How public sector CISOs can lock their data doors

Emerging technologies are not something new, but a consistent evolution of ideas striving to achieve better. New ideas and technological growth often work in tandem, to produce efficient output that changes the way we go about our lives. But what happens when an independent variable, such as a pandemic, is inserted into the equation? What can we expect when technological growth outruns its regulation?

Pressures from different strains of life, from disease to humankind’s interest in artificial intelligence, have created a reliance on technologies that provide new opportunities. But on the other side of the coin lurk malicious cyber actors eager to walk through an open door.

Recent data from the Australian Cyber Security Centre (ACSC) found an increase of 13% in cyber attacks within a year, with continued targeting of Australia’s critical infrastructure being a concern. Additionally, 34% of reported cybercrime incidents between FY21–22 originated from government bodies at Commonwealth, state and local levels.

These statistics alone illustrate the increasing high-level threat cybercrime poses to Australia’s economic and social growth. With the attractiveness of strategic assets from government agency data becoming a growing commodity for cybercriminals, it is important to ensure that both commercial and public enterprises can recover and run smoothly for Australia’s economic and social benefit.

Recent instances where cybersecurity has fallen short further prove there is a critical need for protection, regulation and collaboration between members of the cybersecurity public and private community. New Veritas data revealed that 84% of Australian cybersecurity leaders would expect moderate to significant disruptions in the wake of a potential ransomware attack.

The data points to an undisputable need for readiness at the helm, to ensure a tough and strong security posture as more pointed cyber attacks continue to evolve and grow, increasing the risk of exposure for government entities.

The state of security teams within government

The federal government has already taken steps to fight these looming threats, introducing the Privacy Legislation Amendment (Enforcement and Other Measures) Bill in 2022. The bill will increase the maximum penalties for serious or repeated privacy breaches to $50 million and provide the OAIC with greater power to resolve breaches and quickly share information about data breached to help protect customers.

However, catching up in the race against perpetrators already taking advantage of new technologies will require more support behind the wheel. Governments and their respective security leaders must look to work better to not just protect the front door, but everything behind it.

The recent 2023 budget revealed that a total of $101.6 million will be dedicated to boost the federal government and Department of Home Affairs’ capabilities to identify and respond to cyber risks. Of this, $46.5 million will be allocated to establish the coordinator for cybersecurity to ensure that the Commonwealth’s cybersecurity efforts are strategic, timely and effective. The coordinator will be supported by the National Office of Cyber Security and dedicated resources from within the Department of Home Affairs as well as other Commonwealth entities that can further support in the event of a cyber incident.

While these departmental innovations are a welcome development, they are only the beginning of endless possibilities to innovate Australia’s cybersecurity ecosystem. The question is, how can the public sector effectively implement these initiatives? The answer lies in the mindset decision-makers must take towards improving Australia’s cybersecurity standard.

Where a chief information security officer (CISO) sits in the organisation, and whether they are adequately resourced, are both statements on how competently an organisation is identifying and managing cyber risk. Many organisations in the private sector of Australia are aware of this, and government agencies can learn from their cross-sector peers.

Armouring CISOs

According to the Australian Information Security Manual, CISOs should be providing strategic-level guidance for their organisation’s cybersecurity program to maintain compliance with cybersecurity policy, standards, regulations and legislation. However, a hurdle many organisations encounter is hiring senior executives to provide cyber risk management advice, and then failing to adequately support the CISO role.

Cyber risk is not a problem to be fixed, but a condition to be managed. Government agencies must not repeat the mistake of dismissing cyber risk management as an IT problem and instead see this as an area of ongoing innovation.

The key words in the CISO’s title are ‘Information Security’, but unfortunately, CISOs are generally not responsible for data backup and recovery. To ensure holistic cyber protection, CISOs should be given the same powers as COOs to move throughout a public sector organisation, allowing full visibility of how data is moved and stored.

Security leaders need to ask themselves “Do we know where all of our personally identifiable information is located?”, “Do we know who has access to it?”, “Do we have adequate strategies in place to manage it?” and “Do we know when someone is accessing it, and who shouldn’t be accessing it?”

Veritas’s latest survey, which analysed how confident Australian IT Leads are in having complete knowledge of their organisation’s data backup and recovery strategy, revealed that 24% of respondents say they are not confident that they have complete knowledge of their organisation’s data backup and recovery strategy.

Just over 62% say they are moderately confident that they have complete knowledge of the strategy, while only 13% express confidence that they have complete knowledge of the strategy.

CISOs should also be given powers to ensure government agencies have a clear ransomware recovery position; can oversee and maintain an effective data backup infrastructure; anticipate and understand emerging threats to cybersecurity; and ensure that an organisation and its employees are well educated and trained on the best-practice cybersecurity. Implementing such objectives from both a commercial and public perspective will tighten access and defence for data.

Moving towards a more secure Australia

The Australian Government has made clear the growing threat cyber attacks pose to the economic and social stability of Australia. It is critical for Australian cybersecurity leaders to be equipped with the right tools to address the increasing and evolving risk of cyber attacks. In today’s complex multi-cloud environment, providing CISOs with transparency about how data flows within their own company can help map areas to improve security infrastructure and protocols, and to anticipate threats before they break the perimeter. Together, private and public sectors can secure handles to prevent doors from creaking and mysterious cyber players from peering through the cracks by turning a key to lock the data door.

Image credit: iStock.com/Olemedia