As the only female government chief information security officer (GCISO) in the country, Dr Maria Milosavljevic knows a thing or two about being the only woman at the boardroom table.
But she’s not daunted. In fact, she’s encouraged to speak her mind. “Being a senior female leader in any relatively technical area means you’re often the only woman in the room, or one of a small number,” she tells CIO Australia.
“But that doesn’t mean that you need to be any less heard. Nor does it mean you need to be aggressive to be heard. You just need to have something compelling to say. Let your contributions speak for themselves.”
She admits she has worked in environments in the past where it was “difficult being a rarity” but in her current role it hasn’t been an issue.
Certainly, Milosavljevic – who was appointed the NSW Government’s inaugural CISO in May 2017 – has already led an interesting life and notable career.
She joined the NSW Government from AUSTRAC, where she held the position of chief information security officer and chief innovation officer. She has also held a number of senior roles in the private sector and has been an adjunct professor at the University of Canberra and is now an honorary professor at ANU.
Interestingly, she can also boast about developing some groundbreaking research and technological innovation.
“I’ve had one of those ‘brilliant careers’ – genuinely. I’ve been fortunate to have experienced some amazing things,” she says. “It all started when I was an undergraduate student. I had never intended to major in computer science – quite the opposite. But I studied artificial intelligence in my second year and I fell in love with it.
“At the end of my second year of university I worked at a zinc refinery and I wrote the first successful thermodynamic model of a processing plant in the world. A year later for my honours degree I created a predictive AI component. This saved the company millions of dollars and won a Tasmanian Premier’s award for energy efficiency.”
Since then, she’s done a few more world-firsts. “Perhaps the most significant was the first AI-generated adaptive website in the world in early 1995 for my PhD. I wrote academic papers on personalisation and using information gathered about customers to reason intelligently about them – their knowledge, behaviour, understanding – and to adapt content to them.
“All in the name of convenience of course. But today this very same technology has gone a bit too far. We’ve lost the balance and we really need to be having more conversations about ethical AI – something I’m quite passionate about given that I created the first website using this technology.”
But what she’s most proud of is the work she undertook in intelligence agencies over the past eight years. First, in designing and building the Fusion capability at the Australian Crime Commission (ACC) and then at AUSTRAC, building the Fintel Alliance capabilities.
“Both these transformation programs resulted in enormous efficiency and effectiveness gains for these agencies. Some tasks that were previously impossible for analysts were made possible and where we were only able to digest small amounts of structured data well (and not in a timely manner by any stretch of the imagination) we were able to ingest almost anything – in seconds to minutes.
“When time is of the essence, analysts need to be able to access data quickly to be able to draw out insights and make decisions. This is ultimately about making the human-machine symbiosis work as effectively as possible. Capitalising on what machines (and AI) do well, as well as what humans do well, so that the right people can make rapid decisions that keep us all safer. Many agencies are only now trying to achieve what we did at the ACC in 2010.”
Top GCISO priorities
So what’s on her plate as the state government’s inaugural CISO? For starters, Milosavljevic has worked over the past year to strengthen the government’s cyber security network. No doubt her appointment was timely given cyber risk and security has emerged as one of the most high profile, borderless and rapidly evolving risks facing government.
As such, as the inaugural GCISO she has worked across the NSW Government and consulted with industry leaders and research groups, as well as Commonwealth, state and overseas governments to ensure what she said is a “collaborative approach” to cyber security.
Indeed, it’s “exciting times” for Milosavljevic who said a NSW cyber security strategy that contains a detailed action plan is imminent and will soon be launched by Minister Victor Dominello. The details are still a tightly kept secret.
“Like any other government should be, we are focused on ensuring that we protect the digital information and services that NSW citizens rely on. The strategy covers a broad range of activities and it also addresses many of the previous recommendations from the NSW Auditor General.”
She said the work has revolved around “getting the governance right, getting the policy right, and making sure standards are in place.”
Meanwhile, another big priority for Milosavljevic in 2018 is building the team. The department obtained funding this year and is currently in recruitment mode.
“We filled some roles early this year and plan to do the rest before Christmas. That’s exciting – it’s always a great feeling to build a new team with a new vision. But they will be walking into an extremely busy area because we are all very focused on delivering our vision which is a cyber safe NSW. And we are well into delivering the strategy already.”
On the staffing front, she bucked the trend early in the role and hired four women into the cyber team, an unusual scenario in a typically male-dominated domain.
Cyber team: (L to R): Diana Drooj, Ivana Stojnic (seconded from NSW Department of Industry), Dr Maria Milosavljevic, Rachael Fraher (seconded from DFSI Policy), Geraldine Baldock.
“When I first started, I hired an executive support officer and a policy officer from the department was seconded across. Three women. Then, much to my surprise, we managed to find an incredibly talented cyber security technical analyst in the refugee program – her skills were so valuable and we were both very happy to find each other. Four women. Then I asked for secondees from across government and the first one was a woman. Five women, zero men.
“It was at this point that I asked for a team photo as soon as possible. I knew that this couldn’t last and wanted to capture it for the memory. I figured we were probably unique globally. And completely unplanned of course. Now we have a bunch of wonderful men in our team and our team culture benefits from incredible diversity including some graduates with their fresh thinking and several countries of birth across the team.”
She’s also spent a lot of time this year drafting whole-of-government cyber incident management arrangements in addition to updating policies and standards, starting with the Digital Information Security Policy.
“Because as anyone should know by now, the role of a CISO is not just to reduce the likelihood of things going wrong, but also to make sure that when they do, we are ready. Because unless we are prepared, incidents will not be contained quickly, there could be some confusion and the impact will be worse.”
In that vein, the department has undertaken two whole-of-government exercises already this year and has two more coming up, which will involve a broader and more senior level of participants.
“If there was a major cyber incident affecting one state, or territory, it’s highly likely that it’s also affecting the others, and so all of the incident management arrangements really do need to lock in with each other and also with Commonwealth arrangements.”
Meeting challenges full-throttle
Milosavljevic said one of her top challenges is prioritisation – a constant battle she must face.
“One of the most difficult things I must always do is to prioritise where we place our attention. I am constantly asking: ‘where are the biggest risks and how do we most effectively and efficiently address them?’”
Another set of challenges has come on the governance front. One of the very first things she did in the new role was to assess governance and make sure it was right, which was no easy feat.
“Although we’ve all done information security for a very long time, the rapid rise of ‘digital everything’ in our world means that cyber security has broadened beyond information and become a much more important area to focus attention on. But this means that everyone’s previous governance structures need to catch up. Just like we see a lot of emphasis on cyber security being elevated to company boards, so too do we need to make sure we get this right in government.
“So this review resulted in the creation of a new senior governance committee which consists of business impact owners as well as representatives from those areas that will be involved in responding to major incidents, such as NSW Police and Emergency Management. This means that we are making decisions about risk rather than only security and we are making sure we understand and reduce business impact, not just reducing technology vulnerabilities.”
Some of her other top challenges include ‘learning the ropes’ and understanding a new government – she had worked in Commonwealth so NSW was a new landscape. She is also tasked with getting to know a vast range of stakeholders – a scenario that puts her typically quiet nature to the test.
“I’m an introvert by nature – but I’m also driven to get things done – so although this takes energy, I do really enjoy it.”
Asked what type of leader she is, Milosavljevic said she’s attracted to solving complex challenges where she can break new ground, set the vision and collaborate with others.
“I’m very strategic and collaborative. I’m not a maintainer. I’m an innovator and entrepreneurial perhaps,” she says.
Indeed, being a collaborator is a key part of her nature – a handy skill given she’s routinely worked with her GCISO counterparts across Australia, and in her previous role at AUSTRAC in performing international collaboration across borders.
“A lot of what you do is through influence and through diplomacy. It’s not like you are working to build tech capability in one organisation and basically someone in the organisation makes it so. Instead, you are collaborating. A lot of it has much more to do with influence than laying down the law.”
In wearing her ‘collaborator hat’, she particularly enjoys working with her fellow GCISOs across the country.
“The camaraderie is great – of course. However, the best part is being able to share ideas and solutions. Every one of them is collaborative – I think we all recognise that we are all doing the same thing, we can get efficiencies by collaborating and when it comes to the crunch, we will need each other.”