Cybersecurity experts praise new Australian Government mandate

The Federal Government's recent mandate, PSPF Direction 002-2024, aims to significantly bolster cybersecurity measures within Australian Government entities by requiring them to identify and actively manage risks tied to vulnerable technologies. The announcement has sparked reactions from key figures in the cybersecurity industry, who have shared their insights on its implications and potential impacts.

Pieter Danhieux, Co-Founder and CEO of Secure Code Warrior, highlighted the broader implications of the new directive. "The PSPF Direction 002-2024 from the Australian Government has the potential to shape a wider movement towards stronger security programs nationwide," he noted. Danhieux believes this mandate is an opportunity for the government to lead by example on cybersecurity essentials, especially regarding connected technology assets. He stressed the importance of data-driven insights into the skill levels of developers and suggested that providing solid learning pathways could help address code-level vulnerabilities early on. However, Danhieux cautioned that while the mandate is a good step, ensuring the resources to implement it successfully is crucial to avoid another "well-intentioned plan that is ultimately toothless."

Ashwin Ram, Cyber Security Evangelist at Check Point Software Technologies, expressed admiration for the initiative. "We applaud this great initiative from the Department of Home Affairs," Ram stated. He emphasised that vulnerable assets, particularly software vulnerabilities, are a common attack vector for threat actors. Ram pointed out that the Technology Asset Stocktake is an invaluable step in effective risk management, allowing entities to identify, analyse, and evaluate risks to prioritise cyber investments and efforts accordingly. He also recommended automating the asset stocktake process to ensure up-to-date risk management decisions. He suggested a more cautious approach when procuring assets from manufacturers or suppliers who consistently produce vulnerable technology assets.

Wayne Phillips, Field CTO for Asia Pacific and Japan at SentinelOne, acknowledged the growing awareness of risks posed by third-party service providers and unpatched internet-facing services. "The Department of Home Affairs is taking proactive steps to strengthen the underlying fabric of the Australian Government's security practices," Phillips observed. He stressed the need to adopt a "thinking like an attacker" mentality to manage threats proactively. According to Phillips, while most government organisations have some asset and vulnerability management level, the scope often remains limited to legacy systems and tends to be reactive. He also underscored the importance of secure sovereign cloud services capable of comprehensively identifying cybersecurity vulnerabilities across the government.

Adding to the discussion, Anthony Daniel, Regional Director for Australia, New Zealand, and the Pacific Islands at WatchGuard Technologies, outlined four additional measures to enhance security and risk management. These measures include implementing regular training and awareness programs to keep staff updated on security practices, conducting third-party security audits to identify risks missed by internal reviews, regularly updating security policies to adapt to the evolving cyber threat landscape, and investing continuously in security technologies such as encryption and multi-factor authentication. Daniel remarked that these steps would further bolster the security posture of government networks and safeguard sensitive information.

The responses from these cybersecurity experts collectively underscore the importance of a multifaceted approach to managing technology risks. They advocate for continuous improvement, regular training, and vigilant assessment to ensure the government can respond effectively to the ever-evolving cyber threat landscape.