CSIRO is uplifting cyber security across its enterprise and research functions with an emphasis on protecting core systems, tightening access controls and improving incident response.

Speaking to the iTnews Podcast, the research agency’s recently appointed chief information security officer Jamie Rossato shared his roadmap for embedding a robust cyber security posture across both the agency's enterprise and research functions.
Since joining CSIRO in September last year, Rossato has focused on building a comprehensive cyber security strategy and stakeholder relationships around the philosophy of “engage, inform, educate, influence and operate”.
“I really took that first six months to listen and learn, and to understand what's important to [stakeholders] when it came to their outcomes and their priorities so that as we formulated our cyber security strategy, it was informed with a range of perspectives that will no doubt shape how we execute cyber security into the future.”
That listen-and-learn period culminated in a cyber security strategy that’s aligned to Rossato’s long-held stance that cyber security success comes from “executing on the basics brilliantly”.
As such, the CSIRO cyber security strategy is built around five core pillars: system protection, data safeguarding, strong identity governance, incident response and, lastly, governance and oversight.
“A solid strategy begins with understanding the needs and priorities of all stakeholders,” Rossato said.
“The goal is to build a security framework that’s not only effective but also adaptable to the evolving nature of technology and research.”
From a practical standpoint, Rossato is acutely aware that his role is “one of the few functions where I'm worried about what's going to happen in the next two hours”.
As such, “it's the technology and the people on the ground that will deal with the crisis that may occur in the next two hours that is really going to be the measure of [CSIRO’s] cyber security posture,” he explained.
“We're always looking to progress our controls, mature our controls, extend and expand our controls, understand more of our environment, put things into context, and detect and respond rapidly to things that we see in our environment that shouldn't be there.”
With this in mind, Rossato noted that resourcing the right technology solutions is essential to support both system protection and rapid detection and response capabilities. Choosing the right tools, however, goes beyond technical specifications: it is also a question of trust and reliability, of whether a vendor's product actually does what it claims.
“Speaking more generally, I have had the best success with [technology] vendors who provide a capability that delivers what they say it will deliver,” he said.
“If I open a can of peas, I want to see a can of peas inside. It's easy sometimes to over-promise and under-deliver. For me, I'd rather make sure that we are delivering what we've committed to delivering... are you actually achieving that with the resources allocated to you and the investment that you've made in the controls.”
Compliance is not the “endgame”
Rossato’s strategy underscores the importance of meeting rigorous regulatory requirements while staying focused on maintaining strong operational security.
“Compliance is important, but it shouldn't be the ultimate goal,” he stated. “I don't believe compliance should be a CISO's endgame.
“Our focus is on building a strong cyber security posture that effectively manages risk and ensures that the technology we use is secure and supports the agency's broader mission, rather than just ticking boxes for compliance's sake.
“Certainly, in this agency, my focus is on safe and secure technology for science... If I think I just focus on achieving that compliance as the endgame in and of itself, I run the risk of actually missing some of the other threats that are out there.
“There are rules, and there are obligations that we need to achieve. We should be able to, and we must achieve those through a focus on strong cyber security posture management in line with organisational risk appetite,” he added.
An environment of focus
Rossato entered CSIRO as the organisation’s first dedicated CISO in two-and-a-half years.
His predecessor, the now-retired CIO Brendan Dalton, oversaw the dual functions of IT and cyber leadership between March 2022 and August 2024.
Speaking about CSIRO’s decision to re-create the dedicated CISO position, Rossato credited Dalton for “doing two very challenging jobs simultaneously”.
“[Being] CIO for the corporate technology function within any government agency is no easy feat and then to add cyber security on top of that is quite the challenge,” he said.
“Being able to have one person dedicated to cyber security as my exclusive focus for the organisation as a whole... has meant that I can take a step back and look at how do we make the technology that we need to do science safe and secure through the various lenses of the research units, the enterprise units, the researchers themselves and our key stakeholders, not just internal, but also externally.”