The keys to tech shift from one of the Commonwealth’s busiest CIOs


Digital transformation in a major department is a huge job. Have a risk management plan, but don’t lie awake thinking of everything that could go wrong, says Immigration and Border Protection’s CIO.

Form a plan, identify and manage the risks it involves, but don’t lie awake at night thinking about everything that could possibly go wrong.

That’s the advice of Randall Brugeaud, who has a rather complex and high-pressure job as chief information officer of one of the Commonwealth’s most technology-reliant organisations, the Department of Immigration and Border Protection.

“If something comes out of left field, then you just have to deal with it,” he told the Trans-Tasman Business Circle’s founder Johnny Weiss after giving a speech at one of the group’s business lunches in Canberra last week.

“I think, there’s 24 hours in a day and seven days in a week and sometimes I use all of them, but there’s no point in laying awake at night wondering about what might happen.

“We’re in an emotionally charged, highly volatile, business-led operational environment… it is 24-7, global, you really can’t sit there and just wonder about what might go wrong and stress about it.”

Brugeaud was there to give a helicopter-view update on “digital transformation” projects he has been leading in the big organisation — while, he noted, it continues bedding down the complex integration process that created it, and keeps on top of business as usual.

Of the three, he says keeping the lights on is the top priority: “If production for whatever reason stops working or looks like it will stop working, everybody stops what they’re doing and they work on our production environment.”

Brugeaud also listed a set of “enabling factors” he considers necessary for the success of the department’s transformative digital projects:

Support from the top: “Yes, the business transformation is absolutely critical but technology is actually being discussed at our executive table. We’ve had more discussions than I can remember about technology with our secretary, with our commissioner and with our deputy secretaries than I can ever recall. It is absolutely front of mind and being driven from the top.”

Risk management: “A very easy way to engage with risk is by not changing anything and just battening down the hatches and hoping nothing goes wrong. In order for us to transform, we do need to engage with risk in an informed way. It’s a matter of managing it, not being reckless in implementation.”

Collaboration and co-creation: “We have far more interaction, I think, between our consumers of services and suppliers of services, be they technology or otherwise. And that is really proving to be a powerful union.

The right people with the right skills: “I think this is one of our biggest challenges, particularly in Canberra, in government. There’s a lot of transformation happening right now and in order for us to be able to resource this with people who have the right skills, and are of the right character, it is a real challenge, I think.”

The capacity to exploit data and information: “When we distil down what we do as an organisation, we bring together information, draw insights, and then feed and support decision-making … either by people or systems. That’s really what we do. Yes, we have a whole lot that sits around that but fundamentally, our job is to ensure that the department makes good decisions.”

Secure and resilient systems: “As you enter the digital space you do open yourself up more to greater interest from the external community, or those who wish to exploit or penetrate our controls, [becoming] resilient being very important as we move to a more digitised and automated environment. We no longer have the fallback of manual processing.”

There’s still a lot more ground to be covered in cybersecurity for DIBP, according to the auditor-general’s latest cybersecurity report, which follows up on a 2014 audit of seven Commonwealth agencies including DIBP that found none were up to scratch.

This time, the audit office concluded DIBP was still not “cyber resilient” against external attackers, and it is still yet to fully comply with the Australian Signals Directorate’s top four mitigation strategies (along with the Australian Taxation Office).

Brugeaud said DIBP had made “a big investment in cybersecurity” and had begun a significant new program at the start of this financial year.