Overcoming the top cybersecurity challenges faced by public agencies

With a new cybersecurity strategy out and the right approach to key challenges, the public sector can improve its cyber stance.

By its own admission, the Australian Government has for some time fallen short of its own standards when it comes to cybersecurity maturity. But with a new cybersecurity strategy out and the right approach to key challenges, the public sector can improve its cyber stance.

In its 2023-2030 Australian Cyber Security Strategy, the federal government noted that “enduring and low levels of cyber maturity across many Australian Government entities have revealed major gaps in our security posture”.

The release of the strategy last year was a step in the right direction and has put the public sector on the path to achieving a new level of cyber maturity and making Australia, in the words of the government, a world leader in cybersecurity by 2030.

Across six focus areas, dubbed ‘shields’ by the government, the strategy adopts a targeted approach to some of the top cybersecurity-related issues Australia faces today. In addition to a renewed focus on securing the vast small- and medium-sized business segment, the strategy focuses on, among other things, threat sharing, sovereign capabilities and critical infrastructure.

These three areas in particular are of interest in the context of securing the public sector. For instance, the importance of threat sharing between government entities in other regions and with the business community locally cannot be overstated. With this in mind, the government plans to create a whole-of-economy threat intelligence network — a highly laudable and eminently effective goal.

At the same time, the strategy aims to bolster the capability of our critical infrastructure and essential government systems to withstand and bounce back from cyber attacks. In a bid to set the right example to private sector owners and operators of such assets, the government itself is striving for a higher level of cyber maturity to show it can meet world-class cyber standards.

Leading by example

As the strategy notes, “The Australian Government needs to hold itself to the same standard it imposes on industry.” Why? Because it is an owner of and operator of critical infrastructure, and it also holds some of the most sensitive data about the country’s citizens, economy and security.

However, among the stated challenges that have held the government back from doing a better job of cybersecurity internally is a significant skills shortage in the Australian Public Service and an acknowledgement that many government systems still do not meet the Australian Signals Directorate's ‘Essential Eight’ strategies for mitigating cybersecurity incidents.

With that in mind, the government has made a commitment to adopt cyber best practices to uplift its collective cybersecurity posture. This uplift includes further driving accountability for cybersecurity across its own departments and agencies. More broadly, the plan to designate ‘Systems of Government Significance’ that need to be protected with higher security standards is a major step in boosting the cybersecurity resilience across the public sector.

On a practical level, as the government puts its own entities on notice, a number of challenges remain, the ongoing skills shortage being just one. Other key challenges include a more general lack of appropriate resources, budgetary restrictions and an awareness of the risks associated with cyber threats.

However, there are a number of effective approaches the government can take to help overcome the challenges it faces and move Australia closer to its goal of leading the world in cybersecurity by the end of the decade.

Focusing resources

Beyond budgetary constraints, resourcing remains a top challenge to cybersecurity maturity. Australia is facing a prolonged cybersecurity skills shortage, leading to a lack of resources in the segment, both in the public sector and the private sector.

While it’s clear that there’s an appetite for more cyber skills within government entities and the private sector service providers that partner with them, it’s not always easy to find the skills needed to fill the roles on offer — and meet the needs of the respective organisation.

While there are initiatives in place to help fill the skills pipeline to boost resources further down the track, one approach to help manage the immediate shortfall is to structure things to make the existing resources available go further. And one of the best ways to do this in the government space is to consolidate functions.

One particularly effective approach to consolidating functions is by establishing a shared services model across government. Some shared services already exist, but the consolidation of key cyber skills into a shared services hub will mean every agency has the chance to tap into a central resource made up of the best cyber skills the government has to offer.

Making investment go further

Public spending comes with public scrutiny, so government agencies need to be able to demonstrate value for money when it comes to the services and infrastructure they invest in. This includes technology and, more increasingly, cybersecurity.

This scrutiny is partly the reason why cybersecurity remains comparatively underfunded in the public sector. A lot of people, both in the public sector and the private sector, still don’t have a comprehensive understanding of cybersecurity. Being able to show the value of investing in something the public may not understand makes it hard for government entities to prioritise it.

Establishing cyber functions like an all-important security operations centre (SOC) internally to actively monitor and take action against threats as they emerge can be a daunting undertaking, even for a government agency, not least because of the investment that needs to go into it.

However, in combination with a shared services approach, third-party providers that offer security suites with on-demand capabilities such as SOC-as-a-service can help governments reap the benefits of such services without needing to bear the full cost for them. The best of these should meet industry-leading benchmarks like the US Government’s FedRAMP standard.

Managing mindsets

As mentioned earlier, a lot of people out there still don’t have a full understanding of cybersecurity risks and what they can do to minimise them. Both parts of that equation are important. It’s not enough to know the risk without knowing what to do if you’re confronted with a threat.

That’s why it is important for technology leaders in government agencies to facilitate a mindset change within their organisations, communicating implementable and scalable solutions effectively to decision-makers. Indeed, leaders at all levels need to be aware of the risks and have some understanding of effective defences.

A good starting point in educating the human capital in a government entity is to identify critical functions in the organisation and make everyone aware of the role they play in the broader agency or department. After all, an organisation is made of individuals, and a united front makes for a stronger defence.

To cultivate continued employee cybersecurity awareness, organisations can issue periodic prompts and reminders to make sure cyber risks are front of mind, or go further by building formal cybersecurity training programs that include explainers, videos and other informational formats to illustrate what risks to watch out for and what to do in the event of an active threat.

Together, these approaches can help the federal government make decent progress in overcoming some of the key challenges it faces as it works towards its goal of making Australia a world leader in cybersecurity by 2030.

*Martyn Beal is currently Federal Government Strategic Lead at Trend Micro based in Canberra and is responsible for the development of the federal market. He has over 30 years’ hands-on experience delivering reform and transformation value to government. He has a deep understanding of the Commonwealth procurement process and how government partners with industry.

Top image credit: iStock.com/Wavebreak