GOVIS 2023 Digital Resilience

Friday 16 June 2023

Museum of New Zealand Te Papa Tongarewa, Wellington

Programme

GOVIS 2023 Digital Resilience was a one day conference and contained a mixture of keynote speakers, panels, and streamed presentations.

You can find the presentation recordings here (Oceania room only).

You can find the live transcript here (Oceania room only).

You can find a selection of the presentation slides here.

See below for the programme and precis:

What did we hear at the conference?

Our conference theme was all about how to build digital public sector resilience in a global period of change and uncertainty. In just the last three years this country has faced many challenges - including major floods exacerbated by climate change, high inflation, a pandemic, reduced social cohesion, geopolitical tensions, supply chain issues, and cyber attacks. What do these challenges mean for working in the cloud, for designing digital services, and for protecting data? What can we do to foster institutional and personal resilience, so we can deliver for Aotearoa New Zealand? What opportunities and challenges are posed by generative AI, as it becomes immensly more capable and accessible than before?

Here is a quick summary of what we heard:

  • National resilience. Our strategic environment is no longer benign, rather it is becoming increasingly competitive with actors constantly trying to secure access to digital systems. We heard from Michael Jagusch at NZ's National Cyber Security Centre (NCSC) about how they deal with about 350 incidents every year - of which about a third are state-sponsored, and a quarter are due to organised crime. However despite the scale and sophistication of these attacks, virtually all of can be prevented if organisations adopt unique/strong/long passwords and carefully manage administrative access to systems. We should be looking to the NCSC's highly accessible Cyber Security Framework - this contains tangible security objectives that go far beyond the direct responsibility of a cyber security team, for example having good documentation and processes around your organisational information and data. Nationally signficant New Zealand organisations can also make use of the NCSC's Malware Free Networks service.

  • Institutional resilience. In order for our public institutions to be resilient and adaptable they need to have the right internal capability, a flat org chart, and unapologetically prioritisng the needs of customers. This is what we heard from Damon Rees  - the recent head of Service New South Wales. Service NSW and its 114 service centres (plus mobile centres) was able to support customers through floods, droughts, bush fires, a mouse plague and COVID-19 by prioritising them over everything else. This customer focus become a powerful cultural lever that over about 10 years enabled digital transformation efforts, the ability to get ahead of chronic 'failure demand', and better collaboration with partner organisations.

  • Personal resilience. We heard from both senior managers and regular public servants about how achieving personal resilience and wellbeing can be a huge challenge. While increased levels of working from home bring more freedom and flexibility; they can also contribute to loneliness & isolation, impact teams' ability to plan and collaborate, and create difficulties for new starters and early-career staff. Many of our jobs have been very stressful over the last few years, and burnout & health scares are a very real threat - if this sounds like you then a proper break and/or career shift might be prudent! And look out for your colleagues as well.

  • Incident response. When is the best time to plan and prepare for a potential incident? Before it happens! While obvious, this advice is not always followed... so now is the time to understand your responsibilities when it comes to potential cyber incidents, privacy breaches, or natural disasters - dust off and review your incident planning (even if it is just a basic BCP) and run some exercises! We heard from Mike Chapman (Archives NZ), Simon Mason (Stats NZ) and Fiona Dally (MBIE) about how to pivot a census when confronted with #1 COVID-19 and #2 a major cyclone - even to the point of hiring helicopters, jetskis and horses to deliver and collect census forms, and making pragmatic trade-offs on data quality. We also heard about the realities of working in incident response - the need to be able to quickly resolve bureaucratic hurdles around data sharing and access (or better still - pre-empt these) and for organisations to develop a 'wider bench' of reserve capability that can step up as needed and manage the pressure on the individuals involved. Interested in being involved in incident response work? Get yourself trained in the Coordinated Incident Management System (CIMS).

  • Resilience and sovereignty in the cloud. With several multinational technology companies announcing their intentions to set up on-shore cloud services in New Zealand, what should we expect and what questions do we need to be asking? We heard from Phil Pennington (RNZ), Dr Te Taka Keegan (University of Waikato), Louisa Joblin (Duncan Cotterill) and Don Christie (Catalyst IT) about the need to ensure Māori sovereignty over cloud services, data & AI; what legal and governance issues are at stake; and the case for strengthening NZ's domestic cloud and AI capabilities through procurement decisions and use of open source technology.

  • Cyber security. We wrapped up the day with some great cyber security tips and tricks from Steve Honiss and Elf Eldridge (ZX Security). Good governance is essential for cyber security - so you can refer your senior managers to this Cyber Risk Guide from the Institute of Directors New Zealand! But it is also on us to be identifying and raising the risks that we see (rather than sweeping them under the carpet...) and making sure that they are addressed, or are accepted by a manager with the appropriate level of seniority. One category of cyber attacks are those intentionally targeted at our organisation - we can and should be preparing for these - for example by implementing these Critical Controls from the Computer Emergency Response Team (CERT) - see here for they could help prevent a ransomware incident. However we also need to think of a second category - opportunistic attacks. These are generally based on newly-discovered software vulnerabilities, and cannot be anticipated. Instead we need to be investing in our people and putting in place good incident response processes (e.g. by ensuring incident response plans are kept in one place and have a clear summary. Finally - don't put sensitive information in ChatGPT, because it will be used to retrain the model and could be accessed by another user!

Featured Speakers

Mike Jagusch

Manager Mission Enablement, National Cyber Security Centre

Mike is Manager Mission Enablement at the National Cyber Security Centre. Mike has had several roles within NCSC and a broad experience within cyber-security. Mike has worked in customer engagement, providing organisations security advice and guidance at both a practitioner and governance level. Previously, Mike has been involved in the more ‘hands-on’ aspects of cyber-security in his role managing the Systems Engineering team who design, build, maintain and evolve NCSC’s cyber-security capabilities.

In his current role, Mike is focussed on delivering strategic outcomes by leveraging the expertise of the entire NCSC. Mike’s teams provide communications, policy, stakeholder engagement and business support.

Dr Te Taka Keegan

Waikato University

Te Taka Keegan is from Waikato-Maniapoto, Ngāti Porou, and Ngāti Whakaue. He received a Diploma in Computer Engineering from CIT (Wellington), a BA (Te Tohu Paetahi stream), MA and PhD from Waikato University. Te Taka has worked on a number of projects involving the Māori language and technology. These include the Māori Niupepa Collection, Te Kete Ipurangi, the Microsoft keyboard, Microsoft Windows and Microsoft Office in Māori, Moodle in Māori, Google Web Search in Māori, the Māori macroniser and SwiftKey for Māori. He holds a number of positions in local, regional and national authorities that seek to empower Māori in technology.

Suzanne Pullman

Chief Information Officer, Commerce Commission

Suzanne Pullman has over 13 years’ experience in IT across Government agencies and the private sector. Having stepped up into the role of CIO in 2020, just weeks before the global COVID pandemic, digital resilience has been a key focus for her in recent years.

Louisa Joblin

Senior Associate, Duncan Cotterill

Louisa advises commercial, corporate, and public sector clients on anything and everything to do with privacy protection and compliance including data governance and protection, privacy documentation and processes, staff training, notification requirements, and dealing with access and correction requests. She also advises clients experiencing privacy breaches, including providing guidance when assessing whether privacy breaches are notifiable, liaising with the Office of the Privacy Commissioner, and working as part of incident response teams alongside other advisors such as insurers and IT professionals. 

Damon Rees

Managing Principal and CEO, Better As Usual Pty Ltd

Damon Rees is a business leader focused on customer centricity, culture, digital enablement, and innovation, with more than twenty years of experience driving transformational change, organisational performance, and better customer outcomes.

He is currently the Managing Principal and CEO of Better As Usual Pty Ltd, a practitioner-led professional services organisation committed to better customer outcomes, building organisational capability, and positive social impact.

Damon’s experience spans the private, public, and not-for-profit sectors including as the CEO of Service NSW, the inaugural Government Chief Information and Digital Officer for NSW Government, the Chief Digital Officer for Macquarie Group, the Chief Technology and Interim Chief Information Officer for Woolworths, and the Head of Integrated Delivery for Westpac. He has served as an independent Director of GP Synergy for the last eight years including three years as Chair of the Finance, Audit and Risk committee, and six years as Chair of the Digital and ICT committee.

GOVIS wishes to acknowledge and thank our conference sponsors for their support