How NSW’s new cyber strategy changes the game for partners
Faster incident reporting, secure-by-design principles and a focus on resilience feature prominently in the just-released two-year plan.
Resilience, secure-by-design principles and governance sit at the heart of the NSW Government’s new cybersecurity strategy.
These priorities will guide departments, agencies and statutory authorities as they work to develop secure, trusted digital systems throughout the state.
For partners, it changes the ground rules for delivering services. Murray Mills, head of cybersecurity at Tecala, said it reinforces that security and resilience need to be designed in from the start and cover the full lifecycle of digital services.
“It helps organisations understand and shift away from a tick-box compliance exercise and toward a continuous, evidence-based approach to managing risk, monitoring controls and improving security,” Mills said.
The newly released strategy outlines several objectives that partners will need to align with when providing services to NSW government entities.
Strengthen risk management and governance
Governance, compliance and risk management become priorities across government and agencies. There’s also a requirement to document and assess third-party providers to strengthen supply chains.
Fred Thiele, CISO at Interactive, welcomed the emphasis on governance but noted that efforts need to be aligned with real uplift rather than box-ticking. “Implementation of the policy needs to ensure a focus on improved outcomes,” he told CRN Australia.
The strategy highlights protecting ‘crown jewels’, including OT and IoT systems and critical infrastructure, although these requirements may be relevant only to certain partners.
“Given NSW's focus on new rail technology (light rail and metro driverless trains) this makes sense, but won't necessarily be applicable to all agencies and suppliers,” Thiele added.
Raise the bar on incident response
Incident response and cyber intelligence must be faster and more coordinated across government. This includes maintaining inventories and lifecycle management plans for all critical assets, and reporting incidents within 24 hours.
Cyber incident response and continuity plans must also be aligned with state emergency plans for coordinated response and recovery.
“Partners should expect 24-hour reporting to be added to contractual notification obligations alongside SOCI and privacy requirements,” Thiele explained.
The goal is cyber resilience
Across NSW government, there’s now a mandate to strengthen cyber resilience, which includes identifying and protecting critical assets, targeted uplift programs and applying secure-by-design and zero trust principles.
This approach encourages government departments to shift away from the security mantra of blocking everything, according to Tony Campbell, enterprise security service line manager at Kinetic IT.
“Instead, by assuming a breach will happen (or already has), partners refocus on containment and damage limitation, and on effectively returning key institutions to business as usual,” Campbell said.
Partners will need to support agencies to achieve tight asset and identity hygiene, always-on telemetry, rehearsed response playbooks, and recovery that’s continuously tested, not once-a-year tabletop exercises, Campbell noted.
“In practice, success will be measured by the ability to detect, contain and restore services within specific timeframes,” he told CRN Australia.
Campbell explained that delivery partners should follow the basic rules of engagement: good patching, rigorous change control, practiced response, and a culture that treats security as inherent to service delivery.
“If so, then resilience is not a pipe dream,” he said.
“The end-state should be framed as a digital immune system, where architectures are observable by default, designed to fail safely, and increasingly capable of self-healing through automated containment and recovery patterns,” he added.
Greater need for workforce training and development
The strategy identifies workforce training and development across government and agencies as integral to achieving cyber resilience.
Over the next two years, partners can add the most value in three areas, according to Thiele. First, by helping agencies build confidence in using AI — from foundational understanding through to more advanced applications.
Second, by supporting agencies as the regulatory environment becomes more complex and obligations get harder to interpret.
Third, by reinforcing the fundamentals. “Strong asset, vulnerability and identity management remain the backbone of cyber maturity, even if they aren’t always the most exciting,” he said.
For partners, this means supporting a more comprehensive approach to cyber maturity than in the past.
“Agencies that master the basics will be far better placed to lift their overall resilience,” he added.