Could you describe your average day as CISO at WA Police? Do you have a particular routine for the start and end of day?
As I am involved throughout the lifecycle of a project, the typical day includes meetings with a diverse group of stakeholders, committees and technical briefings. I don’t have a particular daily routine except for keeping my eye on the news.
Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself. Do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
Organisations have become increasingly aware that information is a key business asset, potentially thanks to increased media coverage of security breaches. Over time information security professionals have matured, focusing their skills towards improving business performance through governance, risk and compliance activities. The increasing level of maturity of security professionals has meant that businesses do see value in investing more into information security.
On a scale of 1-5, do you expect that your investment in Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
I expect a moderate uplift in spending on Cybersecurity over the coming years. This is part of ensuring security is inherent in every project and service across the agency. There is also an ongoing effort to reprioritise existing spend on those initiatives that will produce the most significant outcomes.
How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
Targeting longer term security initiatives such as providing security architecture services and risk management services during the conceptual stages of a new information system project is an investment that delivers an ongoing business benefit. Getting some of those initiatives rolling before dealing with the tactical issues of today means that there are fewer tactical issues going forward. Establishing documented, repeatable processes and procedures is, more often than not, a higher priority than dealing with short term issues.
I’m interested in understanding the degree of engagement that you have with the average policeman? I assume that you are a specialised unit operating within WA Police.
I am fortunate enough to be able to work closely with the deputy CIO and his staff officer, both of whom are sworn members. This allows me to socialise ideas and initiatives with them and to obtain feedback from them as to how this might affect frontline policing. The sworn officers help ensure that any communications and engagement with frontline officers are effective. My primary aim is to ensure that frontline officers have access to reliable and accurate information when and where they need it.
There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I have seen an increase in cloud services security assessment offerings. The general trend in government moving to cloud services means that getting visibility across the agency on the use of cloud services and understanding the security capabilities is important.
WA Police would clearly be a target for hackers. How do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
The agency conducts regular vulnerability assessments and penetration tests conducted by both agency staff and external contractors.
I would expect that there is more and more data forensics work that WA Police have to perform in their role. How do these shifts change the cyber security stance that you need to adopt?
Data forensics is a function that is performed by the Technology Crime Unit. Conversely, I’m focused on prevention, detection and stopping any security breaches ASAP. Identification of the offender and subsequent prosecution isn’t my focus.
If there is a significant security incident I refer that matter to the technology crime unit. They are appropriately resourced to conduct forensics and investigation.
When you think about adding new talent into your team, what key attributes do you look for when selecting a new staff member? Also, I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent, and is this especially hard in WA?
Traditional security functions have been devolved as technical security controls have become pervasive within the network and server teams, or have been moved to cloud services. The key skills I look for in information security professionals are:
- The ability to communicate technical information with a diverse group of non-technical stakeholders.
- Able to build good working relationships across the entire organisation.
- Research and report writing skills.
- Being able to objectively look at risk vs reward.
- Having a “can do” attitude.
- Being a trusted advisor instead of a road block.
Building a good team can be challenging in WA because many of the experienced security professionals are based on the East coast.
Finally, what keeps you awake at night?
It’s pointless worrying about when an attack will occur. I try to focus on ensuring that when one does occur, we have the right process and procedures in place to minimise any damage and be able to restore from backups.