Name: Narelle Devine
Title and company: CISO, Australian Government Department of Human Services
Number of years in the information security industry: 15 years
If you weren’t working in the infosec world, what would you be doing?
I would probably still be in the Royal Australian Navy driving warships.
What does the RSA Conference 2019 theme of “Better” mean to you?
To me it means being better at every aspect of cyber operations: analysis, intelligence, resilience, hunting, collaboration, governance, education - the list is long. As a community we are doing well but we can always, and should always, strive to be and do better—as an entire industry. Our networks are so dependent upon one another that we all need to be better collectively!
What is the biggest challenge facing the infosec industry right now?
It’s hard to pick one, but I feel the biggest challenge is the speed at which technology is changing—on both sides of cyber! Adversaries are continually finding new technologies and new ways of using old technologies to challenge defences, while the defenders need more money and more time to keep up with the constantly changing technology landscape. Continually upgrading, replacing or acquiring new technology is not only expensive, the training overhead for staff is also increasing. There is an intelligence requirement to understand what adversaries are currently doing, and predict what they might do next to ensure you are investing in the right capability gaps. It’s nothing short of exhausting!
Complete this sentence: 2025 will be the year of__:
Cyber Bots. We are already seeing a huge increase in the application of both machine learning and artificial intelligence. In just six years it’s not beyond reality to imagine some large elements of the cyber fight being done bot to bot.
You’ve been in the public service for over two decades, first in the military and now in the government’s Department of Human Services. Both role focus on protection; how are threats and actors similar and how are they different in both these roles?
Fundamentally both the threats and actors are the same—they have the same motivations and don’t discriminate. If you hold information that is valuable they want it. The only real difference is that in the military you can choose in some cases to air-gap systems of interest and very quickly reduce your exposure. However for the Department our daily business is providing services to all Australians. This means not only are the systems internet facing, you have to balance security with user experience.