Two ‘existential’ cybersecurity risks facing Defence


Joseph Brookes
Senior Reporter

The Department of Defence can’t attract and retain enough cybersecurity workers, and has turned to nurses and miners to build out its teams as it faces twin “existential” challenges of workforce and cyber supply chains.

The lack of talent is the number one challenge facing Defence’s chief information and security officer Jonathan Dean, who has been in the top tech role at the department since 2020.

“When I look at what we can do now as a security industry [and] where we’ve come in the last 10 years, we do pretty much have solutions for most of our challenges and problems. It is all about risk management.

“But the key issue is you need people and you need good people and there is just not enough good people in the market today that we can attract and retain,” he told the Gartner Security and Risk Management Summit in Sydney on Wednesday.


Mr Dean was promoted to CISO from within Defence, where he started in its research division.

He said Defence offers several benefits to prospective employees but struggles to compete with the private sector on pay, putting the squeeze on an already tight talent pool in Australia.

“We do have an existential issue in Australia that there is just not enough in the market to go around.”

With no shortage of engaging cyber jobs within Defence, from policy to incident response and threat intel, Mr Dean said the challenge is making the workplace appealing.

“The key thing is, obviously, as everyone always says, your boss and your team,” he told the Gartner case study session.

“So really making sure that you develop a culture of psychological safety, building out a leadership team, supporting and enabling them.”

The department has been “aggressively developing” its workforce, but has also had to cast a wider net for cyber staff by looking for people with transferable skills rather than hard ones, he said.

“A lot of the talent we bring into the organisation now, because we do have obviously challenges, is looking at people that have highly competent, capable professionals in another vocation. And [look at] how do we leverage their transferable skills?”

Mr Dean said the department hired a nurse who ended up in an incident response [IR] role because of her ability to work under pressure, triage, and work with a team.

“Obviously nursing, if you’re looking in ER, it’s quite horrific at times. So all those transferable skills actually make for a pretty good team leader for IR right once you can put some cyber knowledge into them,” Mr Dean said.

A former mine health and safety worker was tapped for his understanding of risk practices and communication skills.

“He also — coming from mining — really understood how to have robust conversations in a sensible way with highly resistant stakeholders that would drop F bombs every second word.”

Mr Dean also flagged the growing dependence on partners and the need to understand the cybersecurity supply chain as another “existential risk” to the Department.

Defence typically manages partner risk through the Defence Industry Security program, a security vetting program for suppliers.

But for the cybersecurity supply chain it needs a specific and relatively new risk management approach, Mr Dean said.

The risk analysis component is “relatively simple”, but the intelligence component remains a challenge in the growing market, Mr Dean said.

“You can pick a [risk] standard, you can apply a standard to do that [manage the risk].

“It’s actually the intelligence requirement to understand those organisations, especially we’re starting to look at FOCI – foreign ownership, control and influence – and how we now are highly reliant on our supply chains that operate in a gig economy that are there to make money.

“They are businesses. They have interesting investments, they work with a whole bunch of different countries – some we like, some we don’t like as much – to do that.”

The risk profiles can dramatically change with a single investment, Mr Dean said, noting it is a challenge to achieve that level of “fidelity” in understanding risk profiles dynamically.

“We’ve got the existential issue of workforce and the existential risk of our supply chain over the next 10 years,” Mr Dean said.
