US CNAP sets pace as Australian industry continues “holding breath” for overdue cybersecurity policy

Australia's security industry is on tenterhooks waiting for the pending release of the government's revised national cyber security policy, the release of which one expert believes will be crucial in initiating a new wave of security investment and skills development.

“We've been holding our breath for a long time” for the release of the policy, Nuix CEO Eddie Sheehy told CSO Australia. “A lot of work was done on it last year, but having the present PM's grouping of ministers, and his own stamp on it, will be very important to actually getting tangible detailed actions” to improve the country's cybersecurity posture.

Sheehy, who was one of several dozen Australian security experts who travelled to San Francisco this month as part of AusTrade's Digital Technology Australia-United States Business Week, pointed to US President Obama's recent Cybersecurity National Action Plan – which backs rhetoric on cybersecurity with clear action points and funding commitments – as an example of the type of cybersecurity policy that Australia needs to embrace to deliver an effective, meaningful response to increasing threat levels.

“The release of the national security strategy would get people serious about having the right level of meetings to drive up the awareness of individuals for their responsibility in fixing this,” he said. “A lot of Australian CSOs know about threats but the fear factor is there, and I don't think they know what to do. We should all be helping them in that.”

In October, prime minister Malcolm Turnbull rejected a draft report of the Australian cybersecurity review on concerns that it offered too little by way of practical initiatives; a deadline has not been set for the revised document, which Sheehy says he is both meatier and given more teeth as an enforcement tool.

Education around technologies such as 2-factor authentication will help boost overall security, as will a redoubled effort to impress upon the users the importance of “hygiene elements” such as not using simple passwords to protect sensitive corporate resources.

“There should be a ground-up education undertaken,” he explained. “However secure our environments are now, the threats are increasing. We have to increase our level of knowledge, but we also have to stop making the easy mistakes. And we've got to start to make ourselves small targets” by fixing poor password hygiene and other common mistakes.

Support for mandatory breach legislation will play a role in improving the overall awareness around cybersecurity in Australia, Sheehy said, noting that building effective cybersecurity defences here inherently relied on a collaborative 'carrot-and-stick' approach that “will be a much better solution for Australia because we don't have the same depth of cybersecurity expertise as there is in the US.”

Reiteration of strong policy support for the cybersecurity industry – already made to some extent by the $30m Cyber Security Growth Centre announced in December – will “feed the talent pool” and encourage more companies to bring their talented staff to Australia, Sheehy said.

“I'm a huge believer that the pace of change in technology over the last few years is getting faster and faster,” he said, adding that defensive efforts would fall behind “unless we actually apply that change to things like cybersecurity. The best part is that the conversations are being had – and if you can get all of those views out in public, you can start to create policies on them.”

The AusTrade event's climate of sharing was the kind of thought-provoking exercise that would help identify commonalities across the sector and drive future policy innovation based on shared principles. It also highlighted commonalities between the Australian and US delegations to the event, which saw a strong consensus around the importance of privacy and universal backing of Apple in its escalating stoush with the US government over iPhone privacy.

“I was in a room full of 50 people that included some very high-powered American organisations,” Sheehy said, “and not one of them really believed that Apple should break the encryption on that iPhone. There needs to be better ways of doing this, but it's really good to see America talking about privacy. In the end, people have to be true to what they are.”

Hear from International keynote speakers:Robert Lentz, and Graham Cluley,

A Security Awareness stream

18 different interactive Security Exchange discussions

Join CSO for a day of networking with your peers, engaging and discussing topics relevant to you, hearing from some of the top worldwide IT Security leaders in the market and attending the exhibition floor to win some amazing prizes.