Navigating Critical Infrastructure Cybersecurity: Your Business Imperative
Posted: Wednesday, Jan 24



In an era where the security landscape is continually shifting, the words of American film producer Howard W. Koch resonate: “There is no security for any of us unless there is security for all.” The words were not originally about cybersecurity, but the sentiment fits the ambitious Australian government initiative to make the nation the most cyber-secure in the world by 2030.

The severe consequences of recent high-profile breaches, particularly in critical infrastructure industries, make the imperative clear: enterprises must fortify both their critical infrastructure systems and their broader cybersecurity posture. Today almost every business runs on software, which means cyber risk is business risk.

For example, the November 2023 DP World breach impacted 40% of Australia’s import/export capacity, underscoring the vulnerability of modern, highly interconnected supply chains.

Understanding Critical Infrastructure Responsibilities

Many businesses remain unaware of their responsibilities under the Security of Critical Infrastructure (SOCI) Act. Did you know that if your organisation operates, owns or holds an interest of at least 10% in an asset within one of the sectors covered by the Act, or holds an interest that puts it in a position to directly or indirectly influence or control the asset, the SOCI Act may apply to you?

These responsibilities are expanding, and organisations must pay attention. When the federal government released its updated cyber security strategy in November, it announced a $600M investment to fight cybercriminals and, at the same time, placed additional obligations on businesses. For example, under the strategy companies are to report ransomware demands through a no-fault, no-liability reporting scheme.

As cybersecurity minister Clare O’Neil said on the release of the updated strategy, directors must educate themselves about their responsibilities under corporate law.

Where to Focus

Amidst the SOCI Act responsibilities, organisations should place a particular focus on two critical areas:  

  • Cyber and information security – cyber risks to the digital systems, computers, datasets and networks that underpin a critical infrastructure system, including improper access, misuse or unauthorised control.
  • Supply chain – the risk that a disruption to a critical supply chain has a relevant impact on the critical infrastructure asset. The threat may be naturally occurring, malicious or deliberate, and it is not limited to external sources: it includes the software running on your own assets.

Beyond Ticking Boxes – What Level of Protection Is Needed?

The SOCI Act mandates that responsible entities minimise or eliminate material risks “so far as it is reasonably practicable”.  

But what does this mean?  

Reacting to security threats by buying another tool and hoping for the best is no longer acceptable. This ‘pay and pray’ approach will not decrease your risk; more likely it will increase it, while wasting money and your security team’s time and effort. The government’s heightened interest in critical infrastructure security after a breach demands an approach that is proactive and demonstrably effective. Are your current measures robust enough to withstand that scrutiny?

Organisations typically manage dozens of security tools and must wade through a complex maze of risk data produced by disparate solutions that are run by different teams. In effect they are trying to measure and remediate risk across their extended infrastructure with fragmented, limited data. The result is that they communicate cyber risk to their stakeholders inaccurately rather than reducing it effectively.

A Unified Approach for Enhanced Risk Management

In the face of increased regulation, now is the time for CISOs to re-evaluate their organisation’s cybersecurity risks in light of the business’ most critical assets. Once those assets are clear, the first step is to work out which technology investments would be most effective in protecting them.

CISOs can then make an informed decision to allocate resources to a consolidated, unified security platform that addresses these issues head-on. Such a platform delivers a centralised view of risk in a single, scalable solution, enabling a holistic approach to security and providing actionable insights for communicating the organisation’s cyber risk posture to internal security and business risk stakeholders.

It also provides external executive stakeholders, from the board to cyber risk insurers, with the necessary data to make the right decisions. 

It should also provide robust capabilities for attack surface management, vulnerability management and remediation, with a higher level of orchestration between them. As a result, security leaders can better measure, communicate and eliminate risk and maximise the positive impact on their businesses.

Need Further Convincing?

Moving beyond minimum requirements is both a regulatory necessity and a business imperative.

With ever-expanding attack surfaces and a growing threat landscape, cyber risk has become an elevated topic of importance and prominence for virtually every organisation, especially for the C-suite. Today, nearly 50% of CISOs report directly to the CEO, with over 90% regularly briefing their Board of Directors about their organisation’s exposure to cyber risk.  

Additionally, customers value proactive cybersecurity measures, especially when their sensitive data is at stake. 

In a world where interconnectedness amplifies cyber threats, organisations must elevate their cybersecurity strategies. The path to becoming a cyber-secure nation is not solely a governmental responsibility but a collective endeavour where each organisation plays a crucial role in fortifying the nation’s critical infrastructure. 

Richard Sorosina
As Chief Technology Security Officer (CTSO), Australia and New Zealand at Qualys, Richard’s focus is to work with business leaders and boards to identify opportunities to better manage and mitigate risk, while reducing cost and complexity through automation, orchestration, and technology consolidation. Richard also works with the regional ANZ Qualys team and their partner community to provide strategic advice, guidance and thought leadership for operationalising in-house and outsourced managed security services. Richard is a regular speaker at conferences across Asia Pacific and has had numerous articles published. Prior to Qualys Richard held a number of leadership roles over a career spanning 20+ years, including Head of Cyber Security at Macquarie Telecom, and Director of Sales Engineering APAC at LogRhythm.