Innovate South Australia 2024 Key Takeaways: Cyber Security & Risk Management

Driving Digital Trust with Cyber Security Audits

Andrew Corrigan, Executive Director Data and Technology, Auditor-General’s Department of South Australia

1. The Foundation of Digital Trust
Digital trust relies on secure, transparent, and user-friendly government systems. Citizens must feel confident their data is protected, used only for its intended purpose, and not shared without justification. Maintaining trust requires addressing cybersecurity vulnerabilities and ensuring consistent, high-quality user experiences.

2. The Role of Cybersecurity Audits
Cybersecurity audits are vital for identifying weaknesses, enforcing compliance, and enhancing digital trust. Regular audits of controls like user access management, patch management, and logging provide assurance that systems are secure. Audits also hold third-party vendors accountable for meeting contractual and security requirements, preserving the agency’s integrity.

3. Proactive Risk Management for Public Confidence
Government agencies should conduct internal process walkthroughs before audits to identify vulnerabilities and prioritise resources for resolution. Transparent risk management, even when challenges persist, demonstrates accountability and builds trust. Strong cybersecurity practices directly influence public satisfaction and confidence in government systems.

Exploring the Zero Trust Mandate

Louis Fourie, Senior Solutions Engineer, Zscaler

1. The Role of Zero Trust in Modern Cybersecurity
Zero trust is a strategy, not a product, aimed at reducing attack surfaces by connecting users to applications at the session layer without exposing networks or applications to unnecessary risk. By eliminating VPNs and minimising complexity, zero trust creates a seamless, secure connection that is consistent regardless of location or network type.

2. Simplification and Scalability Through Platform Innovation
Platforms like Zscaler's Zero Trust Exchange reduce the complexity of traditional network and application security by introducing an identity perimeter and leveraging AI-driven insights. This innovation allows organisations to manage risks at scale while enhancing user experience, ensuring security controls are applied efficiently across diverse environments.

3. Proactive Risk Management and User Experience Enhancement
AI-driven tools within the zero trust platform provide actionable insights, such as proactive risk assessments, user behavior analysis, and policy efficacy checks. This enables organisations to address risks before they escalate and maintain optimal user experiences, even in complex IT ecosystems. Integration with tools like CrowdStrike and Intune enhances incident response and visibility, improving overall security posture.

Unlocking Shared Cyber Capability: Building a Secure Future Together

Will Luker, Government Chief Information Security Officer, Department of Premier and Cabinet

1. Comprehensive Cybersecurity Framework for Diverse Agencies
The South Australian Government encompasses 95 agencies with varied ICT capabilities, ranging from large departments with dedicated cybersecurity teams to smaller agencies with minimal resources. The Chief Information Security Officer’s team supports all agencies by mapping the attack surface, monitoring approximately 140,000 Internet-facing devices, and addressing vulnerabilities across a wide spectrum of operations.

2. Proactive Threat Intelligence and Incident Response
A strong intelligence program is in place to monitor evolving threats, including cybercriminals, hacktivists, and nation-state actors. The team processes around 300 incident investigations monthly, continuously learning from incidents to adapt and refine mitigation strategies. This proactive approach ensures government systems are better prepared for rapidly changing cyber risks, such as those arising from geopolitical events.

3. Collaborative and Scalable Cybersecurity Initiatives
The South Australian Government leverages federal cybersecurity resources, such as the protective DNS service, while fostering collaboration with local, federal, and private entities. Initiatives like community-of-practice sessions and partnerships with the Australian Cyber Collaboration Center at Lot 14 ensure shared knowledge, skills development, and unified efforts to bolster the state’s resilience against cyber threats.

Cyber Security is National Security 

Nicole Quinn, Director of Government Affairs, Fortinet

1. The Geopolitical Context of Cybersecurity
Cybersecurity is now a cornerstone of national security due to escalating global tensions and hybrid warfare threats. With nations like China, Russia, Iran, and North Korea utilising cyber operations for espionage, financial gain, and military advantage, the Indo-Pacific region is particularly vulnerable. For Australian organisations, this means preparing for heightened threats, including nation-state-backed attacks targeting supply chains and critical infrastructure.

2. Legislative and Strategic Responses
Governments worldwide, including Australia, are increasing regulations and policy measures to address cyber threats. Initiatives like Australia’s critical infrastructure (SoCI) legislation, the National Cyber Security Strategy, and leadership in international efforts such as the Ransomware Task Force demonstrate a shift toward comprehensive cyber defence. Businesses and public sector organisations must align with these evolving frameworks to mitigate risks and ensure compliance.

3. Role of Collaboration and Supply Chain Security
The national security spotlight on initiatives like AUKUS highlights the importance of robust cyber defences across all levels of the supply chain. Small and medium-sized enterprises (SMEs) connected to critical projects, such as defence contracts, are potential weak links and require enhanced cyber resilience. Collaboration with Five Eyes partners and adherence to secure innovation principles are key strategies to safeguard sensitive data and maintain global trust.

Privacy vs Security: Exploring the Differences and Relationships

Peter Worthington-Eyre, Chief Data Officer/ Executive Director, Officer for Data Analytics, Department of the Premier and Cabinet
Mamello Thinyane, Optus Chair of Cybersecurity and Data Science UniSA STEM, University of South Australia
Anne-Louise Brown, Director of Policy, Cyber Security Cooperative Research Centre

1. Interdependence of Privacy and Security
Privacy and security are intrinsically linked, with security providing the mechanisms to protect privacy. While privacy focuses on individual rights to control and safeguard personal data, security ensures that data is protected through measures like encryption, access controls, and compliance frameworks. Organisations must address both to build trust and resilience in their operations.

2. Evolving Legal and Societal Expectations
Upcoming reforms, such as the Federal Privacy Act Review and global regulations like GDPR, signal a shift toward empowering individuals with control over their data. For businesses, this means ensuring transparency, adopting privacy-by-design approaches, and staying compliant with updated legal requirements. South Australia’s ongoing discussions about standalone privacy legislation highlight the importance of aligning local frameworks with national and international standards.

3. Building Societal Cyber Resilience
Strengthening cyber resilience requires a collective approach, from educating individuals on responsible data sharing to enhancing security across supply chains, small businesses, and vulnerable community groups. Partnerships between governments, academia, and industry are essential to address cyber threats holistically and ensure that privacy and security measures benefit all societal stakeholders.

Five Areas of Focus for Cyber Uplift

Mitch Riley-Meijer, A/g Assistant Secretary, Government Cyber and Protective Security, Cyber Security Policy Division, Australian Government

1. Institutionalising Cyber Uplift
Embedding cyber security practices into every facet of organisational operations is essential. Cyber uplift should be normalised within governance frameworks, including procurement processes, risk management, and performance monitoring. Making cyber security a routine business-as-usual priority ensures sustainable progress toward resilience.

2. Strategic Investment in Security
Aligning technology investments with organisational security goals is critical. Cyber leaders must collaborate with financial decision-makers to secure funding and ensure new technologies meet long-term security objectives. This approach minimises risks from shadow IT and ensures readiness for upcoming technologies.

3. Protecting Crown Jewels
Identifying and prioritising the most critical assets—those essential for mission-critical operations—is foundational. Organisations must focus on protecting these "crown jewels" through tailored security measures, lifecycle management, and resilience planning to mitigate risks to core operations.

4. Building for Resilience, Not Just Security
Cyber resilience goes beyond prevention; it prepares organisations to detect, respond, and recover from inevitable cyber incidents. Resilience planning should include technical response protocols, consequence management, and communication strategies, ensuring continued safe and effective operation during crises.

5. Empowering People and Partnerships
Investing in workforce awareness, leadership engagement, and collaborative skill-sharing enhances organisational resilience. Leaders must understand the cyber implications of their decisions, while partnerships can address resource gaps and foster shared capabilities for addressing modern cyber challenges.

Shaping & Influence: The Art of Activating Cyber Mastery within Senior Leadership

Alex Heidenreich, Executive Director -SA & NT | Founder of Diamond Cyber Security, CyberCX

1. Framing Cybersecurity as a Leadership Responsibility
Alex Heidenreich emphasised the importance of positioning cybersecurity as a top-tier leadership issue rather than an IT or risk department problem. Senior leaders are high-value targets themselves, and their accountability sets the tone for organisational culture and priorities. Educating executives on the "why" behind cybersecurity builds personal buy-in and ensures decisions align with strategic objectives.

2. Cultural Uplift Starts with Leadership
Organisational culture is driven by leadership, with executives casting a "long shadow" that influences behaviour throughout the organisation. Establishing the right cultural climate, rooted in accountability and values, is critical for meaningful cybersecurity transformation. Leaders must set and enforce standards to foster a security-conscious culture.

3. Simplifying Complex Cybersecurity Concepts for Engagement
Heidenreich underscored the need to simplify cybersecurity messaging for senior leaders to activate their "cyber mastery." Using relatable frameworks, analogies, and focusing on personal and family-level impacts can help overcome resistance or apathy. The aim is to establish trusted advisor relationships with leadership, leveraging moments of engagement to instil lasting understanding and responsibility.

We Need to Talk About Third-Party Risk Management

Fern Hillyard, Senior Manager Cyber Policy & Risk, Cyber Strategy & Policy Cyber Security Directorate, Office of the Chief Information Officer, Department of the Premier and Cabinet
Rosalie Martin, Director, Cyber Security Outreach, National Office of Cyber Security

1. Third-Party Risk is Complex and Requires Strategic Focus
Managing third-party risks involves addressing challenges of capacity and scale, especially in large organisations with thousands of suppliers. The critical need is to map the supply chain, prioritise high-risk suppliers, and embed cybersecurity requirements early in procurement processes. Without early engagement, organisations lose leverage to enforce critical security measures.

2. Collaborative and Continuous Monitoring is Essential
Risk management cannot be a point-in-time exercise. Continuous monitoring tools, contractual obligations for ongoing security reporting, and collaboration across risk domains (e.g., cyber, privacy, finance) are vital. By pooling resources and integrating insights, organisations can better manage risks holistically and ensure suppliers maintain compliance throughout the relationship.

3. Government-Led Frameworks and Tiered Approaches
Government initiatives like procurement frameworks and national cybersecurity standards provide a foundation for managing third-party risk. Tools such as supplier tiering systems—categorising suppliers by risk and criticality—help streamline efforts and focus on high-priority contracts. Leveraging certifications like ISO 27001 and SOC 2 ensures suppliers maintain ongoing security and operational standards.