It’s been a very big year for the federal government when it comes to cyber security. With the establishment of the Australian Cyber Security Centre and release of the government’s cybersecurity, Prime Minister Malcolm Turnbull has also appointed Alastair McGibbon as his advisor on all matters cyber.
I spoke to McGibbon at the AISA conference, held in Sydney during October 2016. In his presentation, he discussed the evolution of Cybersecurity 2.0.
“We need to change the way we do business. We need to fundamentally look at how government does its business and how business does its business when it comes to cyber,” he says. “Do we want to partner the old ways or in ways that are smarter, more scalable and quicker”.
McGibbon says there is a “significant delta” in our current capability to deal with cybersecurity and our capabilities. Incremental change, he says, is not the answer and is a pathway to losing the battle.
One of the prevailing views of the last two decades has been that security vendors and professionals have been engaged in a reactive battle. When a new security threat rears its head, vendors scramble to develop and deploy new solutions. This has driven the emergence of SIEM, AI and other tools. But McGibbon sees cyber in a different way.
“I see cyber as a social question and nit a technical question. There are technical solutions and architectures that can reduce the likelihood of things going wrong. But the [government’s] strategy looks at the ecosystem – everything from the international governance of the web and whether there are state havens where the nation states look after things through to how we better educate end-users. It’s silent on technology and rightly so”.
That’s not to say technology is not important but McGibbon says it is important to use the best technology as things evolve. For example, as the perimeter of organisations has become more opaque, the idea of using signature-based detection is not completely effective.
But the technology needs to be considered with risk so that the right solutions are put in place so that assets are protected appropriately. That has to take into the account the different needs of various groups. For example, the risk appetite of SMEs, enterprise and government are all different. The government, says McGibbon, is working harder at understanding those different needs and providing ways for them to all be supported.
For example, on the issue of threat sharing, he says the government is working on providing information in different ways that meet the needs of different market sectors. That extends right through the level of support and policing offers to different groups.
McGibbon also champions the importance of education. It can, he says, drive behavioural change but it needs to be appropriately designed and targeted.
With mandatory breach notification legislation expected to passed soon, I asked McGibbon his views on how companies will deal with the internal conflict of revealing a breach and the potential reputational damage it might give raise to, and the need for the public to be informed.
“The good thing about a legislative approach to this is that it creates a level playing field. I’ve been an advocate of data breach legislation for some time. What I hear from industry is some degree of certainty. Is it coming? If it comes, what will it look like? This is good as they’ll know what it looks like and what their obligations will be”.
There is no doubt, says Mcgibbon, that breach notification laws will change the behaviour of affected organisations. With companies not wanting to disclose, the best way to avoid being in this position is to tighten security so breaches are less likely to occur.