So, change is in the air. And the CSS20 review is a major current in that change. But what do we actually know about it? Well, according to media quotes, it’ll:
- be “grounded in sovereign capability, with a plan for the future workforce and growth of the cyber security sector, including Australian cyber SMEs”;
- “build resiliency, with real engagement and industry alliances to deal with cyber shocks”;
- “include the role of critical technologies, our partnerships through the Quad and international norms and standards”; and
- “be truly strategic in how it contributes to Australia's economic growth and as part of our national security posture, including securing supply chains”.
There’s more in the media about educating the young and reskilling the old(er) in cyber security as part of building Australia’s digital workforce, and more to address #cybercrime.
So what does industry think about CSS20?
That depends on where the commentary is coming from, and where its interests lie. However, let’s look at the positions of industry’s senior voice into Government’s cyber security: the Cyber Security Industry Advisory Committee. The CSIAC, and its predecessor Panel, provided advice into CSS20 and has continued in its advising and reporting, releasing its second Report in August 22. This Report, dropped by Andy Penn in his role as (outgoing) CSIAC Chair, is one industry window into how to polish CSS20. In it, there are six main recommendations (paraphrased) for the next 12 months:
- Government has an imperative to accelerate the hardening of its ICT systems, mirroring what it’s asking of industry.
- Strategy is good. Rigorous strategy needs empirical, data-driven measurement and evaluation. CSS20 (or, I’d add, any strategy) needs this.
- SMEs are having a hard time. They need more support, including in the continuing impacts of a hybrid remote workforce.
- The “profound” implications of the fully implemented SOCI 2018 reforms need extensive, ongoing Government consultation with industry.
- Industry and government have agreed to waltz towards a larger, better skilled cyber workforce. But we all need to do more. Now.
- SOCI 2018 isn’t enough. Australian businesses that fall outside this regime need more clarity on their responsibilities, and CSIAC’s recommendations tied to the Best Practice Regulations Taskforce should be noted (and responded to) by Government.
There’s some frustration, justified or not, implicit in these recommendations. Regardless, it seems a reasonable conclusion that industry sees a real need for immediate improvement. While the CSIAC Report is aimed at CSS20, I find it hard to trace their recommendations (except people) into the Government’s publicly known aims for the CSS20 review. Hopefully, ongoing and collaborative consultation will occur.
And what does all this mean for industry?
First, this is a period of increasing cyber security regulatory revolution. Apart from the SOCI 2018 #criticalinfrastructure reforms and whatever comes out of the CSS20 review related to the Best Practice Regulations Taskforce, media has also speculated that the review will tap industry with more regulation, through codes, to define its cyber security responsibilities for protecting consumers and businesses. So what? Well, industry has to find its voice and engage both with Government and government for balanced outcomes. The corollary, of course, is that Government has to listen. Whatever communication channel works best, there are growing regulatory expectations of, and associated costs to, industry from regulation. Ultimately, however, when Government decides, Boards will have to adapt and act on improving their cyber security. For critical infrastructure at least, that’s now a legislative requirement.
Second, there’s opportunity for industry to position trusted and innovative cyber security solutions to government, sharply focused on its priorities. Offerings will be enhanced by robust training and workforce skilling support, particularly if aligned with accepted training and education standards. This is where a company like NEXTGEN Group, and our vendors and partners, come in.
Third, the Government is serious about building sovereign cyber capabilities. There’s considerable strength in AUKUS, alliances and partnerships – and significant value in reference sites in like-minded governments – but the chance of business success will be boosted by measurable and value-adding ties to Australian cyber security capabilities. Industry needs to pay attention.
Fourth, there are possibly going to be increased opportunities for community and SME cyber awareness offerings and down-pipe services (including breach impact remediation), hopefully not just in ACSC and its JCSCs, to uplift Australia’s cyber security baseline.
Done. And we’re all relieved … although I plan more pieces on Defence’s new ICT and cyber security strategies for anyone who’s interested.
Finally, please note that this is a personal opinion piece on an evolving, complex issue set. Errors and stylistic indulgences are mine alone. But, penultimate sentence I promise you, cyber security is not a wicked problem. It’s entirely addressable through ongoing focus; programmatic and intellectual agility; consultation; an appetite for risk; and – of course – funding.
Mick Lehmann
NEXTGEN Group General Manager, Government