The recent Channel 9 attack is a timely reminder of the devastating consequences of a successful cybersecurity attack on national infrastructure. The incident serves as a stark wake-up call for businesses and joins a growing list of escalating attacks involving nation-states and other motivated groups determined to access sensitive data or disrupt critical services. No doubt, the question many will continue to ask is: how do we better defend against these kinds of attacks, particularly where the adversaries are nation-state actors with almost limitless means and nefarious intent?
Focus on the right things
Somewhat counterintuitively, doubling down on security regulatory measures will continue to send organisations into a death spiral of misfocus, consuming resources on the wrong things and ultimately making us less secure. Instead, policymakers and organisations need to sharpen their focus on what is critically important in defending the nation against modern adversaries. Executive teams and boards must also elevate their ownership and accountability for the cybersecurity imperative in their organisations.
In short, to combat the rising tide of threats, organisations need an effective risk-based cybersecurity strategy that ‘connects the dots’ between understanding what is critically important to the business and the evolving threat surface and matching these with specific and targeted capability. Only through effective strategy can we stand a chance against our adversaries in the areas where it matters most.
A holistic, data-driven, defensible cybersecurity strategy provides organisations with a better-targeted defence and response against the modern threat surface. Importantly, it elevates these concepts to the executive and board level, providing situational awareness to inform decision making. Organisations are juggling many corporate risks, and cyber is no different. There are no silver bullets. However, by ensuring senior leadership is cognizant of the likelihood and consequence of cyber events on the business, decisions and a right-sized budget can be applied to minimise those loss scenarios that are material. This is why strategy is essential: it aligns oversight and investment to address the organisation’s key security risks, enabling the business to focus limited funding on managing critical loss scenarios.
What does a good cyber strategy look like?
Cybersecurity strategy must be specific, measurable, and practical to address the challenges posed by critical risks across the evolving threat surface, such as disruption from ransomware. The underlying frameworks may need to pivot to tackle these challenges at a more granular level, such as the excellent MITRE ATT&CK framework, and harmonise at the macro level to provide holistic coverage, while always using a risk-based strategy to inform the focus and determine the extent of mitigation (and resulting residual risk) that is acceptable to the business.
Yet strategy alone is not enough to defend our nation’s critical assets. Equally important is getting agreement and ownership from the executive committee and board. A pervasive organisational culture that proactively tackles cyber risk is set from the very top. Security and IT leaders cannot adequately defend an organisation where senior leadership are distracted and completely unaware of how to protect themselves against attacks.
Getting cyber right starts at the top
If we are serious about defending national interests and sovereignty from cyber-attack, we must make senior leadership and boards take ownership of the problem and place it alongside other major corporate risks such as financial and legal.
Too often, security decisions are made by business lines with the view that their goals take priority over security. This changes when stronger accountability is demanded from the top. This is a significant challenge for both government and business. Despite the misguided focus we see on agencies failing to meet compliance obligations, a change in accountability at the senior leadership level would undeniably result in a very different and more resilient landscape than we have now. Food for thought.
Compliance won’t get the job done
Organisations and industry commentators are increasingly equating compliance with strategy, driving a consensus that meeting compliance obligations makes an organisation resilient. Often this will mean losing focus on entire domains of security, such as response and recovery, which can severely impact an organisation’s resilience. This is precisely why cyber strategy is critical. The regulatory view is often focused on the pass mark and not on what matters most for an organisation.
The ‘death spiral’ reflects organisations spending all their available funding and resources chasing elusive compliance dreams while ignoring, rather than understanding, their critical threats and actual security risks. The focus must be on what is the most critical priority for the business, and a compliance standard cannot make that decision. Most standards provide valuable benchmarks and guidance, and some are mandated, but as security leaders, senior executives, and board members, we need to have the fortitude to stand behind and prioritise the security outcomes that matter most for our organisations. Being 100% compliant is rarely the most appropriate goal, is often incompatible with operating a large business, and may leave you with gaping security holes. You will end up far from ‘cyber-resilient’, to use a much-misaligned term adopted by some auditors.
Delivering real change
The era of cyber-attacks targeting critical infrastructure is only now in its infancy. As a nation, we must rethink how we defend ourselves. A deeper focus is required on what is critically important, understanding the threat environment, and how we uplift targeted capability. Ownership from senior leadership must become a key foundational pillar necessary to deliver any meaningful change to the nation’s cyber resilience. Compliance is not the answer, and doubling down will not shift the needle further. Improvements to governance and regulation should instead focus on better executive ownership of the issue and developing a more effective, defensible, right-sized cyber strategy that is supported by an operationally repeatable way to make data-driven decisions, manage the business of cyber, and track progress in an agile manner.
We may not always get it right, but this at least gives us a better fighting chance of securing our most critical systems and information against the modern adversary.