We keep hearing about the need to become more cyber resilient, but the focus is often on technical skills and specific solutions that patch or mitigate vulnerabilities. Carmel Ali, General Manager Information and Safety and Chief Security Officer at New Zealand's Department of Internal Affairs, saw a need to take a different approach.
"Everything we do is on a risk-based approach," she said during the Technology in Government event held in Canberra recently.
That's led to a shift in focus from a compliance approach to an education and awareness approach.
Initially, the department's corporate structure for security was split across three business functions: technical issues sat with the ICT function under the organisation's CIO, personal data security was managed by human resources, and physical security was managed by facilities. As a result, Ali said, the technology function rarely had a voice and was seen as an obstacle "interfering with the success of a project" and as a "last minute sign-off".
It would be fair to say there was a hearty rumble of concurrence by many in the audience who have been in a similar position with the security function lacking a single focal point and often seen as a blocker rather than an enabler.
The shift came when the organisation suffered a malware event. A ransomware attack brought information security to the fore and made it a focus. The department's low maturity was seen as an issue, with the diversion of resources away from business-as-usual operations hitting business productivity. This was coupled with rising awareness at the board and executive levels and resulted in the establishment of a privacy and security program. Importantly, the focus of the program was not on addressing technical issues but on ensuring the message about cybersecurity was heard and understood by everyone in the business.
A change management program was created that aimed to shift the discussion away from compliance and towards the creation of a cyber awareness plan and education program that brought together the best from the private and public sectors.
But it wasn't all smooth sailing. The first program, dubbed "Spot an alien", was deemed a failure as it didn't stimulate real behavioural change. Ali decided to learn from this and move forward by talking to leaders and influencers. Then, in a good news/bad news moment, the WannaCry outbreak hit, which greatly heightened awareness of the real risks. As the department was technically prepared for the outbreak, the impact was managed, but the incident provided a way to further the communication and education program.
The nature of WannaCry and Ali's work in talking with leaders and influencers helped push the message that everyone is responsible for cybersecurity.
"People now get it," said Ali.
The changing nature of cybersecurity means the awareness and education program needs to continually adapt, said Ali. The work is never over and will require constant updating and evolution to ensure staff are prepared for emerging threats.