The content of this free article has been adapted from Intermedium’s Government Cyber Security Readiness Indicator (pdf).
The release of the Federal government’s cyber security strategy in April 2016 – as well as the accompanying $195 million in funding – is continuing to generate change in attitudes to cyber security across the Australian public sector.
The growing severity and frequency of security threats are also driving change. Several highly publicised incidents, like the census debacle in August 2016 and the WannaCry ransomware attack in May this year, have projected government vulnerabilities into the public eye, and heightened citizen scepticism regarding the security of personal information held by government.
Security of information systems will only become more pertinent as governments adopt data-sharing, tell-us-once functionality and cloud solutions as part of the move towards digitally-enabled and citizen-centric government services.
For these reasons, Intermedium has compiled an indicator of the cyber security readiness of each jurisdiction at the Whole-of-Government (WofG) level. Through consultation with both industry and government stakeholders, Intermedium identified six cyber security readiness enablers. The scores were allocated to each jurisdiction based on its WofG progress in adopting strong and effective:
- Cyber security strategies
- Policies, standards and frameworks
- Compliance management
- Willingness to collaborate with other jurisdictions and industry
The results of these assessments – derived entirely from information available in the public domain – have been published as Intermedium’s Government Cyber Security Readiness Indicator (GCRI).
The GCRI was released today at Intermedium’s end-of-year briefing in Canberra.
Thanks largely to the Commonwealth’s constitutional responsibilities for ‘homeland security’, the Federal government has catapulted to the top of Intermedium’s new ranking, and become the first jurisdiction to achieve WofG “Cyber Security Readiness” as per the listed criteria.
With responsibility for national cyber issues, the Federal government received consistently high scores across every metric, including governance. The Special Advisor to the Prime Minister on Cyber Security sits at the top of a complex governance structure, which involves several cyber security-related committees, agencies, offices, and directorates.
The Federal government is one of only two jurisdictions with a formal, publicly available WofG cyber security strategy, and is also responsible for a number of reference-point policies, standards and frameworks, like the Australian Government Protective Security Policy Framework. The Federal government also has well-established support agencies, including the Australian Signals Directorate and the Australian Cyber Security Centre.
Other cyber security front-runners
A handful of other jurisdictions have scored well on the cyber security indicator, including by leveraging work already done at the national level.
Victoria is the only other jurisdiction with a comprehensive cyber security strategy. Following the objectives in the federal strategy closely, the Victorian Cyber Security Strategy has set the state up to score well across most other criteria, putting the state in second place on the indicator.
With an “Assurance Model” used to verify its agencies’ security capability and maturity levels, Victoria scores well on Compliance Management. This Assurance Model helps deter self-assessment bias, a common issue where agencies believe they are better prepared to address cyber security threats than they actually are.
Consistent with its performance as a digital government readiness leader, New South Wales was also among the GCRI front-runners. It was one of the first states to install a formal executive-level leadership role, appointing its first WofG Chief Information Security Officer (CISO) earlier in the year. The NSW Government also announced a team to support the new WofG CISO role in the 2017-18 Budget.
The Queensland government was the first state or territory to commit funding to a WofG cyber security unit (February 2016), which has boosted its performance against the Capabilities criteria. The state was also one of the first to appoint a CISO.
South Australia also performed relatively well thanks to its strong cyber security policies, standards, and frameworks. South Australia has statements pertaining to security in its relevant procurement and cloud policies.
Room for improvement
For the four poorest performing jurisdictions – the Northern Territory, the Australian Capital Territory, Tasmania, and Western Australia – a lack of cyber security strategy is also contributing to low scores in other categories, including Governance and Capabilities.
Intermedium expects that most of the low-scoring jurisdictions will resolve their WofG cyber security governance over the next twelve months, and once they do this, cyber security frameworks and policies will be developed and their cyber security readiness will improve.
The Northern Territory, for instance, has already indicated that it currently has a WofG cyber security road map in development.
Similarly, once Tasmania appoints its first WofG CISO (recruitment is currently underway) the state will be better positioned to improve its performance on other metrics.
By leveraging Canberra’s highly educated workforce, the ACT has been promoting itself as a potential hub for private sector cyber security investment, giving the state a leg up on the Collaboration criteria.
Despite scoring strongly in the Compliance Management and Policies, Standards and Frameworks categories, the Western Australian Government is yet to make meaningful progress against most other metrics.