Margaret Crawford (Auditor-General of NSW) Credit: Audit Office of NSW

The Audit Office of NSW has slammed Cyber Security NSW, claiming it “does not clearly and consistently communicate its key objectives” despite the agency receiving “enhanced funding” in 2020.

This is according to a performance audit of Cyber Security NSW, as detailed in the Audit Office’s report Cyber Security NSW: governance, roles, and responsibilities.



The performance audit focused on two key areas: whether internal planning and governance processes are in place to support Cyber Security NSW in meeting its objectives, and whether Cyber Security NSW’s roles and responsibilities are defined and understood across the public sector.

The audit concluded that while the agency has a clear purpose that is aligned with wider government policy and objectives, it can’t “effectively demonstrate its progress toward improving cyber resilience”.

This is despite the fact that from the start of FY21 to the end of FY23, the agency will have received $60 million, which was part of a $240 million investment to bolster the state government’s cyber security.

The business case for additional funding was made in 2020, with a version provided to the Cyber Security Senior Officers’ Group early in the year and approved later that year in August.

The Auditor-General's report claimed the agency said the funding was needed to respond to a heightened security risk, low overall public sector cyber maturity and increasing digitisation of NSW government functions and services.

“Cyber Security NSW does not clearly and consistently communicate its key objectives to ensure that its efforts are effectively and efficiently targeted, prioritised, planned and reported,” the report claims.

It also said that it has “too few reliable and meaningful ways of measuring progress toward its objectives and no overall work plan or roadmap to show how the objectives will be achieved”.

“Without a clear and consistent program logic, it is difficult to determine whether the functions and services delivered by Cyber Security NSW are helping to achieve the level of cyber resilience required to meet the increasing cyber threats faced by the NSW public sector,” the report said.

The audit found that Cyber Security NSW doesn’t offer assurance of the cyber security maturity self-assessments performed by individual NSW Government agencies, and that while it sets out to help local governments improve their cyber security standing, it can’t mandate action and doesn’t have a “strategic approach guiding its efforts”.

However, the report also said that the majority of agencies consulted during the audit said that the services they received did improve their cyber security standing.

To address Cyber Security NSW's issues, the Audit Office suggested a four-pronged approach. The first, it advised, is to implement an approach that provides “reasonable assurance” that state government agencies are looking into whether they comply with the NSW government’s cyber security policies in a consistent manner.

The second is for Cyber Security NSW to have a strategic plan that “clearly” shows how the agency is actively working towards its goals, while the third is to make sure it has a complete catalogue of services that is available to agencies and councils.

Its fourth recommendation is for the agency to improve its engagement with local governments, which includes councils, government bodies and other relevant stakeholders.

