Secret CSO: Narelle Devine, Australian Government Department of Human Services

Name: Narelle Devine

Company: Australian Government Department of Human Services

Job title: Chief Information Security Officer

Date started current role: 16 May 2016

Location: Canberra, Australia

Narelle Devine, Chief Information Security Officer of the Australian Government Department of Human Services, was just 17 when she joined the Royal Australian Navy. After 23 years serving the country with the Navy, Devine was appointed as the Department of Human Services' Chief Information Security Officer in 2016. The department delivers essential welfare and health services payments to the Australian community. Her team of about 220 staff protect the personal and financial security of 26 million Australians, managing 280,000 authentications every day and protecting the $190 billion in payments the department makes every year.

What was your first job? A warfare officer in the Royal Australian Navy.

How did you get involved in cybersecurity? My career in the Navy provided me with cyber experience that I would not have seen anywhere else except the military. I managed the networks of all ships in the Fleet, which included building resilient systems. Security was obviously critical. While studying for my master's degree I was introduced to the concept of ethical hacking and quickly realised that I was incredibly interested in this area. I was given the opportunity to be the Navy's first Director of Cyber Warfare, which shaped the way the ADF would embrace cyber warfare into the future. It was at that point I would say I shifted to the cyber security profession.

What was your education? Do you hold any certifications? What are they?

  • Bachelor of Arts (Information Systems and English)
  • Master of Science (Information Technology)
  • Master of Systems Engineering

Explain your career path. Did you take any detours? If so, discuss. I didn't take any intentional detours because I don't think I knew where I wanted to end up. When I left school the concept of a CISO didn't exist and cyber security was around in theory but masked in secure coding courses in Computing and Information Technology degrees. The deviations in my career were the postings that I spent away from the more traditional computer networking roles. As a Warfare Officer specialising in Communications and Electronic Warfare in the Navy I crossed between the two but also had to, at times, combine those with traditional warfare roles and did things such as re-writing anti-submarine tactics. At the time, I considered these deviations from my desired career path but upon reflection, they all added to the skills that I now use routinely. These skills form the foundation for many of my daily technical conversations and I find myself using similar thought processes when working with the team to approve hunt missions that I did when writing anti-submarine tactics. To win you need to understand and out-think the adversary - it doesn't matter if the adversary is a submarine or a computer.

Was there anyone who has inspired or mentored you in your career? I have worked for some exceptional senior officers in the military and I learned a lot from them. These officers taught me how to make difficult decisions under pressure, and the importance of having those first few immediate actions drilled to a point of them becoming completely instinctive. I've also been fortunate throughout my career to spend time overseas where I have met and worked alongside some amazing technical minds. Because of this, I acquired detailed technical skills that I would not have had the opportunity to get otherwise. They taught me that while you don't need to (and shouldn't be) hands on keyboard as a cyber-executive, you do need to know enough about the network and the technologies to be able to engage fully with your staff, and to be able to make sound technical decisions. You then need to translate those decisions into risk statements that are understandable to the rest of the board. My fellow CISOs also offer a lot of knowledge and wisdom, not just in government but across the private sector. While the role is new and we are all on this journey together, I find great comfort from the guidance I get from those that have been doing it for longer. Finally, I have some mentors completely outside of the military/technical/CISO space—people who are exceptional at communications, branding and public speaking. The advice that they have given me, particularly over the last two years since the public profile of the Cyber Branch in the department has increased, has been extraordinary.

What do you feel is the most important aspect of your job? Communication. Whether it be ensuring that briefs are timely and accurate; being able to have a deeply technical discussion with the analysts about courses of action during an incident; conveying issues to executives in language that is easily understood; responding to media requests; or speaking on stage in front of thousands of people. Every aspect of being a CISO relies on effective communication that is targeted to the audience, and the audience and complexity of the message are often vastly different on a daily basis.

What metrics or KPIs do you use to measure security effectiveness? This is difficult. Cyber security is largely measured when something goes wrong - yet you are constantly fighting to prevent it from going wrong. We don't control the actions of the adversary and can only detect and respond to issues as they arise, so 'quotas' as such are not helpful. I certainly don't want to encourage increased cyber activity just so that I can detect and report on more things to meet a KPI!

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? While I accept that there is a skills shortage, we have a number of strategies in place to ensure that it does not affect us. The Cyber Security Branch in the Department has grown in the 2 ½ years that I have been here from 25 to about 220 people. We have balanced experienced staff with enthusiastic newcomers, so we could 'grow our own talent'. As a government department, we are competing with big organisations, often with bigger budgets. Investing in high quality training and ongoing development opportunities is paramount to keeping staff long enough to transfer skills to the up-and-comers. Having a pragmatic approach to staff movements also creates a culture that supports the career aspirations of our staff, because as long as they stay in the cyber security ecosystem, it benefits the sector. Since this is an emerging field, it's important to think through all the factors that could attract and retain the right people. Culture is also critical. If people feel supported and valued in their team, they are more likely to turn up every day and try their hardest. This comes from strong leadership, open communication, transparency of priorities, celebrating successes, and looking at failures or challenges as opportunities to learn. Overall, it's important to keep them interested. You will be dealing with people who are inquisitive by nature and looking to try new things. If you are able to let them be creative and give them the scope to do some interesting things, without breaking your network, of course, they will often not want to move on, even if the pay cheque is bigger.

Cybersecurity is constantly changing - how do you keep learning? Networking is important. I probably learn the most by meeting regularly with the other CISOs in Australia (both in the public and private sectors). Often issues unknown to me that they are dealing with are things that just have not reached me … yet! I also find podcasts really useful. I listen to them when I'm driving to try and keep up to date - the threat intelligence ones are my favourite. I've recently tried to shift my own learning to more business-focussed areas of study, such as completing courses in things such as Company Directorships. While the technology, threats and tactics of cyber security are rapidly changing, as a CISO a large part of my job is to communicate effectively with the rest of the C-suite and the board. Ensuring that I stay up to date on the non-technical components is equally as important.

What conferences are on your must-attend list? There are so many conferences in cyber that you could spend a large part of your time attending different events. Finding a good balance between industry and research led activities that complements the work you are currently or about to undertake is the key. Because of the size and scale of it I find the RSA Conference is one I regularly attend. Other international events such as Defcon and Blackhat are also valuable. We blend this with some of the other large Australian conferences - MPOWER, Cyber Defence Live - and more niche activities such as INTERPOL events. We also try and remain engaged with academia and attend, where appropriate and where we've had time to contribute, academic conferences such as IARIA.

What is the best current trend in cybersecurity? The worst? The best: Cyber security is everyone's responsibility. It is, I think, widely accepted that people are often the weakest link and that cyber security education and awareness is becoming increasingly important. The pace of change of technology means that even with the best procurement models it will be difficult, particularly at scale, to keep up with the latest software for each and every threat. Ensuring that basic cyber hygiene is in place and that all staff and customers are aware of the signs and that they know what to do and who to tell will be the key. My pitch to my colleagues is that everyone needs to care as much about cyber security as I do. I need all staff to understand and think about the consequences of copying a few lines of code without checking, or clicking on a link without hovering to see where it will take them first.

The worst: Moving from compliance to risk. It is certainly important, in my opinion, to adopt a risk-based approach to cyber security but not at the expense of an underlying compliance framework. Budget, staffing, available technology, technology integration, evaluation of the threat or vulnerability, business impact and customer experience should all be considered for each and every thing that is done. In nearly every case, cyber security will be a compromise between all of the above and will carry some level of risk that needs to be aligned to the risk appetite of the organisation. Without an underlying compliance framework and having some metrics to work from, calculating that risk becomes very difficult so I'm far more supportive of a blended approach rather than replacing compliance with risk - I think you need both.

What's the best career advice you ever received? Be patient and prepared. This holds true in many circumstances. Incident management - attacks will often occur when you least expect them and sometimes if you suspect it is a sophisticated actor you may wish to slow down the response to gain intelligence. Career management - opportunities will present themselves when you least expect it, be ready to move to something amazing but be patient and wait for the right opportunity that will contribute to your bigger pathway.

What advice would you give to aspiring security leaders? You're only as good as your last incident! The threat is constantly evolving and being on the front foot is increasingly difficult. You can't do that alone. You need a great network, greater executive support and an ever greater team. Invest in all of those areas. Being technical alone is unlikely to be enough. You need to understand the business, you need to understand risk, you need to understand how to balance finances and you need to understand how to lead people. People at every level will be your greatest asset. Know why your organisation is relevant. Consider who would likely target you and what information or access would they want; then shape your budget, governance, staffing and technology to match. It will mean that you are constantly changing - but in cyber security change is the only constant.

What has been your greatest career achievement? A Conspicuous Service Medal for meritorious achievement as the Deputy Director-Cyber (Maritime) in Joint Capability Coordination Division.

Looking back with 20:20 hindsight, what would you have done differently? I would have spent a little more time earlier in my career paying attention to change management techniques - both the good and the bad. Cyber security is constant change. While I truly love operations and the team spirit you can only get when locked in a room with no windows with a small team of your best and brightest for several nights in a row, most of my day is managing change: changing threat, changing organisational structure, changing report formats, changing skill requirements. It's probably the one thing that has taken us a little while to get right and I think we are still learning. I never expected it to be such a major component of being a CISO.

What is your favourite quote? "Deterring hackers is almost impossible when the rewards are so great and the risks so low" - Steve Ranger

What are you reading now? The President Is Missing (James Patterson and Bill Clinton)

In my spare time, I like to… I have a three-year-old daughter and am currently balancing pregnancy with full-time work … what spare time?

Most people don't know that I… Used to play the violin in an orchestra.

Ask me to do anything but… Make a decision in the middle of the night without at least having turned on the coffee machine.
