An amendment to the Protective Security Policy Framework now requires agencies to have a dedicated CISO as well as a CSO.

The Australian federal government has approved amendments to the Protective Security Policy Framework (PSPF) that require non-corporate Commonwealth entities to appoint a CISO responsible for cyber security leadership in the entity.

The PSPF already mandates that a CSO is appointed at the senior executive service level to oversee and make security-related decisions. The CISO, however, does not have to be appointed at the senior executive service level and "the role is best performed by an officer with the appropriate combination of experience, technical skills and other skills such as business acumen, leadership, communications and relationship building," the policy stated.

The CISO role is expected to complement that of the existing CSO, and in some cases the same officer may be appointed to both roles. As it stands, the PSPF differentiates the CSO role from the CISO role by responsibilities:

The CSO must be responsible for directing all areas of security to protect the entity's people, information and assets. This includes appointing security advisors to support them in the day-to-day delivery of protective security and to perform specialist services.

The CISO must be responsible for the entity's cyber security program and associated implementation program. This includes appointing cyber security advisors to support them in the day-to-day delivery of cyber security, and to perform specialist services.

Requirements for CISOs under the Protective Security Policy Framework

When appointing a CISO, the accountable authority (the one responsible for and with control of the entity) will determine who the CISO reports to.
Where the CISO does not report directly to the CSO or the accountable authority on cyber security matters, the Department of Home Affairs recommends that the CSO and the accountable authority retain visibility of the entity's cyber security maturity.

Where the entity's cyber security services are wholly provided through a shared services arrangement with another government entity, the CISO may be located at another government entity. In these cases, the accountable authority and CSO are in charge of establishing arrangements to retain visibility of cyber security matters.

The Department of Home Affairs recommends that, in entities that are large, complex or high-risk and require multiple officers to manage cyber security-related functions, these officers report to a single senior officer, ideally the CISO.

These changes will commence immediately, and entities will be required to report against these new obligations in the 2023-24 PSPF reporting period.