Earlier this week the Department of Home Affairs published the Industry Advisory Panel report which seeks to feed a neat sixty recommendations from industry into Australia’s upcoming 2020 Cyber Security Strategy.
In my opinion, overall there was a good range of recommendations for policy makers to consider.
Let’s get this straight, working within a government department or agency is not an enviable task, having to balance a wide range of diverse stakeholder expectations and requirements. This is underpinned by the blind faith of the public that the government will – or as critics claim, will not – look after everything that is in the ‘too hard’ basket.
This is touched on in the report. At some point organisations, and individuals, do need to self-regulate and take proactive steps to raise the level of online safety for themselves, their families and those around them.
We no longer leave our homes or cars unlocked; as threats increase so should our levels of security.
The inaugural Australian Cyber Security Strategy in 2016, while full of great intent and claims, in hindsight proved to be more aspirational than deliverable. Sure, good spin can be put on parts of it, but at the end of the day it’s polish rather than measured, demonstrable outcomes.
Let’s hope the 2020 Strategy is not more of the same.
That being so, most importantly the group of industry representatives has prominently highlighted and recommended setting clear metrics and measurement for the 2020 Strategy, which should lead to basic cyber maturity modelling over the years.
However, there is no mention of setting and clearly defining success factors, nor reporting value or accountability for each area of action. Measurement is great; delivery and value are critical.
Another great nod included in the recommendations is that the states and territories are finally being acknowledged as prospective contributors and participants.
There are a number of very smart and experienced resources in various state departments and agencies across the country, so being inclusive of their efforts is a win. Collaboration and communication are key.
Across the recommendations there are a lot of words dedicated to what government could do, while touching on industry, but not a lot of what various industries could do to collaborate with, or deliver for, the government. This is ironic given this report is from an industry representative panel.
For example, take the concept of our Security Mark Certification and Labelling scheme, which it’s widely known we have been working on for a number of years with industry, engaging with the government since 2018.
It was included in IoT Alliance Australia’s submission in response to consultation on the 2020 strategy. Therefore, this may be a perfect program to prospectively support. Yet the only mention of assurance programs is placed back on government shoulders.
Unfortunately, experience demonstrates that such programs do not endure well within governments due to the frequency of changes to policy directions and budgets.
Likewise, in relation to security culture and awareness programs – particularly for SMEs – there are a number of industry sectors and local resources that have emerged over the past few years specifically to service these markets. However, the report again focuses on government delivering these (including noting the range of pre-existing programs within the various cyber silos across departments and agencies).
However, this is nothing new. For five years from 2012 Enex delivered the government’s Stay Smart Online Alert Service, including – dependent on threats – up to eleven alerts to the Australian public each month, and the creation and publication of the successful Stay Smart Online Small Business Guide, the My Guide (for individuals) and the Implementation Guide (how to build a security culture in organisations).
We were nevertheless fully accountable throughout those contracts for ensuring that a lot of metrics and internal reporting of that data to key stakeholders took place, that there was engagement with a wide range of industry participants, and ultimately that value was delivered throughout the contract, all within reason.
While the recommendations focus on government, and supporting Australian innovation and domestic enterprise is touched on, perhaps the 2020 Strategy needs to go further.
Particularly utilising the lessons we have learned about business resilience in this time of COVID-19 and the renewed call for supporting domestic manufacturing, services and supply.
Our lab has been operating for over 31 years now. Unfortunately, in a parallel industry sector we have ourselves experienced the penchant for a move towards overseas suppliers.
Over the past few years, we have lost significant tenders to overseas operations who employ no staff in Australia, and who ironically have significantly under-performed in their delivery.
Furthermore, at the end of June we failed to have a contract renewed, resulting in more job losses. That business went to an overseas supplier, again with no Australian employees. Both those examples were with Australian government entities.
I wish the architects, authors and policy makers behind the 2020 Cyber Security Strategy the best of luck. It’s not an enviable task.
And thank you to the members of the Industry Advisory Panel for your investment and delivery of a great range of recommendations.
Matt Tett is chairman and managing director at Enex TestLab. He is a director of the Communications Alliance, a committee member at Standards Australia, and has been active in the IoT Alliance Australia. He has been engaged in the cybersecurity sector in Australia for 30 years.