organisational data and systems, but don't necessarily meet the same cyber security standards. Some of the CISO representatives called for a set of cyber security standards or a star-rating system that third-party providers would have to meet in order to win NSW Government contracts. This in turn would provide an indicative measure for private companies engaging third-party providers. NSW Government is assessing whether this would be viable and beneficial, and is looking at addressing the issue of high-risk vendors through policy frameworks. Consultation with state and Commonwealth jurisdictions is underway.
Over the course of the discussion, it became evident that many of the risk mitigation challenges faced by security teams are common across the sectors. For example, educating staff who don't have a technical background on cyber hygiene and acquiring skilled staff are two ongoing challenges for the whole industry.
A number of participants called for NSW Government to establish channels that would enable greater collaboration among cyber security teams from all sectors. Some suggested that a physical innovation hub would provide a space to facilitate such information-sharing.
Keith Howard, Group CISO at Commonwealth Bank, said: “I have found the cyber security industry to be very community spirited across the board – and actively nurturing that sense of community can be a powerful retention strategy. If we can become a centre of innovation, then we will attract the capability we need to better fill the industry-wide resourcing gaps.”
Cyber Security NSW is investigating new avenues to support closer industry collaboration, including an innovation hub, and will be holding a second iteration of the Cyber Insights Series in 2023.
Reporting Metrics and Evidence of Impact
For effective reporting, organisations need to assess their risks, prioritise them, determine appropriate controls and measure how these are being implemented. Co-hosted with CISO Lens, this session sought to explore how other organisations are measuring and reporting on cyber security metrics, and how this data is assisting cyber security uplift, in line with organisational objectives.
Christopher Neal, Global CISO of Ramsay Health Care, said: “There is an art and science to cyber security reporting. It's one thing to gather and collate data, and another to extract insights and translate meaning for leadership, so that they are informed in driving organisational cyber security improvements.”
For example, some attendees noted that when they showed executive teams reporting dashboards, they were too focused on 'turning metrics from red to green', without understanding how these metrics should be prioritised, based on their potential impact on the organisation's core service/product.
One representative from a major bank said that they tie their metrics to the customer journey and minimum viable product. This helps the leadership understand what cyber security metrics matter most, so that they can lead the necessary changes.
To improve its own operations and services, Cyber Security NSW has recently established the Cyber Insights and Performance team, which is establishing a Cyber Security Performance Framework that will help the branch prioritise its activities to ensure it is adding the most value for the whole of NSW Government. The team will take these learnings on reporting metrics to NSW Government entity leaders via the Cyber Insights Program Panel, which is designed to help guide these leaders in uplifting the cyber security performance of their organisations. Ultimately, Cyber Insights and Performance will use reporting metrics to identify whole-of-government cyber risk.
Vulnerability Disclosure
To leverage their expertise in this area, Cyber Security NSW brought on Bugcrowd, an Australian bug bounty and vulnerability disclosure company, to co-host the Cyber Insights Series: Vulnerability Disclosure session.
The central objective of this roundtable was to inform NSW Government's first vulnerability disclosure policy, which is currently being developed by Cyber Security NSW. “Arguably your greatest strength is understanding your greatest weakness, and moreover, disclosing it – this has particular application in the cyber world,” said Minister Dominello.
The branch's Policy Development and Coordination team was able to gather a wealth of knowledge about what a strong approach looks like from the perspectives of both the researchers who make reports and major organisations who have already embarked upon the vulnerability disclosure program journey.
The attendees resoundingly had positive feedback about implementing a vulnerability disclosure policy.
One representative from a major organisation said that their vulnerability disclosure program had helped them identify thousands of vulnerabilities that had not been picked up by their own teams. “With penetration testing firms you pay for effort – now we pay for output,” the representative said.
For their part, researchers noted the difficulties when there is not a centralised 'front door' for submitting vulnerability reports and set timeframes around when they can expect to hear back from an organisation. Once its vulnerability disclosure policy is underway, NSW Government will consider options for a standard entryway for reports. Cyber Security NSW is also evaluating adding vulnerability disclosure processes to the NSW Cyber Security Policy.
The roundtable identified the need for legislation to be amended, to ensure that those who report in good faith within the guidelines of vulnerability disclosure policies are not liable to prosecution.
Lyria Bennett Moses, Director of the UNSW Allens Hub for Technology, Law and Innovation, said: “Lack of clarity around computer crime legislation leaves those reporting vulnerabilities vulnerable. NSW would benefit from a 'cyber socket' to allow organisations to easily create vulnerability disclosure programs that are aligned to the legislation. Such assurance would in turn lead to a greater number of important vulnerability submissions.”
Following the session, some of the academic and industry attendees drafted a paper on the cyber socket for Minister Dominello, who plans to take it to the Commonwealth for consideration.
“It’s increasingly obvious that Australia faces a diverse and persistent array of cyber-borne threats, and that overcoming an army of adversaries would benefit greatly from an army of allies. State and Commonwealth legislation need to be in alignment to offer true protection to those who hack in good faith and report vulnerabilities in the interest of a safer internet,” said Casey Ellis, Founder of Bugcrowd.
“These types of legislative changes are starting to happen all over the world now, and Australia needs to soon follow suit if it is to welcome good faith vulnerability reports, rather than exploitation from threat actors.”
Critical infrastructure
NSW Government is responsible for the majority of the state's critical infrastructure, and we are well aware that we will remain a sizeable target for malicious threat actors. Led by Deloitte, the Cyber Insights Series: Critical Infrastructure session explored how NSW Government can complement the Commonwealth's Security of Critical Infrastructure Act to improve cyber security protections for NSW's critical infrastructure.
A central point of discussion was around the role of leadership and executive teams in uplifting cyber security, given that cyber risk is an organisational risk, not just a matter for cyber security teams. It's important that every member of an organisation is aware of their responsibilities when it comes to cyber security – and this needs to be driven by an organisation's leaders.
Helen Patton, CISO of Cisco, said: “You need every person in an organisation to be empowered when it comes to cyber security. If you see something that needs to be attended to, do you have the influence to make that happen? It can be very difficult to solve longstanding, expensive problems, so teams really need to have that top-down support.”
Cyber Security NSW has developed cyber security awareness training e-modules for NSW Government's executives, to ensure they understand their roles and responsibilities when it comes to leading the cyber security uplift of their entities.
In 2023 Cyber Security NSW will also be leading a whole-of-government (WoG) exercise to stress test and hone NSW Government's response to a significant cyber security incident. This will give NSW Government leaders a chance to assess their current processes and strategies, and adjust them in readiness for a real cyber security incident.
At the session, attendees also noted that there are two main ways to drive compliance: the 'carrot', such as incentives; and the 'stick', like mandated requirements.
Cyber Security NSW incorporates both these approaches in its initiatives to uplift the cyber security maturity of NSW Government. For instance, while it is mandatory for agencies to report against the NSW Cyber Security Policy, our teams also assist agencies with reporting and provide a range of services to help them improve their cyber security.
Women in Cyber
While most of the Cyber Insights Series comprised intimate roundtables of around 20 cyber security leaders, this session had around 60 women working in cyber security, from the C-suite level to those starting out in their careers.
Co-hosted by the Australian Women in Security Network (AWSN), this format allowed us to hear from a broad cross-section of women, about barriers they have faced joining or working in the cyber security industry. The aim of this session was to inform NSW Government's future engagement with female cyber security specialists, so that we can more effectively attract, train and retain women in this field.
A number of women said that shifting the perception of cyber security, through representation (especially at the leadership level), flexible work practices and mentorship programs, would help encourage more women to join the industry.
NSW Government has become a gold sponsor of AWSN, which runs a mentoring program that connects women at different stages of their careers to support their professional development. This sponsorship allows us to support AWSN's great work in fostering a connected community of female professionals.
Jacqui Loustau, Founder and Executive Director of AWSN, said: “Greater representation of women will go a long way to encouraging the next generation of girls and women to embark upon careers in cyber security. Stronger support networks for those women working in security will help us get there.”
Roundtable participants also noted the importance of employers understanding and valuing diversity in capabilities. Women who have experience in other areas may have transferable skills for cyber security work. Attracting these professionals could help fill the many resourcing gaps in the cyber security workforce.
The provision of career development opportunities across women's careers would help retain these staff as well.
To support the ongoing development of our staff, Cyber Security NSW is sponsoring 11 women who are working across NSW Government to complete a cyber security course of their choosing up to the value of $15,000. At the 2022 NSW Government Cyber Security Showcase held on 3 November 2022, Minister Dominello was able to congratulate the 11 women on this achievement: “These recipients were nominated by their managers because of the value that they're already adding to their teams, and more importantly, the vital service they are providing to the people of NSW.”
While greater visibility, mentorship and support for career switchers may help bring more women to cyber security in the shorter term, NSW Government is also looking into longer-term solutions. Cyber Security NSW is working with the Department of Education and industry to develop cyber security curricula, with cyber security elective modules already being trialled in secondary schools.
Protecting Mental Health
The heightened cyber threat environment has only increased the pressure on cyber security teams. To quote Cyber Security NSW's 2022 NSW Government Cyber Threat Report: “Research has shown the high-stress, high-risk and intense tactical environment of cyber security operations has a detrimental impact on frontline teams, leading to errors, decreased performance and burnout.”
At this session, we heard from around 60 cyber security leaders about how their teams are coping, which confirmed what we already knew – the industry is feeling overwhelmed and burnt out. As one participant said: “We expect perfection from our cyber security teams. We notice when something goes wrong, but there's little thanks for everything they help prevent.”
NSW Government has sponsored the not-for-profit Cybermindz.org, which co-hosted the Cyber Insights Series: Protecting Mental Health session. Cybermindz.org specialises in building mental resiliency within the cyber security industry. In 2023, select Cyber Security NSW staff, including those monitoring the dark web for leaked data, will complete Cybermindz.org's eight-week course to equip them with tools to prevent burnout.
“Athletes perform at their best when they train hard but allow their muscles sufficient time to recover – the same applies in high-stress jobs, such as cyber security. These staff need to be supported in protecting their mental health,” said Minister Dominello.
To ensure the welfare of our cyber security teams, who provide a critical service to NSW, Cyber Security NSW is developing support structures and investigating options that could be rolled out across NSW Government.
This inaugural Cyber Insights Series has been incredibly informative for Cyber Security NSW's specialist teams, and we will continue to use the insights gained to inform our coming policies and strategies. I'd like to thank all of our co-hosts who facilitated these discussions, as well as all the academic and industry representatives who came to share their expertise with us. Your contributions are helping NSW Government implement best practice approaches to cyber security as we build towards a cyber safe NSW.
Our Cyber Insights Series in 2023 will tackle another six cyber security challenges to develop potential solutions NSW Government can lead. If you would like to submit topics or be involved, please reach out to info@cyber.nsw.gov.au.