The New South Wales government’s chief information security officer Maria Milosavljevic unveiled the state’s first cyber security strategy in Sydney this morning.
The plan is backed by $20 million in funding and will be followed by a cyber security industry development strategy that is still being developed by the NSW Department of Industry. It builds on the relevant part of the NSW government’s existing digital strategy, and complements the national information security plan that was launched by the Department of Home Affairs in April 2016 and updated in mid-2017.
“Cyber security has emerged as one of the most high-profile, borderless and rapidly evolving risks facing governments. Investing in strong cyber capabilities will provide confidence to citizens and business who trust us with their data,” Milosavljevic said in a statement today, released as a launch event at Darling Harbour concluded.
The new action plan is the culmination of her work to date since being appointed to the relatively new whole-of-government CISO role last year. The strategy calls for an “integrated approach” to information security risk management policies across the government, and for new “incident reporting and incident response arrangements” to be standardised across all agencies. The new guiding document explains that Milosavljevic will lead a new cross-agency group:
“Since being established, the GCISO has laid the foundations for the whole-of-government cyber security practice, providing basic coordination and support for agencies and a single point-of-contact for the receipt and sharing of cyber security information across NSW Government.
“The Cyber Security Senior Officers Group (CSSOG) has been established to provide for whole-of-government decision-making for cyber security. Members represent the key business owners of cyber risk from across NSW Government. The group’s focus is on supporting the GCISO in minimising the impact of cyber risk to NSW (citizens, business and government agencies) and integrating cyber risk into the emergency management and counter terrorism frameworks.”
The plan states agencies retain independence under this model “but are optimised and supported through coordination, shared information, services and capabilities” so the government can do the best job possible of protecting resident citizens, critical infrastructure and organisations from threats that do not respect borders.
It also refers to a “cyber security steering group” made up of agency CISOs that will govern implementation of the “action plan” items, some of which look out to the 2019-20 financial year.
“The suite of initiatives will ensure that the government is equipped to prevent, prepare for and respond to incidents and that each agency and all staff have a clear understanding of their role,” said Milosavljevic.
“To ensure this, we have introduced whole-of-government advisories that are already improving the ability of agencies to quickly and effectively respond to emerging threats.
“We will continue to collaborate with industry leaders and research groups as well as Commonwealth and state law enforcement to ensure we maintain a collaborative approach to cyber security.”
The NSW cyber plan states that a “joined-up mindset” is required across sectors and jurisdictions, and is partly based on the all-purpose cyber security framework developed by the National Institute of Standards and Technology.
“Effective, holistic cyber security is achieved through a strong sense of mutual responsibility between government, business, industry, researchers and the public. If each is empowered and able to fulfil its role, the security of the entire community is enhanced. Accordingly, the GCISO is working across NSW Government agencies to lift cyber security capability in the public sector.”