Maria Milosavljevic became the New South Wales government’s first chief information security officer in March, after two years as both chief information officer and CISO at the anti-money laundering agency AUSTRAC, and five years as the Australian Crime Commission’s CIO.
She’s also an adjunct professor with the University of Canberra, and is giving a keynote presentation about how cyber security does not have to inhibit “digital innovation and flexibility” at the upcoming Institute of Public Administration Australia NSW conference in Sydney on the 15th of June.
In the following interview, she discusses the new role, and the challenges public sector agencies face trying to pursue digital transformation and strengthen information security at the same time.
Your title is NSW chief information security officer. How do you describe what you do?
Primarily I need to provide consistency, clarity and transparency to underpin the trust in our systems and our digital transformation programs. I’m determined to reinforce the mantra of being prepared, vigilant, resilient and responsive. That may sound trite but it’s essentially that simple.
For example, being responsive means that when something happens — as it inevitably will — we can respond quickly and holistically. A holistic response is not just about restoring IT systems, it is also about communicating, addressing the impact of the cyber or information security incident, learning and putting measures in place to prevent it from happening again.
In digital transformation we often talk about “user experience” — making the experiences of our customers as seamless and efficient as we can. I don’t believe that this can be done without considering cyber security because the absolute worst customer experiences will come when the cyber security fails. If people lose their finances, identity or dignity then they lose trust.
There is lots of publicity about data leaks from private and public sector bodies, but most organisations probably imagine, ‘it won’t happen to us.’ What is one of the biggest mistakes that people make when thinking about data security in their own organisation?
I think there are a few but I’ll stick to just three.
First, thinking, ‘it won’t happen to us.’ The fact is, every day every agency is hit by illegitimate requests from external parties from all around the world. If you have valuable information then someone will want it. If you provide services that someone wants to disrupt then they will try to — and hard. Sadly, this is a fact of life.
Second is the opposite, that is, buying into ‘the sky is falling’. You could spend every dollar you have building a fortress but is that really what you need? Instead, focus on who wants my valuable information and services and then solve the problem by thinking like that hacker.
Any organisation, whether they are in the public sector or a private sector, needs to take a risk-based approach. This includes setting a risk appetite (at board level) and asking what risks you are willing to accept. Those with low impact are probably not worth the investment. These are organisational decisions because everything you do or pay for has an opportunity cost. And because the risk landscape changes over time, these questions need to be reviewed regularly. It’s ultimately about being smart about where and how we invest in cyber security.
Third, thinking that it’s simply a compliance issue. There are some great standards including the Australian Signals Directorate’s (ASD) Essential Eight. ASD has done a brilliant job and is recognised internationally for their thought leadership in this area. However, just adhering to a standard is not enough. Every organisation must understand its own context and risks, and make an active decision about how it approaches cyber security. We will be doing this collectively across NSW government.
Digital transformation in the public sector will be driven by more data sharing and more innovative use of data. Is there a conflict between better information security and encouraging digital innovation?
Not at all, and as a data scientist myself, saying that would be heresy! But consider this: if you build your house without laying foundations, then in the first rain downpour it will begin to crack — and maybe even slide away. Security is the same. Yes, it costs more to lay solid foundations — and if you live in an earthquake or unstable area then you need stronger ones.
It’s no different for data-driven digital transformation. If your data or services are at a higher likelihood of being compromised, or if the consequence of a compromise is too high, then you need to ensure that you protect the data and services well. Another of my favourite analogies is this: security is an ingredient in the cake, not the icing on top. Icing can be easily removed but the eggs can’t!
You worked on information security at the Australian Crime Commission and AUSTRAC. What is one lesson you learned from working in those two bodies that you bring to working with the NSW public sector?
Just one? That’s tough! I think the most important lesson was this: risk is not something that exists in isolation — it is shared. Whether it is dealing with crime, terrorism or other complex risks, we are only as strong as our weakest link. At the ACC I worked a lot on building joint capabilities with our domestic partners and at AUSTRAC I did this as well as working with the private sector and international partners. The strength in working together shouldn’t be underestimated. There is an opportunity cost to doing this — of course — but there is a far greater cost in not doing so.
At both organisations I took this further than the traditional information sharing models toward deeper sharing relationships. For example, in the ACC’s Fusion capability we developed joint risk detection models and automated alerting (toward getting the right information to the right person at the right time).
At AUSTRAC we extended this to include APIs (system-to-system connectivity) and open data. APIs mean that analysts can access the information they need far more quickly and in one place rather than accessing multiple systems manually. And open data means that the problems being addressed by government (like money laundering or terrorist financing at AUSTRAC) can be shared with others including researchers.
In a digitally secure public sector, is there still a future for USB sticks?
Of course! As our AUSTRAC COO used to say, it’s not about saying no, it’s about saying, “Yes, if…”