The NSW government is just weeks away from launching its inaugural cyber security strategy aimed at uplifting public sector capability.
Government chief information security officer Maria Milosavljevic revealed the strategy’s impending release at the annual NSW government Digital Marketplace event in Sydney today.
The strategy - planned for release on 28th September - stems from a cyber security blueprint that was developed ahead of, and to underpin, the creation of the whole-of-government cyber security function last year.
“We developed a blueprint last year which lays the foundations for the new function that I now manage and we’ve developed a cyber security strategy from this that will be launched very soon,” she said.
“As part of this we have identified that our broader content is quite complex. It needs to be well coordinated and integrated for us to do our jobs.”
The strategy will be underpinned by “a very detailed” program of work, which “lists many activities to improve the security of the NSW government and their relative priority”.
It comes just months after a $20 million injection from the NSW government in the state’s 2018 budget to plug cyber security gaps across the public sector.
The funding is being used by Milosavljevic and her team to shore up the government’s readiness and ability to respond to cyber security issues and incidents, rather than harden systems.
It follows a damning audit report earlier this year that found cyber security practices lacking at the majority of government agencies, and called for stronger practices to improve its detection and response capabilities.
But on Thursday Milosavljevic said the government-wide cyber security function had been busy working to address issues by “uniting cyber security teams” and moving the state to “a system of shared responsibility”.
“We’re working with other jurisdictions to make sure that our national arrangements are all consistent, we’re working closely with the private sector and academia on our hardest challenges and we’re also trying to understand the perspective of victims because they can articulate the issues and allow us to improve how to respond,” she said.
The cyber function has also been developing the government-wide cyber security response plan, which it has tested with agencies using two whole-of-government exercises, as well as other standards, policies and services.
Milosavljevic said this contained information on “who will be doing what if there is a cyber security emergency in any particular jurisdiction or even nationwide, what are our communication protocols, including to the public, how do we define them, how do we host all of this”.