Hitting the cyber gym
Written by Toby Amodio, Director and Government Cyber Delivery Lead,
MF & Associates, 2024
Following university, I joined the public service, where I started my first desk job. I immediately learnt that sitting at a desk for eight-plus hours a day is not good for my back or my waistline. In response to this, I begrudgingly started structured exercise – a journey that has had its ups and downs, but that continues to this day. In parallel with this physical journey, I fell into a cyber career that has mirrored those physical ups and downs.
Exercise has given me an understanding that sometimes the good things in life can be hard, that there is a difference between being sore and being hurt, and that abs are extremely difficult to obtain. No matter how fit you are, there is always someone more fit; however, your level of fitness is relative to your own personal goals. The same can be said of cyber goals being relative to each organisation’s business objectives.
Cyber has given me an appreciation for how ICT systems work as an ecosystem to achieve a greater business outcome; how you need to unify people, processes, and technology; how the threats will always adapt to the controls; and, of course – as with exercise – how the journey never ends.
Over recent years, the term ‘cyber hygiene’ has become common for articulating the regular, fundamental practices required to help ensure that an ICT environment is secure. It has also been used to describe the health of the organisation, with poor cyber hygiene being attributed to regular breaches, and good cyber hygiene being defined by fewer successful intrusions or interruptions to business. Unfortunately, the use of the word ‘hygiene’ can be deceptive – betraying the effort and work required, and undermining the message.
Human hygiene is typically understood as the basic daily preventive tasks that we undertake to ensure that we protect ourselves from external threats, such as illness, disease and poor nutrition. To combat these threats, we do things like wash our hands, brush our teeth, and exercise – all relatively low-cost, necessarily brief and menial tasks. The key emphasis in the definition surrounding human hygiene is the repetition and frequency of the tasks. Herein lies the flaw in this language when applied to a cyber context – where human hygiene is achieved through menial repetitive tasks, in the case of cyber security, this definition does not appropriately capture the cyber reality with which we are presented.
Hygiene is universal in its application; fitness is tailored and focused to the individual or the goal. This is pertinent; if you need to set the deadlift world record, then running for many hours a day may not help you to achieve your objective. If you patch your server operating systems, that won’t protect your web services against application security flaws.
Hygiene rewards consistency, yet this is not guaranteed in fitness. If you keep doing the same things in the gym, then your results will drop over time. You need to constantly adapt as your body’s needs and the environment change. In an ICT environment, the systems and threats are constantly evolving, and require new and innovative approaches to maintain a healthy state.
There is merit in focusing on those things that we need to repeat, and ensuring that we all do the basics beautifully. But cyber fitness is more complex than that – it requires ongoing exertion, adaptation, consistency, self-reflection, innovation and investment.
So, next time you hear about cyber hygiene, supplement it – focus on the whole ICT body and aspire to achieve cyber fitness. If you aim to run a cyber marathon as opposed to simply brushing your cyber teeth, we may all end up in a more holistically secure position. Also, get out of your chair and walk around – your back will thank you for it.
The reality is that cyber has more in common with the steps and discipline required for fitness than it does with human hygiene.
While it is true that both require consistency, hygiene tasks rarely change over time and represent easy steps to protect yourself, whereas fitness is hard, requiring constant exertion, discipline and adjustment to achieve minor improvements. As you get older, fitness requires even greater investment and diligence to achieve or maintain the outcome. Anyone who has managed the enforcement of security controls can vouch that it is more akin to lifting weights than washing your hands, as the nature of these are tied to an ever-evolving cyberthreat landscape.
Similarly, when you skip a hygiene activity it can be made up quickly; when you skip fitness, however, it drops off considerably and can be even more challenging to return to where you once were. Everyone has those legacy systems, where the business has lost focus over time, that now require more than just a patch to return them to a fit cyber state.
Toby Amodio, the former CISO at Parliament House and the ATO and now Director and Government Cyber Delivery Lead at MF & Associates.
Article originally written for AISA