He was commenting on the release of recommendations on Tuesday by the Federal Government's Industry Advisory Panel on the country's next cyber security strategy.
Duerden said the Australian Government has been showing signs of moving towards this mindset by applying the globally recognised NIST and Mitre ATT&CK frameworks – both outlined by the Australian Cyber Security Centre.
He said the appetite existed for rapid change and rapid adoption of new approaches to risk management in cyber, but appetite was not always coupled with the structure for implementation.
"The reality is that the cyber security landscape can evolve exponentially in a period of six months. Confining agencies to a list of checkbox compliance items is also a huge challenge in effectively addressing cyber risk."
Verizon Business Group's Asia Pacific regional vice-president Robert Le Busque said the company he represented was pleased to see the recommendations.
He particularly welcomed the call for real-time sharing of threat information and increased inclusion of the private sector in economy-wide cyber-security initiatives.
"The lack of a common-language structured framework for data breach reporting, in addition to tactical engagements with the wider industry, has often been an Achilles heel for the cyber-security community," he pointed out.
"As such, greater threat intelligence and a closer working partnership across all sectors will allow for better situational awareness, and fewer shortcuts and assumptions in terms of compliance and understanding the threat landscape, and enable all organisations to better measure and manage security risk."
Thomas Fikentscher, regional director of CyberArk Australia and New Zealand, said that although the IAP recommendations were built around a framework with five key pillars – deterrence, prevention, detection, resilience, and investment – the report underscored the fact that cyber crime was a pervasive and endemic threat.
"It's the most significant threat in terms of overall volume, costing Australians and Australian businesses billions of dollars each year," he said.
"With the country facing a surge of domestic cyber criminals and nation-state attackers alike, now is the time for the Australian Government, in collaboration with the private sector, to invest in strengthening our cyber security defences.
"It's all about planning and preparing for the long game by redefining how to approach risk, especially in terms of securing business models that underpin digital workflows securely accessed by digital identities. No matter what the future holds, the actions taken by government and organisations today will inform what our collective tomorrow looks like, especially as we become increasingly reliant on the digital economy."
Email security firm Mimecast's ANZ country manager Nick Lennon said his company's team of local security experts welcomed the recommendations.
"It is reassuring to see that cyber security is increasing in priority and that the government is encouraging both the public and private sectors to build resilience and take security more seriously than they have to date," he observed.
"The security industry has been lobbying for a much more substantial level of attention and investment in Australia's cyber defences for some time, which has been challenging due to the reluctance of businesses to invest in cyber security as it's intangible and difficult to attribute return on value/investment."
Lennon said the announcement of the massive data breach of Western Australia's coronavirus management system was a glaring example of what could happen when end-to-end security and privacy was not invested in sufficiently or proactively.
"The importance of cyber security goes beyond the performance of our national technology infrastructure, into our absolute dependence on critical infrastructure, businesses keeping their doors open and the livelihood of our citizens," he added.
Richard Watson, Ernst & Young's lead partner for APAC Cyber Security Risk Management, said there was a real lack of understanding in Australian boardrooms around cyber security, which was largely a function of boardroom demographics.
"EY's Global Information Security Survey 2020 says that 72% of Boards are worried about cyber security, but only 48% of CISOs believe their board has the understanding they need to approve the investment required," he pointed out. "Boards have long needed to consider how the total cyber budget is allocated, particularly around the security operations centre.
"Our data shows that while the single biggest expenditure for our clients is the security operations centre, only around a quarter of attacks are discovered by the SOC.
"We're finding that many organisations continue to operate with first-generation manual SOCs, with automating the SOC and identity management accounting for the majority of cyber CAPEX spend."
He said that, in summary, there was a technology angle, a cultural angle and a process angle to discuss and implement. But if one looked at where regulation needed to point, patching was the biggest issue, as it was where organisations were most vulnerable; it was also how valuable customer data ended up for sale on the dark web.
"It's so easy if you're not updating the systems for attackers to scan the network and see you're running an old version of Windows or Internet Explorer and just use a commonly available attack," Watson said. "A benchmark for cyber security spend is one of the most asked questions we get and we recommend 7% to 10% of IT spend depending on sector."
"CISOs rank procuring/justifying budget as the hardest part of their job, closely followed by proving to management and the board that security is performing to expectations."