As the inaugural NSW Government chief information security officer, Maria Milosavljevic created a whole-of-government (WoG) cyber security function from scratch in under two years that fundamentally changed the cyber security landscape for NSW.
Today, Milosavljevic is the chief data officer at the Department of Human Services, a role she clinched in February 2019.
“Governance is almost always incorrect for cyber security because it is most often IT-led. This is a conflict of interest. So I designed and created a deputy secretary-level body of cyber risk ‘owners’ from all clusters called the Cyber Security Senior Officers’ Group,” she told CIO Australia.
“To ensure we have the best advice from outside government, I also set up a Cyber Security Advisory Council with a diverse range of expertise. I instigated regular meetings with relevant Commissioners to ensure they were a part of the solution.”
She also met regularly with Audit and Risk chairs or committees to brief them on risk trends and mitigation strategies; advised boards or senior committees including icare, the government’s insurer; and provided assurance for senior executives and committees (including NSW Electoral Commission leading up to the election and the NSW Digital Driver Licence).
Reflecting on her time as the chief information security officer, Milosavljevic said when she first started in the role there was no central funding.
“I advocated for and achieved $20 million over four years to fund the central whole-of-government cyber security function to better coordinate and improve existing activities across NSW government agencies.
“I led and launched the NSW Cyber Security Strategy which outlined our risk-based approach with a clear action plan for future initiatives on a wide range of areas including training and awareness, cyber skills and career pathways.
“I led the development of a new Cyber Security Policy which replaced the earlier Digital Information Security Policy. The policy significantly strengthens the NSW posture including mandating a crown jewels assessment, the ASD Essential 8 and further strong obligations on agencies. It also broke down the boundary between corporate IT and operational IT (such as trains and infrastructure).”
Additionally, she established an operations team to help agencies with threat email advisories and support in managing incidents when they happen.
She also created a new WoG incident response plan including an emergency management sub plan.
“This brought the IT and emergency management (and policing) worlds together and resulted in significant cultural change and incident awareness.
“In order to make sure that these plans are second nature for everyone, I established a program of Cyber Incident Response Exercises and undertook four over the year leading up to the approval of the plans. These exercises involved running through fictitious scenarios to test how staff and executive management responded and then integrating findings back into the plans to improve them. This resulted in significant clarity of roles and responsibilities of all staff in the NSW public sector and built our cyber resilience and preparedness.”
Additionally, she commissioned a passive security assessment which scanned all 3,257 unique web domains and subdomains used by NSW government agencies and provided useful vulnerability information to many agencies.
“I reinvigorated a tired community of practice that was low in numbers. This became so big that we had to institute a ticketing system and turn people away. I also arranged for the creation of shared material for cyber security culture uplift. For example, template posters and pictures for screen savers were provided across government for use in Cyber Week.”
Milosavljevic said there were significant obstacles to getting the job done, including a complete absence of any funding and resistance from some corners on the need for the function.
“There was an absence of any WoG cyber security culture and no shared resources to assist in addressing this. As described above, this was corrected. In order to address the risks around connected infrastructure, IoT and BYOD, several actions were taken including awareness exercises, inclusion of non-enterprise technology in the policy and including operational technology representatives in governance and exercises. I also commissioned and oversaw the successful completion of several R&D projects with Data61 and other institutions to look at the use of AI for improved detection and information sharing.”
Reflecting on her time as CISO, she said the role carried a responsibility to influence very broadly across the whole of government. In that vein, she said keeping an eye on the cultural side of things, in particular workplace diversity, is vital when making such sweeping changes.
“I’m a strong advocate for women in cyber security (and IT more broadly). I mentor at least 3-4 women every year and I have spoken at many events to support women in the field including many closed-door events.
“My NSW team was balanced on gender as well as other factors such as ethnicity, age and backgrounds. Likewise, the Cyber Security Advisory Council I established was balanced for gender, expertise and age. The exercise program and community of practice were also extremely useful in building the right culture, both within my team as well as more broadly across NSW Government.”
Milosavljevic said the biggest lesson she has learned during her career is that change happens when you inspire and empower people, galvanising them to a common cause.
“I learned this many years ago and it has become part of my psyche. For example, as NSW Government CISO, I needed to work successfully across a very diverse set of stakeholders – some of whom really preferred that I wasn’t there – to facilitate a cultural transition from IT security to cyber risk management.
“To achieve this, I needed to create a new function that itself also embodied this culture – I couldn’t be the only voice. I designed the function, wrote all the key role descriptions and hand-picked a leadership team.
“An unusual complexity in WoG cyber security is the lack of senior people with security and (genuine) risk knowledge combined with an ability to communicate with senior public sector leaders and Ministers to drive change. I spent a lot of time mentoring my new leaders and identified targeted learning opportunities; and they did similarly with their own staff. As the team grew, we frequently discussed risk and security culture at our meetings so that the whole team learned concurrently and became cohesive.”
She said team members created short, simple guides for use with stakeholders that demonstrated effective risk culture.
It ultimately became a “team of teams” approach to leadership, which was successful in allowing a small team to scale, with results evidenced through effective decisions all the way from cabinet and the Secretaries’ Board to changes inside organisations, she said.
“People want to believe in a joint mission and be inspired and empowered to do their jobs. The rest – almost – comes naturally.”