Ajoy Ghosh, Chief Information Security Officer, icareNSW
It is spring in Sydney, which means that not too long ago I was gazing out of my window admiring the blooming Jacarandas across our neighbours’ yards. It reminded me of a time almost 20 years ago when I was gazing out of our then apartment window across the row of Jacarandas planted across the street-line. It was 1998 and I was gazing at the Jacarandas, thinking about how I was going to answer the question posed to me by the then CEO of one of the Big Four banks. His question was: “How do I know that the Internet thing that the CIO is building for us is going to be safe for our customers and ourselves, and not embarrass the Bank?”
Almost 20 years on, the question I am regularly posed by Boards is: “How do I know that the digital/cyber thing that the CEO/CDO/CIO is building for us is going to be safe for our customers and ourselves, and not embarrass the brand or make the company or the Board liable?”
So what has changed across those 20 years?
More recently, I’ve been asked similar questions by the CEO and Board of icare (or Insurance & Care NSW) where I am serving as the interim Chief Information Security Officer.
icare is a Public Financial Corporation which protects, insures, and cares for the people, businesses, and assets that make NSW great. icare insures more than 296,000 businesses and their 3.4 million employees. In addition we insure all road users, builders, and homeowners, as well as landmark assets like the Sydney Opera House, the Sydney Harbour Bridge, and the State Library of NSW.
With its ethos of “Commercial Mind, Social Heart” and its mandate to disrupt the way insurance and care services are provided to the community of NSW, icare’s executive team recognised early in its inception that the traditional technology model of its predecessors would no longer support the pace and scale of technology transformation needed to deliver on its commitments to the people and businesses of NSW.
To enable it to do so, icare adopted a cloud-only strategy. It also adopted a strategy of working with capable partners.
So how is icare ensuring that its mission-critical systems are safe and appropriately protect our own data and the data that the businesses and people of NSW entrust into its care? In summary:
• icare selects suppliers who can demonstrate mature cyber security practices;
• icare ensures its systems are secure by design;
• icare tests systems during development, prior to deployment and regularly during operation;
• icare recognises that cyber security will not be perfect and we monitor threats and respond appropriately and cooperatively with our partners and other government agencies.
On reflection, that’s the same answer I gave in 1998, except that “security” has become “cyber security”.
Firstly, icare selects partners who can demonstrate they have mature cyber security practices. For key platforms, including our “virtual data centre”, icare has chosen partners who are certified under the Australian Signals Directorate’s Certified Cloud Supplier List scheme, or CCSL. Part of the reason for choosing this scheme is that certified suppliers undergo a rigorous and regular assessment and the detailed results are made available to customers, i.e. transparency.
For other suppliers, icare selects partners who are certified under ISO 27001, which is the minimum requirement set by the NSW Government under the Digital Information Security Policy. It has been important to verify that the supplier itself has been certified; we’ve seen many who claim to be but are actually saying that their data centre or cloud platform provider is certified.
icare has a regime of cyber security testing that starts with automated code inspection for developed code. Prior to each release, penetration testers are engaged to test Internet-facing systems. icare selects capable testers who have been certified or registered by CREST Australia and who are qualified under the NSW Government’s ICT prequalification scheme (SCM0200). Penetration testing is conducted for every major release and at least annually. Our infrastructure is scanned for vulnerabilities monthly.
All our systems integrate with our cyber security monitoring capability, which is based on Splunk and is continually being tuned and improved. Alerts are monitored 24/7/365. We have rehearsed simulated cyber security crisis management exercises with our own crisis management teams as well as joint simulations with our key partners. We have also run a gamified cyber security exercise for the Board and Executive leadership.
We also maintain close relationships with relevant authorities such as the Australian Signals Directorate, the NSW Government CISO, and other NSW Government agencies, as well as sharing appropriate threat intelligence with key Security Operations Centres across our cyber ecosystem. Our CCSL suppliers also have cyber security teams that work cooperatively; in fact each of them maintains a cyber security capability that is significantly more capable than ours, and each has been generous in ensuring their capability is used to help us appropriately protect the information of the businesses and people of NSW.
On reflection, my key learnings have been:
• “What” to do hasn’t really changed in 20 years.
• “How” to do it has kept up with technology and the introduction of automated tooling to orchestrate what used to be human initiated testing.
• Choosing “Who” should do it has become somewhat simpler as cyber security certification and accreditation schemes have become more accessible for suppliers and transparent for customers and suppliers.
• “Who is asking” is the big change, with Boards increasingly engaging in the conversation about brand and liability.