Joel – After a highly successful 23 year career in the Navy what attracted you to the role of CISO at the Department of Human Services? 



Narelle – 

For me it was definitely the opportunity to help so many people, our reach is so big and we touch the lives of every Australian and the system is so huge and complex, we pump through a lot of money and we have the personal information of so many Australians. It is a really rewarding role and it’s something that you know you are making a difference every day. You really do feel like you are giving back and it was a great opportunity for me.

Joel – From the outside looking in it appears to have been a very active first 18 months in the role, looking back what are have been the biggest challenges and what have been some of the biggest accomplishments?

Narelle – 

Certainly the biggest challenge has been building the team. When I first got here it was a relatively small team and we have increased from less than forty to over one hundred and forty people within that time (18 months). With that comes a really big overhead of cultural change and team building and being able to integrate all those capability bricks.

Joel: Team and culture number one?

Narelle: Absolutely

Joel: If you had to put the building of the maturity and capability in the business down to something, what would it be?

Narelle:

We took a very planned and structured approach. It wasn’t ad-hoc, it was all written and developed. We had to invest equally in technology and people. Definitely my approach is that you can’t win this cyber fight if you only invest in one of those pillars, it has to be an equal investment in both. The technology will get you to a certain point, people will get you to a certain point but if you blend them together properly and invest the time and energy in building them correctly then you can really reach the next level and that is where we are sitting now.

Joel: Could you give me an idea on some of the specific initiatives you’ve implemented locally to invest in talent and grow from the ground up?

Narelle:

We’ve taken a very different approach, rather than necessarily taking only those who are all highly trained and have the qualifications and experience we are saying to STEMS, cadets, apprentices, graduates ‘come and work here!’. Even if you don’t have a cyber qualification, all you need is the attitude and aptitude to succeed. I just want the enthusiasm and someone who wants to learn and we will train them. We have a large cohort of those entries and we are seeing a great outcome from them. They are very motivated to learn and they fit in very well with the teams. It is a bit of a grow your own approach. We won’t see the full benefits of that approach for another 18 months or so, it’s only been in train for about 8 months now and it will take a little while to see whether or not that approach has been totally successful, but we are certainly seeing indicators at this early stage that it’s been a good move for us.

Joel: Has this been a fairly targeted recruitment drive?

Narelle:

Yes, both internally and externally it has been a very focused approach on how we recruit. We’re all about investing in everybody at every level. We also need to change the model for those that we bring in who are experienced. The only way we can make this work is those who we bring in with experience need to not only be good at the job we recruit them for, but they need to have an element of wanting to teach. The only way this will successfully work is if we have a really strong mentor program that enables experienced staff to teach those lesser-experienced staff we bring in.

Joel: Am I correct in assuming on the experience side you’ve got a mix of contractors, permanents and consulting firms sharing the knowledge with the new comers?

Narelle:

Yes, we do and it’s good to get that cross-pollination going.

Joel: To complement that knowledge-sharing component of learning do you invest in both your own training and external training?

Narelle:

Absolutely, we have a combination of in-house training and externally provided training. We focus quite heavily on in-house training, both the mentoring/ad-hoc piece but also on the more formal in-house training courses and programs that we have developed. We don’t just deliver the in-house courses to our internal cyber staff but that gets pushed out wider into the departments to help raise the cyber awareness of the department. We have the unique touch point where if we encourage good cyber behaviours, we have the opportunity to help in the whole of government sense to lift the whole country in their cyber capability.

Joel: It’s well documented that there is a shortage of Cyber Security talent available in the market, how has DHS dealt with this challenging dynamic and been able to attract and retain high calibre security professionals?

Narelle:

You would have got to see a little bit of it as you walk in here. The new Cyber Operations centre is definitely one of the leading places in Canberra. We also have a great set up for flexible work, we are very outcomes driven and as long as you can achieve the outcomes then the method in which you do that is very unique to every individual team. We do work in a very different way because otherwise we won’t attract the right type of people. We have lot of good technology that is not only a benefit for retention, but also important to protect all the information we are holding. I would like to think that we overlay the great technology, tools and facilities with excellent processes for managing people and in investing in their training and them as a person. The combination of these two make it a great place to come and work every day. I think our culture is fabulous; there is a great vibe out there. It’s fun, it’s different and they all know they are doing something that is worthwhile everyday

Joel: Are there key initiatives that you looking to implement around culture, structure and team over the next year or two?

We have a formal strategy that runs over next 4 years, and shorter term one and two year plans. These are focused on people, the team environment and training. I am really excited about the next 12 months, and I think there are a lot of opportunities in this space. I think the way the team is working at the moment is great, it’s fabulous to watch them be able to do this. To be honest the cyber threat is constantly changing, it’s a job that continually moves and you have to be on your game constantly. It kind of gives you that adrenaline rush when it does happen and the team pulls together to fix it, it’s a great thing to watch and they are very professional and very good at what they do.

Joel: There’s clearly a shortage of females across STEM roles including Cyber Security, has DHS been successful in attracting women to such positions? if so, how have you gone about it?

Narelle:

I think we have been successful; we have a large female cohort within the branch. We are putting a lot of effort into the schools, and having St Claire’s on board to come and work with us to do some training has been a great way to do that. There are two elements, one is about investing in the females to come up in the future and the second part is about how we got here today. DHS in general invests quite heavily in females and also has a heavy investment female senior executive, in particular within Cyber where the senior leadership is 50/50. We have some excellent female role models within the team that perform above and beyond.

I don’t think there is any one strategy but it’s real and we see and feel it. Another component is having a flexible workplace, particularly for females they are able to balance their work life through our flexible working practices.

Joel: As the CISO of one our nations’ largest and most high profile Government Departments what level of collaboration do you have with your peers in other Departments and Private Sector in the fight against cyber crime?

Narelle:

We have excellent relationships with the other big government departments and with a lot of the smaller ones as well. We also reach out extensively through the private sector to the corporates and to industry and academia, both nationally and internationally. We have a really good group of people that we do lean on to ensure we’re all looking at the same thing at the same time.

Joel: Are there formal meetings or working groups that happen or is it more ad-hoc collaboration?

Narelle:

A bit of both, from a government point of view PM& C are doing a lot of work around the cyber taskforce and looking at how to formalise some of those relationships that already exist. With the wider community there is a much more formal stream, there is a group call CISO Lens and we do talk to our corporate partners a lot, through that mechanism and it’s very useful for us.

Joel: Is the talent component of your role something that comes up quite regularly in those discussions?

Narelle:

I think we all recognise there is a major skill shortage in this area and we need to be able to work together to be able to fix that, we need to invest in our people. One of the realisations is that it’s ok to invest in people and then have them move on as long as they are moving on to be in the cyber ecosystem still. If we are training people who are of the calibre to be picked up and move on to another agency then that’s actually a great outcome for us. In the past I think we were very reluctant to invest in people and have them move on.

Joel: The recently held “Cyber war games” appear to have been very well received across the market, please explain how this concept arose and also what we might we expect in next year’s event?

Narelle:

The Cyber war games were an idea we had a while ago, and coming from the military we’d see the exercise environments and knew that was a good way of simulating. We also at the same time a had vision for the community engagement program around getting out to schools and have some sort of thing that kids could feel and touch so cyber becomes real, not just something that sits on a screen. It moulded together from that. We looked at building a train set to take to schools in order to demonstrate critical infrastructure and how cyber can interact. When we looked further into reaching down into primary schools (at that stage we were primary dealing with secondary schools) we realised the Lego train would be more appealing to them. From there the Lego train expanded into a city, and then thought if we were using it for community engagement it be great if we enabled our own staff could train on it. We wanted an enduring capability that our teams could train on every day in house and now our staff can play on it whenever they can. It means they can really start to think outside the box.

Further on when we looked into how we could foster better relations with cross government agencies the idea of the cyber war games really took flight. We realised if we invited everyone else to come along and play, not only was a good opportunity to build a capability and use it more than once but it was a great chance for us to share knowledge, get our teams to know who their counterpart was in the other agencies and be able to test it in a fun way. When you overlay all the executives and corporate, international adjudicators it really did make for an excellent week where we could not only test for the technical skills of the teams but do a bunch of team building exercises and we could develop their public speaking and communication skills. Toppled with all the visitors it enabled us a good opportunity to focus on recruitment and give everyone a chance to come and have a look at what we can offer.

As for next years, I think it’s fair to say there will be another game or games and it will also expand from what it is now. We’re working to finalise those plans now.