Govt agencies urged to adopt a 'culture of security'


By Dylan Bushell-Embling
Monday, 27 March, 2017

Govt agencies urged to adopt a 'culture of security'

The Prime Minister’s top cybersecurity advisor has urged the ATO and other government agencies to draw lessons from the bungled 2016 online census and take steps to build a ‘culture of security’ into the organisation.

In a submission to a parliamentary inquiry into the tax system, Alastair MacGibbon said a key lesson from the eCensus incident is that security must be “baked in” to the design and delivery of digital government services.

“Government can develop a more ‘shared service’ consultancy approach to cybersecurity to boost agency capacity and allow resources to be reallocated to service delivery,” MacGibbon said.

He criticised government agencies for all too often displaying a “‘tick box’ compliance culture”, which means that “agencies will consider themselves secure if they get their internal ICT area and their subcontractors to put in place and uncritically follow prescribed security procedures. But compliance does not equal security.”

He instead urged agencies including the ATO to develop a culture of security allowing them to adapt to changing threats and educate their staff on good cyber hygiene.

In the wake of the incident, government agencies must also think critically about how they manage their relationships with vendors. Currently, outsourcing of technical capabilities is the norm, which makes managing cybersecurity risks more challenging, MacGibbon said.

“Trust is good, but trust without verification is dangerous,” he said. “Agencies need to verify the security capabilities of their vendors through regular testing and exercises. Agencies should also be cognisant that their ICT contractors also have downstream subcontractors involved in the service delivery who need to be trusted and verified as well.”

Finally, agencies need to learn from the eCensus event and improve the way governments engage with the public in the wake of a disruptive event or crisis, which should involve actively communicating with the public through social media channels.

“Agencies that do their business online with the public online need to speak to the public online too. Social media skills need to be raised across the Commonwealth,” MacGibbon said.

Image credit: ©duncanandison/Dollar Photo Club

Related News

CrowdStrike to buy Adaptive Shield

CrowdStrike is augmenting its SaaS security capabilities through the acquisition of Israeli-based...

LockBit named nastiest malware of 2024

LockBit, a ransomware malware known to have been used to attack Australian targets, has been...

Extreme Networks launches ZTNA solution

Extreme Networks' new ExtremeCloud Universal ZTNA solution combines cloud network access...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd