Op-Ed: 5 core principles for Australia’s impending cyber regulations to build more resilient, modern organisations

Existing regulations were put in place when companies typically ran applications on equipment in their own data centres.

Companies now leverage sophisticated public cloud platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, which let them create and rapidly iterate and improve dynamic digital experiences. They’ve decommissioned many of their own data centres in favour of running their own applications in the cloud and subscribing to software-as-a-service (SaaS) offerings. Many of these apps make use of microservices, which break the code into small chunks that can be delivered to customers securely and efficiently across a variety of platforms and use continuous integration and delivery (CI/CD) methods to automate the never-ending flow of tiny changes.

The result of these changes is that many longstanding regulations are now hopelessly mismatched for today’s dynamic, highly automated modern software operations. Many security and compliance regulations, for example, require documentation of which person approved a particular software update — a practical impossibility for companies that do hundreds of updates a day.

The Australian Cyber Security Centre’s (ACSC) Essential Eight Maturity Model endorses the adoption of technologies that can help, particularly regarding security. But even the ACSC acknowledge the limitations of the existing model, explaining that “while the principles behind the Essential Eight may be applied to cloud services and enterprise mobility, or other operating systems, it was not primarily designed for such purposes, and alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments”.

VIEW ALL

To truly keep up with the changes wrought in the cloud, we need a new regulatory philosophy, one that focuses on technology-agnostic principles and workflows, helping rather than hindering companies’ efforts to adopt zero trust and other leading-edge security approaches.

There are five core principles that should be considered in order for Australia to truly lift its resilience for the cloud-first digital age.

1. Require the adoption of modern security methods, not obsolete ones
   Cyber regulations should drive companies to adopt development methods and security practices, like zero trust, that ensure security is built into products and systems from the get-go, not as an afterthought. Many companies in Australia and New Zealand are already planning to implement some form of zero-trust, according to Okta. Regulators should consider mandating more aspects of the Essential Eight model or the NIST Cybersecurity Framework, which lays out voluntary best practices.
   
   
2. Free companies from a broken compliance model
   While current regulations usually don’t specify exactly how companies should prove their systems are secure, many of the auditing firms they hire have fallen into the habit of requiring particular security implementations that were designed to protect against on-premises threats, and do not require controls that are appropriate for the public cloud. Organisations frequently want to adopt cutting-edge approaches to security but struggle to get approval from their auditors. The government could encourage the auditing industry to modernise its approach. Whether through education campaigns, mandatory training requirements, or other methods, auditors need the technical acumen and mindset to reward companies for finding better security methods, not stifle them.
   
   
3. Engage more with industry
   The organisations facing daily attacks are the front-line experts on what works and what doesn’t. Regulatory agencies need to create ways for private sector leaders to share battle-won expertise and best practices. Otherwise, the agencies will likely focus on the things they know they can control: forcing companies to check compliance boxes rather than thinking meaningfully about what they are trying to protect against, and taking the steps needed to help safeguard themselves and their customers.
   
   
4. Embrace automation
   When it comes to promoting cyber security at scale, automation is essential. There is no human-based process sufficient for organisations the size of a Medibank or Optus to identify and remediate vulnerabilities and misconfigurations quickly enough to prevent massive damage. And yet, many in regulated industries such as financial services and healthcare must still document their processes for tracking who signed off on a particular change to its software. Given how quickly bad actors can exploit new vulnerabilities, companies have replaced slow-moving manual ticketing for fixes with automated systems, applying approaches like infrastructure-as-code that can update applications and infrastructure in minutes, or less. The regulatory requirements have to keep up with this new reality and challenge software and hardware vendors to improve the security capabilities they provide.
   
   
5. Move faster
   Every industry wants its regulators to keep up with the times and hopes for a constructive rather than a confrontational relationship. But when it comes to cyber security, speed and collaboration are mandatory. Software development methods evolve too fast, and the cost of falling behind is too high for the typical pace of governmental action. The average cost of a data breach in Australia is now US$4.35 million, climbing 12.7 per cent since 2020.

Updating cyber security regulations is necessary to make the world a safer place, but it will also bring many other benefits. A fast, modern, automated approach to compliance will help unleash the full power of the cloud economy. Smart rules requiring the adoption of current best practices would make Australian companies more secure and free them to innovate more rapidly and boldly while keeping consumers and society safe.

Grant Orchard is the Field Chief Technology Officer for HashiCorp, Asia-Pacific and Japan.