Credit: Dreamstime
The New South Wales Government has taken a proactive approach to cyber security with its first strategy, which launched on 28 September.
By preparing a strategy as it transforms major services into digital offerings the NSW Government could be one step ahead of cyber criminals.
Enosys Solutions sales director Joseph Mesiti has given credit to the government for making cyber security a priority during their digital transformation.
"This approach allows for cyber security policies and controls to be an integral part of the digital solution design, rather than being retrofit after implementation," he told ARN. "In principle, I agree with a single strategy and shared services for the state rather than allowing individual departments to set their cyber security policies in isolation.
"This increases transparency on the efficacy of the strategy and information and resource sharing helps secure the whole of government if one department is attacked."
Mesiti also believes the strategy provides a more "consistent interface" between the departments accountable for their own cyber security, and the partners and vendors that will support them.
"Another positive outcome would be that the approach allows staff to transfer between departments while maintaining the same level of cyber security and without retraining," he added.
Furthermore, Mesiti also believes the government will benefit from cost savings when it comes to audit and compliance.
"I strongly agree with the risk-based approach that focuses finite resources where they are most needed," Mesiti added.
Meanwhile, director of cyber security advocacy for APAC at (ISC)², Tony Vizza, told ARN the strategy is a promising sign that the NSW Government is taking cyber security seriously.
"The strategy seeks to respond to a scathing March 2018 report by the Auditor General that stated 'the (NSW public sector’s) ability to detect and respond to incidents needs to improve significantly and quickly' recommending the adoption of a whole-of-government approach to cyber security," Vizza said.
"Using a risk-based approach, the strategy relies on the NIST Framework to develop action points, deliverables and milestones in the areas of cyber preparation, prevention, detection, response and recovery.
"The strategy also seeks to formalise cooperation with state and federal agencies, academia and research institutions through information sharing.
"While it remains to be seen if the Government will force all departments to adopt this unified strategy, judging by the wide-ranging digital transformation initiatives already embarked on, and with a state election due in early 2019, it will be reasonably certain that the Berejiklian government will be keen to drive a successful outcome from this long-overdue strategy."
Looking ahead
However, there are factors that should have the NSW Government dedicating its attention to, such as supporting the agility in setting cyber security policy, to cope with the rapidly-changing cyber security threat landscape.
That's according to Enosys Solutions' Mesiti who also said that the NSW Government's cyber strategy should align with the Commonwealth strategy.
"This allows easier compliance and leverages existing efforts and expertise from the ASD [Australian Signals Directorate] and vendors," he explained. "The documentation reviewed only references threat/intelligence feeds from the Commonwealth.
"Further clarity is required on how adherence to the security strategy will be audited, and who the audience of the audit is and their powers to drive the remediation of non-compliance.
"If there is an existing audit framework it should be referenced in the strategy rather than assumed. Action plans should contain more detail on quantifiable metrics for the success criteria."
Network security vendor WatchGuard Technologies believes a bigger focus should have been given on protecting SMBs.
"We welcome the NSW Government’s investment in improving cyber security," said Mark Sinclair, A/NZ regional director at WatchGuard. "This will certainly help keep the public’s online interaction with the state government departments secure and help improve the data security of personal information.
"However, it is local government and small-medium businesses in New South Wales which are often greater targets for cyber attacks. Overall, this initiative falls short in offering extra protection to these organisations."
For Rackspace A/NZ general manager Darryn McCoskery, the cyber strategy has highlighted the fact that some government agencies lack appropriate response procedures, while others don’t know who to notify if a breach occurs, or have no procedure in place at all.
"Moving forward, this new government-led strategy is addressing exactly what Australia needs right now: to empower and train the next-generation of information security graduates on the critical capabilities necessary to stay ahead of cyber security attacks in the future," McCoskery added.
On 28 September, the NSW Government introduced its first cyber security strategy which sees agencies across the state taking an integrated approach to prevent and respond to cyber threats.
The strategy was developed to ensure that services offered by the NSW Government agencies are connected and protected while meeting the needs of the government, business and citizens.
