Baseline metrics needed for cyber strategy

Matt Tett

Late last week (August 6), the Department of Home Affairs finally released the much anticipated Australia’s Cyber Security Strategy 2020. It follows hot on the heels of the industry advisory panel’s recommendations report (July 21) which sought to feed 60 recommendations from industry into the 2020 Strategy.

In my opinion, the strategy itself is not as clearly defined as the recommendations report. But perhaps it is not so easy for governments to be black and white. As highlighted in my last piece working within a government department or agency is not an enviable task, having to balance a wide range of diverse stakeholder expectations and requirements.

One message that is very clear across both the strategy and recommendations documents is that at some point organisations and individuals need to self-regulate and take pro-active steps to improve their online safety and security. Even going as far as setting out a graphic that demarcates the roles and responsibilities of Government, Business and the Community (see Page 19 – Figure 3: Roles and responsibilities in cyber security).

Matt Tett Cyber
Matt Tett: If you want to improve something, you have to measure it. Including cyber

While the 2016 strategy was full of ambitious targets, it fell short on many of them and one of the biggest factors was a lack of accountability – despite $230 million being invested.

The industry advisory report suggested the government seeks to establish a maturity model to benchmark the 2020 strategy objectives. And while indeed there is a ‘metrics’ section in the new strategy document, it barely covers two pages of the strategy’s 52-page document.

While it talks about measuring success, it sets no baseline upon which to compare and does not touch on value. Nine actions are on governments, five are on business and four are on the community (See page 44 – Implementation and measuring progress).

One can only be accountable if success is measured, and measurement can only occur when a baseline is set from the commencement. This unfortunately was missing in 2016 and appears to be lacking in 2020.

However, over those intervening four years, surely sufficient data was captured in each area of that strategy focus which can be harnessed to enable Government to set a baseline for the 2020 strategy.

This can then be used to measure the success or failure of the admirable list of cyber security goals the 2020 strategy highlights and its documented action plan. It would be a shame to lose the past four-years’ experience by having to reset and start from scratch again.

While on the topic of security maturity, the measurement of uplift and success via baseline comparison is one thing, however another area is value for investment. 10 years and $1.67 billion of funding commitments, again well documented (see page 47 – Appendix A: Cyber Security Strategy 2020 Funding Commitments) is a significant amount of money to spend in achieving outcomes set in the strategy, even over a decade.

Each year that passes clear value ultimately needs to be demonstrated and reported for that $13.9 million dollars spent over each of those preceding 12-months. This not only ensures the objectives are being reached, the maturity is being gained but also the efficiency of value is being met.

As with any organisation one would not expect the Departments and Agencies to waste investment in time or money in such critical areas, therefore tying monetary value with the actual measured deliverables sets a powerful standard moving into the future.

Ultimately ensuring the strategy delivers a mature, robust online environment that is a safe and secure country that protects the privacy of its citizens.

Overall, this 2020 Strategy document is a great start in terms of initial actions, thankfully the government has indicated that it is a dynamic document expected to shift as technologies and risks shift (see page 37 – This Strategy’s work does not end here).

With any luck they will incorporate a more comprehensive baseline and maturity measurement model that demonstrates value and most importantly security and resilience to underpin safety and privacy.

There are a few more thoughts that I have in terms of the states and territories inclusion and involvement, likewise the stated intent to establish of a standing Industry Advisory Committee.

The discussion around security awareness and effecting culture change, I do note that an industry peer of mine, Blair, would be eye-rolling over the choice of “password’ over “passphrase” in the table included in the strategy (see page 38 – Table: How do I stay secure online?)

And of course, I have thoughts on my particular areas of interest the security of the Internet of Things for consumers safety and privacy, business and government secure IoT, and industrial IoT security underpinning critical areas of industry, business, communications and economies globally.

And how naturally the Security Mark certification and labelling scheme can assist the government in some of the objectives outlined in the strategy. However, all of these opinions are probably best left for other articles.

Matt Tett is chairman and managing director at Enex TestLab. He is a director of the Communications Alliance, a committee member at Standards Australia, and has been active in the IoT Alliance Australia. He has been engaged in the cybersecurity sector in Australia for 30 years.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories