Australia’s Cyber Security Strategy has just been released and promises a significant funding boost and new initiatives to improve Australia’s Information Security, which is great news.
While the increased funding and attention for Information Security is positive, having read the document and looking beyond the motherhood statements I have some serious concerns about the strategy itself. We certainly need to develop a comprehensive approach to information security across government and the private sector, but how this is implemented is just as important as the sentiment.
Having worked on information security in the government and commercial space for decades, I have seen first-hand the challenges of technology change, policy initiatives, funding gaps, business pressures, emerging threats and international paranoia. Just a few of the issues I have encountered working in Government include:
- There is no central Security coordination role in many key Government Departments.
- Information Security responsibilities typically fall under the CIO, a role that lacks the required business perspective.
- Silo management – Departments do not cooperate or share. Even within a Department, information security responsibilities are typically allocated on a temporary project basis.
- The Standards used are based on a long history of guidelines, such as the Australian Government Information Security Manual, that do not comply with international standards and are seriously lacking in critical areas.
- Initiatives are strongly Department of Defence (DoD) biased, and may be relevant to the DoD but are impractical or unworkable for most other Government Departments.
My biggest concern with the new strategy is that it appears to be reinforcing the key governance structures that have created serious problems across Government in the past and applying this across the board to Government and the private sector alike.
Government vs Business
Perhaps the easiest way to describe the issue is using the Get Smart title sequence as an illustration (see https://www.youtube.com/watch?v=sWEvp217Tzw for a short clip). DoD sees every steel door as a necessary safeguard protecting access to the phone booth ‘asset’, which is seen as a critical part of a highly secure facility. Their defence-in-depth philosophy implies the more doors the better, and the thicker the steel the better: if one door fails, there is always another behind it.
The modern business world, however, sees a very different picture. Why should they invest in multiple doors if one door is sufficient for the specific risk? In fact, analysis shows that the phone booth doesn’t actually provide access to any sensitive data, only the main office area, so a steel door is not needed at all.
Why does this matter?
These two contrasting philosophies have serious implications. The DoD approach is valid where extreme no-compromise protection is required. In other words, you are willing to spend as much as it takes to reduce risks as close to zero as possible.
In most Government Departments and businesses, however, limited budgets require protection to be focused proportionally only where sensitive information exists. In other words, good data sensitivity analysis is the key to driving quality outcomes for most organisations.
In essence, the emphasis on DoD driving much of this initiative risks pushing an underlying philosophy that is simply incompatible with wider Government and business. What we need is to unbundle this initiative from DoD and create a truly independent body with representation from business and a broader Government group.
The business sector dwarfs the public sector in dealing with threats and developing the necessary skills to deal with those threats. While I have the utmost respect for the existing skills and capabilities in DoD, having them lead many of these initiatives is letting the tail wag the dog. Neither would I suggest letting multi-national security consultancies drive the agenda.
I believe a guiding committee with well-balanced representation across industries and Government would provide the best solution for all involved. Surprisingly, organisations such as the AISA have not even been mentioned, even though their membership is far more representative than any of the other groups.
As the various health checks and assessments are put together, we need to be very careful regarding what we are measuring. It is far more important for organisations to adopt a practical, repeatable method to assess their individual information security needs, rather than an unworkable baseline or ‘one size fits all’ white elephant.