KBKAST
Security Round-up: Marty Edwards | Compliance Costs and Enhanced Protections: Australia’s New Cybersecurity Protocol
First Aired: May 29, 2023

In this episode of KBKast, we look into the Australian government's recent announcement of new cybersecurity regulations for businesses. The new risk management protocol covers cybersecurity, physical security, personnel security, and supply chain security, and is aimed at encouraging companies to enhance their overall protection measures rather than at punishing directors for noncompliance. Marty points out that Australia's situation is similar to that of other countries, with many governments implementing baseline standards to encourage better cybersecurity practice. Some organizations have made real progress in cybersecurity, while others need more of a nudge from government to ensure critical infrastructure is secured. He also touches on the importance of investing in operational technology systems, including industrial control systems, which have been underinvested in from a cybersecurity perspective despite their vital role in operating electricity, gas, water, and transportation systems. As more governments require cybersecurity standards for these systems, both public and private sector organizations should invest in securing them.

Marty Edwards is a globally recognised Operational Technology (OT) and Industrial Control System (ICS) cybersecurity expert who collaborates with industry, government and academia to raise awareness of the growing security risks impacting critical infrastructure and the need to take steps to mitigate them. As Vice President of Operational Technology Security at Tenable, Edwards works with government and industry leaders throughout the world to broaden understanding and implementation of people, process and technology solutions to reduce their overall cyber risk. Prior to joining Tenable in 2019, Edwards—a 30‐year industry veteran—served as the Global Director of Education at the International Society of Automation (ISA). While at ISA, he was recognized by his industry peers with the SANS ICS 2019 Lifetime Achievement Award. Prior to ISA, Edwards was the longest‐serving Director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT). Edwards also served as a program manager focused on control systems security at the Department of Energy’s (DOE’s) Idaho National Laboratory (INL) and has held a variety of roles in the instrumentation and automation fields. Edwards holds a diploma of technology in Process Control and Industrial Automation (Magna cum Laude) from the British Columbia Institute of Technology (BCIT), and in 2015 received the institute’s Distinguished Alumni Award. In 2016, Edwards was recognized by FCW in its “Federal 100 Awards” as being one of the top IT professionals in the U.S. federal government.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

KB [00:00:14]: The Australian government has announced new cybersecurity regulations that will require businesses to increase their investment in cybersecurity protection. Companies deemed as running infrastructure critical to the country's national interest, including those in the energy, healthcare, water, food, transport and communication sectors, will have to comply with the new risk management protocol. The cost of compliance for affected companies has been estimated at almost 10 billion Australian dollars over the next decade. The new protocol will cover cybersecurity, physical security, personnel security, and supply chain security. It aims to encourage companies to enhance their overall protection measures to get up to the required standard rather than punish company directors for failing to comply. I wanted to investigate more on this topic, so I've gone to my network to retrieve some much needed answers. Marty Edwards of Tenable responded. So please keep on listening.

Marty Edwards [00:01:18]: What's happening in Australia is very similar to what's happening in a number of other countries around the world. We're very encouraged to see governments starting to put in place baseline cybersecurity standards of care. I believe for far too long, entities, whether they're private or public entities and organizations, have been left to their own devices with regards to cybersecurity. So although there are some organizations that have made relatively great strides and are doing a fairly good job of cybersecurity, there are others that really need, I guess, a little bit more of a nudge from the government in order to make sure that all of our critical infrastructure is secure. From a cybersecurity standpoint, I think everybody understands in the corporate or enterprise world where we do phishing tests or social engineering tests, or there's a fairly good tempo and pattern of behavior that's been established with regards to securing those environments.
But often what gets forgotten about, quite frankly, really ignored from a security standpoint are these operational technology systems, the industrial control systems that are required to do things like operate our electricity grids or our gas pipelines, or our water supply and water treatment facilities, or even transportation like railways and things like that. These systems have been significantly underinvested in from a cybersecurity perspective. And so it's very encouraging to start to see governments put out requirements for these kinds of systems and yes, even consider penalties for companies or organizations. As I said, this is not just a public sector problem. This is public sector or private sector organizations. They need to be aware that boards of directors should be held liable if companies or organizations are not performing their due diligence in investing in the security of these organizations.