YACSP (Yet Another Cybersecurity Strategy Post)

Having sat in a room and had the privilege to listen to Minister for Home Affairs and Cyber Security Clare O'Neil outline a message similar to the foreword of the new Australian Government's Cybersecurity Strategy 2023-2030 , I have to say - I'm a big fan.

There's a lot to like about the new strategy. The strategy is here. (PDF)

Firstly, for me it's fairly direct and clear. I think the imagery around the shields is relatable and easy to understand. The Shields are layered, so it's easy to comprehend that the 2023-2025 horizon 1 of "Strengthen our Foundations" is where government, business and community must start.

The action plan is here. (PDF)

The Strategic context sets the backdrop for this being a growing problem, and whilst it's well trodden territory for many of us in the cyber industry, I think it's going to be a great scene setter for many executives. I've met too many individuals both related and not, who have fallen for scams. I've met too many organizations burnt brutally by cyber incidents. The strategic context is a call to action to solve a risk, and at the same time looks through the problem through the lens of opportunity - an opportunity for Australia to uniquely lead the cyber response globally.

I'm not going to regurgitate the strategy, but focus on a few select areas that I am pleased to see in the strategy and corresponding action plan:

• The support for small and medium business who can't afford cyber resources, is of course welcome - the action plan is a step in the right direction although I wonder if it's enough. I hope it becomes The Oasis for SMB to come and receive all-things-cyber.
• What I particularly like is where the cyber awareness initiatives might go. Having that as the 2nd item in the list reconfirms to me just how important resourcing and attention here is important - we cyber professionals we focus a lot on engineering and architects to fix technology problems, GRC to fix process problems (compliance), and then we often skimp or do a shared-resource strategy for security awareness. All big business should have dedicated security awareness people, IMHO. I know of a few excellent security awareness specialists who riff off the national resources particularly for cyber week/month - if they (Gov) are going to beef this up, I think that is great. It's the right shield to start with IMHO. Our older generation(s) are "digital immigrants" and many of our elderly citizens don't understand the new rules of online trust. For businesses, in particular enterprise and large business - the ransomware response, threat intelligence bolstering in region and clear guidance will hopefully be a timely and credible source of action.
• I'm excited to see the momentum of Embed cybersecurity into software development practices . Great for Software development practices are geared for agility, speed to deliver and speed to market. Any incentivizing app developers to code securely is welcome. I look forward to seeing the cyber security code of practice.
• The protection of data sets "of national significance" and support towards data governance is a welcome move, particularly the creation of a voluntary data classification model.
• I'm also particularly pleased to see the framework that hopefully will develop for assessing vendor products and services. For me, this will be a welcome assist because we all know what it's like to get big US vendors to fill out GRC Risk Assessment Questionnaires. Most of the time you get an abrupt email point you to their /trust /privacy or /security page where you can "feel free" to fill it out yourself. I hope this framework drives some accountability that makes it easier to procure from vendors who want to do the right thing.
• If you're lucky enough to work for an enterprise that can built threat intelligence capability, then already we've seen great benefit in the ACSC partner model but many businesses opt in for one-way sharing. The two-way threat intelligence sharing incentivizing looks like a great next step. The continued support for threat intelligence and blocking capabilities - this is very welcome - and funding towards ISACs that support low maturity areas such as Retail, will be amazing. (I hope)
• Well, many Australians saw the impact of a large telco going down for a day, so it's welcome news that telco providers are being looped in to be aligned to the same standard of SOCI. (as well as managed service providers for CI)
• The obligations for organisations that operate within SOCI are more defined and the focus on Pressure Testing (through national cyber exercises and developing incident response playbooks) is a good step.

Well worth a read or a skim, I think cybersecurity is in for a ride the next 7 years - and it's nice to see it finally getting the attention it deserves with government making it clear it intends to be a leader, and hopefully industry will keep up.