Can the Cyber Taskforce achieve its goals?
Garry Barnes
BASIC GOVERNANCE AND RISK MANAGEMENT FUNDAMENTALS AND ROOT CAUSES, BEYOND THE TASKFORCE’S REMIT, NEED TO BE ADDRESSED.
The new Cyber Taskforce, comprising the NSW Government, AustCyber and Standards Australia, focuses on three pillars of cyber strategy: prioritisation, regionalisation and harmonisation. These are commendable goals and ones which can provide an important and timely uplift to cybersecurity and the businesses and agencies that are dependent upon it.

However, to fully benefit from the work of the Taskforce, there are some critical points that need to be addressed, outside of cybersecurity, in the governance and risk management of enterprise IT.

Success in cybersecurity is highly dependent upon an effective governance system — one that understands enterprise outcomes and objectives and the contribution of IT in achieving them. ISACA’s COBIT 2019 model is one such example of a governance framework that can provide guidance in this space.

The resources, competencies and processes that support IT goals are fundamental to cybersecurity as well. Numerous problems in cybersecurity today can be linked, in part, to ineffective governance and IT risk leadership.

For example, in government today, many legacy systems are still in use and many IT departments are under-funded and/or under-skilled to drive their agency’s IT and cybersecurity plans. Uplifting of IT and cybersecurity fundamentals is required, such as:

• providing ongoing capability development to securely architect, configure and maintain an increasingly complex portfolio of IT services for their customers;
• replacing (or implementing countermeasures to protect) unsupported and legacy systems; and
• improving supplier lifecycle management.

To really benefit from a harmonised set of cybersecurity standards, satisfactory funding of security programs in agencies is also required. Security funding should be incorporated into any proposed digitisation program, so that all new digitised services are ‘secure by design’ and in line with harmonised standards.

There is also the challenge of accountability for achieving any new harmonised standard. Ministers, secretaries and agency heads are accountable for agency outcomes, and cybersecurity should be no different, just as board directors and the C-Suite are held responsible in the private sector.

While NSW agency executives are required to sign off the Agency Attestation report on implementations and current Essential 8 status, does this imply executive-level risk acceptance for all gaps in their agency’s cybersecurity maturity?

The Taskforce needs to be careful when it states it is aiming for ‘minimum standards’. In my opinion, minimum security requirements are a weak option when you consider the hostility of the operating environment for agencies. Optimal security (i.e., secure by design) is about making value-based decisions, by determining the right level of security for the service’s/product’s purpose and for the environment in which it operates. In the physical world, we expect that a product is fit for purpose, and this should be no different in the cyber landscape.

Lastly, where organisations have low cyber maturity, causal problems often exist in IT and risk management and the governance of enterprise IT. For harmonised standards to succeed, governance and risk capabilities must also be lifted.

I applaud AustCyber and the agencies involved in the Taskforce for their desire to make standards compatible across industries in order to be more secure, assist businesses and be more successful. It’s a task that many have tried previously. For their work to be successful, other basic governance and risk management fundamentals and root causes, beyond their remit, also need to be addressed.

Garry Barnes is Practice Lead, Governance Advisory at Vital Advisory, and a former board member of ISACA.