Launched last week, the Victorian Government’s Cyber Security Strategy lays out 23 comprehensive recommendations and actions focusing on protection of critical information and infrastructure.
As promised last year, the Victorian Government has just released its whole-of-government Cyber Security Strategy. It’s a timely document, given the recent history of well-publicised security breaches in IT systems around the world, such as the WannaCry ransomware attack.
So, with an ever-increasing range of cyber security threats — from organised crime, lone hackers and political activists through to foreign States — how is our Government going to be protecting its critical information and infrastructure?
The Victorian Government approach is going to be a team effort! The team will be led by its captain and coach, the Victorian Chief Information Security Officer.
Let me explain. The Victorian Government Cyber Security Strategy lays out 23 recommendations and actions. These are comprehensive, and include essentials such as building awareness and capability in the public service, including a workforce plan to attract and retain critical cyber security skills.
The Cyber Security Strategy also includes actions to improve collaboration, processes and governance within Government. There are also strategic actions to leverage and partner with external organisations, both private and public sector, to assist in defining the future state and how to get there.
What industry needs to know
This is a 23-point strategy with a focus on monitoring, response and recovery, coupled with capability uplift that leads to cyber resilience.
a) The Victorian Government Cyber Security Strategy is organised under five priorities:
- Engagement: Formal executive support and leadership, along with uniform reporting on cyber security
- Planning: Three-year planning cycle to provide the opportunity to identify use of shared and common services, and build capability based on effective cyber expenditure, to support sustainable outcomes
- Partnering: Leveraging of internal capability and industry expertise
- Service maturity: Buying intelligently and mitigating identified capability gaps
- Capability: Developing the right mix between in-house cyber security skills and use of managed security skills
b) Creation of a cyber security group reporting to the State Crisis and Resilience Committee
c) Establishment of a procurement panel to access private cyber services by June 2018
Chief Information Security Officer (CISO)
While the Cyber Security Strategy’s recommendations do not, in the main, demonstrate any funding commitments, there is one exception: the appointment of a Victorian Government Chief Information Security Officer (CISO) within the Department of Premier and Cabinet and the establishment of a cyber security office.
The appointment of the CISO, to be announced in September, will not replace the responsibility that individual agencies have for their own security; it will be more about cross-agency coordination, whole-of-government capability, and driving — and reporting on — the delivery of the Cyber Security Strategy’s recommendations.
This is where the CISO needs to demonstrate the skills of both the coach and the captain of the team. The CISO will need to effectively manage internal government processes, leverage external partner organisations, clarify the Cyber Security Strategy’s vision and goals, motivate agencies to action, and report regularly on progress. The challenges will be considerable.
For example, the CISO will be engaging with, and navigating across, organisations that all have a role to play in delivering the Cyber Security Strategy; but their involvement and efforts will be different and need to be coordinated. In no particular order, these organisations include: CenITex, Emergency Management Victoria, the Privacy and Data Protection Commissioner, the Victorian Managed Insurance Authority, CERT Australia, Data61, Oceania Cyber Security Centre, Global Cyber Security Centre (Oxford University), Australian Cyber Security Centre, Australian Signals Directorate and all Victorian Government Departments and agencies. Phew!
There will be other challenges as well. The Cyber Security Strategy recommends that by March 2018 a workforce plan be developed to attract and retain specialist cyber security skills. This will be particularly difficult, given the scarcity of such specialist skills and the high demand for them in the private sector.
Supporting the CISO will be the Victorian Government’s Cyber Security Strategy Group, comprising representatives of Government and the private sector. This group provided guidance to the development of the strategy and will have a continuing, but as yet undefined, role.
The Victorian Government needs to be applauded for recognising the need for a comprehensive strategy to address what has become not just a threat to how governments function and support their communities, but a potential threat to democracy itself. My only hope is that the work of the new Chief Information Security Officer, and the delivery of the Cyber Security Strategy, is not undermined by the burden of too much bureaucracy.