Digital leadership will only succeed when leaders understand that digital government is underpinned by trust. Trust means making sure that as we create our digital world, we are designing it to be as secure and resilient as possible. But how do leaders know what to do or if they have done this well?
I get asked this question a lot and by a range of people in different roles. So as part of my role as the NSW Government Chief Information Security Officer (GCISO), my team and I prepare useful guides for people in various roles.
What do the most senior leaders in an organisation need to know? Or what should they do to be prepared, protected and resilient? We provide the following advice to Secretaries and CEOs in NSW Government.
Navigating Cyber Security – Advice for Secretaries and CEOs (PDF, 209.33 KB)
The absolute must-dos for heads of organisation to get things started are:
1. Appoint a senior accountable officer who genuinely owns the risk
Ask yourself whether they really are the right person. For example, will they mobilise a whole-of-organisation response?
Your CIO will probably be busy addressing the technology issues, but who is managing the impact on your customers? Who is informing you and coordinating the public information?
2. Start talking about cyber security from a whole of organisation risk management perspective
Leaving this issue to ‘IT Security’ was last century. Right now, you will not be able to guarantee that your systems are 100 per cent secure, in the same way that we do not currently have 100 per cent safety on our roads.
So what can go wrong for your organisation?
Start by understanding your digital ‘assets’ – the information, online services or internet-connected infrastructure you operate.
How do you reduce the likelihood that they are compromised?
What happens (and to whom) when things go wrong (the consequences)?
Do you understand what your organisation is willing to tolerate – or what your cyber risk appetite is?
What can you do to reduce this risk?
For example, the Australian Signals Directorate (ASD) suggests that all organisations implement the ‘Essential 8’ mitigation strategies.
3. Develop a cyber incident response plan
Developing a response plan is critical because things will inevitably go wrong and if you’re not prepared, you could make things worse than they need to be.
Make sure it is a whole of organisation plan and not just an IT Security plan. Exercise it regularly – just like you do for fire drills. Involve your media and communications team, because if you experience a cyber incident you will want to communicate to your customers and stakeholders early, often and well.
Also make sure you know who you need to report an incident to – for example, the Privacy Commissioner if there is a data breach involving personal information.
4. Understand mutual responsibility intimately
Your risks are not just yours. Just as we all breathe the same air, we also all share the same internet.
Not everyone has good cyber hygiene, and viruses or other malicious software can travel quickly. We are all mutually responsible to each other for reducing the risks. Anything connected to the internet is at risk from anything else on the internet. This is especially important to remember every time you ask someone else to provide a digital service on your behalf.
Make sure that your service providers are held to the same standards you expect of your own people because you will ultimately be held accountable for their behaviour.
Also make sure your contracts are well designed for this. For example, you will want to ensure your service providers implement effective prevention controls (like the ASD Essential 8) and report incidents to you quickly.
Learn more about the Cyber Security Strategy.