Director for Cyber Security, Governance and Risk for the Queensland Government, Faisal Khan, shares key reasons why government organisations are a target for cyber-attacks
While now an expert across cyber security resilience, ICT governance and risk, Faisal Khan’s cyber career evolved from an IT project management and implementation role.
Khan originally studied Public Administration, specialising in information systems, and has mostly worked in the public sector, both in Australia and overseas. He also holds a Master of Philosophy degree in Cyber Security from the University of Queensland, in addition to cyber security certifications such as CISSP, CISM and CISA.
Working at a reserve bank overseas early in his career, Khan recognised the need to establish a cybersecurity function when a new IT rollout changed the way information was hosted and shared across the organisation.
“Due to the unavailability of resources and knowledge locally, I jumped into cybersecurity from the IT project management and implementation domain,” Khan says. This journey has given Khan a strong vantage point on how public sector information systems and security function.
Where the public sector ranks as a potential target for cyber attacks
Khan believes that despite recent efforts to make senior executives and boards responsible for cyber, there remains a huge lack of understanding at the highest level that hinders adequate cybersecurity decision-making.
“There are several causes of this lack. However, the effect is quite alarming for the public sector that deals with heaps of critical and sensitive information,” he says.
“Hence, cybersecurity and corporate goals are not always well-aligned, cyber risks are not well-managed and organisational resources are not necessarily utilised with prudence.”
Khan is a firm believer that data speaks louder than words. To illustrate this, he references the ACSC’s Annual Cyber Threat Report 2021-22, which revealed that Government is the most-attacked sector in Australia.
“Inherent low maturity and slow pace of processes, lack of adequately trained cybersecurity resources, and the news value of a public sector breach also make this sector a potential target for cyber-attacks,” he says.
“Moreover, state actors have their own plans, and they look for weak links across this sector as part of their political agenda.”
Acting and achieving results
Khan is proud of acting as a change enabler by engaging in discussions at the highest forums in a Queensland Government agency.
“Being successful in winning their support to address cyber risks has been my biggest success this year,” he says.
“It took several months and various approaches to engage with the executives; however, the end result is an approved cyber maturity plan with associated budget and resources, which was just a compliance issue when I started.”
“Another strategic and long-term initiative that could greatly help public and private sectors equally is Queensland Government’s Cyber Mentoring Program, which I am a part of.
“There are several experienced mentors like me that are contributing to this noble initiative to bring more and more individuals into the cyber security domain to address the cyber-skills shortage and make cyber a safer place for individuals, organisations and families.”
Khan is also an active advocate for finding and establishing successful practices to reduce the risk of cyber-attacks. He does this by speaking to executives on ‘Prioritising the Prioritised’, a presentation that focuses on how to select the most important of a number of cybersecurity priorities when everything is high-risk, urgent and important.
“I presented a framework to enable the decision-making process regarding the above and the executives liked the approach and approved the prioritising decisions I had made using that framework,” he says.
“The framework presented was quite generic and could be used by any organisation.”