
The Cyber Brief: working with government in a cyber crisis


From chaos to coordination with Lieutenant General Michelle McGuinness, National Office of Cyber Security

Valeska and co-host David Rountree speak with Lieutenant General Michelle McGuinness CSC, Australia's National Cyber Security Coordinator and leader of the National Office of Cyber Security (NOCS).

Michelle dives in regarding the role of NOCS, and how it approaches government coordination and consequence management during major incidents. When and how should organisations engage with government during an incident? What's best practice for incident communications? How does NOCS work with industry, regulators and other government agencies? How are organisations engaging with Australia's limited use and ransomware payment reporting regimes? Michelle also shares her approach to leadership, the importance of empathy when working with organisations under pressure, and how her military background has shaped her leadership approach.

The Cyber Brief is a podcast for decision-makers in cyber. Through candid conversations with the industry's best, The Cyber Brief delivers executive-level insights on cyber risk, best-practice governance and emerging threats. Leaders in the field share practical insights, real-world stories and actionable advice for boards, executives and cyber professionals.

Episode four: From chaos to coordination: working with government in a cyber crisis—Lieutenant General Michelle McGuinness, National Office of Cyber Security


Valeska: Welcome to The Cyber Brief, the podcast for decision makers in cyber. Through candid conversations with the industry's best, we bring you executive-level insights on cyber risk, best practice governance and emerging threats. We've advised on some of the world's most complex cyber incidents, and we know what it's like in the trenches. We're asking the experts for their unfiltered truths and best advice on what executives, boards and cyber professionals should be doing now to stay ahead.

It was only a few years ago that companies in the throes of a cyber attack had to contend with dozens of government agencies. But since her appointment in early 2024, Lieutenant General Michelle McGuinness, Australia's National Cyber Security Coordinator, has transformed that chaos into coordinated action. With 30 years in the Australian Defence Force, Michelle leads the National Office of Cyber Security, also known as NOCS, coordinating the government's response to cyber threats and helping to manage real-world consequences when organisations are hit. Michelle and her team are unique, not just because there's no equivalent globally. Their accessible, empathetic approach to what she calls 'wicked problems with multiple stakeholders' has earned Michelle international recognition and dramatically simplified the experience for organisations in crisis.

I'm Valeska Bloch, Head of Cyber at Allens, and I'm joined today by my co-host, David Rountree, a partner in our cyber tech and data team. Together with Michelle, we explore how NOCS actually works with industry, regulators and other government agencies; how organisations have been engaging with Australia's new limited use and ransomware reporting regimes; providing leadership under pressure; and what surprised Michelle most in this groundbreaking role. Understanding how to engage with government is essential to good cyber preparedness, so if you haven't yet come across Michelle or NOCS during an incident, or even if you have, this episode is an essential listen.

David: Michelle, thank you so much for joining us here today.

Michelle: It's a pleasure. Thank you for having me.

David: The role of the National Cyber Security Coordinator was established by the Department of Home Affairs in 2023 and you were appointed in 2024, nearly two years ago now. Can you tell us more about your role as the coordinator, the role of NOCS more broadly, and explain how it fits into the broader government infrastructure for dealing with cyber incidents?

Michelle: Yeah, absolutely. So, the role was established following a couple of reviews into some pretty significant incidents that we faced as a country in 2022 and 2023. In essence, we identified that we had what could be gracefully called 'stovepipes of excellence', and there was a role for whole-of-government coordination, both in the implementation of our strategy, which was released at the end of 2023, but also in coordinating incident response and, of course, supporting consequence management. So, the National Office of Cyber Security was established. And a big part of what we do is support organisations through an incident, not from a technical perspective, that rests with our amazing capability at the Australian Signals Directorate, the Australian Cyber Security Centre, but we support the coordination of the whole-of-government response. So, whether it would be bringing other government agencies who might have a stake or an equity in either supporting the response and minimising the harm for Australians, ensuring that entities understand their regulatory requirements, bringing together the AFP and others, including ASD, where we can actually coordinate the response, removing some of the burden from organisations. There were some early organisations who shared their experiences of incidents, and some of them noted, one in particular, that they had to reach out. They had a list of stakeholders across state and federal government entities of over 80 people they needed to inform. Now, in the height of an incident, as you both know, there's no time to be phoning, calling, contacting a range of stakeholders, so we do try to streamline that for the entity. And also then leverage whatever we can across state and federal government, and, increasingly, other organisations, sometimes peak bodies or even sector counterparts, on how we can minimise the harm and mitigate the consequences of an incident to the greatest number of Australians.

David: So when and how does your team actually get involved in a cyber incident practically?

Michelle: Yeah, it's such a great question people often ask. Sometimes it starts with a phone call. And I have a great network, as does my team at different levels across our key infrastructure folk. The thing that everyone should do during an incident is actually go to cyber.gov.au or call the hotline, which will go through to the Australian Cyber Security Centre. Those reports listed there can be shared with my team under limited use. That should be the first point of call. They're the technical fire brigade to help understand the nature of the threat and what might have happened. We'd love then for people, it is voluntary to engage with the National Office of Cyber Security, which is my team. It is voluntary to engage with both, but we recommend you lean forward and you indicate your willingness to engage. We'll then bring an entity to a call, to a Teams call, and have them tell their story to help us understand what might have happened and the potential of the consequences. We won't do this until we know that ACSC have the technical support if required, if the organisation needs support in that remediation, we will not be interfering or moving forward until we know that that's under control. That's the really Triple O fire brigade for cyber security. But then we will help the entity identify who may have a stake, what the consequences might be, help them resolve and move through their incident, it is their incident, including sharing with them some of the lessons that we've learned so that they don't have to relearn lessons of other organisations, and let them know what options we've supported people with before. And we have this in playbooks. Dave, I should say there are 11 playbooks, in fact, 12, that are published on our website, the 11 critical infrastructure sectors and one Professional Services Sector Playbook. It really talks through the options of what we do.
They're dynamic documents, because every time we do an exercise or we support another incident, we were always learning new lessons. So, we're updating those playbooks as we go, and we love industry input into updating those playbooks as well. But we'll often establish working groups, whether it be around communications, whether it be around sensitive, vulnerable peoples, whether it be around identity remediation, so rectifying credential-issuing bodies working with those organisations, whatever we can do to pull together the right stakeholders, to minimise the number of engagements and really streamline the speed at which an entity can both respond and then recover.

Valeska: Michelle, we've seen on a number of occasions, you issue comms in relation to an incident, sometimes a press release, sometimes on various social media channels. What informs your decision as to whether to do that in relation to an incident, and then what to say and how you engage with organisations?

Michelle: That's such a great question. Thank you for that. And noting that my background is a military officer, this has been a really new space in being proactive with comms. Firstly, I'll say the comms for an incident belongs to the entity, so we will never do anything without engaging with the entity, and we encourage them to lead their comms. I often say that you can have the best practice response, but if you don't communicate it right, it might not matter, because communications are really important. Often when my team and I get involved is when we know that we need to reach a broader audience to prevent or minimise harm. We see in incidents, not just the number of people who might be concerned about being caught up in an incident. Part of our job is to reassure that we're aware of it and we're working with the entity, but we also see really significant follow-on scams, so actually helping inform Australians on what they can and shouldn't expect, who they should respond to. So, it really is amplifying communications. And we'll often amplify the communications of an entity and ensure that our talking points are coordinated with an entity, particularly when they're providing services to support organisations. We'll expand that, so that our reach can ensure that it's not about the entity, it's about the Australians, and actually minimising the greatest amount of harm for the greatest number of Australians.

Valeska: Yeah, I remember participating in a cyber simulation for one of our clients a few years ago that you were involved with, and you talked about the comms piece, particularly really early on in an incident, and your advice was the importance of really focusing on the impact of the incident to the broader public, as opposed to getting really bogged down in precisely how it's happened and how it's unfolded when that's kind of still to come, that information might not be known yet.

Michelle: Yeah, absolutely. We, I think here in the room, have all seen the very long tail of cyber security incidents. But we also know the first story is very rarely the full story or the last story. There is some expectation management to do, and there really is that important balance of transparency and ensuring that whilst, whilst we're informing, whilst entities are informing their stakeholders and the community, they're also providing the right support, so that it's not just causing panic, it's saying this is what's happened, and this is what you should do about it. And if there is something to be done about it, my team and I, along with other colleagues across the government, will look to amplify it in the interests of making sure that it reaches every Australian who needs to see that.

Valeska: In an incident, there are a lot of stakeholders that need information really fast, and a lot of those stakeholders are government agencies, law enforcement, regulators. How do you manage responding to those inquiries with also allowing organisations the space that they need to prioritise some of the critical aspects of the incident response? Because we've seen you be really empathetic and helping to manage that. So I'd love to hear how you think about it and how you manage it in practice.

Michelle: I have, firstly, a fantastic team who now, sadly, have quite a bit of experience working with entities, but we do try to relieve some of that burden. We do try to help an entity tell their story once to all who might need to hear it. There are, of course, also a large number of stakeholders who may not be involved in the consequence management or the rectification, but need to be alert to what's happening, and then even just helping manage expectations of all those stakeholders is when you'll next be updated and how we'll update you. And my team and I try to take some of that burden for the government off an entity so that we can keep everyone informed who needs to stay informed. And an entity, of course, is really running 24/7 to try and remediate and understand and rebuild their service, their capability, or whatever it is that they're doing that's been harmed.

Valeska: One of the questions we're often asked when organisations are looking to engage with your team is, what is the nature of your engagement with regulatory arms of government? How's that going to work, and what might the implications be for us?

Michelle: I, as a military member, am seconded into Home Affairs, but I am possibly the only Home Affairs member who is not a regulator. Limited use, and, Valeska, I know we've talked a lot about limited use, and thank you to the broader legal community who worked so closely with us on that legislation. But under limited use, we are constrained, both myself, my team, but also the Australian Signals Directorate. We are constrained into how we can and can't use information, and we can only use information shared with us for the purposes, for my case, for the purposes of mitigating the harm and minimising the consequences, so the information that's shared with us cannot be used by regulators. Of course, a regulator maintains their own powers, their own ability to come and ask for information, their own requirements, but they won't hear it from us. They'll have to utilise their own access and powers. So, the intent with that is so that entities really can think out loud as they're trying to problem solve and understand what may have happened and what consequences might be without fearing that they're both sharing with a regulator something that a) might not be true because it might not have happened the way they thought, and b) isn't a requirement under the regulatory protocol to release it. So, they can actually focus on what is the regulatory requirement, but also engage, particularly with the ACSC, with experts on what might have happened, and really open the doors to 'Can I talk through what might be happening, or what I might be seeing?' We've seen a really great response. The data is hard to get because, you know, I know that we don't see all incidents, but, certainly, the substantial increase in engagement when ASD both reach out to entities and when they reply and engage back with ASD to talk about what ASD might be seeing, or what's happening to them, and the speed at which entities are engaging with us and sharing what's happening.

David: Yeah, I mean, that's a really interesting observation, because we're interested to hear your perspective on how you kind of feel that the limited use obligation has played out in practice. You know, are you still seeing reluctance from organisations to engage? You know, I think you know, knowing personally, talking to clients, when there's a panel of 50 government agencies on a call, and some of those are regulators, it can still create some significant concerns. So, I guess it sounds like you have seen some, you know, behavioural shifts in engagement, but it'd be super interesting to hear your kind of experience of life under the limited use regime.

Michelle: Yeah, yeah. Look, I equally value your views on this. People who come to myself and the NOCS are willing to share and they understand the limited use regime. What we don't know is those who aren't coming and seeking our support or engaging with us, whether it's because of an uncertainty about limited use or some other reason. I do believe we've seen it be more fulsome, faster. And, as I said, there's some really great data that the ASD have where, I think, before limited use, in the 12 months, they did between 600 and 700 outreaches. I know that Abigail Bradshaw has spoken about this publicly, but there's a number of outreaches, and I think around 50% of those companies picked up the phone or replied, and I think since limited use, they've reached out to over 1700 organisations, and over 75% have actually replied and engaged. Now, there are so many factors, right? Because it's a very complex ecosystem. Are we seeing more attacks? Are we seeing more willingness to engage? Are we seeing all of the above? But we have seen for the organisations that my team and I have supported through an incident, we have seen a willingness to share, and we're very specific about that limited use. We try not to have a huge number, certainly no one who doesn't need to be on the call, and we won't bring regulators into those consequence management calls, although, if an entity would like to share with a regulator, sometimes we've heard about incidents through regulators, because an entity, depending on their own obligations, will go straight to a regulator, and then they'll let us know so that we can connect up with the organisation. It's a dynamic space, and one that I think is providing some level of comfort to industry and communities.

Valeska: It is really hard to attribute that increased engagement. We have absolutely seen greater engagement. I think part of it is definitely due to limited use, but I think the other part, frankly, is just the fact that people are seeing more value over time, including from your team, in engaging with government, and that's so important, because if you feel like you're just providing information and it's not a two-way conversation, then, you know, in the middle of a crisis, when you're pretty strapped for time, then there's not going to be value in that.

Michelle: Yeah, I hope you're right, and I know that a number of the features of our recent legislation seek to address that. Certainly the message that we're giving is that it is a really hard professional day, but we want to be there beside you, and we want to work with you, and I think the more we can build genuine trust, this is not one thing. This cyber issue, challenge, is not whether it be criminals, state, activists. It's not an issue that one of us can solve. No one sector, not the government, not industry, not academia, no one sector can actually manage this alone, and it's going to take every one of us to work together. It is absolutely a whole-of-nation endeavour. So, I hope that that actually is part of this puzzle.

Valeska: I think so, and I think a big part of it too was even the way that the legislation, or the draft legislation evolved, and it's not a safe harbour, and I know that that's been misreported a number of times, but some of the additional protections that were built in in the legislation that was actually passed, I think was really meaningful for organisations in helping them understand that there are some genuine intentions there.

Michelle: Absolutely, the team who worked on it, an amazing team out of Home Affairs, I personally haven't seen that level of engagement. I think the data speaks to that, that it was absolutely co-developed with professionals across the country to make sure that we hit that balance.

Valeska: It's always struck me that your team operates very differently to many other government agencies, possibly even most, just in terms of the level of accessibility and responsiveness and flexibility, in terms of your team's rightsizing, the nature and intensity of response and, above all, going back to what I was saying before, really, the empathy and understanding of what organisations are going through at the time. Can you talk to us about how you run your team internally, and how you've sort of managed to build such a high-performing culture?

Michelle: Thank you. That's a great thing to say. I will say, as someone who's served our nation in uniform for over 30 years, this is such an honour to serve and a privilege to serve in this way. And I know that, as a team, it's a strange thing to say but we have the privilege of being able to be there to support someone who we know we can make a difference. And I think that, in itself, is incredibly inspiring and drives us to do our best and to respond. We're a really small team. So, again, building that team culture around trust and collaboration and excellence, and really being focused on the best outcome for the greatest number of Australians, and supporting that entity is what we've rallied around and what we build our skills on. There was no playbook. There was no, 'Hey, I'd like a cyber incident consequence management responder. Can I train out one of those and bring them in?' There has been some great folk before me and throughout the team who've come in. And, to my mind, we attract people who understand what we're doing and really want to serve in that way. And, again, as someone who's served in uniform all of my working life, it's abundantly clear to me that you don't need to wear a uniform to serve. We have incredible professionals across both my organisation but across the whole government who absolutely see this as a calling to serve our nation, especially in the cyber security space.

Valeska: And how has your previous career informed the way that you've approached this role?

Michelle: I spent different times throughout my career managing complex and wicked problems, multiple stakeholders. I've done quite a lot of work with our allies and partners in different roles, so managing so many equities and not necessarily owning and pulling all the levers. Those are some of the things that resonated with me when I came across to do the job. When I was asked to do the job, I thought, 'I don't know what my skill sets can bring', but that was pretty short-sighted when I saw the complex and diverse range of things we do.

Valeska: And what did you think when you were tapped on the shoulder to do this?

Michelle: To be honest, I went and spoke to a very good friend. I was in the US, and I had a colleague there, who was the chief information officer, who had a team of around 4000 people. And I said, 'Hey, I don't know about this.' And he's, like, 'No, you can absolutely do this.' He said, 'This is about leadership. This is about …' He quite flippantly said, 'Don't worry, none of us know anything about cyber. This is such an evolving space.' That was his way of making me feel confident. I think I looked at him and said, 'Now you're really taking the mickey.' Again, it's an honour to be asked. I was intimidated. I didn't think I would be selected for the job, but it is a great honour, and I've loved every minute of it. It's equal parts challenging and rewarding, and the threat is not going away anytime soon. So, we're continuing to grow. You know, I think something that has surprised me is that every incident, we're still learning things, and we're not learning because there's been a failing. We're learning because it's such a novel and dynamic space, such a complex ecosystem.

David: So, I mean, that's certainly been our observation is, you know, again, coming back to the conversation before, the kind of unique malleability of the way that the NOCS kind of operates and allows you to size up and size down, but also to learn and to adapt to different incidents. So it's been a, you know, really interesting engagement process for kind of industry and professionals in seeing how the NOCS has kind of evolved over this period of time. I did want to touch on one thing you just said there about the kind of ongoing threat and challenge. I mean, you know, a big question, but, like, looking forward, how do you see the kind of unfolding set of challenges for industry and government in this space?

Michelle: Yeah, look, I think a couple of things, we know that AI is making our threat actors faster, making it easier for them. I'm not necessarily sure it's making them better, but we're going to have to embrace, match, and beat, defeat, rather than playing whack-a-mole.

Valeska: When you say not sure it's making them better, do you mean better than us or better than they have been?

Michelle: I think both. I think there's plenty of opportunities for us to embrace those technologies in a safe and secure way, in order to remain match fit. We often say there is no finish line, and we have to be undeterred by that, because it is a constantly—both the threat and the technical environment are constantly evolving. So, it's going to require, and I recently spoke to the government graduates, the data and digital graduates, and you look at these innovative people who thrive in that environment, and it's going to take those people who actually not only thrive, but love being in this space where they're constantly learning, evolving. And I think we're also going to have to just continue to work on our foundations to ensure that we are secure by design, secure by default, secure by operations, and really uplift the whole nation in order to then deal with the novel. ASD, I think, have really laid down the markers for post-quantum cryptography and being prepared for that. I think that's a challenge, that's going to be a challenge we're all going to face in the next few years, and we'll face it together. You know, you said how the NOCS has responded and evolved as industry watched. It hasn't just been industry watching. It's been in partnership with industry as well. The team learns so much from all of our partners, and as we collaborate through this incredible public private partnership that we have, that we're building, that trust, it's so important. And as I said, none of us hold the keys, all of us, it's going to take all of us. But, again, with the great support of so many industry partners, we can continue to learn and evolve and adapt.

Valeska: It feels like with the current geopolitical environment, there are an increasing number of nation-state attacks as well. Be really interested to hear how your engagement, both with affected organisations, but also the broader government infrastructure, how those dynamics change where there's a nation-state attack, as opposed to a financially motivated one.

Michelle: Look, I think it's fair to say that today we have business owners, critical infrastructure owners, big and small, on the front line of national security. That's what's a little novel here. In terms of the NOCS capability, you're right, the lines are completely blurring, and we've seen state actors employ criminals, and criminals support state actors who might be financially motivated. For us, for the NOCS, we're actor agnostic in the way that we will support the consequence management. But, of course, we have fantastic world-class capabilities in the Australian Signals Directorate, which has not only got the cyber security centre, but is our leading threat intelligence, signals intelligence. And so there's really powerful capabilities there that, of course, we encourage everyone to report incidents into cyber.gov.au, so that we do have that single repository of threat information, so that we can constantly understand the environment that we operate in. And as we build that repository, we know that threat sharing and threat blocking are so important, it's one of the features or pillars of our strategy, but all these things tie together.

Valeska: It's always felt to me, and perhaps this has changed more recently, but the function and the role that you have is actually reasonably unique globally. Are there equivalents in other jurisdictions that you're working with?

Michelle: Look, I've worked with some great partners, but I'd agree the role had been quite novel to date. We certainly have partners who are also looking at the value of the role. I think you can cut the cake so many ways. We've cut it this way and we're making a difference. I share and work closely with people in the region, with our allies and partners, there are some real benefits to our model that others are looking at as well. But you're right. I didn't come into the role feeling like I had a natural peer, and that was briefed to me by a number of colleagues that said, you know, 'These three people all have a part of you.' But I do think others are watching and evolving and looking at how do we develop some of the unique things that this position offers.

David: You've seen, you know, the NOCS kind of come out of a particular time when there were very high-profile data loss and data breach incidents. But I guess we're also seeing increasing commentary from, you know, the various agencies about the importance of just, going back to the question of just resilience, and, you know, the importance of not just focusing on the data protection aspect, but actually, you know, when you talk about critical infrastructure, obviously that becomes almost the most important thing. I'm just really interested in your observations from the NOCS, the position of the NOCS, about those issues.

Michelle: Yeah, look, I think you're spot on. The number of incidents that we had in a row that resulted in the personal identifiable information of citizens being released put us down a path where we could potentially be focused on that outcome, and we have some good practice in remediating and mitigating that. I think the bigger issue is we don't want to be blindsided by an incident, an incident that actually prevents a service delivery or prevents a capability that actually takes down a network, rather than, you know … We've had some discussions over the last few months just about the importance of ensuring that companies who want to succeed and be resilient don't just focus on where their data is and how they protect their data and make sure that when they have, if they have, a data spill, they take these steps. It's really important that we do step back and look at broad resilience and how quickly we can recover. And there are some simple things that everyone can do. We have some great resources online, cyber.gov.au have great priorities for small businesses. We have the new cyber health check tool that was released last month on the Act Now. Stay Secure. site (actnowstaysecure.gov.au). We have tips, really simple tips in 32 languages, for citizens, and that applies to sole traders and small businesses as well. There are still things, simple things that scale, of course, depending on who you are, but really the foundational things that we know we can all do better. So, we're really constantly trying to push that and uplift that as well.

Valeska: Dave mentioned at the beginning that you've been in the role for almost two years now. What's been the most surprising thing to you over the course of those two years?

Michelle: It feels like two days and like 20 years sometimes. Most surprising. You know, I think the thing that struck me, I'll give you three. One is the audacity and the grubbiness of the criminal threat that we're talking about. In fact, the entire threat, the boldness, if you equate it to a physical security threat, too often it's unremarkable in cyber security. And there is some cultural uplift we have to do there to ensure that the culture that we've established in the physical world, if we want to live and thrive in this digital world, then we have to lock up, lock up the house in the digital world, and we have to know what's safe to bring in and what's not safe. We have to keep our kids safe the same way we do in the physical world. So there's more to do there, but I was shocked at the volume and the scale and the audacity. On the other side of it, I've just been incredibly, I find it incredibly patriotic working with industry. I know that's a term that's not always very Australian, but I can't find a better term for the response that I get from partners, colleagues across industry when an incident happens, my phone is running hot with calls or texts saying, 'How can we help?' It's incredibly inspiring to watch professionals say, sometimes, 'By the grace of God, go them, not I. What can I do?' And then, increasingly, through limited use, those organisations who are having incidents are happy to share their lessons learned very quickly, so that we don't see these modes and methods being proliferated, and that others are protected. And that's been another benefit of limited use, using that convening power and the limited use to share things under limited use that might help others to not fall victim to the same thing. And, of course, coming out of the military, this is probably my blinkers on, but back to that point about civilians being on the front line of national security. This is absolutely a national security issue, and we have business leaders, small and large, and critical infrastructure owners on the front line of it every day.

David: So, Michelle, I'd be really interested to hear your experience from the NOCS perspective of the new ransomware reporting regime, and what that has looked like, and how you engage with entities who are grappling with that question or having to deal with the notification obligations.

Michelle: So, the government never recommends you pay a ransom. And the new legislation requires any entity with a turnover of more than 3 million annually to report if they have paid a ransom. Now, the reason we're doing that is so we can better understand the quantum and build stronger response options to tackle this massive issue across our economy. It's really important that this reporting regime is no fault, no liability, so people don't call back out the organisation. If they'd like our help, we'd love to hear from them, and they can report separately through cyber.gov.au, and give us or the hotline a call. But that's really about collecting data so that we can continue to build our awareness, but importantly, build the response options for it. You know, we don't recommend anyone ever pay a ransom. We know that those that pay are far more likely to be re-targeted. We know that we can't trust those criminals, that when you do pay, you'll get the data back, or that you get the only copy back, or you won't be re-extorted for the same data, or that it wouldn't have been unsold. It really doesn't solve any of your problems. You'll still have to fulfil your regulatory obligations. You'll still have to remediate your systems, and also any personally identifiable information or PII that might have been lost. But it does both feed into this financial circle of criminality, and it makes you far more vulnerable. We know that criminals know who are payers and who aren't, and advise their colleagues, 'Oh yeah, they're a payer.' So there are some pretty big stats on those that have been re-targeted or even just doubly extorted.

Valeska: There were obviously a few different iterations of that regulation before it was actually passed. Do you know why the decision was made to pin it to actual payment, as opposed to just a cyber extortion incident occurring?

Michelle: Look, I think we're looking to understand the quantum of resources and who is vulnerable to these payments. The actual legislation is designed to inform us so that we can be far more agile and learn more and then combat this scourge. I know that at different points, government leaders, the former minister, were quite keen to look at the options for banning payments. We've seen through different incidents in the health sector, in the US or in the UK, that there can be a threat to life. Any future developments would accommodate for those things. There's a stat out there that if cyber crime were a nation, you'd have the third-largest GDP, and by 2030 it is expected to have the largest, so the amount of money that is being lost from across our economy is phenomenal. So, really understanding the amount that's being paid and taking each of those steps to continue to combat it together as a nation.

David: Can I ask the question of whether we're still seeing ransom payments being made through that regime? You know, now that there's a reporting regime, it obviously, in itself, might have an effect on people's decision to make a payment. But, you know, do we, are we still seeing things post that commencing?

Michelle: Yeah, look, absolutely. It is a great question. It's back to what we're talking about, Valeska, about hoping to send that message that we're partnering together, so that if you do have a choice, if there's any way at all that you don't pay, then know that we'll, you know, it's going to be tough, but there are organisations that can support. Yes, there have been entities who've reported into that, through that regime. It's another really hard question as to whether we've seen a reduction. Anecdotally, we hear from partners, including law firms, who are really great partners who let us know what they're seeing. It's often you guys that see a far larger quantum than the government in terms of who's being targeted and who's paying. I believe it's making a difference, the collection of things that we're doing across the economy through multiple arms of government. I think it's making a difference.

David: Well, I think that's all we've probably got time for today. Thank you so much for your insights. It's been a really great chat. What we always like to finish on is the question of: What is your favourite cyber book, TV show, or podcast, fiction or non-fiction?

Michelle: Oh, I've seen some great movies, they feel a lot like real life. Sometimes I will say I try not to miss the Risky Biz news, which often alerts me to some pretty alarming things. But I really enjoy that very contemporary, very quick daily update from that.

Valeska: Thank you so much.

David: Thanks, Michelle.

Michelle: Thanks so much for having me.

David: Cheers.

Valeska: That was a good chat.

David: It was great.

Valeska: I was reflecting when Michelle mentioned that in an incident a number of years ago, there were over 80 government stakeholders that that organisation had to engage with, and now with the role of NOCS, that's significantly reduced. And we've really seen, I think, the evolution that that function has gone on over the past few years.

David: I think that's right, it's been, you know, I think our experience working on incidents involving NOCS, we've kind of watched that evolve and seen them be really responsive to feedback, you know, scale up, understand concerns from clients, manage the engagement with regulators. And it's, I'm sure, a challenging function on the other side that we don't get to see, but you know, it's truly been, you know, that collaborative partnership that Michelle was really keen to emphasise.

Valeska: The two takeaways for me are really the importance of understanding the role of NOCS in an incident and making sure that that is built into the preparedness activities, including in simulations as well. And I know Michelle has been quite involved in a number across Australian organisations. And the other is really the power of engaging in those consultations and providing that feedback. I think we've just seen, over many years now, that that willingness to really understand what industry is going through and the unique pressures, and then to take that experience on board and make sure that the broader response effort is going to be sensitive to that.

David: Yeah, and for me, I think the other thing that was a really striking takeaway is Michelle's view around industry and business being on the front line of a national security issue. And, you know, we kind of see that play out through what we see through our clients, but it is really, you know, to hear it coming from that perspective and thinking about it in that broader context, you know, really frames the type of issues that our clients are facing.

Valeska: Thanks so much for joining us, Dave.

David: Oh, absolute pleasure. And thanks to everyone for joining us here.

Valeska: Thanks for listening to this episode of The Cyber Brief. Check the show notes for resources from this episode, or visit allens.com.au/cyber for our latest thinking. Don't forget to follow, to keep up to date on what's ahead for cyber risk governance and emerging threats as we interview some of the most respected voices in the industry.