With the limited size of its domestic market, Australia has always looked beyond its shores to export its capabilities, particularly in services where it is already punching above its weight and earning more revenue compared to its peers.
About five years ago, the Australian government earmarked cyber security as an area of growth, leading to the formation of the Australian Cyber Security Growth Network, or AustCyber in short.
The organisation, one of six industry growth centres, is charged with growing Australia’s cyber security ecosystem, exporting the country’s cyber security products and services to the world, and building a pipeline of skilled cyber security professionals.
In an interview with Computer Weekly, AustCyber CEO Michelle Price shares more about the work that AustCyber is doing to bolster the cyber security posture of Australian businesses, grow the country’s cyber security sector and what participants can expect from this year’s Australian Cyber Week.
The world has seen an unprecedented number of cyber threats in the past two years, including growing threats against critical infrastructure. Could you provide a high-level perspective of the threat landscape in Australia?
Price: It’s been characterised by increased ransomware, right down to the individual level, while organisations also have had to educate themselves on cryptocurrencies as a result. The debate around whether or not an organisation should pay the ransom is also starting to heat up in Australia. It’s not been in the public discourse until recently and that’s not necessarily a bad thing. Having conversations of that nature demonstrates that we are starting to see an uplift in cyber maturity in Australia.
With the pending changes to the critical infrastructure legislation in Australia, it does mean that for critical infrastructure and industries, there has been increased focus on cyber risk and how to do cyber risk management, at least to a baseline level, which is great. The rest of the economy, though, is still lagging, and that’s obviously an experience for many other countries as well.
If you don’t have regulation, then you’ll only see proactive risk management from organisations that clearly understand how the risk plays out. I’d say when you compare us to where we were pre-pandemic, we certainly have seen a measurable increase in cyber maturity in the economy overall.
There’s also increasing awareness at the individual level, so in households, cyber security is something that people know they need to focus on and they are starting to ask questions about it, which is great. Now suffice to say, there are still many households that are not talking about it, but the fact that some are doing so is a shift from where we were almost two years ago.
Against this backdrop that you’ve painted, could you talk about the work that AustCyber has been doing to address some of these gaps and issues?
Price: AustCyber funds a whole range of different activities, and we deliver programmes ourselves to make sure there is awareness around the upside and downside risks in cyber security as much as there is in any other area of the economy. We also broaden the conversation beyond the traditional concept of what information security is to get people to appreciate why cyber security is a broader concept than information security.
“Cyber security is not one-size-fits-all and malicious actors will leverage the fact that if you haven’t taken account of the context, it’s their playing field”
Michelle Price, AustCyber
Also, what we’re starting to see at the more mature end of the spectrum, at least in listed companies, is the broadening of those conversations around digital risk. To be a trusted organisation in cyber space can provide huge opportunities for new forms of growth, and part of what we do in our programmes is to help Australian cyber security companies get in there and provide products and services backing those conversations.
The cyber security market is vast and comprises a broad range of suppliers offering niche products and services as well as large global companies that offer a suite of services. Is there a sweet spot for Australian cyber security companies?
Price: When we look at the international Cyber Body of Knowledge (CyBok) facilitated by the University of Oxford, Australia does have sovereign capabilities in most but not all areas. That is a good thing because Australia is playing to its strengths – we’re not trying to generate capability where we don't have natural global competitiveness.
As an economist in this space, I see that as being a good thing and it provides opportunity for free trade agreements. In terms of natural strengths, it is very clear that Australia has some fantastic strengths in integration around governance, risk and compliance, and ability to achieve the right kind of balance between technology and people in that space.
In the past three years, we’ve seen a lot of domestic consolidation of that part of the market. Over the next five years, we'll see a small number of larger companies further scale, which is great.
Australia is also very good at niche capabilities related to national security where we’re seeing invention. Some of the companies we’ve supported at AustCyber have been able to commercialise their invention. They include amazing companies like Secure Code Warrior, Airlock Digital and Cybermerc.
We also continue to support deep tech companies like Quintessence Labs around quantum encryption. These are very high-end capabilities which Australia has been very good at. For the past 15 years or so, we’ve been able to home in on deep tech research. We’ve not been as quick at commercialising what we need to, but once that’s done, we see products and services being taken up very quickly.
What is the growth mindset of these companies? Do they see Australia as their key market, or do they think of themselves as a global company from day one?
Price: It’s our mantra at AustCyber to help every company we work with to build local and deliver global very early in their journey through a facilitated and targeted approach. So, rather than go to what feels like the biggest market in the world, which of course we know is the US, they can go to a market where their capabilities are most needed, in terms of that country’s government and policy settings, combined with what the market conditions are.
We’ve had some companies in the portfolio go global by going to Germany first, and not the US. Some companies have been able to see that the greatest opportunity really is in Australia, and their go-global approach has been to test with New Zealand and Singapore, and then scale through Singapore up into Asia. For us, it’s about a tailored approach to help companies play to their strengths so they have the best chance of success rather than take a one-size-fits-all approach.
My next question is about skills. We know there’s a shortage of cyber security talent across the globe, including in Australia. Are there efforts from AustCyber to plug the talent and gender gap in cyber security?
Price: AustCyber has been instrumental in focusing the nation’s attention on what we need to do at a very foundational level around the curriculum, and the availability of high-quality training and education in the country.
Almost every foundational factor that you see across the economy to do with cyber security skilling has been driven by AustCyber and we’re very proud of that. We’ve also been front and centre in terms of nationalising the vocation education piece through our Tafe [Technical and Further Education] system and ensure that registered training organisations have a high standard.
Michelle Price, AustCyber
Equally, there is an opportunity to commercialise the good work that government agencies do to develop training packages for their staff. In terms of the quality and prevalence of training, I think Australia can now say it is in a world-class position, and quite a few of those packages are being exported around the world now.
Australia is also the first country outside of the US to adopt the US National Institute of Standards and Technology’s skills framework at a foundational level, both in policy and practice, across the government and private sector.
We’ve also been the first country outside of the US to internationalise a platform called Cyber Seek – in Australia we call it Cyber Explorer – that identifies the supply and demand of cyber security skills and jobs. It is important to be able to visualise where the jobs are and where the need is so you can start to track the clusters of different skillsets required in different industries.
In terms of diversity, it would not surprise you that we and other organisations in Australia are pushing for diversity. For us, diversity is not just about gender, which is very important – I’m very much involved in all of the women in cyber-related activities in Australia – but diversity is also about the diversity of ethnicity and language, both in terms of technical language and spoken language, as well as age and disciplines. We’ve also funded programmes to make it more straightforward for First Nations people in Australia to be part of cyber security.
On the matter of women in cyber, we’re really proud that with our partners, a huge amount of work has been done in Australia on women in cyber. We’ve gone from having around about 4% of the cyber security workforce in Australia being women in 2015 to now having almost 40% of the workforce in Australia being female.
That’s a huge gain in a short period of time and most of it comes from having graduates entering the profession at the early workforce stage. But we still have a long way to go. We’ve done a lot of work to make sure that cultural issues are being addressed at workplaces, but we also need to make sure that we get that pull-through so that we can see more diversity within the management and leadership levels, which still have low levels of female representation.
You talked about the role of regulation. Singapore has plans to regulate cyber security service providers in two areas: penetration testing and managed security operations centre (SOC) services. What are your thoughts on that?
Price: It’s an interesting topic and I’ve spoken to David Koh [chief executive of Singapore’s Cyber Security Agency] about this as we sit on a couple of committees. I think that what we do agree on is that the regulatory approach that might be taken by a country should be suited to the way business gets done in that country.
So, in Singapore, which is a far more regulated economy than Australia, it could make sense for that to be a signal to the market around the kinds of behaviours expected if you were to do it specifically for those two areas. And I think those are the safer parts of cyber security practice to start if you’re going to regulate technical competence.
But overall, it’s my personal preference to not regulate those kinds of areas. My preference would be to regulate the technical competence of the individuals that make up the collective and the kinds of audits that you might do on their capabilities.
So, if we think about the professionals operating as penetration testers, we’ve got the Crest framework in Australia from the UK. Within an SOC [security operations centre] environment, if you’re accrediting the people who work in those environments, but also for the types of technologies that get used to deliver those services, I think over time, auditing how people who are accredited apply the technologies in those environments will see a better outcome.
But that’s a personal view. The reason why I think that’s the better way to go is because we know that cyber security is so incredibly contextual. An organisation could have an internal SOC or contract the services of an SOC. There are very different contexts around those two things when you apply them in, for example, a retail environment. That’s very different from a mining environment which is very different from a government environment.
Regulation tends to be all encompassing and one-size-fits-all. Cyber security is not one-size-fits-all and malicious actors will leverage the fact that if you haven’t taken account of the context, it’s their playing field.
The behaviours of how people do business in Australia would not be suited to those areas of practice being regulated, at least not at the moment. But the types of regulation that have come before this in Singapore mean that type of regulation might work. And I think that, in any case, what we’re saying is that some form of regulation at some point in the value chain is needed. I’m saying that I think we should regulate the skills of the people and look at how we apply the technologies rather than regulating the environments.
Finally, could you tell us more about Australian Cyber Week this year? What can participants expect this time round?
Price: The Australian Cyber Week turns five this year, and what’s made it an enduring success has been how well it synthesises all of those different components that we’ve talked about. It puts an agenda together that enables people inside and outside the cyber security industry to navigate these issues. Regardless of the level of understanding you have, you can learn something from it, as well as be able to develop and deepen your people networks and your understanding of the technology.
Michelle Price, AustCyber
What we’re doing a little differently this year is to include a couple of events that really sort of challenge some of those next-step type conversations. We’re doing that through a couple of different types of experiences, such as having debates in a traditional sense where affirmative and negative teams debate over a hypothetical issue that is very topical, like a significant cyber attack on hospitals.
Our hospitals are increasingly under pressure at the moment with the number of hospitalisations that are happening because of Covid-19, on top of all of the usual issues that hospitals deal with. Obviously, hospitals are critical infrastructure, so to be able to play through what a cyber attack would look like in a hospital setting gives the ability to discern how sensitive that can be from a legal point of view. We don’t want to place blame in the first instance, but how do we work together to identify what has happened and very quickly remediate when we know that lives are at stake.
We’re also doing a series of cyber escape rooms, which are virtual environments where you work through a series of puzzles to be able to escape. And one of the great things about being able to do Cyber Week virtually is that anyone from around the world can be a part of it, so we encourage our colleagues from around the world to be part of Cyber Week and see cyber security through the eyes of Australians, learn about what’s going on Down Under and see what great companies we’ve got to show off to the world.
Read more about cyber security in Australia
- Australian state agency Transport for New South Wales is the latest victim of the supply chain attack against Accellion’s legacy file transfer system.
- Australia’s latest cyber security strategy includes centralised management of networks and a voluntary code of practice for deploying internet-connected devices, among other areas.
- Supply chain security risks can wreak havoc for Australian firms if measures are not taken to deter cyber attackers from exploiting a supplier’s security gaps to target another firm.
- Australia’s New South Wales department of education takes some systems offline as a precautionary measure in response to a cyber attack.