Taking A Borderless Approach To Cybersecurity Governance
Posted: Tuesday, Nov 26

i 3 Table of Contents

Taking A Borderless Approach To Cybersecurity Governance

Robust cybersecurity has never been more important as cyberattacks continue to increase. In fact, according to the Australian Cyber Security Centre (ACSC), there were over 76,000 reported cyber incidents in 2022-2023, marking a rise in cyber activity across all sectors.

With attacks becoming more frequent and sophisticated, thereโ€™s a compelling need for Australian organisations to strengthen their governance frameworks.

Fortunately, businesses arenโ€™t left to fend entirely for themselves without guidance. Governments are keen to reduce the risks to businesses and customer data by implementing regulations which help standardise defences against attacks. Failure to comply can result in significant fines for organisations in the event of a data breach.

This puts product manufacturers in a bit of a tight spot, as they must understand the regulations that customers will be subjected to and ensure that their products are compliant. This requires continued monitoring and vigilance, as regulations can change, arise, or different regulations adopted by different regions. Global manufacturers need to stay ahead of the regulatory curve to avoid future issues with the upgrades required to maintain compliance.

Governance vs compliance

From a customer perspective, adherence to regulations only represents the starting point for protecting critical data; organisations must focus on both governance and compliance. These terms can sometimes be confused because they are closely linked. Governance refers to the internal policies that organisations put in place themselves. These tend to be over and above government regulations and tailored to their risk profile and the industry threat landscape.

On the other hand, compliance represents the measures put in place to ensure adherence to these internal policies and regulations. These measures must balance security with the user experience, without introducing unnecessary friction to processes and can be audited by a third party and should stand up to scrutiny.

Both governance and compliance are continuously assessed as new threats emerge and vulnerabilities are discovered. As such, manufacturers are tasked with not only having products and services that meet regulatory compliance but also meeting the governance requirements of all customers.

Thinking globally about regulation

Unfortunately, regulations are not standardised across geographies. Global manufacturers of video surveillance technology are challenged by the differences in regulations between regions.

For example, in Australia the Security of Critical Infrastructure (SOCI) Act 2018 mandates that critical infrastructure sectors, such as energy and communications, maintain stringent security measures. Failure to comply can have both significant financial and legal implications.

Contrast this with the US, with Executive Order 14028 on Improving the Nationโ€™s Cybersecurity issued in 2021. This tasks federal agencies, but also those private businesses that provide products and services, to comply with the enhanced regulations.

Other countries and regions around the globe have their own specific approaches, creating a complex regulatory landscape. This is especially true if a business is based in one country, such as the US, and operates globally. They must adhere to the local standards of the countries they do business with, or risk being non-compliant.

Successfully navigating the different data protection and cybersecurity regulations between geographies starts with a deep knowledge and understanding of these regulations, coupled with the best practices to protect sensitive data against cyberattacks. This will determine what type of cybersecurity protection should be incorporated into products to support the customersโ€™ own compliance measures.

Maintaining strong product lifecycle management

Even with a vast knowledge of regulations, manufacturers cannot lose sight of the ever-changing threat landscape. Firmware on products must be updated periodically and in line with new vulnerabilities. Problems can be encountered where legacy products are still in use, and which sometimes can no longer be updated.

For this reason, cybersecurity must be considered as part of the product lifecycle management. If products are beyond a certain age, they may no longer be cyber-secure. This is complicated by changing regulations, which may also mean that the device is no longer compliant. Rectifying this may require the manufacturer to review software and firmware which is older than five years, which can be very difficult.

Beyond the manufacturerโ€™s four walls, another area which needs attention is the supply chain. As cybersecurity is a high priority, organisations within the manufacturerโ€™s supply chain must be able to demonstrate how they approach cybersecurity and data protection. This includes how they comply with regulations and why they are โ€˜safeโ€™ to do business with. Armed with this knowledge, manufacturers can be assured that they are not inadvertently introducing risk into their products.

With customers taking greater measures to ensure the products they buy are more compliant in areas such as component sourcing, product manufacturing, organisation sustainability, and cybersecurity, it is more important than ever for organisations to be transparent.

Being open about vulnerabilities, providing a list of components required in product software in the form of a Software Bill of Materials (SBOM), and software updates, to name a few, builds trust, which in todayโ€™s global landscape is an important commodity.

A Unified, Borderless Approach to Cybersecurity Governance

Cybersecurity threats may be borderless, but effective governance requires a coordinated and comprehensive approach that considers local regulatory landscapes, global best practices, and evolving threat vectors. For Australian organisations, aligning with domestic standards such as the SOCI Act, while keeping abreast of international developments, can provide a robust foundation for resilience.

As cyber threats continue to grow in volume and complexity, a borderless approach to cybersecurity governance is not only prudentโ€”itโ€™s essential for safeguarding the Australian digital landscape.

Wayne Dorris
Wayne Dorris is the Cybersecurity Program Manager for Axis Communications, Americas, wherein he generates awareness and assists with cyber strategy and demand in Axis products. With more than 30 years of experience in the security industry, Wayne influences IP solutions relative to cybersecurity through relationships and networking with all standards organizations, associations, partners, customers. He is a Certified Information Systems Security Professional (CISSP) and is Chair for the Cybersecurity Advisory Board for the Security Industry Association.
Share This