A Supercharged Security Culture is Needed to Navigate Australia’s Cybersecurity Rules
Posted: Tuesday, Mar 11


Introduction

A success marker in cybersecurity has traditionally been for an organisation to have an uneventful year – but this has become much harder to pull off. Even if an organisation manages to navigate the threat landscape without incident, it must still meet an ever-growing list of requirements just to maintain its license to operate.

Australian CISOs have never had to deal with a greater number of legislative and regulatory requirements being imposed to drive secure behaviours and uplift collective cybersecurity postures.

The country’s first standalone Cyber Security Act was passed at the end of last year, providing a legislative basis for action items in the 2023-2030 Australian Cyber Security Strategy. The Act imposes some immediate requirements on teams, and is set to be iteratively expanded over time in response to the threat landscape. The Strategy, meanwhile, asks organisations to comply with six “cyber shields” to defend against threats. For tech teams, this is a catalyst for the introduction of new rules. Baking security into all systems by default, and ensuring both they – and all staff in their organisation – have “the skills and resources they need to be cyber secure” are particularly important.

This builds on requirements for organisations in 11 sectors under the Security of Critical Infrastructure Act 2018, better known as SoCI. The latest requirement under SoCI imposes an ‘all-hazards’ approach to risk management, including mapping out and managing cyber risks “to digital systems, computers, datasets, and networks that underpin critical infrastructure systems”. Personnel risks around who can develop or interact with systems, and with what clearances, also affect how – and whom – organisations can hire.

On top of this, sector-specific regulations such as CPS234 in the financial sector impact the architectural, application development and infrastructure decisions of banks, insurers and other finance industry participants, by imposing rules designed to ensure the resilience of the sector to information security incidents such as cyber attacks.

The legislative and regulatory direction clearly recognises security as an ‘everyone’ problem, and that the lion’s share of responsibility cannot continue to be shouldered exclusively by CISOs and their immediate security teams. Instead, the focus shifts to sharing the responsibility and workload, by upskilling more internal cohorts in role-based security and building a more expansive internal security culture.

Prioritising Learning Pathways

The introduction of secure-by-design requirements on systems and software has ensured that development teams now have a much more critical role in securing their work.

This is bridging a traditional disconnect between developers and attitudes toward application security. In a survey conducted only three years ago, developers acknowledged the importance of applying a security-led approach in the software development lifecycle, but 86% did not view application security as a top priority when writing code.

In more security-conscious organisations, shift-left methodologies such as DevSecOps helped to close that gap by incorporating security rules into the software development lifecycle (SDLC) and into code deployment pipelines. But tooling can only do so much: precise, job-relevant upskilling is what really drives a change in mindset, approach and practices when ‘on the tools’.

This needs to be more than basic annual compliance training in the form of video lectures. Security leaders must go beyond simple box-checking to choose the right continuous learning pathways and tools to modify behaviour, not just meet elementary recommendations. This holistic approach is necessary to truly arm developers with the skills to navigate common vulnerabilities in their codebase.

CISOs at the forefront of implementing developer-driven security programs choose upskilling solutions that can be customised to reflect the scenarios they’re most likely to encounter in the course of their work.

Measures of Success

Effort invested in delivering a comprehensive, positive security culture that places developers as the driving force behind vulnerability detection and mitigation — or, ideally, not creating unsafe coding patterns in the first place — will determine an organisation’s success in meeting the plethora of elevated security requirements placed upon them.

Still, CISOs will need to formally measure the effectiveness of their efforts to uplift security on an organisation-wide basis, in line with the new requirements. The more they lean into the ‘people element’ of security, the more difficult it becomes to gauge and improve with the backing of solid metrics.

Improving the overall state of the security program requires benchmarking and frequent assessments to ensure each component is aligned with meeting pre-determined goals, guidelines or regulatory requirements, but this can be elusive, especially in measuring developer security skills.

While compliance is an important measure of success, two additional metrics can provide an effective gauge of whether a security culture uplift has been effective.

First, it will be apparent in the number of pre-production vulnerabilities: how well has code been written from a security perspective before being passed to the security team? Benchmarking assists immensely in maintaining higher software standards and in tailoring learning to suit problem areas among the cohort.

Second, mean time to remediate – catching these vulnerabilities as early as possible in the process – is paramount. This metric can also deliver insights into how well a development team is achieving security outcomes while maintaining speed of delivery, which the right upskilling pathways will support.

By focusing on an organisation-wide security culture, CISOs can best prepare to meet burgeoning security requirements. Being able to prove the effectiveness of their program with easy-to-understand scoring is also invaluable in maintaining trust, ongoing budget and funding.

Pieter Danhieux
Pieter Danhieux is the Chief Executive Officer, Chairman, and Co-Founder of Secure Code Warrior. He started SCW in 2015 and built it out from Australia into a global cyber security company with 220+ staff, helping more than 500 enterprises with building secure coders and software. In 2020, Pieter was recognised as a finalist in the Diversity Champion category for the SC Awards Europe 2020. In 2016, he was No. 80 on the list of Coolest Tech People in Australia (Business Insider), was awarded Cyber Security Professional of the Year (AISA – Australian Information Security Association) and is a member of the Forbes Technology Council. Pieter has been a Principal Instructor for the SANS Institute since 2007, teaching military, government and private organisations offensive techniques on how to target and assess organisations, systems and individuals for security weaknesses. Before starting his own company, Pieter co-founded NVISO in Belgium, and worked at Ernst & Young and BAE Systems. He is also one of the Co-Founders of BruCON, one of the most awesome hacking conferences on this planet. He started his information security career early in life and obtained the Certified Information Systems Security Professional (CISSP) certification in 2004 as one of the youngest people ever in Belgium. Along the way, he collected a whole range of cyber security certificates (CISA, GCFA, GCIH, GPEN, GWAP) and is currently one of the select few people worldwide to hold the top certification GIAC Security Expert.