Industry responds to cybersecurity agency announcement

This week's announcement from the Albanese government on establishment of a new cybersecurity agency has drawn comment from all sides of the industry.

While most commend the move as a positive way to help organisations tackle rising cyber threats in an ever changing landscape, there are concerns around the impact of an ongoing skills shortage, and a desire to ensure new frameworks and regulations minimise any additional administrative burden placed on organisations.

Elliot Dellys is CEO of Phronesis Security and a former Australian Signals Directorate operations manager. He believes a more hands-on approach from the government is necessary to help organisations gain real resilience to threats.

"I welcome the government's appointment of a Coordinator for Cyber Security and hope this represents a shift towards a culture where cybersecurity is a collective national challenge, not one relegated solely to the IT department. What is needed is more meaningful collaboration between the private sector and government, where we work hand in hand to fight rising threats throughout the journey, not simply establishing another reporting framework that creates further overhead for all involved," he said.

Dellys said the new agency will help bridge the gap and provide a depth of support to organisations to ensure they are not fighting the same battles in isolation.

"But it all comes down to implementation," he said.

"An agency that can help companies pick the right frameworks and tools for the job, provide timely and proactive expert advice, and execute a national coordinated method for sharing threat intelligence could really accelerate Australia's cybersecurity maturity.

Success will depend largely on the level of regulatory burden introduced through any new frameworks, processes or standards.

Nicole Quinn is head of government affairs APAC at Fortinet. She said her organisation welcomes government initiatives to improve the nation's cyber posture, as long as the introduction of these initiatives is manageable.

"It is important that any new obligations and standards are introduced in a measured way and small and medium businesses in particular are not overwhelmed by complex regulatory burden," she said.

For Dellys, the imperative is to deliver a clear plan and path that acknowledges the difficulties and sets out to overcome them, rather than just establishing more regulatory requirements.

"For too long we have had policy flip flopping and a multitude of action plans and strategies that have been counterproductive to progress. Striking the balance between service delivery and security is hard, and compliance mandates without support risks turning cybersecurity into a box-ticking exercise instead of prompting organisations to think deeply about the threats, risks and opportunities for improvement specific to their business," he said.

Of course, nothing will progress while the industry remains constrained by a lack of suitable skills.

"Good cybersecurity policy requires top-level accountability, long-term thinking and resourcing to support iterative progress — unfortunately, there is no magic bullet. The government's heart is in the right place, but this needs to be the beginning of a cultural shift, not just another regulatory hoop for organisations to jump through without the support and resourcing required to make it effective," Dellys said.

The most recent ACS Digital Pulse report on the state of the Australian technology workforce last year predicted the nation will need 1.2m skilled workers to meet the economy's needs — many of those will be cybersecurity professionals.

"To achieve the National Cyber Security Strategy's objective of making Australia the most cyber-secure nation by 2030, we are going to need a robust pipeline of technology professionals with the skills and knowledge to meet the demands of a connected economy and society," said ACS President Dr Nick Tate.

"To meet that demand, we are going to need to develop our local workforce through school level education, vocational training of our existing workforce, more students entering IT degrees and attracting the world's best IT professionals through our skilled migration program," he said.

The Tech Council of Australia (TCA) participated in the Prime Minister's Cyber Security Roundtable earlier this week. TCA CEO Kate Pounder commended the Prime Minister and the Minister for Home Affairs on their engagement with industry leaders and their collaborative approach to addressing this national challenge but also sees challenges in the current landscape.

"The deteriorating cybersecurity environment facing Australia and the increasing awareness of cyber threats amongst the Australian community presents an opportunity for government and industry to unite and work together to improve our national cybersecurity readiness and resilience," Pounder said.

"Australia currently falls behind leading nations in our cyber preparedness, cyber industry and cyber workforce — with vacancy rates for cybersecurity roles more than double the national average.

"We therefore welcome the government's efforts to make Australia a world-leading cybersecurity nation over the next decade. This goal isn't just critical to our national security, it is also central to our economic security.

"In the wake of the recent cyber attacks which have impacted many Australians, the tech sector has been closely engaged with the government to help identify practical and impactful measures that can improve cybersecurity across our economy and society," she said.

The TCA sees four essential components for a safer more secure Australia, as recently outlined at the National Press Club:

• A clear national cybersecurity plan underpinned by more effective coordination between the public and private sectors (from threat intelligence sharing to post-incident response and assessment).
• Creating a strong pipeline of cyber and tech talent, a thriving Australian cyber and tech ecosystem, and an uplift in cyber capabilities across the economy (including in small businesses and individuals).
• Better use and adoption of technologies that can help prevent or reduce the impact of successful cyber attacks, such as digital identity.
• A modernised legal framework fit for the digital age that creates the right incentives for organisations to invest in the appropriate collection, use and protection of personal information.
   

The 2023-2030 Australian Cyber Security Strategy Discussion Paper is open for comment until 15 April, with the full version available for download here. The national cybersecurity coordinator will be appointed in the next month.

Image credit: iStock.com/Muhammet Camdereli