How the Australian Government can build national cybersecurity resilience and stand tall against threats
With 2020 seeing an enormous spike in remote working, plus continued large-scale data breaches and an increasing focus on the consequences of compromised privacy online, there has never been a sharper public focus on cybersecurity. As a result, governments around the world have stepped in to reshape and update their cybersecurity plans and infrastructure, including strategies and regulations that businesses are required to follow when handling our most precious digital resources.
Strategic protection guidelines for cybersecurity are not a new concept, and organizations like NIST have informed the policies of global government departments for many years. As we have moved through digital advancement at a cracking pace, it has become difficult for many to keep up with the number of threats, possible attack vectors, and compliance requirements that are part of an ever-changing landscape.
A recent breach of 54,000 New South Wales driver's licenses as a result of an easily accessed, misconfigured S3 bucket on a third-party server has compromised thousands of individuals, with the security researcher who reported it conceding that the data may already have been sold on the dark web. The sad thing is, this is an easy fix and would have been unlikely to happen at all had security been front-of-mind for those configuring the cache.
The Australian Government recently released the Australian Cyber Security Strategy 2020, highlighting new initiatives and a $1.67B funding boost to be used over the next decade, to achieve their "vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend". This is clearly a very welcome review and updated plan, especially since one of the chief objectives is:
"Action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities".
While government bodies tend to focus on (as they should) the security measures concerning a country's critical infrastructure -- areas that are ripe for a catastrophic organized attack -- what was lacking in the past were guidelines for the companies that collect and use our data every day.
Now, when it comes to official strategy like this, it's not always beer and Skittles. It can be a little hard to interpret, and vague on the details, leaving it up to an organization's security team to piece together a plan based on non-specific guidelines. This issue is not unique to Australia's government, but let's analyze their brand new release.
A focus on reaction, not prevention.
The updated Australian Cyber Security Strategy is a more relevant uplift to the last release in 2016, with fairly comprehensive plans for businesses, especially SMEs. The strategy outlines:
"Government and large businesses will assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability. The Australian Government will work with large businesses and service providers to provide SMEs with cyber security information and tools as part of "bundles'of secure services (such as threat blocking, antivirus, and cyber security awareness training)."
This will provide SMEs with a decent basic foundation on which to protect their business from cyber threats, but it is largely a reactive approach, and the focus is on detection tooling - a relatively small part of the cybersecurity landscape.
There is also surprisingly little information on how large enterprises can protect themselves and reduce their attack vectors. While many may be part of the plans to protect critical infrastructure (such as telecommunications, transportation), financial services, retail, and many other verticals have a lot to lose when it comes to a successful cyberattack. Perhaps this will be part of forthcoming legislation, but even so, highlighting the importance of meticulous cybersecurity best practices at the enterprise level is fundamental to seeing significant change, and a drop in compromised data and cybercrime.
Overall, when considering the strategy as a whole, it is built around a reactive approach. Countering cyber attacks, disrupting active cybercriminals and ensuring their prosecution, as well as intelligence sharing with international allies, are all important factors, but imagine if the nation-wide standard for protection was focused on prevention. Along with protective measures for critical infrastructure, if security was front-of-mind in every business, and every person touching the code that creates our digital world was properly equipped to block attacks before they happen, the savings in time, money, and heartache for victims is immeasurable.
Resilience is possible, but it must be planned.
It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level. Like any other malicious attack that has the ability to disrupt our way of life, resilience is absolutely crucial - not just to withstand such an attempt, but to act as a deterrent to it happening at all. At the end of the day, even threat actors can be lazy, and they will move to an easier target to achieve their goal if too many barriers are put in the way of their success.
At the moment, we face a global cybersecurity skills shortage, and this is something that keeps CISOs around the world awake at night. Billions of lines of code, constant large-scale data breaches, and more risk of penalty (Marriott alone received a USD $123M GDPR fine for their 2018 data breach... and they had another breach this year) than ever before has created a demand chasm for security specialists that, realistically, is unlikely to be closed. There is simply too much code, and too little resources to ensure it is fortified from every angle.
So, should we give up on the idea that we will ever truly stand tall in the face of cyber threats? Not a chance. Resilience requires using all available resources, and thinking one step ahead. And for many companies, their developers can unlock a powerful method of fortification right as code is written. When paired with a visible, positive security culture across the whole business, this provides a secure foundation that is difficult for many attackers to shake and break. However, this method requires taking the suggestions from the Australian Cyber Security Strategy, as an example, and diving deeper into how they can be customized to support effective change that is relevant to the business.
To that end, it is important to break down a couple of the tips:
- Security awareness training: This is specifically called out for SMEs, and in the context of the whole report, is mainly aimed at teaching all staff basic security hygiene (e.g. spotting phishing emails, not clicking unknown links, etc.). Realistically, it must go much further than that and become role-specific, especially for those who touch code, like developers. It is imperative that security awareness training is a component of preventative measures and building resilience
- Education: In a refreshing change, there is an in-depth plan to address the cybersecurity skills shortage over the next decade, by way of emphasis on cybersecurity training from primary and secondary school, through to tertiary education. This is sorely needed if we are to build the security superstars of the future, but from a perspective of addressing business needs right now, hands-on training in secure coding for the development cohort is an absolute necessity to start reducing common vulnerabilities, and must be part of a functional security program.
As security experts, we need to do more to help companies all over the world understand the importance of building an internal security program that goes beyond simple foundational measures of awareness. Spending time to upskill developers takes the pressure off overworked AppSec specialists, and ensuring the entire organization is as security-aware as possible within the context of their role is vital in reducing the threat surface attack area in software.
Developer upskilling is time well spent, so why are so many companies ignoring it?
A recent survey by DDLS concluded that there is very little sense of priority when it comes to cybersecurity training in Australian organizations. In fact, it didn't even make the top three training priorities, despite 77% of respondents ranking cybersecurity awareness as "extremely" or "very important" in their business.
It's little wonder, then, that Australia is struggling to close the widening skills gap, and has some work to do to create a more resilient infrastructure, from essential services to retail, and everything in between.
There is an enormous opportunity here for governments to create a security skills baseline certification, or regulation, and the strategy alludes to this as a way to work with finite resources. However, once again, this seems to be a future-state proposal, and we have the tools to start much sooner if we target high-impact areas first. For me, the beacon of hope lies in the development teams within each organization, and given the tools and knowledge to succeed, they can cut off common vulnerabilities at the pass and significantly reduce the risk of a data breach within their organization.
In 2019, 24% of all data breaches were caused by human error - namely security misconfigurations - which are usually relatively simple, code-level fixes. If training is made a priority here, in conjunction with building company-wide security awareness, I'm betting that there would be fewer CISOs signing off on breach notifications to thousands of compromised customers.
It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level, but is their strategy reaching far enough?
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
With 2020 seeing an enormous spike in remote working, plus continued large-scale data breaches and an increasing focus on the consequences of compromised privacy online, there has never been a sharper public focus on cybersecurity. As a result, governments around the world have stepped in to reshape and update their cybersecurity plans and infrastructure, including strategies and regulations that businesses are required to follow when handling our most precious digital resources.
Strategic protection guidelines for cybersecurity are not a new concept, and organizations like NIST have informed the policies of global government departments for many years. As we have moved through digital advancement at a cracking pace, it has become difficult for many to keep up with the number of threats, possible attack vectors, and compliance requirements that are part of an ever-changing landscape.
A recent breach of 54,000 New South Wales driver's licenses as a result of an easily accessed, misconfigured S3 bucket on a third-party server has compromised thousands of individuals, with the security researcher who reported it conceding that the data may already have been sold on the dark web. The sad thing is, this is an easy fix and would have been unlikely to happen at all had security been front-of-mind for those configuring the cache.
The Australian Government recently released the Australian Cyber Security Strategy 2020, highlighting new initiatives and a $1.67B funding boost to be used over the next decade, to achieve their "vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend". This is clearly a very welcome review and updated plan, especially since one of the chief objectives is:
"Action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities".
While government bodies tend to focus on (as they should) the security measures concerning a country's critical infrastructure -- areas that are ripe for a catastrophic organized attack -- what was lacking in the past were guidelines for the companies that collect and use our data every day.
Now, when it comes to official strategy like this, it's not always beer and Skittles. It can be a little hard to interpret, and vague on the details, leaving it up to an organization's security team to piece together a plan based on non-specific guidelines. This issue is not unique to Australia's government, but let's analyze their brand new release.
A focus on reaction, not prevention.
The updated Australian Cyber Security Strategy is a more relevant uplift to the last release in 2016, with fairly comprehensive plans for businesses, especially SMEs. The strategy outlines:
"Government and large businesses will assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability. The Australian Government will work with large businesses and service providers to provide SMEs with cyber security information and tools as part of "bundles'of secure services (such as threat blocking, antivirus, and cyber security awareness training)."
This will provide SMEs with a decent basic foundation on which to protect their business from cyber threats, but it is largely a reactive approach, and the focus is on detection tooling - a relatively small part of the cybersecurity landscape.
There is also surprisingly little information on how large enterprises can protect themselves and reduce their attack vectors. While many may be part of the plans to protect critical infrastructure (such as telecommunications, transportation), financial services, retail, and many other verticals have a lot to lose when it comes to a successful cyberattack. Perhaps this will be part of forthcoming legislation, but even so, highlighting the importance of meticulous cybersecurity best practices at the enterprise level is fundamental to seeing significant change, and a drop in compromised data and cybercrime.
Overall, when considering the strategy as a whole, it is built around a reactive approach. Countering cyber attacks, disrupting active cybercriminals and ensuring their prosecution, as well as intelligence sharing with international allies, are all important factors, but imagine if the nation-wide standard for protection was focused on prevention. Along with protective measures for critical infrastructure, if security was front-of-mind in every business, and every person touching the code that creates our digital world was properly equipped to block attacks before they happen, the savings in time, money, and heartache for victims is immeasurable.
Resilience is possible, but it must be planned.
It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level. Like any other malicious attack that has the ability to disrupt our way of life, resilience is absolutely crucial - not just to withstand such an attempt, but to act as a deterrent to it happening at all. At the end of the day, even threat actors can be lazy, and they will move to an easier target to achieve their goal if too many barriers are put in the way of their success.
At the moment, we face a global cybersecurity skills shortage, and this is something that keeps CISOs around the world awake at night. Billions of lines of code, constant large-scale data breaches, and more risk of penalty (Marriott alone received a USD $123M GDPR fine for their 2018 data breach... and they had another breach this year) than ever before has created a demand chasm for security specialists that, realistically, is unlikely to be closed. There is simply too much code, and too little resources to ensure it is fortified from every angle.
So, should we give up on the idea that we will ever truly stand tall in the face of cyber threats? Not a chance. Resilience requires using all available resources, and thinking one step ahead. And for many companies, their developers can unlock a powerful method of fortification right as code is written. When paired with a visible, positive security culture across the whole business, this provides a secure foundation that is difficult for many attackers to shake and break. However, this method requires taking the suggestions from the Australian Cyber Security Strategy, as an example, and diving deeper into how they can be customized to support effective change that is relevant to the business.
To that end, it is important to break down a couple of the tips:
- Security awareness training: This is specifically called out for SMEs, and in the context of the whole report, is mainly aimed at teaching all staff basic security hygiene (e.g. spotting phishing emails, not clicking unknown links, etc.). Realistically, it must go much further than that and become role-specific, especially for those who touch code, like developers. It is imperative that security awareness training is a component of preventative measures and building resilience
- Education: In a refreshing change, there is an in-depth plan to address the cybersecurity skills shortage over the next decade, by way of emphasis on cybersecurity training from primary and secondary school, through to tertiary education. This is sorely needed if we are to build the security superstars of the future, but from a perspective of addressing business needs right now, hands-on training in secure coding for the development cohort is an absolute necessity to start reducing common vulnerabilities, and must be part of a functional security program.
As security experts, we need to do more to help companies all over the world understand the importance of building an internal security program that goes beyond simple foundational measures of awareness. Spending time to upskill developers takes the pressure off overworked AppSec specialists, and ensuring the entire organization is as security-aware as possible within the context of their role is vital in reducing the threat surface attack area in software.
Developer upskilling is time well spent, so why are so many companies ignoring it?
A recent survey by DDLS concluded that there is very little sense of priority when it comes to cybersecurity training in Australian organizations. In fact, it didn't even make the top three training priorities, despite 77% of respondents ranking cybersecurity awareness as "extremely" or "very important" in their business.
It's little wonder, then, that Australia is struggling to close the widening skills gap, and has some work to do to create a more resilient infrastructure, from essential services to retail, and everything in between.
There is an enormous opportunity here for governments to create a security skills baseline certification, or regulation, and the strategy alludes to this as a way to work with finite resources. However, once again, this seems to be a future-state proposal, and we have the tools to start much sooner if we target high-impact areas first. For me, the beacon of hope lies in the development teams within each organization, and given the tools and knowledge to succeed, they can cut off common vulnerabilities at the pass and significantly reduce the risk of a data breach within their organization.
In 2019, 24% of all data breaches were caused by human error - namely security misconfigurations - which are usually relatively simple, code-level fixes. If training is made a priority here, in conjunction with building company-wide security awareness, I'm betting that there would be fewer CISOs signing off on breach notifications to thousands of compromised customers.
With 2020 seeing an enormous spike in remote working, plus continued large-scale data breaches and an increasing focus on the consequences of compromised privacy online, there has never been a sharper public focus on cybersecurity. As a result, governments around the world have stepped in to reshape and update their cybersecurity plans and infrastructure, including strategies and regulations that businesses are required to follow when handling our most precious digital resources.
Strategic protection guidelines for cybersecurity are not a new concept, and organizations like NIST have informed the policies of global government departments for many years. As we have moved through digital advancement at a cracking pace, it has become difficult for many to keep up with the number of threats, possible attack vectors, and compliance requirements that are part of an ever-changing landscape.
A recent breach of 54,000 New South Wales driver's licenses as a result of an easily accessed, misconfigured S3 bucket on a third-party server has compromised thousands of individuals, with the security researcher who reported it conceding that the data may already have been sold on the dark web. The sad thing is, this is an easy fix and would have been unlikely to happen at all had security been front-of-mind for those configuring the cache.
The Australian Government recently released the Australian Cyber Security Strategy 2020, highlighting new initiatives and a $1.67B funding boost to be used over the next decade, to achieve their "vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend". This is clearly a very welcome review and updated plan, especially since one of the chief objectives is:
"Action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities".
While government bodies tend to focus on (as they should) the security measures concerning a country's critical infrastructure -- areas that are ripe for a catastrophic organized attack -- what was lacking in the past were guidelines for the companies that collect and use our data every day.
Now, when it comes to official strategy like this, it's not always beer and Skittles. It can be a little hard to interpret, and vague on the details, leaving it up to an organization's security team to piece together a plan based on non-specific guidelines. This issue is not unique to Australia's government, but let's analyze their brand new release.
A focus on reaction, not prevention.
The updated Australian Cyber Security Strategy is a more relevant uplift to the last release in 2016, with fairly comprehensive plans for businesses, especially SMEs. The strategy outlines:
"Government and large businesses will assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability. The Australian Government will work with large businesses and service providers to provide SMEs with cyber security information and tools as part of "bundles'of secure services (such as threat blocking, antivirus, and cyber security awareness training)."
This will provide SMEs with a decent basic foundation on which to protect their business from cyber threats, but it is largely a reactive approach, and the focus is on detection tooling - a relatively small part of the cybersecurity landscape.
There is also surprisingly little information on how large enterprises can protect themselves and reduce their attack vectors. While many may be part of the plans to protect critical infrastructure (such as telecommunications, transportation), financial services, retail, and many other verticals have a lot to lose when it comes to a successful cyberattack. Perhaps this will be part of forthcoming legislation, but even so, highlighting the importance of meticulous cybersecurity best practices at the enterprise level is fundamental to seeing significant change, and a drop in compromised data and cybercrime.
Overall, when considering the strategy as a whole, it is built around a reactive approach. Countering cyber attacks, disrupting active cybercriminals and ensuring their prosecution, as well as intelligence sharing with international allies, are all important factors, but imagine if the nation-wide standard for protection was focused on prevention. Along with protective measures for critical infrastructure, if security was front-of-mind in every business, and every person touching the code that creates our digital world was properly equipped to block attacks before they happen, the savings in time, money, and heartache for victims is immeasurable.
Resilience is possible, but it must be planned.
It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level. Like any other malicious attack that has the ability to disrupt our way of life, resilience is absolutely crucial - not just to withstand such an attempt, but to act as a deterrent to it happening at all. At the end of the day, even threat actors can be lazy, and they will move to an easier target to achieve their goal if too many barriers are put in the way of their success.
At the moment, we face a global cybersecurity skills shortage, and this is something that keeps CISOs around the world awake at night. Billions of lines of code, constant large-scale data breaches, and more risk of penalty (Marriott alone received a USD $123M GDPR fine for their 2018 data breach... and they had another breach this year) than ever before has created a demand chasm for security specialists that, realistically, is unlikely to be closed. There is simply too much code, and too little resources to ensure it is fortified from every angle.
So, should we give up on the idea that we will ever truly stand tall in the face of cyber threats? Not a chance. Resilience requires using all available resources, and thinking one step ahead. And for many companies, their developers can unlock a powerful method of fortification right as code is written. When paired with a visible, positive security culture across the whole business, this provides a secure foundation that is difficult for many attackers to shake and break. However, this method requires taking the suggestions from the Australian Cyber Security Strategy, as an example, and diving deeper into how they can be customized to support effective change that is relevant to the business.
To that end, it is important to break down a couple of the tips:
- Security awareness training: This is specifically called out for SMEs, and in the context of the whole report, is mainly aimed at teaching all staff basic security hygiene (e.g. spotting phishing emails, not clicking unknown links, etc.). Realistically, it must go much further than that and become role-specific, especially for those who touch code, like developers. It is imperative that security awareness training is a component of preventative measures and building resilience
- Education: In a refreshing change, there is an in-depth plan to address the cybersecurity skills shortage over the next decade, by way of emphasis on cybersecurity training from primary and secondary school, through to tertiary education. This is sorely needed if we are to build the security superstars of the future, but from a perspective of addressing business needs right now, hands-on training in secure coding for the development cohort is an absolute necessity to start reducing common vulnerabilities, and must be part of a functional security program.
As security experts, we need to do more to help companies all over the world understand the importance of building an internal security program that goes beyond simple foundational measures of awareness. Spending time to upskill developers takes the pressure off overworked AppSec specialists, and ensuring the entire organization is as security-aware as possible within the context of their role is vital in reducing the threat surface attack area in software.
Developer upskilling is time well spent, so why are so many companies ignoring it?
A recent survey by DDLS concluded that there is very little sense of priority when it comes to cybersecurity training in Australian organizations. In fact, it didn't even make the top three training priorities, despite 77% of respondents ranking cybersecurity awareness as "extremely" or "very important" in their business.
It's little wonder, then, that Australia is struggling to close the widening skills gap, and has some work to do to create a more resilient infrastructure, from essential services to retail, and everything in between.
There is an enormous opportunity here for governments to create a security skills baseline certification, or regulation, and the strategy alludes to this as a way to work with finite resources. However, once again, this seems to be a future-state proposal, and we have the tools to start much sooner if we target high-impact areas first. For me, the beacon of hope lies in the development teams within each organization, and given the tools and knowledge to succeed, they can cut off common vulnerabilities at the pass and significantly reduce the risk of a data breach within their organization.
In 2019, 24% of all data breaches were caused by human error - namely security misconfigurations - which are usually relatively simple, code-level fixes. If training is made a priority here, in conjunction with building company-wide security awareness, I'm betting that there would be fewer CISOs signing off on breach notifications to thousands of compromised customers.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
With 2020 seeing an enormous spike in remote working, plus continued large-scale data breaches and an increasing focus on the consequences of compromised privacy online, there has never been a sharper public focus on cybersecurity. As a result, governments around the world have stepped in to reshape and update their cybersecurity plans and infrastructure, including strategies and regulations that businesses are required to follow when handling our most precious digital resources.
Strategic protection guidelines for cybersecurity are not a new concept, and organizations like NIST have informed the policies of global government departments for many years. As we have moved through digital advancement at a cracking pace, it has become difficult for many to keep up with the number of threats, possible attack vectors, and compliance requirements that are part of an ever-changing landscape.
A recent breach of 54,000 New South Wales driver's licenses as a result of an easily accessed, misconfigured S3 bucket on a third-party server has compromised thousands of individuals, with the security researcher who reported it conceding that the data may already have been sold on the dark web. The sad thing is, this is an easy fix and would have been unlikely to happen at all had security been front-of-mind for those configuring the cache.
The Australian Government recently released the Australian Cyber Security Strategy 2020, highlighting new initiatives and a $1.67B funding boost to be used over the next decade, to achieve their "vision of creating a more secure online world for Australians, their businesses and the essential services upon which we all depend". This is clearly a very welcome review and updated plan, especially since one of the chief objectives is:
"Action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities".
While government bodies tend to focus on (as they should) the security measures concerning a country's critical infrastructure -- areas that are ripe for a catastrophic organized attack -- what was lacking in the past were guidelines for the companies that collect and use our data every day.
Now, when it comes to official strategy like this, it's not always beer and Skittles. It can be a little hard to interpret, and vague on the details, leaving it up to an organization's security team to piece together a plan based on non-specific guidelines. This issue is not unique to Australia's government, but let's analyze their brand new release.
A focus on reaction, not prevention.
The updated Australian Cyber Security Strategy is a more relevant uplift to the last release in 2016, with fairly comprehensive plans for businesses, especially SMEs. The strategy outlines:
"Government and large businesses will assist small and medium enterprises (SMEs) to grow and increase their cyber security awareness and capability. The Australian Government will work with large businesses and service providers to provide SMEs with cyber security information and tools as part of "bundles'of secure services (such as threat blocking, antivirus, and cyber security awareness training)."
This will provide SMEs with a decent basic foundation on which to protect their business from cyber threats, but it is largely a reactive approach, and the focus is on detection tooling - a relatively small part of the cybersecurity landscape.
There is also surprisingly little information on how large enterprises can protect themselves and reduce their attack vectors. While many may be part of the plans to protect critical infrastructure (such as telecommunications, transportation), financial services, retail, and many other verticals have a lot to lose when it comes to a successful cyberattack. Perhaps this will be part of forthcoming legislation, but even so, highlighting the importance of meticulous cybersecurity best practices at the enterprise level is fundamental to seeing significant change, and a drop in compromised data and cybercrime.
Overall, when considering the strategy as a whole, it is built around a reactive approach. Countering cyber attacks, disrupting active cybercriminals and ensuring their prosecution, as well as intelligence sharing with international allies, are all important factors, but imagine if the nation-wide standard for protection was focused on prevention. Along with protective measures for critical infrastructure, if security was front-of-mind in every business, and every person touching the code that creates our digital world was properly equipped to block attacks before they happen, the savings in time, money, and heartache for victims is immeasurable.
Resilience is possible, but it must be planned.
It is clear from the Australian Government's push to get serious about cybersecurity that it has been identified as a key risk area on a national level. Like any other malicious attack that has the ability to disrupt our way of life, resilience is absolutely crucial - not just to withstand such an attempt, but to act as a deterrent to it happening at all. At the end of the day, even threat actors can be lazy, and they will move to an easier target to achieve their goal if too many barriers are put in the way of their success.
At the moment, we face a global cybersecurity skills shortage, and this is something that keeps CISOs around the world awake at night. Billions of lines of code, constant large-scale data breaches, and more risk of penalty (Marriott alone received a USD $123M GDPR fine for their 2018 data breach... and they had another breach this year) than ever before has created a demand chasm for security specialists that, realistically, is unlikely to be closed. There is simply too much code, and too little resources to ensure it is fortified from every angle.
So, should we give up on the idea that we will ever truly stand tall in the face of cyber threats? Not a chance. Resilience requires using all available resources, and thinking one step ahead. And for many companies, their developers can unlock a powerful method of fortification right as code is written. When paired with a visible, positive security culture across the whole business, this provides a secure foundation that is difficult for many attackers to shake and break. However, this method requires taking the suggestions from the Australian Cyber Security Strategy, as an example, and diving deeper into how they can be customized to support effective change that is relevant to the business.
To that end, it is important to break down a couple of the tips:
- Security awareness training: This is specifically called out for SMEs, and in the context of the whole report, is mainly aimed at teaching all staff basic security hygiene (e.g. spotting phishing emails, not clicking unknown links, etc.). Realistically, it must go much further than that and become role-specific, especially for those who touch code, like developers. It is imperative that security awareness training is a component of preventative measures and building resilience
- Education: In a refreshing change, there is an in-depth plan to address the cybersecurity skills shortage over the next decade, by way of emphasis on cybersecurity training from primary and secondary school, through to tertiary education. This is sorely needed if we are to build the security superstars of the future, but from a perspective of addressing business needs right now, hands-on training in secure coding for the development cohort is an absolute necessity to start reducing common vulnerabilities, and must be part of a functional security program.
As security experts, we need to do more to help companies all over the world understand the importance of building an internal security program that goes beyond simple foundational measures of awareness. Spending time to upskill developers takes the pressure off overworked AppSec specialists, and ensuring the entire organization is as security-aware as possible within the context of their role is vital in reducing the threat surface attack area in software.
Developer upskilling is time well spent, so why are so many companies ignoring it?
A recent survey by DDLS concluded that there is very little sense of priority when it comes to cybersecurity training in Australian organizations. In fact, it didn't even make the top three training priorities, despite 77% of respondents ranking cybersecurity awareness as "extremely" or "very important" in their business.
It's little wonder, then, that Australia is struggling to close the widening skills gap, and has some work to do to create a more resilient infrastructure, from essential services to retail, and everything in between.
There is an enormous opportunity here for governments to create a security skills baseline certification, or regulation, and the strategy alludes to this as a way to work with finite resources. However, once again, this seems to be a future-state proposal, and we have the tools to start much sooner if we target high-impact areas first. For me, the beacon of hope lies in the development teams within each organization, and given the tools and knowledge to succeed, they can cut off common vulnerabilities at the pass and significantly reduce the risk of a data breach within their organization.
In 2019, 24% of all data breaches were caused by human error - namely security misconfigurations - which are usually relatively simple, code-level fixes. If training is made a priority here, in conjunction with building company-wide security awareness, I'm betting that there would be fewer CISOs signing off on breach notifications to thousands of compromised customers.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.