I think we can all agree that the Australian government has demonstrated its will to empower our country, its organisations and citizens to be more secure online. Australia has become a prime target for bad actors, and like my counterparts, I appreciate a government with a hands-on approach—one that recognises the criticality of cybersecurity.
From updates to our Privacy Act, or the latest rules for Critical Infrastructure, to the upcoming cybersecurity strategy, we are seeing vocal and proactive leadership spearheaded by the Minister for Home Affairs and Cyber Security, The Hon Clare O’Neil MP, which is what we need not only to steer the Australian ship, but also to strengthen it so that we stay the course in rough waters. Australia can only achieve this if our leaders create the right framework of laws, and adopt measures that will foster awareness and education, protection and collaboration.
At a crucial time in our short cybersecurity history, the upcoming Strategy will be the instrument that guides this effort, and it is only natural that it is built taking the industry’s insights, perspectives and suggestions into account, which is the purpose of the current consultations.
With this activity-filled backdrop, we recently asked 300 Australian tech and IT leaders what they thought should be a priority in the next cybersecurity strategy, in order to better understand our users’ and customers’ needs and inform our conversations.
When asked about the measures they would like to see in the upcoming Cyber Security Strategy, Australia’s tech decision-makers called for tougher laws around online privacy and data protection to be the main priority (49%), an opinion likely bolstered by the major cyber incidents that occurred in 2022. A large majority of respondents (70%) said that their business leaders were more willing to allocate more budget to cybersecurity after those incidents. I’ll wager the continued anger from individuals about organisations misusing or failing to protect their personal data is also having an influence. In any case, let’s hope the amendments to the Privacy Act will answer organisations’ and citizens’ will to reinforce privacy and data protection in our country.
Further underlining the industry’s appetite for stronger rules for Australian organisations and their cybersecurity efforts, another priority was “reinforcing cyber security regulations for all Australian businesses” (36%). However, tech leaders were less inclined to increase the personal accountability of individual business leaders and/or board members, with less than one in three pushing for targeted sanctions for major data breaches (29%). This seems to contrast with the government’s desire to increase personal liability, as we see from the latest rules governing critical infrastructure leaders.
In this area, I believe spreading security’s responsibility and accountability across the whole organisation should be considered. All departments are now responsible for software and application sprawl, and if they fail to use them with security in mind, they should also be held accountable. This shared responsibility would help improve cyber security knowledge, education, and postures across the board. We keep on saying that security is everyone’s problem, so let’s make it so.
Finally, when looking at the cybersecurity skills gap, Australia’s tech leaders prefer measures encouraging the development of talent locally, such as better promoting cybersecurity as an attractive career path (28%) or policies designed to grow Australian cybersecurity startups and sovereign capabilities (30%), rather than better facilitating the migration of foreign industry talent to Australia (17%).
Another solution here is to look at cybersecurity consolidation. Recent research in the US showed that the average organisation is using 76 different security tools. As cyber threats evolve, and digitisation increases the attack surface, many organisations are left with overly complex security stacks, which require extensive human resources and are costly to maintain and operate. Consolidation requires short-term investment, but in the long run delivers strong returns, including cost-efficiencies and a more robust security posture. It also increases the potential to automate some processes, which is difficult with siloed solutions coming from various vendors.
While each organisation must do its part, a sound government strategy is crucial to Australia’s efforts to collectively protect against cyber attacks. Cyber criminals are constantly refining their attack methodologies, and our ability to adapt, mitigate, and retaliate lies in a solid partnership between public and private players: one that helps define the right regulatory framework, fosters intelligence sharing, and ensures we keep ahead of the bad guys. And you, what would you like to see in this strategy?