Cyber Strategy and Transformation Program
Australian Hospital Company Ltd, 2021 - 2024


Page 1: Cyber Strategy and Transformation Program

Australian Hospital Company Ltd, 2021 - 2024

Page 2: Cyber Strategy and Transformation Program


Page 3: Cyber Strategy and Transformation Program

Figure: Average total cost and frequency of data breaches by initial attack vector

Page 4: Cyber Strategy and Transformation Program

Cyber Resilience Strategy

Cyber Resilience Strategy Roadmap – 2021 to 2024
From Basic Security to Organizational (Cyber Resilience)

Capabilities delivered

Phase 1: Basic Security capability

• Incident Response Retainer
• Cyber Insurance
• Email Anti-Phishing
• Digital Transformation Assessment
• Identify & Protect Crown Jewels
• Cyber Awareness & Education
• Cloud Security Posture Management
• Identity Access Management
• Authentication: MFA & SSO
• Cyber Risk Assessment
• Vulnerability Management

Phase 2: Foundational Security capability

• Establish Cyber Security Policy
• Architecture & Segmentation
• EDR & Unknown Threats
• SOAR implementation
• 24/7 SOC Team
• Business Partner Risk Assessment
• Asset Management System
• Audit & Risk Register
• Cyber Crisis Simulation
• Data Classification
• Cyber Security Steering Committee

Phase 3: Organizational Security Capability

• Zero Trust
• Security Consolidation
• Primary Mode of Defence: Prevention
• IoT Security Implemented
• ‘End of Support’ & Legacy Systems
• Anti-DDoS Service
• Data Loss Prevention

Risk reduction target

• All High Risks mitigated
• All Crown Jewels with High Risks and Extreme Impact mitigated
• All Very High risks mitigated

Capability maturity target

• CIS: Basic
• CIS: Foundational
• CIS: Organizational (70%)
• CIS: Organizational (95%)

Page 5: Cyber Strategy and Transformation Program

Cyber Transformation Steering Committee

Name | Steering Committee Responsibility | Decision Maker or Influencer | Position within AHC | Business Unit | Domain expertise
Ash R | Project Manager / Decision Maker | Decision Maker | Project Manager | I.T | Project Management
Phil Zongo | Strategy owner / Chairperson / Decision Maker | Decision Maker | CISO | AHC executive | Cyber Security Strategy
Jan Schreuder | Decision Maker | Decision Maker | Head of Finance | AHC executive | Budget accountability
Natasha Passley | Change Manager | Decision Maker | External party | External | Operationalization and change management expertise
Darren Argyle | Program Sponsor / Decision Maker | Decision Maker | CIO | AHC executive | Information Technology
John Smith | Risk Advisor | Influencer | Risk Advisor | Legal/Finance | Risk advisory
Person A | Responsible for specific security capability, Remediation Focused | Decision Maker | (different person based on security capability being delivered) | I.T | Ensuring specific capability will deliver security capability and integration
Person B | Legal Advisor | Influencer | (different person based on security capability being delivered) | Legal | Contract Negotiation & Legal obligations & Privacy concerns
Person C | HR Advisor | Influencer | Head of H.R | HR | Human Resources, cultural advisor
Person D | Design and Cyber Policy champion | Influencer | Head of Security Architecture | I.T | Authentication and access management
Person E | Operation and SOC champion | Influencer | Head of Security Operations & SOC | I.T | Ops, SOC Expert
Person F | Business Unit specific insights | Influencer | Head of XXX Business Unit | Multiple | Impact on specific Business Unit/s

Page 6: Cyber Strategy and Transformation Program

Deliverables and Key KPIs (Phase 1 releases R1 to R4, then Phase 2 and Phase 3)

Delivery dates: R1 Dec ‘21 | R2 Mar ’22 | R3 Jun ’22 | R4 Dec ’22 | Phase 2 Dec 2023 | Phase 3 Dec 2024

Deliverable | Key KPI | Accountable | R1 | R2 | R3 | R4 | Phase 2 | Phase 3
Identify & Protect Crown Jewels | All crown jewels identified and foundational security applied | CISO | >30% completed | >60% completed | >80% completed | 100% completed
Identify & Protect Crown Jewels | All crown jewels protected with new security capabilities | CISO | >20% completed | >50% completed | >70% completed | >90% completed | 100% completed
Cyber Awareness & Education | Training attendance and completion | Head of L&D | 25% of all employees | 50% of all employees | 75% of all employees | 100% of all employees
Cyber Awareness & Education | Social Engineering and Phishing tests | Steve Smith | Pass rate > 75% | Pass rate > 80% | Pass rate > 90% | Pass rate > 95%
Digital Transformation Assessment | New security capabilities are integrated into existing projects | James Dean | > 30% Public Facing systems | 80% Public Facing systems, > 30% of internal systems | All public facing systems, > 50% of internal systems | All systems
Cloud Security Posture Management | All configurations in line with Cloud Provider best practice | Head of Cloud Infrastructure | 30% of environment in line with best practice | 70% of environment in line with best practice | 100% of environment in line with best practice | 100% automation of controls to address misconfiguration
Cloud Security Posture Management | Security integration into CI/CD pipeline | Head of Cloud Infrastructure | Scan all cloud applications during Build Time | Scan all cloud applications during Build Time & Run Time | Configure capability from Detect to Prevent | Automate SAST and DAST controls

Quarterly Governance Reporting

Page 7: Cyber Strategy and Transformation Program

Deliverables and Key KPIs (Phase 1 releases R1 to R4, then Phase 2 and Phase 3)

Delivery dates: R1 Dec ‘21 | R2 Mar ’22 | R3 Jun ’22 | R4 Dec ’22 | Phase 2 Dec 2023 | Phase 3 Dec 2024

Deliverable | Key KPI | Accountable | R1 | R2 | R3 | R4 | Phase 2 | Phase 3
Identity Access Management | Percentage of users with Privileged access who are monitored | CIO | >50% of users with elevated level of access monitored | >60% of users with elevated level of access monitored | >90% of users with elevated level of access monitored | 100% of users with elevated level of access monitored
Identity Access Management | PAM integrated with all security solutions and crown jewels security | CIO | >30 integration with security tools and crown jewels | >60 integration with security tools and crown jewels | >80 integration with security tools and crown jewels | 100% integration with security tools and crown jewels
Authentication: MFA & SSO | Roll out of MFA App | Security Ops | >50% of crown jewels integrated | >70% of crown jewels integrated | >90% of crown jewels integrated | All crown jewel access using MFA or SSO
Authentication: MFA & SSO | Number of Apps and systems using SSO | Security Ops | >35% crown jewels and web apps | >50% crown jewels and web apps | >75% Crown Jewels & Web Apps | 100% Crown Jewels & Web Apps
Cyber Risk Assessment | Mean Time to Contain (MTTC) | Head of SOC | Time to Contain < 30 days | Time to Contain < 25 days | Time to Contain < 20 days | Time to Contain < 12 days
Cyber Risk Assessment | Mean Time to Recovery (MTTR) | Head of SOC | < 25 days | < 20 days | < 15 days | < 10 days | < 7 days | < 3 days
Vulnerability Management | Infrastructure scanned | Head of Platform | > 50% scanned | > 70% scanned | > 95% scanned | All infrastructure scanned
Vulnerability Management | Critical and high risk Vulnerabilities remediated within target | Head of Platform | Less than 14 days | Less than 10 days | Less than 7 days | Less than 5 days | Less than 3 days | Less than 2 days
Vulnerability Management | Automate vulnerability | Head of Platform | 75% Critical | 100% Critical | 100% Critical, 75% All environment | 100% All

Quarterly Governance Reporting

Page 8: Cyber Strategy and Transformation Program

Program Delivery Structure: Identify & Protect Crown Jewels
Key objective: Deliver demonstrable value in every release cycle

Key Metrics (columns: Phase 1 R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target)

Capability maturity target: 0 | 1.0 | 1.5 | 2.5 | 3.0 | 4.0 | 4.0

Key metrics / KPIs
• Dataflow mapping
• Data owners identified
• All Crown Jewels have non-negotiable security controls
Release targets (in slide order): Critical 100% / Critical 100%; All 100% / All 100%; 100% / Priority 1; Critical 100% / Priority 1,2,3; Critical & High 100% / All 100% / All 100%; 100% / 100% / 100%

Capability components to be implemented:

Operating model
• SOPs documented
• Reporting automated
Release targets (in slide order): 30%; 50% / 30%; 75% / 50%; 100% / 75% / 100%; 100% / 100%

People & Resourcing
• Operational FTE: 2 | 2 | 2 | 2 | 2 | 2 | 2

Processes implemented
• Security Policy Lifecycle Review: POC | MVP | Automated | Tuning | Tuning | Tuning | 100%
• Principle of least privilege: Review | Audit | Implement | Automated | Tuning | Tuning | 100%
• 3rd Party access: – | Policy | Implement | Tuning | Tuning | Tuning | 100%

Technology implemented
• Next Gen Firewall (network security): POC | Licensed and Configured | Tuning | Tuning | Tuning | Tuning | Y
• Document Security: POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
• Discovery Engines (MIoT): – | POC | Deploy | Tuning | Tuning | Tuning | Y

Page 9: Cyber Strategy and Transformation Program

Program Delivery Structure: Cyber Awareness & Education
Key objective: Deliver demonstrable value in every release cycle

Key Metrics (columns: Phase 1 R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target)

Capability maturity target: 0 | 1.0 | 1.5 | 2.5 | 3.0 | 4.0 | 4.0

Key metrics / KPIs
• Training attendance and completion: Completion 90% | Completion 95% | Completion 95% | Completion 95% | 95% completion | 95% completion | 95%
• Malicious Document opened: 80% pass rate | 85% pass rate | 90% pass rate | 95% pass rate | Above 95% pass rate | 98% pass rate | 98%
• Sensitive Information exposure: 80% pass rate | 85% pass rate | 90% pass rate | 95% pass rate | Above 95% pass rate | 98% pass rate | 98%

Capability components to be implemented:

Operating model
• Online training
• Gamification of training
Release targets (in slide order): 50%; 50% / 75%; 75% / 100%; 100% / 100%

People & Resourcing
• Operational FTEs: 2 | 2 | 2 | 2 | 1 | 1 | 2

Processes implemented
• Cyber training during onboarding
• Yearly Role specific cyber training
• Biannual cyber awareness training
• Quarterly phishing tests
Release targets (in slide order): Review; MVP; MVP / Review; MVP / MVP; deployed / MVP / 100% / 50%; 100% / 100%; Tuning / 100%; Tuning / Tuning / Tuning / Tuning; Tuning / Tuning / Tuning / Tuning; 100% / 100% / 100% / 100%

Technology implemented
• On-demand Learning Platform via L&D: POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
• Automated User Awareness: Next Gen FW URL Filtering: POC | License and Configuration | Tuning | Tuning | Tuning | Tuning | Y

Page 10: Cyber Strategy and Transformation Program

Program Delivery Structure: Cloud Security Posture Management
Key objective: Deliver demonstrable value in every release cycle

Key Metrics (columns: Phase 1 R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target)

Capability maturity target: 0 | 1.0 | 1.5 | 2.5 | 3.0 | 4.0 | 4.0

Key metrics / KPIs
• Cloud native apps scanned
• Internal applications scanned
• Remediation within target
Release targets (in slide order): Critical Apps 100% / Critical 100%; All Apps 100% / All 100%; 100% / 100%; Priority 1 / Critical 100%; Priority 1,2,3 / Critical & High 100%; All 100% / All 100%; 100% / 100% / 100% / 100%

Capability components to be implemented:

Operating model
• SOPs documented
• Reporting automated
• Holistic Virtual Group
Release targets (in slide order): 50% / 50%; 75% / 75%; 100% / 100%; 100% / 100%; 100% / 100%; 100% / 100%

People & Resourcing
• Operational FTEs: 2 | 2 | 2 | 2 | 2 | 2

Processes implemented
• Onboarding training
• CI/CD integration
• Code scanning
Release targets (in slide order): MVP / MVP / MVP; 100% / Manual / manual; Tuning / Fully automated / Fully automated; Tuning / Tuning / Tuning; Tuning / Tuning / Tuning; 100% / 100% / 100%

Technology implemented
• Cloud Visibility and Posture Management: POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
• IAM Security: POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
• SAST (Build Time): – | POC | Deploy | Tuning | Tuning | Tuning | Y
• DAST (Run Time): – | POC | Deploy | Tuning | Tuning | Tuning | Y
• Workload Protection: – | – | POC | Deploy | Tuning | Tuning | Y

Page 11: Cyber Strategy and Transformation Program

Project Risks
Potential Risks to the successful delivery of key security capabilities

Deliverable | Risk scenario | Likelihood | Impact Rate | Impact to capability delivery | Risk Mitigation | Potential additional Cost | Budget allocated
Privileged Access Management | Lack of Internal Resource; Lack of skills internally | Low | High | Capability delivery delay | Leverage vendor Professional Services | $50,000 | Yes
Digital Transformation in line with Security requirement | New attack vectors found | Low | Medium | Additional Cost and resources required to address risk | Engage external partners to assist with remediation | Unknown | Yes, $75,000 set aside
Catastrophic event (Pandemic lockdown) | Reprioritization of projects and resources | High | Medium | Various capability delivery delay | Focus on projects that can be delivered remotely (cloud) | Unknown | Yes, $100,000 set aside
24/7 SOC Team (Security Monitoring) | Skills shortage | High | Medium | Capability delivery delay | Outsource to MDR vendor | $600,000 | Yes
Multiple capabilities | Successful cyber attack during delivery phase | Medium | Medium | Capabilities delivery delay due to key personnel resource allocation changes | Agile project delivery to reprioritize delivery of capabilities where resources are available, and possible outsourcing | $500,000 | Partial ($200,000)
Multiple capabilities | Ops and UAT teams not used to agile project delivery | Medium | High | Capabilities delivery delayed | Change Manager working with Ops, SOC and UAT teams to embrace agile approach | N/A | N/A

Page 12: Cyber Strategy and Transformation Program

Tracking Progress Against our Goals: Vulnerability Management
How do you know that you are on track?

Target state (end of Program) | Q1 target | Q1 actual | Comments | Q2 target (revised)

Capability components to be delivered

Governance: • Governance structure • Monthly reporting | Yes / Yes | Yes / Yes | Done / Done
Operating model: • SOPs documented • Reporting automated | 50% / - | 25% / - | Delay due to slow onboarding of resources | 60% / 25%
People & resourcing: • 2 FTE • Patching contract | 2 / Yes | 1 / No | In process of recruiting second team member | 2 / Yes
Processes implemented: • Vulnerability scanning • Prioritisation • Remediation | Yes / Yes / Yes | Y / Partial / Partial | Delay due to slow onboarding of operational resources | Yes / Yes / Yes
Technology implemented: • Scanning engine • DAST | Yes / Yes | Yes / No | Delay in contracting with DAST vendor | Yes / Yes

Financials

Program capex $550k / Ongoing opex $400k p.a. | $120k / $100k | $100k / $80k | Underspent due to slow onboarding | $120k / $100k

Key metrics / KPIs

Infrastructure scanning: • Crown jewels 100% • All systems 100% | 100% / 50% | 87% / 20% | Scanning coverage delayed due to slow onboarding of resources | 100% / 60%
Web applications scanned: • Crown jewels 100% • All systems 100% | 50% / 0% | 0% / 0% | Delay in contracting with DAST vendor | 50% / 0%
Remediation within target: • Critical – 100% • High – 100% • Moderate – 80% | 100% / 50% / 0% | 100% / 60% / 0% | Remediation performance targets achieved (however lower than expected # of vulnerabilities identified due to delays) | 100% / 75% / 50%

Page 13: Cyber Strategy and Transformation Program

Using Cyber Resilience Indices to track and report progress

How will you really know?

CRI control (Short Name) | Sep. 2021 (Start of Program) | Dec. 2022 (Actual maturity achieved Q4) | Dec. 2023 (Target Q4 2023) | Dec. 2024 (Target Q4 2024)
1 Crown Jewels | 30% | 80% | 100% | 100%
2 Cyber Governance | 20% | 50% | 60% | 80%
3 Vendor Supply Chain Risk | 40% | 50% | 75% | 75%
4 Secure & Privacy by Design | 70% | 90% | 90% | 90%
5 Restrict User Access | 20% | 50% | 75% | 75%
6 Data Protection | 10% | 10% | 50% | 50%
7 Awareness and Education | 20% | 90% | 100% | 100%
8 Logging and Monitoring | 60% | 75% | 90% | 100%
9 Multifactor Authentication | 15% | 100% | 100% | 100%
10 Online Digital Defense | 60% | 100% | 100% | 100%
11 Business Cyber Resilience | 30% | 50% | 90% | 90%
12 Vulnerability Management | 20% | 60% | 95% | 95%
13 Cyber Threat Intelligence | 20% | 20% | 40% | 50%
14 Secure Zones | 20% | 40% | 90% | 90%
15 Advanced Malware Control | 50% | 60% | 100% | 100%

Additional column labels on the slide: Dec 2024 – Planned maturity Q4; Dec 2025 – Target maturity, subject to additional funding.

Page 14: Cyber Strategy and Transformation Program
