One of the federal government’s most influential cyber watchdogs has signalled a firm new push to get business leaders and agency heads on board with the Commonwealth’s wider information security and risk mitigation agenda by cutting down on tech vendor spin.
Speaking at the Gartner Security & Risk Management Summit in Sydney, Mike Rothery, First Assistant Secretary of the Attorney General’s Department’s National Security Resilience Policy Division, revealed that consultations and outreach to industry had identified a pressing need for tangible risk assessment tools as opposed to an ever-extending laundry list of potential threats.
“The comment there was that we get lots of information about the threat – we can go and buy lots of information; lots of subscription products and lots of vendors that sell information about threat.
“[But] almost none of them can tell us about risk,” Mr Rothery said.
He likened the scenario for those responsible for information security and risk (including himself) to a struggle to cut through the “so what” factor, when senior executives simply did not get the kind of information that would enable them to interpret how risks could affect their organisation.
Mr Rothery said what was lacking so far was “being actually able to say: the reason you need to care for that in your industry is because. . .”
“That product doesn’t seem to be there.”
“So we are being asked whether government can actually do more, whether we can work with institutes of company directors, chambers of commerce, business councils and so forth to be able to help articulate the ‘so what’ …”
The senior securocrat’s frank comments appear to confirm an increasing view in government and industry that the technical and marketing language used to describe cyber security issues is often so impenetrable it is almost useless to lay people.
Part of the government’s wider cyber security outreach has been fostering an official, if confidential, channel of boardroom diplomacy between senior representatives of the Australian Security Intelligence Organisation, Australian Signals Directorate and CERT.
The push is intended to encourage boards and executives to help protect the national interest, much of which is in the private sector, by assessing their own risks and bolstering defences accordingly.
Mr Rothery frankly observed that even with the big push to date, the government’s messaging to two levels of business – leaders and practitioners – was not necessarily meeting in the middle of the targeted organisations.
“If we are going to engage with the board, it can’t be just to scare the pants off them and say that there are bad guys out there, there’s cyber espionage going on and they are coming to a computer near you.”
“It has got to have some practical tools. There has got to be something that you can actually say to a board that says: if you believe us, if you share our concern, this is the kind of conversation you have to have with the senior executives of your organisation.”
Mr Rothery said the campaign of senior engagement “that we intend continuing” had to have utility and “very basic, simple clear messages.”
“That’s not a product we have attempted in the past,” he said.
One example of how disconnects can occur in corporate reporting lines is the SCADA operating systems that typically control equipment and infrastructure at businesses such as utilities.
An ongoing issue has been that, as analogue legacy systems are replaced with IP-enabled equipment, stakeholders including chief information officers might not even realise they have critical infrastructure piggy-backing on their corporate network.
Describing a scenario of “two tribes”, Mr Rothery noted that reactions were not always pleasant when the risks of SCADA vulnerabilities were illuminated.
“You should see the colour drain from the CIOs,” he said.
New IT security and risk management vendors entering the Australian market are certainly not wasting time in picking up and supporting the government’s stand on the need for clearer language, especially if they can hitch their own products onto the end of it.
Brent Thurrell, vice president at recent public sector market entrant BeyondTrust, said a key aim for his firm was to “deliver actionable information that enables our customers to prioritise the critical activities necessary to secure their environments.”
“The Australian Signals Directorate have made it really easy for government organisations to prioritise where to focus often scarce budgets and resources in an effort to deliver maximum return with regards to cyber risk mitigation.
“Their Top 4 ‘must do’ strategies marry perfectly with our BeyondInsight platform and we are already seeing a dramatic increase in the number of government departments engaging with us to ensure compliance with these standards,” Mr Thurrell said.