The Security Legislation Amendment (Critical Infrastructure) Bill is a complicated and comprehensive piece of potential legislation but, experts from two cybersecurity organisations told CRN, any organisation carrying out good cybersecurity practice needn’t be worried.
This is the final piece in our series on the Bill that builds on the explainer of which orgs would be affected, the look into the 12-hour reporting timeframe, and the outline of the intervention powers the Government would have should the Bill pass in its current form.
To conclude, this article features advice offered by the experts from ASX-listed cybersecurity services provider Tesserent and security specialist consultancy The Secure Board on how to make sure an organisation is safe, secure and compliant.
Leadership and processes
Claire Pales and Anna Leibel, directors of The Secure Board and co-authors of ‘The Secure Board: How To Be Confident That Your Organisation Is Cyber Safe’, said the first thing that should be done is to designate a ‘cyber leader’ – a person “who is the responsible officer for cybersecurity in the business”.
“It doesn't have to be a C-level strategic leader in every business,” Pales explained, “but if there's an incident you need someone in your organisation who represents the business around cybersecurity.”
Leibel added that it’s about having that knowledge of how to respond within the organisation itself.
“You need to have someone internal who's accountable for cyber,” she said. “It's not appropriate to have that outsourced to a vendor or a partner. It's good to have someone who actually knows the organisation, knows the customer base and knows the data to really be owning and managing that risk within the organisation itself.”
That person can then be the point of contact with a partner who may be providing a managed security service.
Whether it is their full-time role or just part of their job description, they should be able to ensure that there are processes in place that are rehearsed and refined so that, in the case of an incident, everyone in an organisation will know what to do to prevent it spiralling out of control.
As an analogy, while not every company can have a dedicated health professional on staff, every organisation should still have at least one person who can take the lead in the case of a serious medical or natural disaster emergency.
“We talk about when people are injured on worksites and constantly pushing that message around safety. Cybersecurity is no different. People learn through the unfortunate or fortunate experiences of others,” Pales said.
Tesserent chief information officer Michael McKinnon agreed that there is a crossover between health and safety and cybersecurity in the modern landscape. In fact, he sees the worlds of physical security and cybersecurity as two sides of the same coin.
“If we're talking about nation-state attacks, there is also potentially a physical component. What we're increasingly seeing is a very strong need for converged security … bringing together physical and logical or cyber or virtual security into one space,” he stated.
“What I'm referring to there is if you look at an organisational chart in a large organisation, you might have a chief information security officer, a CISO, and then you might have someone else who's head of security, and that head of security role will often be the person who's doing the traditional physical security – they both have security in their titles, but they often have completely separate reporting lines. So there's a disconnect.”
McKinnon described the combining of these two areas of security as ‘converged security’ and suggested that a better approach would be having a single chief security officer who can ensure that physical and digital protection are being considered holistically.
His advice on how to achieve this mirrored Pales’ and Leibel’s – assign responsibility.
“Get your org chart worked out. First, align your reporting lines through some common person or role that is accountable for the security outcomes of your organisation. Once you establish that accountability, you can then use that as the building block to do the next step, which is to assess what you've got. We always use this term in security: you can't protect what you don't know you have.”
Get started now, but be prudent
While partners can sometimes have difficulty convincing a client of the importance of security before it’s too late, the experts all agree that the best time to start is, as they say, yesterday.
Pales said that the Bill was getting execs thinking about their cybersecurity needs and putting risk outside of the purely financial into the spotlight.
“Everywhere we go at the moment, the question is asked around, ‘What does this bill mean? When is it going to come into play? How are we going to address the needs of the bill?’,” she said.
“We don't want people to look at [cybersecurity] and think it's actually too hard to get our heads around so we're just going to focus on the other risks. Non-financial risk is so significant in organisations that we really want people to start prioritising cyber even though it's a topic that's, for some, not the easiest to get your head around,” Pales said.
Leibel added, “A lot of organisations see [a cyber attack] as a risk that they can actually address on their own. Whereas we know that employees are often the ones clicking on a phishing email, or third parties – vendors that people work with – that actually have a breach where there's data loss of the organisation's sensitive data. It still impacts the organisation's brand, their reputation, their regulatory requirements, and has financial implications on them.”
McKinnon said that in order to be a strong cybersecurity partner to an organisation, MSSPs and resellers need to ensure that they are offering well-researched and informed advice.
“In cybersecurity and security in general, sometimes we are too reliant on certain vendors, and it's the vendors who have the really good salespeople or really good sales pitches, and sometimes not so much the technical solutions that stand up to scrutiny,” he said.
“A lot of resellers often do get hooked into a particular vendor solution, a particular way of doing things. It's really important that people have a broader perspective on the cybersecurity landscape and also understand that there are different areas of concern. There are nation-state actors, there's organised criminal groups, there's kiddie script hackers, there's all sorts of variation out there.”
However, a good place to start is to look at the approaches that have stood the test of time.
“A lot of the fundamentals in cybersecurity and security haven't changed for the last 10 or more years,” he stated. “The NIST framework, ISO 27001 – these are global standards and frameworks that people could already be researching and studying.
“Don't be so myopic about security in one way, understand that there's a lot more to cybersecurity you could be looking at, make sure that you're applying the craft more evenly across all of the areas.”