Modernising IR Plans – Getting to First Response Faster

Carsten Boeving (Cenitex) shares how treating incident response as a practised muscle, defining crown jewels, and tightening early-warning triggers helps teams declare incidents faster, communicate clearly, and strengthen resilience across government services.

Ahead of his panel discussion on modernising incident response and getting to first response faster at the Government Innovation Week Cyber Security Showcase in Victoria on 25 March, Benji Crooks, Marketing Director at Public Sector Network, sits down with Carsten Boeving (Chief Information Security Officer, Cenitex). They discuss why incident response needs to be treated as an organisational muscle; the non-negotiables of knowing your “crown jewels” and rehearsing decision-making under pressure; and what’s driving the modernisation of IR plans as threats accelerate, technology shifts, and public and regulatory expectations rise.


Benji Crooks:
Okay. So my name is Benji Crooks. I’m the Marketing Director at Public Sector Network. I’m here with Carsten Boeving, and this is ahead of the Government Innovation Week Cyber Security Showcase in Victoria, which is happening on the 25th of March.

So first of all, if you could just quickly introduce yourself, your role, and a quick overview of what Cenitex does and what you support.

Carsten Boeving:
My name is Carsten Boeving, and I’m the Chief Information Security Officer at Cenitex.

And as the Chief Information Security Officer, my role is to make sure that cybersecurity supports Cenitex’s ability to deliver critical services safely and reliably. And that means setting the strategy, managing risks, and helping leaders to understand what cyber threat means in real operational terms, and also especially during an incident.

Cenitex, who I work for, is Victoria’s shared ICT service provider for government, and we deliver core digital services like networks, data centers, cloud, and security to public sector agencies, so they can focus on serving the community. And because of that, resilience and trust are central to everything we do, because if our services are not available, then our customers’ services to the community are not available either.

Benji Crooks:
Excellent. So just touching on the incident response planning at Cenitex, what core elements do you consider non-negotiable?

Carsten Boeving:
So we treat incident response not just as a theoretical or a technology process in Cenitex, but we consider it more like a muscle. It’s a muscle of the organization, and as such it has to be exercised. It needs to be used, it needs to be exercised, because touch wood, we will never encounter a compromise.

But if we never encounter a compromise, it means that we can never put to practice what we think that we are capable of doing. So therefore we develop plans, and then we practice those plans, and we exercise and practice those plans. And so therefore the muscle must be activated as often as possible.

And non-negotiable during those exercises are for the cybersecurity personnel to know the organization and know the assets of the organization that they are there to protect, so that in an incident they’re not going down the wrong road and trying to extinguish the wrong fire while the whole building is on fire and they only pay attention to a little rubbish bin outside.

So that is very important to us, is to make sure that the entire organization is aware of what are our crown jewels and what do we need to do to protect the crown jewels.

And from there we design our plans around protecting continuity and decision-making under pressure. And that’s one of the most important things that we have learned during our exercises, but also during near misses, is the decision-making process under pressure.

And that’s what I have carried over from my experience in Europe in the state emergency services, is to make sure that we have plans that we can rely on during incidents so that we don’t have to make things up and develop new plans from scratch during an incident, so that we can trust those plans and we can just carry them out.

So these are the non-negotiables, is that we have plans that we can rely on, and that our employees know what’s important to the organization, and that our executives are able to make decisions under pressure.

Benji Crooks:
Great. And so what would you say is driving the need for modernizing incident response plans right now? Is it threats, technology changes, regulatory expectations, or is it something else?

Carsten Boeving:
I think it’s a combination of all three, in isolation, but also together they reinforce each other.

For example, the threat actors, they are moving faster, they’re using automation, and they’re increasingly targeting supply chains and operational systems. So therefore the attack surface has been expanded around our organization. And also the attack surface attacking the supply chain also then has a greater blast radius in the other direction. So therefore that then influences our IR plans.

So we are not just looking out for ourselves, but we also have to look out for our suppliers and for our customers to make sure that they are secure, so that we are secure.

Another one is that the regulatory environment and the public expectations have changed as well. So in the past, if an organization had been compromised, the attacker was the adversary, and we could blame the attacker for having done something illegal, which is clearly wrong. However, now the public has come to realize it is not just the fault of the attacker, but it is also something that could most likely have been prevented. So therefore the scrutiny has increased. So it’s not just that we have to be able to fend off an incident, but we also have to be able to explain to the public that we are capable of doing it and that we can do what a reasonable party is expected to do.

And of course technology has changed with AI, et cetera. So therefore the threat landscape has changed, the technology has changed, the regulatory landscape has changed, and it all plays together. And therefore we have to adapt our incident response plans. They have to be more flexible.

So they have now superseded the old structure of the incident response plan. We had just one framework with dedicated playbooks. What we now do is, when we do exercises or have near misses, or even when we read in the news about incidents in other organizations, we create playbooks out of those, only to make sure that after two years, if something similar happens, we’ve got something that reminds us of the process that we rehearsed years earlier.

Benji Crooks:
Right. So talking about getting to first response faster, where do you think organizations typically lose the most time, and what’s one improvement that would speed things up?

Carsten Boeving:
I think it is before the incident is declared. It is this, seeing something in the log files that we believe is wrong, but not raising the alerts, not telling anyone, and trying to be sure.

So then digging deeper and going down that rabbit hole, and then ending up down the rabbit hole just trying to find one more evidence that it really is an incident because we don’t want to ring the CISO on a Sunday morning at 2 o’clock.

So this delay, trying to be sure and sure and sure that really something is going on, and then ringing someone up and then making a call and say, “We do have an incident. We now have to enact our incident response plan.” That delay can take, I would say, it can take hours, sometimes even days before somebody raises the alarm.

And we had something, again it was a miss, we have layers of defenses. So when the first layer of defense got breached, we then have a second and a third. And the first one is something that is just there to clear the noise in our logs. And we sometimes see something that could have been declared earlier, even at the first layer of defense, but people just say that it is, they didn’t realize that it could potentially escalate to something more serious.

So that’s where we are training now, that we make sure that we push as far left as possible in our incident detection process to raise alarms earlier to prevent it from escalating.

So that’s basically what we are trying to do.

So what we are now doing with every one of our exercises or near misses, or when we do those simulations based on publicly published incidents, is that we revise our simple and pre-agreed triggers. So we define triggers and we say, “If that trigger is reached, we must raise an alert.”

And then if something happened to another organization, we then evaluate whether our trigger would have triggered it earlier, or whether we should refine our trigger to make sure that it would never escalate to that level in our organization.

Benji Crooks:
Perfect. So I guess you couldn’t give us any real examples because of sensitive data, but are there any examples you can share where you’ve learned a lesson that has led you to improve incident response readiness?

Carsten Boeving:
The thing is, I can’t tell you about an incident because touch wood, we haven’t had any. So it does work.

And the thing what we are always reminding ourselves about is that although we would not like to have an incident, it is not about preventing incidents. The end result is we want to prevent the consequence.

So therefore, if we had a million hackers in our network and they would not cause any harm, it wouldn’t be that bad. So we have to make sure that we detect it early enough to kick them out of our network before any harm is incurred.

So that’s basically what we are doing, then when we kick them out early enough so that we actually respond to an incident before it becomes an incident, while it’s still an event.

The lesson we learned during those near misses, we call, is the communication, the internal communication. So the delay in declaring an incident is the first level of communication that has to be improved.

But another one is then what happens after that. And that is where Cenitex is in a unique position, that we provide IT to other government agencies. So therefore it’s not just about us, and it’s not just about our customers, but we have to also consider the impact on our customers and their communication to their consumers, for example to the community and to the public.

So therefore that’s where we then, after we do the exercises or we are involved in those near misses, that’s where we realize that there are little things in our communication that we have to improve on.

And one important thing to improve on is the vocabulary. That in an incident it is too late to explain to someone what the term adversary means or what the term threat means. It’s too late.

So we have to make sure that we develop a common vocabulary before an incident, that not just we can communicate effectively internally, but also that our leadership can communicate effectively to our customers, or if necessary to the public.

So that’s where we do exercises using publicly available material from previous incidents, where we then say, the board chair of that particular organization facing the press after an incident, could it have been done better? And most of the time we realize that the people that are facing the cameras do not seem to understand what the words mean that they are saying.

So that’s one of the communication things, making sure that the people in Cenitex that are involved, not just in communicating to the public but also to our customers, that they know what the words mean that they are supposed to use during the communication, before they have to use them in the communication.

So it’s all about preparing all the people involved to be able to effectively communicate, but also then be able to understand what had been communicated to them. So it’s mostly communication. The technical part is the easy part.

Benji Crooks:
Okay. I love the fact that the start of the answer was that you’ve never had an incident to describe. Touch wood, touch wood.

So of course we’ll be seeing you at Cybersecurity Showcase, and you’re on a panel discussion discussing modernizing incident response plans, getting to first response faster. What would you say is one thing you’d hope the audience take away with them?

Carsten Boeving:
First of all, I would encourage the audience to listen to what other people have to say, even if you do not agree. So if you believe that what I say is absolute nonsense, listen to it. Just look around you and see how it resonates with the audience, and the least it can do is reconfirm and reiterate that this is something you would never say in the future.

So you can learn from these things even if you don’t like it, and you say, “Okay that is something I will definitely not say myself in the future.”

So that’s the first thing that I would like to encourage other people to do, because that is something that I have to tell myself, to listen, to open up, and to be open to other people’s opinions. And maybe after 10 minutes of saying something that I don’t agree with, maybe it is because in the 11th minute they say something that summarizes everything, and then I realized I just got it the wrong way. I do actually agree with it, and that was actually a very good way to articulate this.

So that’s the first thing during the event.

After the event, it is reflecting on what we have seen during the event, and then within the next 30 or 60 days going through your incident response plans, and applying what other people have said, and applying the experiences that they have made in their life.

Because one thing that I have learned, I used to be a skydiving instructor, and one of the things that we always told ourselves is that we have to learn from others’ mistakes because we will literally not live long enough to make them ourselves.

It is the same for cyber incidents in organizations. If organizations do not learn from other organizations’ mistakes, then the organization will not live long enough to make all of those experiences themselves.

So learn from others, and then go through your incident response plans and determine whether your incident response plans would have dealt with the incident in a better way.

We have to say that when we do this validation, and when we reflect on our incident response plans after listening to others’ experiences, we always find something that can be improved.


Hear Carsten Boeving live at the Government Innovation Week Cyber Security Showcase, Victoria on 25 March. Join his panel on modernising incident response and getting to first response faster to explore what’s accelerating threats, how to improve early detection, and how to strengthen decision-making and communication under pressure. View the agenda and register to secure your place and be part of the conversation.

Published by Benji Crooks, Marketing Director