A Titanic lesson — changing governments' fate with the 'Essential 8'
As Mark Toomey of Australia’s Digital Leadership Institute describes it, being the leader of a large and established organisation is like being the Captain of the Titanic and trying to change direction. It is a metaphorical comparison to a journey that was fraught with a series of errors that led to the demise of over 1500 souls.
The Titanic and its doomed fate have become important lessons in leadership — of unknown risks and misplaced confidence, poor communication and failures to act, and inadequate crisis management.
So, what have we learnt from our past mistakes: about weak links in human behaviour, lack of visibility of what’s ahead of us, and loose processes which, under threat, can sink us?
Evidence suggests we haven’t learnt a whole lot. Collisions of magnitude continue to mark the reputation of government, as agencies try to navigate at full speed through the murky waters of transformation and change, simultaneously opening themselves up to increased cyber-attacks.
Through the hard lessons, it seems governments have become experts in humility. One can’t forget the noble admission by Australian National University Vice-Chancellor, Professor Brian Schmidt, who published a report following its June 2019 cyber-attack in which he said, “we could have done more”.
Why AREN’T we doing more?
For one, organisations, and particularly government departments, continue to be resource-stretched. The majority are still allocating skeleton staff to cyber security and, worse yet, do not have the skills, capacity, experience or playbooks to address cyber security incidents.
Dominic Scislo, ASG Group’s Cyber Security Delivery Lead, has worked extensively across security for government organisations over his 30-year ICT career.
Scislo described a culture within government that still treats cyber security as a ‘checkbox’ exercise.
“Many (organisations) go through the motions to become administratively compliant, but this doesn’t equate to cyber resilience and neither does it scream the hallmarks of a truly secure entity,” Scislo said.
“The expectation that any organisation can achieve a suitable level of security by pressing a few buttons is simply unrealistic.”
Non-mandatory strategies for security compliance were published in 2019 by the Australian Signals Directorate (ASD) to advise businesses and government on ways to mitigate cyber security incidents.
There are 37 mitigation strategies in total, with the ‘top four’ and ‘Essential Eight’ being a prioritised set of strategies that are likely to mitigate up to 85 percent of targeted cyber security attacks, according to the Australian Cyber Security Centre.
Referencing the latest government Protective Security Policy Framework (PSPF) compliance report released in November 2019, Scislo said, “The Essential Eight are an absolute baseline for organisations. They are a starting point. Yet there are still 40 percent of agencies that don’t even meet the ASD’s top four.”
Essential Eight — just the tip of the iceberg
When the Titanic took its maiden voyage in 1912, it was manned by 893 crew. Of those crew members, only six were watch officers and 39 were seamen, most of whom were unfamiliar with the ship.
As the ship sailed at nearly full speed through the North Atlantic Ocean during a winter that had produced large crops of icebergs, the lookouts failed (despite six warnings) to spot the looming “dark mass” hidden by a haze on the horizon.
Unable to turn quickly enough due to its size, the Titanic suffered a glancing blow that buckled its side and opened six of sixteen compartments to the sea.
We all know what happened next. A ship that “not even God himself could sink” disappeared beneath the water’s surface less than three hours later.
Metaphorically, the factors that contributed to the sinking are not too dissimilar to the cyber security challenges our government organisations face today: lack of experienced resources, lack of visibility and, due to size, an extremely complex change process.
Lloyd Lush, Chief Information Security Officer and General Manager, Infrastructure Managed Services at ASG Group, is responsible for security across the enterprise and oversees ASG’s delivery platform to its clients.
Following the 2019-20 Australian Government Budget review and a commitment to support a whole-of-government cyber uplift, Lush says there have been a number of ASG government clients that have acknowledged their compromising security position and are taking action to remediate.
“We (ASG) created ASG’s Essential Eight services to help government organisations determine what level of maturity they are at with regards to the implementation of the Essential Eight.
“It’s worrying how many organisations there are out there that still lack visibility into their own cyber security posture,” said Lush.
From here, a maturity level is determined, and a strategy and roadmap are developed to create a clear vision for achieving the desired security posture.
ASG’s approach to remediation involves leveraging the ecosystem of people, processes and emerging technologies to gain compliance, confidence and resilience.
Security needs to be entwined into the fabric of an entire organisation to create what Lush described as “defence in depth” — the only way to safeguard assets and critical systems — the real heart of the ocean.
“The Essential Eight are only the tip of the iceberg. They’re intended to provide the first line of defence for a rapidly changing and increasingly complex cyber security environment.
“This means fusing security into the entire business operating model. There’s no shortcut, no silver bullet.
“Our message is to act with intent now. Security does come with a cost, granted. But the cost of continuing to make excuses could hurt you more,” said Lush.
ASG Group is an established provider of digital solutions and services for government. Leveraging automation, innovation and sovereign capabilities, ASG’s Essential Eight Services deliver a real-time view of a client’s security posture to drive smarter remediation, faster.