Op-Ed: Building a cyber resilient Australia – insights from the Office of the CTO

The Australian government has taken a significant step towards enhancing its cyber security landscape by releasing a discussion paper aimed at embedding a zero-trust culture across its departments and agencies.

Ashwin Ram, Cyber Security Evangelist, Check Point Software Technologies
Fri, 27 Dec 2024

To contribute to this consultative process, Check Point Software Technologies’ Ashwin Ram, from the Office of the CTO, offers expert insights into the critical questions raised within the paper.

1. In your experience, what key factors contribute to the successful identification of cyber risks across different business units?

Successful identification of cyber risks hinges on situational awareness, which begins with comprehensive asset management. Knowing where all assets are located and maintaining up-to-date asset management systems is foundational.

Embedding cyber security governance within the broader enterprise governance framework ensures cyber risks are treated as integral business risks. Also, conducting independent risk assessments across business units provides an unbiased perspective on vulnerabilities and exposures.

Once risks are identified, a business impact analysis (BIA) helps triage and prioritise risks to the most critical assets and systems based on their importance to organisational objectives. The next step is to formally document these risks in the organisation’s risk register, ensuring resources are allocated to mitigate threats to the most vital assets first.

To complement this, fostering a culture of open communication about cyber risks across all levels of the department or agency will be essential. Regular cross-departmental meetings and knowledge-sharing sessions create a unified understanding of cyber threats, thereby encouraging collective responsibility for risk mitigation.

Collaboration can also be achieved by mandating risk assessment activities that address both current and emerging threats. Establishing cyber steering committees with representation from all key business units is another effective approach. These committees can act as a forum for sharing insights and aligning strategies to address evolving cyber security challenges cohesively.

In addition, leveraging collaborative tools such as shared dashboards or cyber security management platforms can ensure real-time updates and foster transparency among stakeholders. Initiating joint workshops and training programs further enhances alignment and builds trust among different groups.

2. Are there preferred frameworks or standards used by your organisation to identify and assess cyber security risks, including both internal systems and third-party services?

A comprehensive approach to risk assessment spans the entire digital footprint, including cloud environments, networks, endpoints, and email systems. Risk assessments should be tailored to address specific vulnerabilities, such as:

  • Threat hunting: Actively searching for indicators of compromise or malicious and unusual activity.
  • Cloud security risk assessments: Aligning with Cloud-Native Application Protection Platform (CNAPP) requirements to evaluate cloud security risks.
  • Tabletop exercises: Facilitating scenarios to identify gaps in cyber crisis management plans for both operational and executive teams.
  • Email and collaboration tool security assessments: Examining vulnerabilities in email systems and collaboration tools related to phishing, spoofing, malware, business email compromise, and account takeover.
  • Network security controls assessments: Evaluating the effectiveness of current network defences against advanced threats designed to evade detection, in both IT and OT environments.

3. How should the Commonwealth ensure that cyber security roles and responsibilities are defined and communicated across different levels of their organisation?

Clearly defining roles and responsibilities is paramount. A Cyber Security Charter should outline accountability, responsibility, consultation, and information-sharing mechanisms.

This document must be reviewed annually or after significant organisational changes. To ensure alignment with organisational strategy, the charter should articulate a clear vision, mission, and scope for cyber security. Ultimately, levels of authority, accountability, and responsibility for decision making must be defined and documented, including clear organisational charts where possible.

Regular updates to policies, written in accessible language, are essential to keep pace with the evolving threat landscape. Communication should extend beyond onboarding, with annual updates delivered through diverse channels like emails, in-person sessions, and bite-sized training videos.

Regular town hall meetings can also be used to reinforce key messages about roles and responsibilities. By allowing employees at all levels to voice concerns and seek clarifications, these sessions foster a transparent and inclusive cyber security culture.

4. How does your organisation ensure that all employees, regardless of their role, understand their responsibility in achieving cyber resilience?

Cyber security awareness needs to be prioritised, ideally through monthly training sessions that are accessible on-demand for flexibility. Regular phishing simulations test employees’ ability to recognise and avoid sophisticated social engineering attempts. The effectiveness of these programs is measured using completion rates, quiz scores, and phishing simulation results. This approach ensures employees are equipped to recognise and mitigate cyber risks in their daily roles.

To further embed awareness, cyber security best practices should be integrated into daily workflows. Regular newsletters and micro-learning modules keep employees updated on the latest threats and preventive measures, reinforcing their role in maintaining organisational cyber resilience and embedding a cyber-savvy culture.

5. How do you ensure that roles and responsibilities related to cyber security are clearly defined and maintained across diverse client and supply chain portfolios?

Vendor onboarding and procurement processes play a critical role in ensuring cyber security roles and responsibilities are clearly defined and communicated with the supply chain ecosystem. Organisations should clearly articulate expectations regarding regular communication and reporting lines during contract negotiations. Contracts must specify communication protocols and reporting structures.

Identifying critical partners helps prioritise regular updates on cyber security roles and responsibilities. Embedding discussions about roles and responsibilities in crisis simulations or tabletop exercises that include key clients and critical supply chain partners can reinforce understanding and ensure alignment during potential incidents.

6. What requirements and policies are most effective to ensure that all areas within an organisation (technical and non-technical) develop a necessary baseline understanding of cyber security concepts applicable to their role?

Role-specific training tailored to employees’ responsibilities ensures relevance and engagement. Personalised awareness messaging highlights both organisational and personal risks, fostering commitment to best practices.

At the same time, a Cyber Security Champions Program can empower non-security staff to advocate for security measures, extending awareness efforts across the organisation. By making cyber security relatable and practical, a shared sense of responsibility is cultivated.

7. What modified or new requirements would you recommend for the PSPF, HCF, or the Whole of Government Gateway policy to embed a zero-trust culture?

While zero trust traditionally focuses on access control, organisations should also prioritise threat prevention. Shifting from detection and remediation to a prevention-first approach aligns with the zero-trust ethos and mitigates risks more effectively.

A holistic zero-trust culture combines stringent access controls with proactive security measures, fostering a robust and secure environment. Embedding zero trust into procurement policies ensures that third-party vendors comply with the same stringent security standards. Additionally, integrating zero-trust principles into cloud infrastructure management helps safeguard critical digital assets.

8. What requirements would you recommend to ensure that effective metrics and benchmarks are implemented?

Effective metrics must resonate with the intended audience, whether technical teams or management, so they must be relevant to the roles and responsibilities of the recipient.

They should highlight urgent issues requiring attention and ultimately enable appropriate and well-informed decision making.

As a general rule, metrics should be specific, measurable, and relevant. Regular audits and updates can ensure metrics remain accurate and aligned with evolving organisational goals.

Metrics must also be actionable, so it is clear to the recipient what action must be taken.

9. What requirements or policy changes would you recommend to ensure alignment between your broader cyber strategy and individual uplift plans?

Aligning the cyber strategy with business outcomes ensures stakeholder buy-in. When the strategy supports achieving key performance indicators (KPIs), it gains credibility and fosters collaboration.

Regular governance and oversight mechanisms for feedback, such as steering committees, help coordinate efforts and maintain alignment across the different levels of the department or agency.

Additionally, conducting periodic reviews of both the broader strategy and individual plans ensures that adjustments are made in response to new challenges or opportunities, maintaining alignment over time.

10. What zero-trust capabilities have you already applied within your organisation? How long have you been implementing these? List the benefits and issues associated with these measures.

Zero trust builds on foundational security practices like the principle of least privilege and the CIA triad (confidentiality, integrity, and availability). Effective implementation should extend Forrester’s model by addressing evolving threats through automation, orchestration, centralised management, and proactive threat prevention.

A sound zero-trust architecture goes beyond traditional access control by also enforcing proactive threat prevention. This approach not only upholds zero-trust principles but also actively prevents threats.

For organisations looking to implement zero trust, it is important to implement a phased approach with milestones that are achievable. As a starting point, focus on a well-segmented network, and role-based access to implement the principle of least privilege.

12. How do you manage distributed accountability, such as situations where multiple vendors or third-party providers are involved in delivering cyber security services for a government client?

To manage distributed accountability well, start with thorough risk assessments of all third-party providers to identify potential vulnerabilities. Focus on vendor onboarding with robust contractual obligations, including the right to regular audits and monitoring to ensure ongoing compliance with contractual obligations and security standards.

Incorporate stringent information security clauses into outsourcing contracts, clearly defining responsibilities, including data retention, access controls, incident response, and regulatory compliance.

While strong relationship management can foster collaboration, developing well-defined incident response procedures that outline the roles and responsibilities of all parties involved, including third-party providers, can go a long way in ensuring accountability is well understood within the partner ecosystem.

To enhance coordination, establishing a centralised oversight team ensures accountability across all third parties. This team serves as a single point of contact, streamlining communication and addressing potential gaps in responsibility.

Ashwin Ram’s insights underline the importance of a proactive, prevention-first approach to cyber security. By embedding a zero-trust culture, fostering collaboration, and aligning strategies with business goals, Commonwealth government departments and agencies can navigate the complex and dynamic cyber threat landscape effectively.
