CEOs need to skill up on cyber security: ASD chief

The biggest problem facing Australian businesses in terms of cyber security is not a shortage of skills, but rather chief executives who don't properly understand the risk, according to the head of Australia's signals intelligence agency.

ASD chief Mike Burgess made the comments to a parliamentary committee hearing on digital delivery of government services today.

The inquiry is looking at, among other things, whether the government is currently capable of delivering services to citizens digitally with due regard for security.

It came as a result of a series of high-profile government technology bungles, including the eCensus failure, Centrelink robo-debt program, and ATO website crashes.

In hearings today, the committee questioned whether a well-documented local skills shortage of cyber security professionals was hindering the government's digital transformation efforts.

The Australian Cyber Security Growth Network has previously estimated the local industry will need to grow by 11,000 workers by 2026 to meet demand.

Burgess - whose agency produces guidance to government and industry on how to make their systems more secure - said the more "critical issue" was a lack of skills within top leadership.

"I am not one of these people that will call out a skills shortage as a problem," Burgess said.

"There is no doubt that this issue is being recognised, and organisations both in federal government and the private sector are starting to invest more in skilled people.

"But skilled people is not the critical issue here - it's the skill of the CEO and management team to identify and manage risk effectively."

Executives are broadly struggling to ask the right questions, identify risk, and ensure they are managing it appropriately, Burgess said.

He argued this was largely a result of a lack of "decent" frameworks or bodies of practice that executives can use to educate themselves.

"It's fair to say there's no decent framework that's internationally recognised for how to manage cyber security risk, because this risk is really a young thing," Burgess said.

"And there is not yet a decent body of practice. There is, however, good advice out there coming from the likes of my agency, but what's missing is [something that can help] senior executives recognise the value of their data, who's accessing it, who is protecting it."

However, he argued it was still possible for CEOs to "truly educate yourself and skill yourself to do this effectively".

Burgess penned the "five knows" of cyber security with Rachael Falk when the pair worked at Telstra. 

The approach [pdf] outlines the five things Burgess and Falk say business leaders must know to effectively manage the risk. They are: know the value of your data, know where it is, know who has access to it, know who is protecting the data, and know how well the data is protected.