Cyber security leadership from the top

David Jarvis and Clem Colman from UXC Saltbush offer their first impressions of the Federal Government’s new Cyber Security Strategy

©iStock.com/maxkabakov 

©iStock.com/maxkabakov 

As a team of security consultants, when it’s the CEO of an organisation who initiates a cyber security engagement, it speaks volumes for intent and commitment. So it’s very encouraging to see the Prime Minister deciding that cyber security is one of his key priorities.

Overall, there are many reasons to be encouraged by the Federal Government’s long overdue Cyber Security Strategy for Australia – the first since 2009. It seems timely to discuss some of those reasons – as well as initiatives within the strategy we feel could need bolstering in its execution over coming years.

Cyber security resources

The focus on building capacity in terms of skilled cyber security professionals in the strategy is welcome and aimed at a structural problem that has affected our industry for some time, becoming particularly acute in the last couple of years. As any cyber security professional will tell you, there are already not enough skilled resources to go around. Adding to this already pent-up demand is that strategy indicates the Government’s own ambitions to have its own cyber army as well as dedicated cyber security resources within specific agencies.

While it’s an open and free market, the Government needs to work with industry – not be in competition with it. It is therefore comforting that the first section of the strategy calls for a National Cyber Partnership, with the goal of having “Governments, businesses and the research community together” advancing cyber security – but the proof will be in the pudding.

The Cyber Smart Nation section of the strategy proposes addressing the skills shortage across all levels of education, “… starting with the most urgent need in the tertiary sector”. However, while greater effort at the tertiary level is warranted, our own industry consultation has led us to believe there’s a much stronger case to leverage the TAFE sector at the Certificate IV or Diploma level to make inroads into that skills shortage more quickly and in a more business-focused environment.

International advocacy and co-operation

The Global Responsibility and Influence section of the strategy outlines plans for international engagement, with the goal of having Australia “actively promote an open, free and secure cyberspace”. The appointment of a cyber security ambassador is a welcome effort to address the elephant in the room. Some nations permit cybercrime operations to run within their borders; many countries simply don’t have the resources to combat the problem – but others are all but openly permissive of cyber crime, especially where it targets traditional national rivals.

Creating an ambassador to co-ordinate and negotiate on international cyber security measures is a good step, as are the others outlined in this goal of the strategy. However, we cannot afford to underestimate just how much effort needs to be focussed offshore if we are to seriously combat this ever-growing problem. Economic disparity, sovereignty and nationalism are all factors which contribute to the cyber security issue; the internet gives us global access, but we don’t always act as a global community.

Translating strategy into practice

In several policy areas, the strategy could miss the mark if not applied properly. Focus throughout the report on academic centres of cyber security, and monitoring centres, are other strategy initiatives for which support must, in our view, be qualified. The last twenty years provide ample evidence that centres of excellence can become somewhat disconnected from the assets they are supposed to protect – sometimes delivering impractical advice which, if pursued, would stifle digital innovation.

In current practice, risk management is the central tool security practitioners use to gauge where security efforts are most needed. As a tool, risk management has its issues, but the alternative is to focus entirely on good practice guides, and we already have plenty of those.

Missed opportunities?

One challenge Australian Chief Information Security Officers have is the lack of a specific statement that one standard or another is even preferable, let alone enforceable. That remains an open issue, and hopefully one which will be addressed as part of strategy implementation. Australian Government Agencies are mandated, and can already point to the Attorney General’s Protective Security Policy Framework and the Australian Signals Directorate’s Information Security Manual (ISM) – but there is nothing ‘mandated’ in this new strategy for the rest of industry.

There are perhaps other opportunities which ideally would have been addressed. As above, the missing piece in education appears to be TAFEs. With minimal investment TAFE can begin to address the skills shortage over the next one to five years while the academic programs gather momentum. There is also a repeated emphasis on private funding of this education effort – which may appear wishful thinking.

Another disappointment is that this is not the first time the Australian Government will be issuing governance ‘Health Checks’, and it’s tempting to say, “So what?”. With the commitment being given to industry that it will have voluntary engagement and compliance on cyber security, then where are the bottom line or reputational consequences of having a poor or average score?

To put the problem in commercial terms, while businesses can still gain first-mover advantage from getting serious about cyber security, in most cases its cost is viewed as a threat to competitiveness. Too many businesses are simply prepared to ignore the risk, or make a minimal effort at compliance by just ‘getting the tick’ – as our colleague Bernie Ryan highlighted in his article, ICT security risk assessor: Cassandra or Chicken Little? The process is at risk of being so benign that nothing is really gained.

Who wins?

Nobody will shed a tear if criminals make less revenues, but all legitimate Australian businesses stand to benefit from strategy initiatives.

Of course, cyber security organisations and those consulting to industry also stand to gain, at least initially as a result of the strategy and the Government’s lead from the very top. It’s a profession that requires continuous update and innovation to remain competitive and relevant.

Certainly the education sector gets a boost. Data61, an innovation group which has established a network of partnerships across industry, government and academia since 2015 is specifically mentioned as central to delivering PhD programs.

At the other end of the scale, generic public education and awareness programs will need professional communications services. Small-to-medium businesses (who are particularly vulnerable to threats like ransomware) also stand to be better educated and get access to AFP and other policing resources, who will be specifically trained to assist. To this end, the insurance industry may see a boost in cyber insurance as a result of better education and awareness.

Strategy with an eye to cultural change makes sense

Overall, there is one enormously positive thing about the strategy. Leadership from the top like this is essential to achieving cultural change. There’s an old business saying that culture eats strategy for breakfast – so it’s an excellent foundation that our government’s new cyber strategy clearly understands that cultural change is the end game.

Further Reading

About the Authors

David Jarvis is the Cyber Security National Practice Lead at UXC Saltbush. He is accredited to undertake ISO/IEC 27001 certification audits, and the first to accredit an Australian organisation to that standard. He also helped establish the Standards Australia certification arm for Information Security Management Systems (ISMS)

Clem Colman is the UXC Group’s Chief Information Security Officer. With over two decades of experience including roles with BHP, he built and ran his own successful Canberra-based technology company, merging it with the Saltbush Group in 2010. In late 2014, he led the integration of Saltbush into UXC Consulting following its acquisition by the UXC Group.