The SA government has found its new permanent chief information security officer from within after the top job was vacated earlier this year.
iTnews can reveal that the Department of Premier and Cabinet (DPC) quietly promoted Office for Cyber Security deputy director Will Luker into the role late last month.
He had spent five months acting in the role following the departure of inaugural government CISO David Goodman, who resigned in January.
Goodman has since become cyber security and hi-tech director in the state’s Department of Innovation and Skills.
In April, DPC went looking for a new CISO to lead the Office for Cyber Security, which is responsible for developing the state’s cyber security standards, policies and frameworks.
Luker has spent the past seven years working in cyber security and emergency management at the department, including two-and-a-half as a senior manager.
He also previously worked in the state’s Office of the Chief Information Officer between November 2010 and September 2014.
Executive director of ICT and digital government Eva Balan-Vnuk told iTnews that Luker was appointed to the position on May 31 following a “rigorous application process”.
“His appointment is an asset for the department, as it continues to lead the state government’s efforts to ensure South Australia is prepared for and protected from the threat of cybercrime,” she said.
Luker comes to DPC at a time when agencies do “not always effectively manage the penetration testing and vulnerability scanning of their public environments”, according to the auditor-general.
An audit, released last week, found 79 percent of 292 public-facing environments assessed had not been pentested in the last three years, including 47 percent of environments holding sensitive information.
“We found that the level of penetration testing and vulnerability scanning conducted by most of the entities in the last three years was limited and ad hoc,” the auditor-general said.
“We identified several environments holding sensitive information that were not tested or scanned.”