Source: Collated information from the Australian Signals Directorate and Cyber Security NSW.

ASD and Cyber Security NSW both emphasise that cyber actor tactics are evolving, with the use of more advanced hacking tools, including artificial intelligence. Cyber Security NSW informed that the number of incidents related to systems owned or managed by a third party almost tripled this year, including increased instances of data breaches associated with third parties.

Our performance audits assess whether the activities of government entities are being carried out effectively, economically, efficiently and in compliance with relevant laws. Cyber security has been a key focus of our performance audit program since 2018.

Our annual financial audits consider cyber security planning and governance, and whether cyber security incidents might have a material impact on the financial statements. Identified cyber security gaps are communicated to management and reported in the annual cluster agencies’ reports, internal controls and governance reports, universities’ reports, and local government reports.

Note: The analysis involved summarising Detailed Requirements which form the Mandatory Requirements. Percentage displayed above refers to compliance rate of the Mandatory Requirements across all 66 reporting agencies in FY2024. Reporting agencies did not specify compliance to requirements that were managed by third parties. Therefore, the requirements managed by third parties has been classified separately where it was not assessed. Agencies were not expected to fully meet all Mandatory Requirements of the CSP for FY2024.

Source: Audit Office analysis of agency cyber security compliance returns to Cyber Security NSW for 2024.

Agencies’ control compliance is not reported when performed by third parties

The 2024 CSP compliance graph shown in the previous section highlights that some of the Mandatory Requirements are managed by third parties. CSP specifies guidance and Mandatory Requirements around engagement with third party service providers.

When outsourcing, entities retain accountability for managing associated risks. Third-party compliance with minimum CSP requirements may be known to the agency but is not reported to Cyber Security NSW. An absence of clear reporting risks agencies and Cyber Security NSW not knowing about non-compliance against the CSP where the cyber security control practice is provided by the third parties.

The highest level of third-party reliance that is not reported or assessed against CSP requirements is in the ‘Protect’ domain. This domain covers all ACSC Essential Eight controls, and controls for access, data, email and network security. When in place and effective, these technical controls provide preventative protection against cyber attacks.

Planned or in-progress cyber uplift programs and budget constraints were the most common reasons for not achieving minimum requirements

Agencies were asked by Cyber Security NSW to provide reasons they could not meet the minimum compliance requirements for each Detailed Requirement in their reporting to Cyber Security NSW. The most common reported reasons for partial and non-compliance includes cyber uplift programs being in progress and or planned, budget constraints, lack of approved or formalised cyber processes and insufficient cyber security resources.

Source: Audit Office analysis of agency cyber security compliance returns to Cyber Security NSW for 2024.

Source: Audit Office analysis of agency cyber security data returns to Cyber Security NSW for 2020–2024.

Cyber Security NSW advises agencies in Section 3.1.1 of the Cyber Security Policy Reporting Guidance 2023‒24: ‘Agencies required to report under the NSW Cyber Security Policy may report individually, independently or be aggregated into the department report’.

The definitions for each of the reporting methods is as follows:

• individually – the agency submits a separate report, the contents of which may be visible to the lead department, through the Portal (this was previously also known as reporting ‘through cluster CISO’)
• independently – the agency submits a separate report, the contents of which are not visible to the lead department or only limited visibility is available
• aggregated – the agency is included within the lead department report.

Source: 2024 State Agencies Cyber Security NSW Data Returns.

As we reported in Cyber Security NSW: governance, roles, and responsibilities, if agency self-assessments are unreliable, there is a risk that knowledge of the potential resilience of the NSW public sector to cyber security incidents is similarly incomplete.

We also noted various examples of inconsistencies in the agencies’ risk reporting to Cyber Security NSW, which may indicate inaccurate assessment:

• ten risks had a ‘substantially effective’ control treatment and resulted in the risk decreasing from extreme/high to moderate, while a further 12 risks with ‘substantially effective’ control treatment did not reduce the risk rating
• two risks were accepted by management, but the risk was reduced from extreme to high, while another risk was also accepted but management assessed the treatment plan as fully effective.

Note: Reporting agencies did not specify compliance for requirements that were managed by third parties. Therefore, the requirements managed by third parties has been classified separately where it was not assessed.

Source: Audit Office analysis of agency cyber security compliance returns to Cyber Security NSW for 2024.

The least progress was made in achieving compliance with the Mandatory Requirements in the following areas:

• asset inventory management process (Mandatory Requirement 1.6), the purpose of which is to help enable effective asset protection and swift threat response
• identification, retention and secure disposal of data (Mandatory Requirement 1.8,) which ensures data is properly managed throughout its lifecycle, protecting sensitive information and reducing the risk of data breaches
• third-party service provider risks management (Mandatory Requirement 1.10), which ensures third-party service provider risks are identified and managed to protect agency systems and data from potential cyber threats.

Cyber security policy implementation has improved, but not consistently across the sectors

Implementing a cyber security policy is important and a foundational step as it sets organisation-wide expectations, objectives and accountabilities in relation to cyber security.

Our reports indicate improvement over time across NSW state agencies, universities and local government sectors in implementing a formal cyber security policy. We are still identifying agencies that do not have a cyber security policy established.

The Internal controls and governance 2021 report highlighted that some agencies still had only a draft cyber security policy. This has since improved, as reported in the Internal controls and governance 2022 report, where it was noted that all agencies under review had formalised their policy.

In the university sector, the Universities 2021 report highlighted that cyber security policy implementation reached 100% in 2021, up from 90% as reported in Universities 2018.

Cyber security policy implementation for the local government sector is increasing over time. The Local government 2019 report identified a lower base, with only 20% of councils having a cyber security policy, growing to 66% as reported in the Local government 2023 report and up to 74% in the Local government 2024 report.

While these statistics show improvement over the past few years, the Cyber security in local government report from March 2024 highlighted risks relevant to policy implementation. Based on a review of three selected councils, the report found that while they had cyber security policies, there were gaps within their policies and related procedures that limited their effectiveness in supporting cyber security risk management. These included gaps in clearly assigning accountability for core cyber security functions.

The use and adoption of cyber security frameworks is improving, but not consistently across sectors

The use and adoption of cyber security frameworks is essential as they provide structured guidelines and best practice examples to protect an organisation's information systems from cyber threats. These frameworks help to identify and manage risks, ensuring compliance with regulatory requirements and establishing a robust security position. By implementing a cyber security framework, organisations can systematically address vulnerabilities, enhance their incident response capabilities and foster a culture of security awareness among employees. This ultimately leads to improved resilience against cyber attacks and safeguards critical data and assets.

The NSW Cyber Security Policy (CSP) is a mandatory cyber security framework for all NSW Government departments and public sector agencies. As highlighted in the Internal controls and governance 2024 report, other frameworks are also being used by NSW Government departments and state agencies. The most commonly used are the International Standard ISO/IEC 27001 and the NIST CSF.

As the CSP is not mandated for local government and universities, the Universities 2023 report highlighted that in 2021, NIST CSF and Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies (ACSC Essential Eight) are the two most common frameworks being used, but one university had not adopted any framework. This has improved as of 2023. The University 2023 report highlighted that all ten universities had adopted at least one framework, with the NIST framework (90% of universities) and ACSC Essential Eight framework (80% of universities) being the most commonly used frameworks, individually or in combination.

For the local government sector, the Local government 2019 report highlighted that only 20% of councils had adopted a formal cyber security framework. This grew to 91% by the release of the Local government 2024 report, which outlined that one framework, or a combination of frameworks, had been adopted. The ACSC Essential Eight was the framework most commonly adopted by councils (71%), followed by the OLG Guidelines (26%) and NIST CSF (18%). The low percentage of councils adopting the OLG Guidelines (26%) may be because compliance with the framework is not mandatory.

Many entities reported cyber security risks exceeding their risk appetite, but not all have a formal uplift program

Since the introduction of the CSP in 2019, all NSW Government departments and public sector agencies are required to conduct a cyber security risk assessment and to have an approved cyber security plan, also referred to as a cyber uplift program. Systemically identifying and evaluating potential vulnerabilities and threats through risk assessments is crucial for supporting and targeting cyber uplift programs.

According to our Internal controls and governance 2021 report, 96% of the agencies reviewed had conducted cyber risk assessments, reaching 100% by 2024, as highlighted in the Internal controls and governance 2024 report. However, only 77% had assessed their cyber risks against their cyber risk appetite, with 90% of these noting risks above their appetite. The Internal controls and governance 2024 report also explained that only 65% of agencies covered in the report had a current cyber security uplift program. Additionally, two agencies stated that they do not have funded plans to improve cyber security.

In the university sector, the Universities 2022 report indicated that all universities had performed a risk assessment related to their information technology (IT) assets and identified their ‘crown jewels’ or ‘mission critical’ assets. The University 2023 report highlighted that 70% of universities had cyber security risks above their risk appetite, but only 20% of these universities had formally accepted this situation. In addition, the report also noted that only 60% of universities had formal cyber uplift programs, with one university reporting that it did not have a specific budget allocated for improving its cyber security.

In the local government sector, the Local government 2019 report showed that only 54% of councils had included cyber risk in their risk registers, indicating that at least 46% had not performed a cyber security risk assessment. This statistic improved over the years, with 72% of councils including cyber risk in their risk registers by 2021 (Local government 2021), 82% by 2023 (Local government 2023) and 87% in 2024 (Local government 2024).

In the Local government 2024 report, 37% of councils evaluating their cyber security risks rated their residual risk as being above their risk appetite. Additionally, 30% were unable to determine if their residual risk was above or below their tolerable or acceptable risk. The Cyber security in local government report in 2024 audited three selected councils, noting that while two of three audited councils had identified cyber security as a strategic risk, none of the councils were effectively using risk management processes to identify and manage the cyber security risks.

The Local government 2024 report also highlighted that only 59% of councils had a cyber security uplift program and, of these, 14% advised that their spending on cyber security was insufficient to adequately resource their uplift programs.

While cyber security roles and responsibilities are established, they may not always be clearly defined and communicated

Clearly defined roles and responsibilities for cyber security are essential in ensuring effective governance and protection of digital assets. Incident responses are likely to be less effective where role requirements and responsibilities are unclear. As required by the NSW Cyber Security Policy (CSP), agencies have defined and allocated roles and responsibilities in relation to cyber security. In 2021, 96% of the agencies covered in the Internal controls and governance 2021 report had established cyber security roles and responsibilities. In the same year, the Local government 2021 report noted that only 61% of councils had established cyber security roles and responsibilities, which increased to 70% by 2024 per the Local government 2024 report.

The Detecting and responding to cyber security incidents report in 2018, which examined ten selected agencies, found that these agencies could only provide limited information to demonstrate that the role requirements and responsibilities of their staff are clear and well communicated. The 2024 Cyber security in local government audit, which assessed three selected councils, reported a similar finding, where these councils had not clearly defined roles and responsibilities for detecting, responding to (including through appropriate reporting) and recovering from cyber security incidents.

Inadequate asset identification can hinder protection prioritisation and incident response

Asset identification is a key element in effective cyber security management. Maintaining a comprehensive inventory of assets can help better manage cyber security risks, prioritise protection efforts and improve incident response. In 2022, the Internal controls and governance 2022 report highlighted the following:

• 84% of the agencies had comprehensive cyber security plans covering all IT systems, while 16% focused only on their most critical assets or ‘crown jewels’
• 68% of the agencies had not undertaken a process to identify digital or electronic intellectual property assets, such as patents, copyrighted material or trade secrets
• 24% of the agencies had not undertaken a process to identify highly sensitive digital or electronic assets, such as Cabinet-in-confidence information or data requiring security clearance like classified information.

The university sector identified its ‘crown jewels’, as reported in the Universities 2021 report. The Universities 2023 report highlighted that, while universities work with critical infrastructure entities such as defence, health, transport, utilities and telecommunications, all ten universities advised that no critical assets had been identified as defined in the Security of Critical Infrastructure Act 2018 (SOCI). The SOCI legislation regulates critical infrastructure nationally and mandates cyber security incident reporting to the ACSC for critical infrastructure assets under certain circumstances.

Within the local government sector, only 36% of councils identified all their information assets requiring protection as per the Local government 2024 report. This was further supported by the 2024 Cyber security in local government report, which highlighted that the three councils selected for the audit had not assessed the business value of their information and systems to inform cyber security risk identification and management. This limited the councils’ ability to prioritise their activities and ensure that their most valuable information and systems are adequately safeguarded and secure.

Third-party cyber security risk management is a significant challenge, with some cases of cyber security incidents involving third parties

The NSW Cyber Security Policy's (CSP) Mandatory Requirement 1.10 outlines expectations for third-party security risk management, including contract clauses, monitoring and enforcement. Being unaware of weaknesses in the third-party cyber security controls may lead to slow or inadequate responses to vulnerabilities, allowing threat actors to exploit agency systems, data and assets. Even when a service is outsourced, the agency retains accountability for managing associated risks.

The 2018 Detecting and responding to cyber security incidents audit found that, although agencies advised that IT service providers reported cyber security incidents, only two of ten selected agencies had contractual arrangements requiring providers to report incidents in a timely manner.

In 2022, 96% of agencies covered in the Internal controls and governance 2022 report ensured that their cyber security policies or plans specified the application to third-party service providers. However, only 80% of them detailed how they monitored or ensured compliance with the relevant parts of the CSP.

In the university sector, as per the Universities 2021 report, 60% of universities extended their cyber security policies to third parties, reaching 100% by 2022 as reported in the Universities 2022 report. Additionally, the Universities 2021 report also highlights that 50% of universities required their IT vendors to confirm compliance with their cyber security policies through attestations or certifications, increasing to 70% by 2022 as per the Universities 2022 report. Similar gaps were also highlighted in the following audits:

• The 2021 Managing cyber risks audit found that the two selected agencies were not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations.
• The 2024 Cyber security in local government audit found that none of the three councils reviewed were effectively identifying or managing third-party risks. The audited councils lacked guidance on cyber security risk assessments in their procurement policies and procedures.
• The 2025 Regulation of the Land Titles Registry audit found that for the land titles registry IT system that was identified as one of the Department of Customer Service’s crown jewel, there is a lack of clarity in the assignment of roles and responsibilities between the Office of the Registrar General and the Department of Customer Service for ensuring compliance with the NSW Government CSP, as well as the obligations of the private operator and its third-party contract service providers.

The following are examples from past published reports of cyber security incidents involving third parties that had an impact on NSW state agencies, universities and councils.

Source: Cyber security in local government, Local government 2024.

Note: Reporting agencies did not specify compliance for requirements that were managed by third parties. Therefore, the requirements managed by third parties has been classified separately where it was not assessed.

Source: Audit Office analysis of agency cyber security compliance returns to Cyber Security NSW for 2024.

The highest compliance is for Mandatory Requirement 2.3, which ensures cyber security incidents are reported and threat information is shared with Cyber Security NSW, enabling coordinated responses, better threat intelligence and improved overall security positioning across all agencies.

The lowest compliance is for Mandatory Requirement 2.1, which ensures continuous monitoring and event logging to detect anomalous activities, enabling early threat detection and timely responses.

Cyber security detection capabilities are improving but coverage is incomplete

Cyber security detection monitoring is critical to ensure the early identification of potential threats and to trigger swift responses that can significantly reduce the impact of cyber security incidents.

The 2018 Detecting and responding to cyber security incidents audit noted that only two of ten selected agencies demonstrated high cyber security incident detection capabilities, while the rest had medium to low capabilities, with some lacking automated monitoring tools. Additionally, many agencies had incomplete response procedures and most had never tested them. Although all agencies had documentation requiring post-incident analysis, only one agency could provide a detailed post-incident review example.

Since then, state agencies have shown improvements as reflected in the Internal controls and governance 2023 report. This report highlights that automated monitoring systems to detect cyber security events were deployed across all agencies under review; however, the scope and sophistication of these systems varied. Automation and artificial intelligence played a crucial role in ensuring efficient and accurate event logging.

For the university sector, the Universities 2023 audit reported that all universities had implemented systems to detect cyber security incidents, recording and logging security events across their networks. However, the extent of cyber security monitoring varied, with 70% of universities noting that their processes did not cover all systems. This was primarily due to challenges with integrating legacy systems and the decentralised management of systems.

The 2024 Cyber security in local government report highlighted that the three audited councils used third-party tools to monitor for cyber security incidents and events. However, the councils had not clearly defined the scope of their monitoring and detection activities, nor the roles and responsibilities of council staff and third parties in these processes.

Regular testing of cyber incident response plans should improve

Regular testing of cyber incident response plans is crucial for validating the effectiveness of response strategies to minimise the impact of cyber security incidents.

The Internal controls and governance 2023 report highlighted that 92% of agencies covered in the review tested their cyber incident response plans. Most of these tests were conducted through tabletop exercises, which involve discussing scenarios and talking through plans and responses.

In the university sector, the Universities 2019 audit highlighted that only 60% of universities tested their incident response plans, reaching 100% by 2023, as highlighted in the Universities 2023 report. Of the tests performed in 2023, only ten per cent were functional, while the rest were tabletop exercises.

In the local government sector, only 57% of councils had a cyber incident response plan, as highlighted in the Local government 2024 report. Additionally, the 2024 Cyber security in local government report noted that none of the three selected councils for review had a cyber incident response plan.

Comprehensive playbooks support cyber incident response preparedness

Developing comprehensive playbooks is essential for ensuring that organisations are prepared to respond effectively to various cyber security incidents. Playbooks are documented incident responses tailored to address plausible cyber security incidents and support cyber incident response plans. Playbooks could cover scenarios such as (but not limited to) denial of service attacks, website defacement, compromise by an external attack, phishing and data breaches.

Our audit reports have highlighted how state agencies, universities and councils have established their playbooks.

• The Internal controls and governance 2023 audit noted that 88% of agencies covered in the review have detailed incident procedures and responses for multiple scenarios, while the rest only have ransomware scenarios in their playbooks.
• The Universities 2023 audit found that 30% of the universities having cyber incident response plans had not developed and finalised playbooks to support it.
• The Local government 2024 audit noted that only 56% of councils having cyber incident response plans have playbooks supporting their response plans.

Playbooks help agencies respond better to cyber security incidents by providing step-by-step procedures that guide response teams. Responses to incidents differ according to type, supporting agencies having multiple playbooks developed.

Below are examples of different types of incidents from past published reports that have had an impact on NSW Government agencies and councils, excluding those involving third parties that have been listed previously in this report.

Source: Detecting and responding to cyber security incidents, Cyber security in local government.

Note: Reporting agencies did not specify compliance for requirements that were managed by third parties. Therefore, the requirements managed by third parties has been classified separately where it was not assessed.

Source: Audit Office analysis of agency cyber security compliance returns to Cyber Security NSW for 2024.

The least progress was made in achieving compliance with the Mandatory Requirements in the below areas:

• patching applications (Mandatory Requirement 3.3) and patching operating systems (Mandatory Requirement 3.4), which ensures that applications are regularly updated to fix vulnerabilities, preventing cyber attackers from exploiting these weaknesses
• implementing multi-factor authentication (Mandatory Requirement 3.5), which enhances security by requiring multiple forms of verification, making unauthorised access much more difficult, even if one credential is compromised.

Many agencies have not met level one Essential Eight cyber protection measures despite these being a focus for many years

The Essential Eight, outlined by the ACSC, are strategies designed to mitigate cyber security incidents. Cyber Security NSW has adopted the Essential Eight strategies and included them in the NSW Cyber Security Policy (CSP). The Essential Eight maturity model uses a four-point scale. The definitions for each maturity level are:

Source: Essential Eight maturity model.

The current 2024 CSP requires agencies to report their Essential Eight strategies to a baseline maturity level of one, and report each of the Essential Eight strategies as part of their annual CSP reporting. However, based on the number of agencies compliant to the Essential Eight strategies in the ‘Protect’ section of the Mandatory Requirements (3.3 to 3.10), there remains significant challenges in patching applications and operating systems, implementing multi-factor authentication, restricting administrative privileges and implementing application controls.

The previous versions of CSP require agencies to implement the Essential Eight strategies in applicable information and communication technology (ICT) environments using full maturity scale. There were revisions and additional requirements to meet the level one maturity under the Essential Eight over time. This could explain why the maturity level for some controls have dropped from 2022.

The graph below shows the median maturity levels for the Essential Eight cyber security controls from 2020 to 2023, when agencies reported under the former CSP and Essential Eight models. The table tracks the progress of these controls, highlighting improvements and areas needing attention in cyber security practices over time.

Note: The median represents the level at which half of the https://www.audit.nsw.gov.au/our-work/reports/internal-controls-and-governance-2021maturity assessments are reported as having been met.

Source: Individual self-assessed Essential Eight maturity returns (unaudited).

However, based on the above graph, between 2020 and 2023, some reported controls did not meet this minimum requirement. Specifically, some agencies reported a maturity level of zero for critical controls such as application control, patch applications, restricting administrative privileges and patching operating systems. This suggests that these controls are either not implemented or are implemented in a manner that is ineffective against common cyber threats.

Further, the graph shows that there are controls with a maturity level of zero. Some of the findings from past audit reports reveal potential contributing factors limiting the effective implementation of the Essential Eight controls, leading to low maturity assessments reported by agencies.

• The Internal controls and governance 2021 audit highlighted 82% of agencies had high numbers of deficiencies related to IT general controls, particularly around user access administration and privileged user access.
• The Internal controls and governance 2022 audit revealed that 20% of agencies do not patch or mitigate applications or operating systems for 'high-risk' vulnerabilities within 48 hours, as recommended by the Essential Eight. Further, over 72% of agencies run applications and operating systems that are no longer supported by the IT service provider and are unpatched. The Internal controls and governance 2023 audit highlighted that many agencies operated on legacy systems that were not compatible with modern security controls.
• The Internal controls and governance 2024 audit highlighted agencies’ reliance on third-party IT service providers without adequate oversight, and assurance of their compliance with cyber security policies was a recurring issue. Ineffective controls operating at third parties may reduce the agencies’ Essential Eight maturity level.

Cyber security awareness training has improved but phishing simulations should be more commonly used

Implementing regular cyber security awareness training and exercises is essential for building and maintaining a resilient cyber security culture. It is a cost-effective and quick method to enhance cyber resilience, addressing the human element often targeted by cyber criminals. Human errors are often a common cause of cyber attack, as cyber criminals frequently target individuals through phishing and other methods to infiltrate networks. Cyber security awareness training is covered in Mandatory Requirement 3.1 of the NSW Cyber Security Policy.

Between 2019 and 2024, there was a notable increase in cyber security training and awareness exercises among agencies covered in the internal controls and governance reports.

• 2021: The Internal controls and governance 2021 report showed 92% of agencies conducted cyber security training compared with 70% reported in Internal controls and governance 2019. Additionally, 56% of agencies conducted awareness exercises to test staff knowledge of responding to cyber threats, such as sending a simulated phishing email.
• 2022: Over 90% of agencies conducted awareness exercises, including simulated phishing tests as reported in the Internal controls and governance 2022 report.
• 2024: Only 12% of agencies reviewed had not defined their cyber security training requirements or mandated annual cyber security training as reported in the Internal controls and governance 2024 report. Additionally, 96% had performed phishing simulations.

In the university sector, all entities provided cyber security training and awareness programs in 2021. However, only half had tested staff knowledge through awareness exercises such as sending fake phishing emails (Universities 2021).

In contrast, in the local government sector, only 24% of councils had trained staff in cyber awareness in 2019 (Local government 2019). This figure grew to 74%, as reported in the Local government 2023 report, but dropped slightly to 69% in 2024 (Local government 2024). Additionally in 2024, 45% of councils did not conduct phishing simulations. Among the 55% that did, five councils failed to provide feedback to staff who reacted inappropriately to the phishing exercise.

Past audits that have also identified gaps in awareness training are as follows:

• The 2018 Detecting and responding to cyber security incidents audit found that training was limited and role requirements and responsibilities within the case study agencies (ten in total) were unclear. These agencies could provide only limited evidence of the cyber security training provided to their staff.
• The 2024 Cyber security in local government audit noted that while two of three selected councils had mandated cyber security training, they lacked a regular training schedule. The third council did not mandate the training, resulting in only a small number of staff completing optional training.

Culture and accepted practice can drive non-compliance with protection controls

Human error is often a contributing factor in successful cyber attacks. Situations can arise when there is a conflict between achieving day to day business requirements and adhering to cyber security controls. In practice, preference is often given to the achievement of business goals. For instance, individuals may bypass cyber security procedures during emergencies or time-sensitive work. Another example relates to meeting budget objectives, where an entity might reduce software license costs by sharing accounts and passwords among multiple users, thereby violating cyber security protocols.

Cultural drivers and accepted practices that threaten cyber security can be mitigated through comprehensive cyber security training that enhances employee awareness of cyber risks. However, training may not be enough to address the risk that arises from conflicting priorities between business requirements and cyber security controls. The above highlight the need for agencies to consider how their culture interacts with their cyber security control environment, and to make sure their cyber security controls are fit for purpose. Ultimately, the common purpose of protecting community interests remains paramount ‒ in how government agencies achieve outcomes while protecting their digital environments. These objectives are not at odds.