ACSC deliverables – About time, security needs to grow up and become mainstream.

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing CISSP, CISM, CSEPS and CISA. He is a long standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au blog at http://enextestlab.blogspot.com and can be found on twitter as @enextestlab.

Along with that, the Government announced (surprise, surprise) it would launch a renewed cyber security review. The last review was completed in 2008. A panel of experts have been commissioned to perform that work. Now I am no futurist; however, one can only imagine that the review will set the agenda for the ACSC – along with a call for greater budgets, greater jurisdictional control, etc.

What, however, were the outcomes of the 2008 review? What recommendations were adopted and implemented? and how has their success been measured? What were the outcomes of that measurement and the financial bottom line?

One would hope that the recipients of the report(s) do not simply tick a box “report delivered” and file it in the cabinet only to refer to it “as needed” without physical action or measurement. Unfortunately, those of us at the coalface of security see that all too often, and therefore develop a hardened and cynical view on the concept of “report commissioned”. Actionable, realistic recommendations, clear desirable outcomes and an implementable measurement system need to be built into the 2015 document (it’s due in 6-months) – and I don’t mean just a fiscal measurement system but an effectiveness rating against each task objective. And not just a single measurement at an arbitrary point in time, but an ongoing measurement system.

Unfortunately Australia has been well behind the 8-ball globally when it comes to pro-actively and publicly developing and communicating strong, implementable and effective security measures (particularly vendor product evaluation and assurance/certification systems).

Hamstrung, often not just by politics, but also by the ephemeral nature of “security” itself. We are always caught in the cyclical nature of chasing our tails. Security is sometimes a token façade “flashing lights” to deliver comfort to stakeholders or it is “cloak and dagger, secret squirrel, confidential: need to know basis, could tell you but would need to kill you” bluff. There is actually a middle ground that is not FUD. Security needs to grow up and become mainstream.

Governments are siloed with many departments and agencies working towards similar goals with very little communication or collaboration. The ACSC is a great initiative and a decent opportunity as a starting point for convergence. Let’s hope that it can be agnostic, flexible, independent, transparent, engaged with industries, and where applicable, enable public private partnerships to thrive – not a know-it-all policy bulldozer.

We all know that wars are never won by an individual; hopefully the ACSC will not develop into another un-measurable government silo.

Tags: canberra, Cyber Security Centre (ACSC)