The Breach is Over. Are We Smarter? Turning Incident Response into Institutional Memory with Krishna Bagla

Corinium’s Maddie Abe engaged with Krishna Bagla, Manager Cyber Security Operations & Implementation of NSW Education Standards Authority, to explore what’s holding us back and what it might take to shift.
Cyber incidents are a given. Repeated blind spots shouldn’t be.
Too often, when a breach hits a government agency, the response is swift, the investigation thorough, and the fixes well intended. But once the dust settles, those hard-earned lessons tend to stay locked within agency walls. Why is it so difficult to move from one department’s breach to whole-of-government learning? And how can we turn incident response into lasting institutional memory across the public sector?
To explore this, Krishna Bagla shared his thoughts, drawn from his own experience, on what’s holding us back and what it might take to shift.
Silos, Scarcity and Stigma: Why Lessons Rarely Travel
“There are several persistent challenges,” Krishna said. “Some of them are structural, others are cultural.”
At the top of the list are organisational silos. “Information about breaches and lessons learnt is frequently boxed within discrete departments or business units. These silos impede consistent, cross-agency sharing of experiences and mitigation strategies.”
Even when the intent is there, resources are often stretched. “Limited funding and staffing can result in inadequate or incomplete post-incident reviews. Staff turnover makes things worse, causing loss of critical operational knowledge.”
Then there’s the fear factor. “While a great extent of knowledge is shared through the ACSC, there’s still reluctance to talk openly about what went wrong. That’s often due to concerns around reputation, privacy and risk aversion. It discourages transparency and prevents knowledge from flowing across agencies.”
Turning Incidents into Learning Opportunities
At NESA, Krishna and his team take a structured approach to capturing and applying lessons from cyber incidents.
“It starts with formal reviews immediately after the incident, focused on root cause analysis and how effective our response was. We document clear remedial actions and timelines.”
But these aren’t done in silos either. “We run cross-functional debriefs involving IT, security, risk management, business units and executive leadership. That way, we capture both technical and organisational lessons from different angles.”
To retain that knowledge, they use a centralised document repository and make sure lessons are integrated into awareness training. “It’s about embedding what we learn into how we work.”
When I asked Krishna what meaningful cross-agency learning might look like, he was clear.
“In an ideal world, we’d have scheduled debriefs or forums after incidents that involve representatives from all affected agencies. Not just internal teams.” He suggested a secure, unified platform where authorised personnel could access anonymised incident data, mitigation strategies and key takeaways.
“There are already community groups where people share knowledge. Maybe we could use those spaces for case study presentations or vulnerability discussions, even when we’re not in the middle of an incident.”
But, as Krishna pointed out, confidentiality and different levels of cyber maturity still stand in the way.
Breaches Are Changing How We Approach Risk
High-profile incidents are starting to shift the conversation.
“These breaches have changed how cyber risk is approached. From threat modelling to frequent assessments, we’re now linking cyber risk directly to organisational objectives and managing them through the full lifecycle.”
Procurement processes are evolving too. “There’s more focus on vendor due diligence and supplier evaluations at the early stages. That’s where you can catch a lot of third-party risks before they enter the environment.”
And at the leadership level, things are moving. “Senior leaders are more involved in cybersecurity conversations. They’ve seen the reputational and operational damage that can come from being unprepared.”
The Role of Central Agencies
I wrapped up our conversation by asking what role central agencies could play to support more consistent learning.
Krishna suggested a structured knowledge-sharing platform, with appropriate access protocols in place. “This could be a central source that aggregates anonymised reports, lessons learned and mitigation strategies.”
He also sees value in joint cyber exercises. “Multi-agency scenarios could help align response techniques and build trust across departments. It’s about practising together before the next real one hits.”
Final Thoughts
It’s clear from Krishna’s reflections that we’re not short on experience. What’s missing is the structure and willingness to learn together, not just alone. Until we treat each incident as a shared learning opportunity, we’ll keep circling back to the same pain points.
True progress will come when we normalise open conversations. Not just about what went wrong, but how we responded, what surprised us, and what we would do differently next time. That requires psychological safety, cross-functional trust, and leaders who are willing to model humility.
In the end, the strongest security cultures are not the ones that avoid mistakes. They are the ones that learn from them faster, and do so together.
Don’t miss the opportunity to hear more from Krishna Bagla at CISO Canberra 2025 on 17 September at Canberra Rex Hotel.
If you are interested in speaking at the events, feel free to reach out to Maddie Abe (Content Director).