Cyber Security NSW fails to address inconsistencies in agencies’ cyber security self-assessments

The Office of the Auditor-General for New South Wales has found that Cyber Security NSW, which sits within the Department of Customer Service, did not provide assurance of the cybersecurity maturity self-assessments performed by individual NSW Government agencies.

Although Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, according to the audit report “Cyber Security NSW: governance, roles and responsibilities”, it has to date not carried out these audits and did not seek its own assurance of the results of those self-assessments. It also failed to sufficiently address previously identified inconsistencies and inaccuracies in how the self-assessments were performed.

“This is important given that maturity reporting is the main source of knowledge about the cybersecurity maturity and resilience of NSW Government agencies to cyber threats,” the report read.

“If these self-assessments are unreliable, then it creates the risk that knowledge of the potential resilience of the NSW public sector to cyber security incidents is similarly unreliable.”

The audit also found that Cyber Security NSW had failed to effectively demonstrate its progress towards improving cyber resilience and to ensure that its efforts were “effectively and efficiently targeted, prioritised, planned, and reported”, despite the majority of councils and agencies reporting that the services they had received had helped to improve their individual cybersecurity.

According to the report, Cyber Security NSW currently has many sets of objectives across a range of sources, including the Cyber Security Strategy, business plans, corporate material, and public communications. However, it lacks reliable and meaningful ways of measuring progress towards its objectives, and has no overall workplan or roadmap to show how the objectives would be achieved.

The audit also highlighted that, consistent with the expectations that accompanied its 2020 funding enhancement, Cyber Security NSW has engaged with the local government sector, “albeit with mixed results”.

The agency has a remit to assist local governments to improve their cyber resilience. However, the review found that it cannot mandate action and does not have a strategic approach guiding its efforts.

“While these mixed results are partly a consequence of it not being provided a formal mandate in the sector, it has also been impacted by the fact that Cyber Security NSW has not established an engagement plan or strategy to guide its engagement with the local government sector,” the report said.

The report’s key findings do confirm, however, that Cyber Security NSW aligns with broader NSW Government policy, has an evidence base or rationale for its work, and is developing its organisational capabilities to meet its purpose.

The audit found that while agencies and councils consulted during the process had a “sound understanding” of Cyber Security NSW’s high-level purpose generally, they had limited awareness of its specific services and functions.

The final recommendations, to be implemented by the Department of Customer Service by 30 June, were as follows:

  1. Implement an approach that provides reasonable assurance that NSW Government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
  2. Ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW Government outcomes
  3. Ensure that Cyber Security NSW has a detailed, complete, and accessible catalogue of services available to agencies and councils
  4. Develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders

The audit report measured the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.

It examined the internal planning and governance processes in place to support the agency’s objectives, as well as Cyber Security NSW’s roles and responsibilities as understood across the public sector.

In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions.

As a result, according to the report, Cyber Security NSW is receiving $60 million in funding covering the 2020–21 to 2022–23 period – an increase from its previous funding of around $5 million per year (sourced from contributions from each NSW Government department).

Cyber Security NSW “aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats”, but it does not provide broader consumer-focused services.