Five key technology and digital considerations for the public sector

7 minute read  08.09.2022 Vanessa Mellis, Ashish Das, Jonathon Blackford

Technology and digital transformation uptake continues to accelerate in the public sector. The pace of change is unprecedented, and changes bring new challenges, issues and potential pitfalls.

Our legal and consulting experts uncover the top five technology and digital considerations for public sector clients.

1. Cyber risk management is critical as cybercrime increases

MinterEllison’s Technology Team conducts annual qualitative and quantitative research into how cyber risk is affecting organisations. In the seventh edition of our Perspectives on Cyber Risk report, we find that in the face of heightened geopolitical conflict, intense regulatory focus and a reliance on technology as never before, organisations are facing a unique, perilous and escalating cyber risk landscape.

Key findings from the research disclosed:

 


of respondents have personally received an obvious phishing email or ransomware security threat in the last 12 months

 


of respondents said that cyber security risk ranks as high risk (top five) on their organisation’s corporate risk register


of respondents said they have taken steps to assess their cyber security maturity against an established framework


of respondent organisations were subject to at least one cyber security incident in the past 12 months that compromised their systems or data

Within this context, there remains much for organisations to address in managing cyber risk – and it's dominating management agendas. Australian organisations are finding it difficult to fill specialist cyber security roles, and organisations with large volumes of data said they felt particularly exposed by gaps in their resources.

In 2020-21, there was a 15% increase in ransomware-related cybercrime compared to the previous financial year, as reported in the Australian Cyber Security Centre’s Annual Report. Many organisations told us they had received additional budget to mitigate a ransomware attack – though few had developed a comprehensive ransomware playbook to implement should one occur. Appropriate incident response is crucial for the public sector given the high profile and community significance of many public sector information systems.

Our key takeaways on practical steps to mitigate cyber risk:


Align cyber security measures with an external framework

Organisations should assess their cyber security maturity, and align it with external frameworks such as the ASD Essential Eight Maturity Model or the NIST Cybersecurity Framework.


Conduct cyber incident response plan drills

Cyber incident response plans must be regularly tested and updated to reflect an ever-changing environment. They need to be aligned to broader risk management.


Train and educate employees

Human error still plays a key part in many serious cyber incidents. Organisations should not underestimate the insider threat. They should also continue to invest in and improve their security architecture.



Understand compliance obligations

Organisations need to urgently address new regulatory obligations under the SOCI laws. They should also consider pre-emptively preparing for the likely imposition of new privacy and cyber-related regulation.

2. Organisations need a robust and agile approach to digital transformation and strategic procurement

Selective technology advances were made during the COVID-19 crisis on a needs basis, while some less urgent or legacy modernisation projects were deferred. Two guiding comments are provided from the Queensland Audit Office’s most recent review of Queensland technology projects:

  • the public continues to become more reliant on working, learning, and doing business remotely, and it will be essential for governments to use technology to transform their services, but
  • the current economic climate emphasises the need to ensure public sector technology investment delivers value.

The pandemic accelerated public sector adoption of cloud solutions, providing flexibility to scale and more rapid delivery, as well as the possibility of shifting capex investment into more consistent and predictable opex funding. It has been reported by Gartner that by 2025, 95% of new IT investments made by government agencies will be made in “anything as a service” (XaaS) solutions, and over 75% of governments will have more than half their workloads with hyperscale cloud service providers. As well as the now-traditional categories of software and platform, categories of IT infrastructure and software services provided by subscription include business process as a service, unified communications as a service, and case management as a service. A shift from direct management to brokering ICT products and services will impact required organisational skillsets.

Organisations are facing continuing challenges. These include:

  • increased risks of disruption,
  • security management risks (cyber, data and operational),
  • the imperative and consequences of rapid decision-making,
  • maintaining workforce productivity, and
  • ensuring the stability of critical business processes underpinned by core technology and systems such as ERP, Network, Infrastructure, Applications and Data.

These challenges call for robust and agile procurement response strategies, with implementation horizons ranging from immediate and short-term to mid-term and long-term.

In respect of digital transformation approach and methodology, experience is showing that smaller, incremental development, and agile development methodologies, are more successful. Our technology consulting team has advised 70+ clients across federal, state, and local government.

3. Data protection and management requires its own transformation

Data, its management and protection, is a key consideration for public sector entities. Data-sharing between agencies is becoming commonplace (notwithstanding some regulatory compliance hurdles). Government data is becoming more widely considered for input to decision intelligence systems. It is reported that, by 2024, 60% of government AI and data analytics investments are anticipated to aim to directly impact real-time operational decisions and outcomes.

Government data-sharing requires an appropriate balance between managing compliance while also improving transaction speed and reducing friction. Outcomes-focussed perspectives can result in stakeholder confidence to apply data and data-sharing in support of an organisation’s strategic goals.

Data protection and management goes well beyond privacy. In Queensland, public sector entities should be aware that the Queensland Government has released for consultation proposed reforms to Queensland's privacy and right to information framework. This includes introduction of a mandatory data breach notification scheme. If implemented, the changes would no doubt introduce changed administrative and resource burdens.

Many organisations now recognise that while they thought they were embarking on digital transformation, in fact what they need is data transformation. The public sector will need to allow citizens to play a greater role in controlling and accessing their data to ensure there is trust in the technology, and in the responsible deployment of AI.

4. Integrating digital and strategic goals is critical

The ICT changes due to the COVID-19 shock were largely tactical and responsive in nature, though the role and utility of ICT in government has been elevated by those changes. Recovery provides the opportunity to take stock and consider more strategic issues.

Technology strategy will link an organisation’s technical developments and work programs to the overall strategic goals of the organisation, while remaining agile and responsive to changes in organisational requirements, and identifying, managing and communicating risk. Scenario planning and roadmaps can assist to finesse and communicate strategy. Citizen experience remains a top concern.

In Queensland, the Queensland Audit Office has emphasised its expectation that technology projects need to be strategically set up to maximise success, that an organisation’s need for projects should be actively challenged and validated on an ongoing basis, and that periodic reassessment should be undertaken to confirm that projects have the right approach and skills.

Digital strategy often involves a shift to the cloud. This shift offers organisations compelling benefits, including reduced capital expenditure, increased operational agility and faster innovation. However, the move also comes with contracting risks that – unless deftly negotiated – could leave an organisation facing significant legal and commercial harm.

The cloud services landscape is becoming increasingly complex, particularly in a quickly evolving regulatory environment. Organisations should enter the cloud services procurement process armed with a clear understanding of their regulatory requirements and risk settings.

Overall, the digital strategy needs to build trust in government through use of digital tools and policy that enable transparency, accountability and 'explainability' such that there is ethical use of data and equitable access to services.

5. Regulatory compliance should be a priority as obligations increase

Security of Critical Infrastructure (SOCI) regulation has become a central feature of the regulatory space of technology management. Recent amendments have imposed new obligations on entities operating critical infrastructure assets. These include a positive obligation to report incidents, an expansion to the coverage of the regulation, and obligations in respect of risk management programs. Relevantly, hospitals, energy and other utilities, universities, ports and transport can all be impacted.

Other flagged regulatory changes that may impact technology leadership and strategy include, for example, the Queensland privacy and RTI reforms, as well as proposed changes to the Commonwealth Privacy Act, broadening the definition of personal information and increasing enforcement powers and penalties for a breach.

The previous Commonwealth government also released a Ransomware Action Plan in October 2021, which flagged an intention to introduce ransomware-specific laws including a mandatory reporting regime. The appointment of a dedicated Minister for Cyber Security tends to suggest these issues remain front-of-mind for the current government. The legal and policy constraints on the payment of ransoms need to be well understood.

Please contact a member of MinterEllison’s technology team to discuss how we can assist your organisation. MinterEllison is the only major Australian law firm to provide specialist technology legal and consulting services. Our technology specialists cover both the commercial and legal aspects of technology projects as a stand-alone or integrated service, and partner with clients on their digital transformation journey. MinterEllison's technology team are specialists in cyber security, privacy, technology disputes, IT strategy, governance, benchmarking and procurement requirements across all technology and BPO requirements. We’re experienced in minimising the legal and commercial risks, to ensure your organisation is protected and productive.

Find out more about our technology team.

https://www.minterellison.com/articles/five-key-technology-and-digital-considerations-for-the-public-sector