Security firm RSA has recently started “teasing apart” the Australian government’s cyber security strategy to work out how the $230 million is to be spent, and find potential opportunities for input into its implementation.
The company’s recently-appointed chief cyber security advisor for APJ, Leonard Kleinman, said his office had started deconstructing the strategy “literally in the last 3-4 weeks”.
Kleinman joined RSA in October last year after a decade at the Australian Taxation Office (ATO), most recently with its vulnerability management and research team.
“The cyber security strategy is still in its infancy,” he said on the sidelines of the RSA Conference in San Francisco.
“But it’s something we will be looking to further develop [around] how we can better engage with government and industry to collaboratively improve the security offering and posture [of organisations].”
Several parts of the cyber security strategy target industry involvement, particularly around increasing public-private intelligence sharing, and growing Australia’s overall footprint and reach in the global cybersecurity market through the Australian cyber security growth network (ACSGN).
Kleinman said he was “encouraged” by the strategy and the funding commitment.
“I’m hoping that as we as a nation embark on this journey, that we will continue to grow our investment in cybersecurity at a pace similar to other nations,” he said.
“To me, though, it’s now about how Australia utilises what we have to get the biggest bang for buck we can.”
Kleinman also welcomed the passage of mandatory data breach notification through both houses of parliament, saying it would make Australia a less attractive target for attackers.
“One thing I like is that we’re now pretty much aligned to the rest of the world with having some level of requirement to notify,” he said.
“I believe that that makes us a safer country in the long term. If I was an attacker, a country with no breach notification is a juicier target, knowing they may be more reticent to openly disclose occurrences.”
He also said it would help incident response teams justify fixes to the root cause of identified issues.
“For people such as myself and colleagues, if we were responsible for incident response it used to be a real bugbear when you’d triage an incident and identify what the root cause was, and there was a prevailing attitude of ‘job well done, we’re back, remediated, into business again’,” Kleinman said.
“That’s where they’d want to leave it. But the lifecycle of incident response runs from preparation right through to lessons learned.
“From an incident responder’s perspective, having something like the mandatory data breach notification scheme is great because it helps to enforce that requirement to remediate root cause.”
Though it took almost five years to put mandatory notification into law, Kleinman said the passage of time had helped to soften attitudes and reduce opposition.
“There was scepticism when it was first proposed, but I think attitude [towards it] has definitely changed,” he said.
“Of course there were going to be organisations not entirely happy with it, but you can always tie it back to creating more effort and quite possibly cost to create the posture.
“At the end of the day we’re being entrusted with people’s personally identifiable information and other data.
“We should be improving our security posture. It shouldn’t just be about facilitating the revenue stream of that entity or corporation.”
Ry Crozier travelled to RSA Conference 2017 in San Francisco as a guest of RSA.