Profiles in Leadership: John O'Driscoll, State of Victoria
Risk Mitigation Means Engagement with Stakeholders
Four years ago, John O'Driscoll became the first CISO for the Australian state of Victoria, a job that has purview over 1,900 entities with 340,000 public servants.
He's an expert in risk and audit, and that has subsequently led to interesting conversations about who is accountable for risk and how to manage risk in light of growing threats.
"I think it's really important that you engage with senior stakeholders with awareness but also to make them care about something," O'Driscoll says. "A big part of what I've been doing is integrate cyber into the overall risk management process within Victorian Government, engage senior stakeholders at a departmental Secretary level, but also boards of water authorities and hospitals and also audit and risk management committees."
O'Driscoll is also leading initiatives to streamline procurement to get the right cybersecurity tools in the hands of practitioners and managing risks that may arise from using third-party service providers.
"You can outsource responsibility for delivery of something but you can't outsource the accountability for it," he says. "And there's a lot of work done upfront before we sign a contract with a third-party service provider."
In this video interview with Information Security Media Group as part of CyberEdBoard's ongoing Profiles in Leadership series, O'Driscoll discusses:
- How to talk about risk in a government setting;
- How the Victoria government is streamlining procurement of cybersecurity software;
- What Victoria is doing to manage third-party risk.
O'Driscoll has over 35 years’ experience in information technology, with a focus on IT audit and cyber security in financial services and the public sector. He was appointed as the first chief information security officer for the Australian state of Victoria in October 2017. He leads the development and delivery of Victoria’s Cyber Security Strategy to assess, monitor and respond to cyber security risks, as well as engaging with government departments, interstate counterparts, Commonwealth and private sector experts to deliver a resilient and cohesive cyber security capability.