Victoria’s government today unveiled the state’s first cyber security strategy. At the heart of the strategy is a shift to a whole-of-government approach for information security.
The state government signed off on the strategy earlier this year and began the process of recruiting a chief information security officer (CISO) to oversee its implementation.
A state government Network and Cyber Security Statement of Direction was issued in August 2016 following the launch last year of a new ICT strategy for the state. New South Wales, Tasmania and South Australia also recently established CISO positions to boost information security efforts.
Victoria’s CISO will sit within the Department of Premier and Cabinet.
DPC’s security efforts will continue to receive support from a whole-of-government Information Security Advisory Group, which is a subcommittee of the Chief Information Officers Leadership Group.
The government CISO “will oversee government’s response to the cyber threat, develop best practice, provide assurance, report internally on our cyber security status, and coordinate cross-government action,” states the new strategy document (PDF).
“The CISO will not replace the individual responses and accountability within each government agency to address risks in the cyber landscape, nor will it assume responsibility within these agencies to address the standards issued by the Office of the Victorian Information Commissioner,” the strategy states.
“Rather, the CISO will coordinate cross-government responses in those areas where a whole-of-government approach is preferable, more efficient and will provide better security outcomes than individual approaches – for example, the creation of whole-of-government cyber services, capabilities, reporting, executive engagement, and information dissemination.”
The CISO will be backed by a staffed unit within DPC.
Another key initiative outlined in the strategy is the development of clearer “cyber emergency” governance arrangements. That work will be undertaken in consultation with Emergency Management Victoria and seek to ensure that “cyber threats” are one of the emergency risks considered by the owners and operators of critical infrastructure in the state.
The strategy envisages greater efforts to build partnerships both across government and with the private sector. As part of this, the Cyber Security Strategy Group, which launched in August 2016, is developing an intelligence-sharing mechanism, with a deadline of October this year.
In addition, a procurement panel will be established by June next year to access private sector cyber security services.
Procurement of some services will continue at the department and agency level; however, the strategy states that procurement of some security services on a whole-of-government basis makes sense.
“Careful consideration needs to be given to developing and maintaining the right balance between in-house cyber security skills and appropriate use of managed security services,” the strategy states.
“The Government needs to be a smart buyer and consumer of cyber security services and maximise the opportunity to develop and retain its own cyber security skilled workforce.”
By February 2018, the government is aiming to develop a plan to implement a federated Victorian Government Security Operations Centre service.
As part of the strategy, the state government will also develop a workforce plan to attract, develop and retain skilled cyber security workers in the public sector.
“Victoria’s first ever Cyber Security Strategy ensures we can stay ahead of the cyber criminals and develop the infrastructure, systems and processes needed to protect government services and information,” special minister of state, Gavin Jennings, said.
“Victoria is already a hub of digital innovation, so it makes sense that we use our existing tech knowledge and talent pool to be a hub of cyber security as well,” Victoria’s minister for small business, innovation and trade, Philip Dalidakis, said.
“The cyber security industry is growing quickly and will surpass $100 billion in value in the next few years. It’s an industry that will create jobs and boost our economy and we need to be a big part of it.”