Speakers
Synopsis
This Think Tank is an active panel exploring the practical business challenge of building a cyber champion in a local council business environment. The 2024 Auditor-General for New South Wales performance audit “Cyber Security in Local Government” found that the three local councils reviewed in this report did not effectively identify and manage cyber security risks. As a result, none of the councils have up-to-date plans and processes to support effective detection, response and recovery from cyber security incidents. This is despite the availability of the Cyber Security Guidelines for Local Government from Cyber NSW.

The above audit shows there are few natural cyber champions in a council due to their organisational structure. Councils are resourced to serve the local ratepayers, unlike for-profit enterprises, which prioritise the interests of shareholders. To be successful, the security lead/manager must be equipped with the business skills to build these cyber champions by communicating cyber risk in business language.

As the ICT Security Manager of a large local council, Iftekhar demystifies a local council's organisational structure. Jeff is an experienced councillor and a recognised cyber leader. Denny is a recognised expert in the FAIR risk quantification standard, which bridges the communication gap between business and cyber leaders.

We will explain how to build up a cyber champion through a role play between the ICT Security Coordinator and the councillor, facilitated by a FAIR expert. We frame the technical cyber security control conversation as a business impact statement expressed in financial terms. The success of these conversations lies in humanising them by substituting opaque opinion-based risk measurement with Open FAIR standard-based risk measurement to demonstrate the transparency and authenticity of the conversation.