Can the Cyber Taskforce achieve its goals?

ISACA
By Garry Barnes
Monday, 21 September, 2020


Can the Cyber Taskforce achieve its goals?

Basic governance and risk management fundamentals and root causes, beyond the Taskforce’s remit, need to be addressed.

The new Cyber Taskforce comprising the NSW Government, AustCyber and Standards Australia focuses on three pillars of cyber strategy: prioritisation, regionalisation and harmonisation. These are commendable goals and ones which can provide an important and timely uplift to cybersecurity and the businesses and agencies that are dependent upon it.

However, to fully benefit from the work of the Taskforce, there are some critical points that need to be addressed, outside of cybersecurity, in the governance and risk management of enterprise IT.

Success in cybersecurity is highly dependent upon an effective governance system — one that understands enterprise outcomes and objectives and the contribution of IT in achieving them. ISACA’s COBIT 2019 model is one such example of a governance framework that can provide guidance in this space.

The resources, competencies and processes that support IT goals are fundamental to cybersecurity as well. Numerous problems in cybersecurity today can be linked, in part, to ineffective governance and IT risk leadership.

For example, in government today, many legacy systems are still in use and many IT departments are under-funded and/or under-skilled to drive their agency’s IT and cybersecurity plans. Uplifting of IT and cybersecurity fundamentals is required, such as:

  • providing ongoing capability development to securely architect, configure and maintain an increasingly complex portfolio of IT services for their customers;
  • replacing (or implementing countermeasures to protect) unsupported and legacy systems; and
  • improving supplier lifecycle management.
     

To really benefit from a harmonised set of cybersecurity standards, satisfactory funding of security programs in agencies is also required. Security funding should be incorporated into any proposed digitisation program, so that all new digitised services are ‘secure by design’ and in line with harmonised standards.

There is also the challenge of accountability for achieving any new harmonised standard. Ministers, secretaries and agency heads are accountable for agency outcomes, and cybersecurity should be no different, just as board directors and the C-Suite are held responsible in the private sector.

While NSW agency executives are required to sign-off the Agency Attestation report on implementations and current Essential 8 status, does this infer executive-level risk acceptance for all gaps in their agency’s cybersecurity maturity?

The Taskforce needs to be careful when it states it is aiming for ‘minimum standards’. In my opinion, minimum security requirements are a weak option when you consider the hostility of the operating environment for agencies.

Optimal security (ie, secure by design) is about making value-based decisions, and by determining the right level of security for the service’s/product’s purpose and for the environment in which it operates. In the physical world, we expect that a product is fit for purpose, and this should be no different in the cyber landscape.

Lastly, where organisations have low cyber maturity, causal problems often exist in IT and risk management and the governance of enterprise IT. For harmonised standards to succeed, governance and risk capabilities must also be lifted.

I applaud AustCyber and the agencies involved in the Taskforce for their desire to make standards compatible across industries in order to be more secure, assist businesses and be more successful. It’s a task that many have tried previously.

For their work to be successful, other basic governance and risk management fundamentals and root causes, beyond their remit, also need to be addressed.

Garry Barnes is Practice Lead, Governance Advisory at Vital Advisory, and a former board member of ISACA.

Image credit: ©stock.adobe.com/au/denisismagilov

Related Articles

Building secure AI: a critical guardrail for Australian policymakers

While AI has the potential to significantly enhance Australia's national security, economic...

Building security‍-‍centric AI: why it is key to the government's AI ambitions

As government agencies test the waters of AI, public sector leaders must consider how they can...

State government agencies still struggling with securing user access

Audit reports have shown that Australian government agencies in four states experience challenges...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd