Narelle Devine has always embarked on missions: first, as a principal warfare officer in surface warfare and communications, navigating giant navy warships and protecting the nation for over 23 years, and today, as Telstra’s Asia Pacific chief information security officer (CISO), where she’s navigating from the security helm to protect people and systems.
Indeed, Devine – who’s been awarded a Conspicuous Service Medal in the 2016 Australia Day Honours List for meritorious achievement as the Deputy Director-Cyber (Maritime) in Joint Capability Coordination Division - has already led a colourful life, working and protecting the nation, citizenry and systems during her time in the military, government and now the private sector.
Better still, the significance of her multi-faceted journey isn’t lost on Devine, who asks, “Who would have thought a 17-year-old who joined the Royal Australian Navy would end up protecting the systems of Australia’s largest telco?”
In fact, her actual transition from military to government to private sector has been remarkably smooth sailing, and one that presents certain similarities.
“It was easy for me to jump from military to government because it was just protecting people in a different way," Devine says.
"Protecting people when you’re in the navy, doing those deployments and doing good for people, was very easily translatable when I moved across to the Department of Human Services, where you’re helping people at their most vulnerable.
"It’s a very rewarding culture.
“And then moving across to Telstra – the goal is very similar: You’re protecting the national telco. It’s one of the most critical systems that the country has, and you need to keep those lights on from a cyber perspective.
"So, I take pride each day when I think about how important that service is to the country and my role in protecting that.”
Today, as the recently appointed APAC CISO, Devine is leading Telstra’s Cyber Security capability – and on a mission to protect the privacy and security of customers, Telstra and the vast services it provides.
“I love our mission. Everything we do impacts the lives of every Australian in some way – whether it’s tackling scam calls and SMS messages, or reducing the delivery of malware via email, or making sure the Telstra network is secure so we can keep Australians connected," she says.
“My big vision is to transform the way my team embeds security into everything we do at Telstra, and share what we do more broadly, so we can uplift the broader security posture of the Australian community.”
Charting a course in cyber
Looking back, Devine says a “defining moment” helped shape her career – and ultimately landed her at Telstra’s cyber security helm.
Admittedly, working for over two decades as a surface warfare officer specialising in communications with appointments both at sea and ashore in Communications, Electronic Warfare and Cyber Operations, Devine says leaving the navy wasn’t originally part of her game plan.
But “an opportunity to make a real difference in government” arose at the Department of Human Services, now Services Australia.
“I was never seeking to leave the Navy. I loved being in the Navy. But the opportunity to become the CISO at the Department of Human Services was presented to me. To be honest, it was just an opportunity that was too good to turn down. They had really big plans to build their cyber capability,” Devine says.
Immediately after taking the leap, Devine was tasked with delivering the department’s first-ever purpose-built, multi-million-dollar cyber security operations centre.
In completing the mission in record time – just under nine months, Devine says the transformation of the team at Services Australia was a huge accomplishment.
“We went from 25 to 250 people; moved to 24/7 operations and built capability that embraced the non-technical elements of cyber," she says.
"This was undertaken at time when the skills were not available, and we very much embraced a train-your-own approach.
“As part of that transformation, understanding that engaging across the wider community to get them to understand what the department was responsible for and the importance of the cyber capability was critical in assisting the recruiting effort. It really showed how success is very dependent on a holistic approach, a wide and diverse lens and an element of creativity.”
Certainly, it was one job that Devine says she was happy to ditch her sea legs for – a move back to land that ultimately nixed her persistent sea sickness.
“I got sea sick my entire career, which was quite a unique thing about me. So I wasn’t upset not to go back to sea. I also think it was pretty nice to go to an office in the morning and know that you’re going to be in the same city when you leave that afternoon.”
Asked her lessons learned from building the department’s first-ever cyber security operations centre, Devine says CISOs need to be realistic about change, humble and adaptable – three traits not always achievable.
“You’ll never get to perfect, so in order to make progress, any progress, is going to be good progress in this space. And you need to be constantly changing and adapting. Decisions you make today might be wrong in a couple of days through no fault of their own. The threat changes, the adversity changes, the way that you’re going to deal with it changes. So you need to be quite humble in the way that you approach your decisions," Devine says.
“Changing your mind is okay, and a really good prerogative in this industry. But it needs to be balanced with the ‘change fatigue’ in your organisation.
"At the department, we changed multiple times over the years and I was buried in form and function. And I’m not apologetic about that at all.
"I think it was really important to keep up with what we could see in the cyber threat landscape.”
CISO role in transition
And then Telstra came calling, Devine recalls. What excites her is the promise of the CISO role, which is becoming more defined and shifting to meet the ever-evolving business and threat landscape.
“From my position, there was no defined pathway. The CISO role was immature in comparison to a doctor or a lawyer. But it really is about collecting the experiences and being able to put them together over time. It’s quite an exciting time for most people to pursue a career in cyber.”
The CISO role, in particular, is starting to solidify. “I have a lovely balance of structure, framework and experience, and also a real agility at Telstra to move and mould and always look for improvements. So, I get the opportunity to shape it as I go to make it better,” she explains.
“I’ve inherited an amazing team. They are exceptional. For a cyber capability in the private sector, I’m not sure I’ve seen anything better. They’ve come to me incredibly well trained, well-disciplined and well structured.”
In fact, Devine loves the variety of the CISO post at Telstra. “It’s a wide-ranging role – from setting the vision of where we want to be in 2025, to fronting the Board and audit risk committee, to having a hand in the operational matters day-to-day, to responding to media queries or even getting involved in complex customer situations.”
Already, Devine says her team is kicking goals and achieving results.
“The team has completed amazing work in blocking DNS, scam SMS and scam phone calls which, knowing the impact to every Australian, I am incredibly proud of.”
Outthink and outsmart
Asked for her thoughts on the ever-evolving threat landscape, Devine says criminals are savvier at accessing personal information and monetising it – and there’s a blurring of the lines as tactics and techniques get more advanced.
“The crossover between stealing your information and stealing money has now blurred," she says.
"We’re also seeing a lot of sharing of tactics between nation states and criminals themselves.
"The lines are really blurry now, and it doesn’t matter where you are. You can become a target. Everyone is sharing tactics and they’re all after your data or your money.”
At the same time, advancements in behaviours, heuristics, automation and machine learning are helping to combat the threats - and “we’re trying to do as much as we can without having to have eyes on everything.”
“How do we build the systems going forward to naturally be able to learn on their own, and be able to look for those abnormalities that would otherwise be completely hidden? It’s a pretty exciting task moving forward.”
Automation and behavioural analytics are two of the biggest areas of development, and not just for Telstra, but across the cyber domain, she explains.
“Rules-based detection, for example, is quickly becoming unmanageable because of the size and scale of the threats now. It’s an interesting problem to have: You’re trying to outthink those that are still human at the other end of the keyboard, the people doing you harm," Devine says.
“The uptake in ransomware, and denial of service, is increasing, and we’re seeing such a huge ability for criminals to generate more traffic with amplification.
"The bottom line is these criminals are looking to make money – and there’s a lot of money to be made.
“As the economy moves more into a digital framework, as everybody is online more and more, and as we tie ourselves to that digital footprint, it means it’s more appealing to those who might wish to cause us harm.
Admittedly, the tools needs to change, and so too does the fight and the strategy, she says.
“For us, it’s about having a diverse team – some really curious and creative humans - so that we can outthink and outsmart our adversaries.”
Creating the vision
Her work doesn’t stop there. “My vision is a safe and secure Australian digital landscape so that the next generation – who will rely on the digital economy – are able to maximise the opportunities that a connected world brings," she says.
Undoubtedly, her vision to “serve and protect and to make a difference” has been the common denominator across all three disciplines and across all jobs – and now in full view at Telstra.
“Like most people, I like to do work that is rewarding – and for me I find that reward in knowing that I am making a difference," Devine says.
"The ability to do that at such scale is a feeling that is difficult to describe.
"It comes with incredible responsibility – but the personal satisfaction makes it very worthwhile.”