Narelle Devine (Department of Human Services)
Developers, technology providers and foundational third-parties are what keeps the Department of Human Services (DHS) chief information security officer (CISO) Narelle Devine awake at night.
Addressing a crowd filled with those exact professionals at McAfee's MPower Cybersecurity Summit in Sydney, Devine explained that quite often security vulnerabilities are found in code, vulnerabilities that have been known for years or even decades.
The CISO believes this highlights the need for continuing learning opportunities for Australian developers.
But this is not the only thing that concerns the DHS, a government department responsible to service the Australia population which generates around 26 million customer records.
"And it is not just developers who keep me awake at night," she said. "External partners providing ICT services to the department are also a risk.
"While they are obviously required to comply with security policies and requirements, it is a constant management overhead but they are an important part of the department cyber ecosystem.”
Devine said that this also extends past the traditional parties, to foundational third-parties such as the telecommunications sector.
"Not only are their national critical infrastructure in their own right but without them we simply could not deliver our service," she said. "In return they are dependent on the utility sector. Without power they can't operate."
Devine said the entire ecosystem is dependent on each other, with collaborating and sharing now of upmost importance.
During her keynote, Devine also stressed the importance of training, alongside understanding each person within an organisation and what type of education suits each individual, whether that be face-to-face, online or even through games.
In the space of more than two years, the cyber branch of DHS grew from 28 employees to more than 200.
The cyber branch's primary mission is to protect systems against cyber events that could stop DHS from supporting the Australian public. And for that to be possible, DHS needs the right people with the right skills in the right roles.
“A successful attack on DHS' systems would see hundreds of thousands of families unable to support themselves,” Devine said. “Our medical services would be severely impacted if the flow of money was to stop for just a short few days.”
The DHS supports every day Australians through its three main services: Centrelink, Medicare and Child Support.
"We block on average, each month, 14 million emails, detect over 20 malicious campaigns and process over 700 suspicious emails,” Devine added. "Until we collectively, as an entire community, make this harder for those on the other side it is not going to go away.”
Devine said the department is also investing in simulated phishing tests in order to investment in more training to specific areas if needed. Within two years however, Devine realised that technology alone is not enough.
“Having a cyber smart workforce and cyber aware customers is key,” she explained. “You need to invest in cyber.
“Most of you are probably investing in technology but don’t forget to invest in your people. And that doesn’t only mean paying them more it means educating and up-skilling them even if it means you might lose them.
“You need to consider the workforce as a whole not just your own cyber team. You can have the best cyber security staff ever but remember it only takes one person.”
