Northern Beaches Council is undertaking a thorough assessment of its technology and capability stack to secure its 50-plus business units.
Chief information security officer David Griffiths told the iTnews Podcast that the council is mapping its environment and technology stack to understand specific security requirements and capabilities.
This, Griffiths said, is helping inform the team about cyber security solutions, vendors and outsourcing.
“We narrow down the functions... narrow down the capabilities that the organisation generally needs,” he said.
The local government sector in general comprises small organisations that run multiple different service units – and therefore present a large potential attack surface.
Federal and state government departments and agencies tend to have better resourcing than their local government counterparts.
This includes having internal security teams, whereas budget-constrained local councils are likely to have a single IT team responsible for the entire organisation.
This was the case for Griffiths when he joined Northern Beaches Council at the end of 2023, having spent the previous four years managing intelligence and response at Cyber Security NSW.
“[The wide surface] was the huge shock coming into local government from state government,” he said.
“I was used to complex organisations. However, Northern Beaches Council [has] about 2000 staff. Those 2000 staff deliver over 50 different services. Some of those are obviously internal ... and the rest are out to the public.
“We have to put in as many common controls as we can. We want to standardise. We want to consolidate. We want to provide a single way of doing everything that we can.
“But over and above that, then there are all the various business areas that will have their own systems, their own processes, their own requirements, their own security requirements... We can't just specify something and say: ‘Everybody's doing it this way’.”
Still, managing security in local government requires a “large resource pool” and often highly specialised skills – something out of reach for most local councils’ budgets.
Northern Beaches Council’s IT and cyber security are overseen by a small, virtual team under the leadership of CIO Naren Gangavarapu.
As such, the council also works with an outsourced security services provider in order to give it “full resiliency”.
Having now been in his role for over nine months, Griffiths is happy with the internal conversations taking place around security.
“The level of discussion has improved,” he said. “The mindshare, the conversations, the questions I get back from people have improved. And from all my security roles throughout my career, changing the organisation is much harder than publishing policies and putting in technology.”