With Australian cybersecurity standards in their ‘infancy’, industry seeks clarity

There are more cybersecurity standards and resilience frameworks than people to implement them, pointing to a need for harmonisation and aggregation.


Evoking the bon mot that “the great thing about standards is that there are so many to choose from,” Sydney-based consultancy InConsult has debuted a new cyberresilience framework—just weeks after a New South Wales government strategic report called for better alignment among cybersecurity standards covering various industry sectors.

Developed by reviewing a broad range of cybersecurity and risk-management frameworks, InConsult’s six-element Cyber Resilience Framework leans heavily on governance as its first and most fundamental element, calling for a “formal and proactive governance framework” that lays down the organisation’s “intent, commitment, practices, plans, and responsibilities for achieving cyberresilience”.

The Cyber Resilience Framework

The framework highlights the need for cyberresilience to be addressed as a board priority, not at the IT level, with clear delineation of roles and responsibilities fostering ongoing board engagement. Formal risk assessments must be used, incorporating a range of factors including the value of information, existing control layers, and their effectiveness.

The six stages are divided into pre-incident (detect, identify, protect) and post-incident (refine, respond, recover) stages, helping organisations formulate a consistent and all-encompassing response in the event of a cybersecurity incident.

The refine stage is positioned as a “centrepiece” to ensure that companies consider continuous improvement both before and after any given cybersecurity incident.

“In some of the frameworks we reviewed, governance was either missing or the last element,” InConsult director Tony Harb said, noting that the division of the stages was important “as enhancements in a post-incident state need to happen much faster as there is an extreme sense of urgency, and reputational risk is heightened.”

Survey results from Okta highlighted just how much is riding on companies’ trustworthy data management processes, with 49% of Australian respondents to its recent “State of Digital Trust” report saying they would stop using the services of a company that had suffered a data breach. “Digital brands must be responsible stewards of customer data in order to nurture trust, and drive loyalty and success. The first step towards building digital trust is establishing effective security tools and policies,” said Graham Sowden, Okta’s general manager for APAC.

Bringing together all those security standards and guidance

InConsult’s framework joins a crowded field of options available to increasingly cyberrisk-averse executives, including offerings from the likes of IBM Australia, Accenture, and MITRE, and specialised industry frameworks such as the recently launched CORIE for financial-services companies. At the same time, a concurrent effort is working to normalise cybersecurity and risk-management frameworks so that companies can more easily implement workable and effective cybersecurity protection.

Run as a joint effort between the NSW government, AustCyber, and Standards Australia, the NSW Standards Harmonisation Taskforce—which recently released a report with recommendations for seven industry sectors—has been working to bring together the strongest elements of available standards and frameworks.

Cybersecurity standards are “still in a state of relative infancy” compared to those in sectors like construction, a recent Gilbert + Tobin analysis noted, with a “piecemeal and inconsistent … approach to developing and adopting standards.”

The taskforce’s recommendations included shaping policy and regulation around relevant standards rather than a less-prescriptive ‘principles-based’ approach to regulation; revising some standards in industries where cybersecurity is not a conventional focus; and developing practical guidance material to help organisations choose the most appropriate standards for their cybersecurity and risk management requirements.

“If used in combination with the latest advances in technology, and embedded across global supply chains, [the standards] can assist in guiding baseline cyber security requirements,” AustCyber CEO Michelle Price said at the report’s launch. “This will help raise the posture of small to medium enterprise organisations and government agencies to compete in the Australian market and internationally.”

The report’s audit of cybersecurity standards noted that not all of the available standards—including ISO, IEC, EN, and NIST—are “embedded into policy and assurance frameworks”.

The appropriate use of standards varies between sectors, the taskforce noted, with factors such as entity size, threat surface, risk appetite, maturity, and customer orientation all playing a part. “Care must be taken” in evaluating how standards are to be used, the report advised, “for what purposes, and in relation to specific public policy requirements”, including how issues of attestation, certification, and standards adoption might affect supply chains or procurement.

Businesses need more and better-quality “guidance material” about implementing specific standards, the taskforce found, with a particular requirement to understand how the standards map to existing or proposed government frameworks.

Cybersecurity workforce gap requires a more accessible process

Even as demand for such guidance grows, the report noted, the industry is still suffering from a cybersecurity workforce “skills gap in relation to understanding and application of standards and compliance”, highlighting the need for the process of selecting and applying standards to be more accessible to organisations of all types and sizes.

In the context of this skills deficiency, independent efforts such as that of InConsult may provide valuable context for broader harmonisation efforts.

Ultimately, InConsult’s Harb said, adaptability is key because cyber resilience is a moving target. “A good framework is not a silver bullet against cyberrisks [and] should always be appropriate to the organisation, its environment, and risk posture,” he said, noting that the company’s Cyber Resilience Framework is a “work in progress”.

Copyright © 2021 IDG Communications, Inc.