Infosec professionals join ACSC to improve national cyber resilience and, hopefully, policy

(QESP Editor’s Note: The following is a reprint of a 01/02/2019 article in The Mandarin. The original, with Related Posts is available at  https://go.pardot.com/e/272522/um-email-utm-source-newsletter/wfsnz/328597165?h=iU3-kiPb1UYYJXrvPRU2yofrP5POrHVHpURechmPRj4)

A new partnership between the federal government’s peak cyber security team and a professional association promises to improve cross-sector collaboration, and might also lead to more consideration of independent expertise in the development of public policy.

The most visible outcome of the deal between the Australian Cyber Security Centre and the Australian Information Security Association is a plan to merge their respective annual conferences into one big get-together in October.

AISA chair Damien Manuel says the new Australian Cyber Conference will be the largest on the sector’s events calendar, a “cornerstone piece for the region” that helps position Australia as a centre for cyber security research, industry innovation and professional collaboration.

The association says it hopes to “further strengthen Australia’s cyber security posture and achieve a cyber secure nation” through the new partnership. Skills development is one of the main ways it can help, in the view of ACSC chief Alastair MacGibbon, who doesn’t want his staff spending time on event management.

“A partnership with the ACSC allows us to take advantage of AISA’s well-established reach and experience delivering events that build the skills of current and aspiring cyber security professionals and providers in Australia, while the ACSC continues to focus on our core business of making Australia the safest place to live, work and play online through our cyber security resilience programs,” MacGibbon said in the statement.

The not-for-profit group welcomes members from academia, government and the private sector, and it has also been working more closely with the industry growth centre, AustCyber, of late.

Damien Manuel

“The membership is quite diverse,” said Manuel, the director of the Deakin University Centre for Cyber Security Solutions. “We have people who are academics in the cyber security space, we have people that are in the risk management space, people in the project management space, senior executives at large organisations, small business owners, and people from different government agencies that deal with cyber security and risk management.”

Of course, the AISA chair would welcome more participation from public servants, and not just those with deep technical expertise who have traditionally joined the 20-year-old association.

Manuel, one of many sharp critics of the government’s new powers to get around encryption, thinks the partnership agreement might also lead to better industry policy, and allow independent experts to have more input on legislation.

“It’ll enable the government to effectively have a cyber security outreach program that they can leverage through AISA and AustCyber and the ACSC to actually get a sense of the direction that the industry needs to move in, or some of the legislation that might need to be changed, or introduced as well,” he told The Mandarin.

He says policy development processes related to cyber security could definitely be improved and hopes they will, with the three organisations working more closely together.

“The other area I think that probably needs to be improved from a whole-ecosystem perspective is, a lot of organisations focus on security awareness; we really need to flip that dynamic to start focusing on behavioural change,” he added.

Manuel sees a need for more public information campaigns “to harden Australia to foreign countries’ influences, cyber scams and things like that”  — something like the Slip, Slop, Slap campaign but for cyber security — and says the association is planning to ramp up its efforts to raise awareness in schools and the wider public.

“Security being such a broad topic now that impacts everybody, we need to be conscious that we don’t just talk to people who are in the sector, but also start to expand that messaging out to create an awareness change, and sort of a behavioural change in what people do online, to make sure that Australians as a whole are safe.”

As for the much-discussed skills gap in the sector, Manuel believes employers need to start accepting more new graduates and developing them, to meet the increasing demand for cyber security professionals.

“Everybody is time-poor, everybody is trying to achieve things very quickly, so it’s often easier to poach a known quantity from another organisation because you know that person has already got five or 10 years of industry or hands-on experience, rather than … getting some of the graduates and then investing time to bring them up to speed,” he said.

“So there’s that conversion problem, you could say, where industry needs to come to the table and say it is actually far cheaper for us to get graduates and grow them within the industry, as opposed to continually poaching them… which ultimately drives up the price that people pay for cyber security experts.”

A program of smaller professional events run by AISA will also become more accessible via the government’s network of Joint Cyber Security Centres, which were set up precisely to increase cross-sector collaboration.

“Those events will now start to appear in the JCSC locations around Australia, where there’s room capacity, which is also a great way to facilitate video link-ups because in the past, if we brought in a great speaker we had them in one city and we’d have to fly them around to the other cities,” said Manuel.

“Now we’re able to leverage the JCSC locations and we can do a multi-cast around Australia.”

He says AISA plans to make the conference accessible to parents by offering on-site child care, broaden discussions out to topics like mental health in cyber security, and bring in tertiary students from 20 institutions to compete in this year’s CySCA Cyber Security Challenge and “mix with others in the profession” at the same time.

The association is calling for speakers now and is keen to line up people from a relatively diverse range of personal and professional backgrounds, particularly women, who only make up about 12% of the cyber security industry, according to Manuel. Presenters are expected to be “vendor neutral” and focus on ideas rather than products.

People: Alastair MacGibbon, Damien Manuel

Departments: Australian Cyber Security Centre

Tags: ACSC, AISA, Australian Information Security Association, cyber security