Australia’s information security industry wants to see the Government introduce a mandatory baseline for basic IT security and associated penalties for non-compliance as part of the country’s revised national cyber security strategy.
Infosec industry representative body AISA recently followed the Communications Alliance [pdf] to release the second public submission [pdf] to the Government’s review of the ageing national cyber security strategy.
AISA said the setting of a mandatory security baseline and support for small-to-medium enterprise in implementing basic security were two of the most important missing pieces of cyber security in Australia.
It said its 3000 members named poor information sharing, lack of investment in security and failure at the executive level to appreciate security risks as the top challenges for Australian organisations in information security.
AISA members listed a need for greater understanding at board level of cybersecurity risks “coupled with some sort of regulatory push by way of a mandated security baseline or greater penalties for data security failures to encourage the adoption of improved security controls".
“There is also wide support for increased enforcement and penalties for non-compliance with agreed baselines where private information is concerned or where such enforcement would be regarded as for the public good,” AISA wrote in its submission.
“AISA members support government funding of some sort [of] verification or low-level audit activity for essential systems or for service providers hosting personal information and in other cases where assurance is required.”
Taking on a bigger role
AISA also put forward its argument for having a bigger role in the development of infosec skills in the country.
The organisation proposed to develop a professional certification program similar in nature to that run by the UK Institute of Information Security Professionals (IISP), tailored to Australia.
The program would recognise existing certifications - such as CISSP, GIAC, and IRAP - but would be specific to the Australian environment and its skills requirements, AISA said.
“The program will include skills confirmation and continuing professional development requirements, which will be managed by AISA,” the organisation wrote.
“To support this scheme, AISA proposes to provide ongoing education and professional development opportunities to its members in cooperation with organisations such as AusCERT.
"AISA will also engage with both the public and private sectors to encourage and explain the long term benefits of supporting this program.”
Security skills shortage
AISA echoed concerns raised by the Comms Alliance around a skills gap in the local infosec industry and the increasing amount of skilled infosec specialists leaving Australia.
The Comms Alliance highlighted a lack of skills in areas including forensics, pen testing, incident management and risk assessment, and urged the Government to include a targeted program to retain and develop such expertise within its revised cyber security strategy.
AISA similarly listed pen testing, forensics, security architects and application security testers among the skills currently in short supply across Australia.
It said this shortage could be addressed by reviewing tertiary education and vocational training offerings as well as sponsoring employment of graduates leaving university with such skills.
Greater investment in research and development of products and services in Australia - rather than relying on overseas companies - would encourage the retention and growth of in-demand skills locally.
“Professional networks are imperative. The industry, and our adversaries, all move too fast for us to try to capture all approaches to each risk and/or threat in a core body of knowledge which is formally taught in detail over a set period of time,” AISA wrote.
“Ultimately, what will be most important is a strong grounding in a particular discipline (e.g. like computer science, or engineering), training in high level frameworks and principles, communications skills, and an individual’s professional network.”
The Department of Prime Minister and Cabinet - the agency leading the review - said it had so far consulted with over 140 organisations globally. It expects to complete and release the revised review midway through this year.