
Cyber Security is a Business Risk

Not just an IT problem

Rob Champion
Cyber Security Unit
Queensland Government Chief Information Office
What has changed?
For decades we have been “doing” information security
(Not very well, but just well enough)

But we are now facing:

• Increasing digitisation
• Increasing dependence on ICT
• Increasing pace of change
• Increasing complexity
• Increasing capability of adversaries

Changing Landscape
• It is now a strategic risk to all organizations.
• Increasing expectations of community and stakeholders
• Maintaining trust is a key imperative for all organisations
• It’s too important to be left to IT alone

Security is not binary
No such thing as perfectly secure – we can’t expect or afford to be 100% secure.

• Protect what we can
• Detect when we fail
• Respond rapidly, effectively and efficiently
• But how much is enough security?

Current state of our cyber defences has improved
• Still needs continuous focus and improvement
• Generally, organisations aren’t effective at stopping generic threats
• Cyber criminals are already very capable, and rapidly increasing in sophistication, motivated by huge financial returns.
• It’s not going to get any better any time soon.

Focus has been mostly here previously

Cyber hacktivism: Embarrass, disrupt, deny, degrade.
Cyber crime: Ransomware, email compromise, identity theft, and DDoS extortion. Lucrative financial gains, often by serious and organised crime syndicates.
Insider Threat: Personal gain, revenge, unintended actions.
Cyber espionage: Covert information theft (for economic or political gain).
Cyber Terrorism, Cyber Warfare: Embarrass, disrupt, deny, degrade, destroy.

PAE – PAL – PFU

• People are Evil
• People are Lazy
• People Make Mistakes

Cyber Security principles
• Cyber security is a CEO and leadership responsibility.
• Cyber security risk management and governance are to be embedded in agency management processes.
• Transparency of an agency’s cyber risk and remediation is essential to ongoing improvement.
• Cyber security threat and incident information is proactively shared between Queensland Government agencies to help strengthen our government-wide defences.

Steps to Success
• Assign management responsibility
• Form an ISSC with key stakeholders
• Understand the value of your assets – to you, your stakeholders and to adversaries
• Assess asset risk & posture to identify gaps
• Prioritise security initiatives
• Ongoing assurance framework

Five Knows of Cyber Security

• Know the value of your data

• Know who has access to your data

• Know where your data is located

• Know who is protecting your data

• Know how well your data is protected

Source: Telstra
