On Wednesday, 22 November 2023, Minister for Home Affairs and Cyber Security, the Hon. Clare O’Neil MP, announced the 2023–2030 Australian Cyber Security Strategy, a strategy to which Forrester contributed in April 2023 via a submission to the discussion paper. The Australian government’s stated vision is “By 2030, Australia will be a world leader in cyber security … a future where stronger cyber defences enable our citizens and businesses to prosper, and to bounce back quickly following a cyber attack.”
Similar to US President Joe Biden’s 2023 National Cybersecurity Strategy, Australia’s strategy signals a government that intends to significantly ramp up not only its own cybersecurity capabilities but also those of the broader private sector and citizenry — a trend of governments around the world that are reclaiming their purpose in addressing seismic political and technology changes.
In the US, the security and risk (S&R) team published a blog demonstrating how Forrester research helps our US clients address the five pillars described in the full US National Cybersecurity Strategy document. Many parallels can be drawn between the five pillars of the US and the six cyber “shields” of the Australian strategy. Those seeking to see the full extent to which Forrester’s research capabilities can help them should review the US cyber strategy blog.
This blog outlines Forrester’s existing S&R research in areas that can help organizations navigate, manage, and prepare for the implications of some of the less obvious aspects of the Australian Cyber Security Strategy.
Overall Takeaways
Whether your organization is in the public or private sector, your cybersecurity program will feel the impact of the Australian Cyber Security Strategy. The strategy adopts a human-centered approach to cybersecurity, with the strategy document clearly noting that cybersecurity:
- Has impacts that are felt across cities, workplaces, schools, and homes, as well as governments and industry. Responsibility and accountability for cyber therefore sit with a multi-stakeholder system that requires coordinated and concerted effort.
- Yields business and societal benefits that extend beyond the protection of data and citizens to the economic benefits of a vibrant cyber market, with trust named as a stated outcome in several parts of the strategy.
- Is no longer a technical topic but a whole-of-nation effort.
- Can only be enabled by a diverse and professional cyber workforce.
Shield 1 — Strong Businesses And Citizens
(Awareness, Behavior, And Culture)
The strategy recognizes the role that citizens, governments, employees, industries, and the community play in Australia’s cyber landscape, along with plans to deliver awareness-raising campaigns promoting online safety. It draws a parallel between routine cybersafety and hand-washing or putting on a seat belt. It also acknowledges that genuine behavioral change will take time.
The government’s specified aim is to continue the national cyber awareness campaign to help citizens understand how to protect themselves online. The strategy indicates that it will partner with private enterprises to make this happen. Shield 4 (Protected Critical Infrastructure) also mentions that the government will work with state, territory, and local governments to build a nationally consistent and robust culture of cyber resilience but stops short of specifying under which objective or action this will be required.
While the intent is solid, the focus on awareness, without mention of how to effect or measure the long-term behavior and culture change required, puts the strategy at risk of focusing on the method rather than the outcome, potentially perpetuating years of status quo in this space.
Get ahead of the curve and learn about the disruption that is occurring in the security awareness and training market — the future state of which is adaptive human protection, with human risk management being a medium-term stepping stone.
Relevant Forrester research on these topics includes:
Shields 4 And 5 — Protected Critical Infrastructure And Sovereign Capabilities
(A Large, Skilled, And Diverse Workforce)
One of the two objectives of Shield 5 (Objective 17) centers around growing and professionalizing the national cyber workforce. It aligns with one of the actions of Objective 15 in Shield 4, which is to uplift the cyber skills of the Australian Public Service.
(Attract, Retain, And Advance Talent In Cybersecurity)
This strategy does an excellent job of articulating its role in building a large, skilled, and diverse cyber workforce, making great strides in defining diversity and inclusion (welcoming people from a wide range of backgrounds and fostering a workforce that is inclusive and offers strong career opportunities for diverse cohorts, especially women). The strategy places significant focus not only on attracting but also on retaining talent, as well as on the importance of building respectful workplaces and team cultures.
Relevant Forrester research on these topics includes:
(Manage Mental Health And Burnout Of Your People)
The strategy stops short of specifically calling out burnout in cybersecurity as a risk, which is a miss in such a human-centered approach to strategy. Perhaps the details will come later, once the specific plans around retention and building a physically and psychologically safe workforce are released. As a nation, we must ensure that cybersecurity teams have the tools, processes, and budgets to complete their jobs. There is a lot at stake, not just for them but for employees, customers, and society. And last but possibly most important, government can work to normalize the conversation around mental health and burnout.
Relevant Forrester research on these topics includes:
Shield 4 — Protected Critical Infrastructure
(Zero Trust)
One of the stated goals of this shield is to uplift the cybersecurity of the Commonwealth Government through a set of four actions that the government will take, including “strengthening the cyber maturity of government departments and agencies.” The intent is to build on the best-practice principles established within the Australian Signals Directorate’s “Essential Eight.” It specifies that the government will also draw on internationally recognized approaches such as Zero Trust and aims to develop a whole-of-government Zero Trust culture.
(Leapfrog To Modern Security By Embracing And Drawing On Zero Trust)
The government drawing on Zero Trust (ZT) does not come a second too soon. Introduced by Forrester in 2009, and since then undergoing an evolution of scope and definitions, ZT is the de facto security model for a growing number of organizations both in Australia and globally. 2021 saw the launch of the Singapore Government’s Zero Trust Architecture, the US Cybersecurity & Infrastructure Security Agency’s Zero Trust Maturity Model, the release of President Biden’s Executive Order, and the US National Institute of Standards and Technology’s release of its Zero Trust Architecture.
ZT adoption in Asia Pacific and Australia has been slower, and it is thrilling to see the Australian government finally joining these ranks. “Zero Trust” is now a familiar part of the nomenclature and vocabulary here in Australia, and the government’s recognition of the strategy is a first step in moving toward a modern approach.
Forrester believes that the commercial ZT adoption landscape will be changed as organizations not only recognize the benefits of ZT but also see it as becoming a cost of doing business with the federal government.
Relevant Forrester research on these topics includes:
(Avoid “Essential Eight” Compliance-As-A-Strategy Approach)
The strategy intends to build on the best-practice principles established within the Australian Signals Directorate’s Essential Eight. Government departments and agencies can leverage ZT to comply with the Australian Essential Eight by using a ZT framework as the foundation for their security strategy and architecture. Forrester’s research in 2021 called for organizations to embrace ZT for Australia’s Essential Eight efforts. ZT provides a prescriptive roadmap to improved security posture and a way to continuously meet and, in places, exceed Essential Eight compliance requirements.
Relevant Forrester research on these topics includes:
(Communicate ZT To Gain Influence And Secure Budget)
The strategy aims to develop a whole-of-government ZT culture. While defining and implementing a ZT “culture” requires some more nuanced work, the government’s in-principle focus on instilling culture is admirable.
We know that security initiatives such as ZT fail due to lack of understanding, not technology. Whether you’re a public or private organization going on the ZT journey, you need to lock in support from stakeholders for a leading Zero Trust vision by communicating ZT definitions and business benefits, articulating your ZT implementation vision, and demonstrating how you will lead a culture of change to enable ZT.
Relevant Forrester research on these topics includes:
Use The Full Extent Of Forrester’s Research To Get A Head Start
Those wishing to see the full extent to which Forrester’s research can help with the other shields not discussed above should read the US cyberstrategy blog, with some examples noted below of Forrester research that can support government and industry players as the nation implements the six shields:
Let’s Connect
Forrester clients who have questions about the Australian Cyber Security Strategy can reach out to me via an inquiry or guidance session.