Home Affairs adds SecOps to new cyber risk overhaul

Home Affairs is investing in cyber security operations after an extensive program to overhaul its cyber risk management and system authorisation processes.

The department is in the early stages of implementing ServiceNow’s SecOps module for incident response, integrating it with the vendor’s integrated risk management (IRM).

Home Affairs director of cyber risk management Alex Reale told ServiceNow’s Federal Forum in Canberra that foundational work to define system risk profiles and security controls is now providing “red flags” for SecOps teams to act on.

“Based on the integrated model, we can identify incidents in critical systems,” she said.

“These are visually surfaced for our teams, allowing operations and incident response teams to quickly make risk-based decisions about how they prioritise their effort and time, and [it] gives a common view of where the urgent issues are."

Since joining Home Affairs in January 2023, Reale has led a major program to build on the department’s earlier use of ServiceNow to digitise its system authorisation process, a critical step in meeting obligations under the Protective Security Policy Framework (PSPF) and the Essential Eight.

As outlined at ServiceNow World Forum Melbourne in November 2024, the department began using the vendor’s continuous authorisation and monitoring module to manage the process, "with minimal configuration required".

Since then, the department has transitioned to a system authorisation that utilises ServiceNow’s integrated risk management (IRM) module.

The IRM capability, combined with the system authorisation workflow, has allowed Home Affairs to define its systems and assign them a confidentiality, integrity and availability (CIA) or protection rating.

This, along with clearly defined security controls and demonstrated alignment with PSPF, Essential Eight and other frameworks, “provides the foundation of the security risk management of our systems,” Reale said.

“That protection rating demonstrates how critical all systems are to the organisation and the business impact of compromise,” she said.

“What's really powerful about this rating and the fact that we've centralised it in the tool is that that data then becomes available to other modules with ServiceNow.”

As a result, when Home Affairs activated SecOps, operational teams could immediately see which systems had “critical business value”, helping them prioritise alerts and incident response.

“We're also able to see which systems have critical security controls missing, or vulnerabilities present,” Reale added.

Stakeholder buy-in from Home Affairs’ senior leadership was earned, meanwhile, through the IRM capability's executive dashboards.

This, according to Reale, means all “this information can be aggregated, centralised and provide that dashboard and source of truth for our senior executives”.

“It makes it much easier for cyber security to demonstrate its value to the business, making risk a central feature of decision-making and investment.”

Eleanor Dickinson travelled to ServiceNow Federal Forum Canberra 2025 as a guest of ServiceNow.