Acknowledging our faults.
Written by Toby Amodio, Director and Government Cyber Delivery Lead, MF & Associates, 2024
One of my colleagues started a meeting recently by asking the group to be vulnerable - open to talking freely in the session. Being in cyber security this provoked laughter about the need to be vulnerable about our vulnerabilities. What I mean by this the necessity to acknowledge the weakness of a system in order to facilitate remediation. While the session went on a separate tangent this concept stuck with me. The challenge of being vulnerable about being vulnerable is at the core of many of the issues across government cyber security.
For better or worse government cyber security team performance is often measured in reputation rather than risk. Being divorced from many of the financial realities that face businesses (the tax office isn’t going to go out of business) means that reputation often plays a greater role in measuring success for senior executive and the agencies. Many public service careers are built or destroyed on the back of bad press. This means that perceived success or failure is often linked to events that shape your reputation.
Your cyber reputation in government is most often affected in one of three ‘cyber’ events - a breach of your systems/data, an externally visible audit, or as part of your mandatory reporting. They each have their own challenges, but managing your reputation throughout can be a double-edged sword.
Lastly reporting in government is critical, the annual compliance report can make or break cyber careers. Unfortunately, due to cross-agency visibility and ministerial or executive reporting there is often a strong desire in executive groups to shape reporting. This is often achieved through selective scoping, creative interpretation, and misrepresenting posture. Complement this with a constantly shifting compliance bar this proves to be a rod for the back of the cyber security leader whose role is often to tell their boss how ugly their baby is.
This desire to minimise reputational hit has serious consequences for us as a profession. Without fear and frank transparency about the scale of the challenges facing government cyber we cannot mobilise the resources to reduce risk. In turn we fight our battles in isolation.
Without transparency we cannot learn from each other’s incidents to achieve the economies of scale in defence, we cannot use our audit processes to drive investment in the areas of most need and we cannot empower the coordination agencies with the data to support whole of government uplift.
Only together can we build resilient systems, and this includes being vulnerable about our vulnerabilities so that we can work together to address them.
Breaches are a fact of life and a reflection of the defender’s dilemma - the defender must get it right 100% of the time and the attacker only needs to get it right once. Despite this, following breaches, the narrative is often centred on blaming the victim. The story will focus on the missing controls, not the challenges that exist in implementing those controls across a complex ecosystem with 100% efficacy. You would never blame a person in a pub for being sucker punched, so we should not blame the compromised entity.
This victim shaming of organisations that share that they have been impacted depresses incentive for people to voluntarily come forward which in turn restricts the sharing of valuable lessons learned. In the inverse people are rewarded reputationally by not coming forward. It also reduces the greater community understanding of cyber-attacks, which can provide a false narrative that everyone is doing fine.
Continuing the theme of visibility, externally reported audits provide public transparency of government entities. The flip side is that, often due to constrained budgets, these audits must be prioritised which leads to agencies focusing on beating the audit, not managing risk. It’s like studying for the test but not the life that comes after the test. Being publicly named and shamed in an audit result often leads to pressure on the cyber team rather than the entities within the organisation which failed to maintain the controls. This is also not met with mandatory, ear marked, investment from government which can fund remediation or uplift. It’s one thing to point out an issue, but those areas need support to remediate the issue.
Toby Amodio, the former CISO at Parliament House and the ATO and now Director and Government Cyber Delivery Lead at MF & Associates.
Article originally written for AISA