ASD calls on government chief executives to up their cybersecurity game

The Australian Signals Directorate's newly minted director has rejected the idea of a cybersecurity skills shortage, saying instead that there is a need to ensure the people at the top of government departments are aware of the threats they face.
Written by Asha Barbaschow, Contributor

While much has been said recently about the skills shortage the Australian cybersecurity scene is said to be facing, Australian Signals Directorate (ASD) director-general Mike Burgess says a lack of talented folk entering the workforce isn't the issue; rather, it's the chief executive officers within government entities.

Addressing a Senate committee looking into the digital delivery of government services on Wednesday, Burgess, who returned to the ASD in December after a stint as Telstra's CISO and as an independent information security consultant, said skilled people is not the critical issue when it comes to cybersecurity resilience and risk mitigation in Australia.

"Skilled people is not the critical issue here, it's the skill of the chief executive and his/her management team in identifying and managing this risk effectively and the skilled executive level that can actually work through that to ensure themselves the right thing is being done -- that for me is the real issue, not the skills shortage of bright young ladies or men who know how to configure firewalls or set up systems securely," Burgess explained.

"There's a demand for good IT people, absolutely, that's not the problem here; the problem is having the chief executives asking the right questions.

"That's not a cybersecurity skills shortage."

The man now at the top of the agency responsible for signals intelligence and information security said the best thing that can happen within a government entity is the chief executive engaging with this risk to understand what's important to their particular department.

According to Burgess, it is crucial they understand the risk so they can "truly know" what services they have, particularly those that are online, and be across what threats they face, at the very least.

Burgess' remarks were made after he was asked by the Finance and Public Administration References Committee if there was a uniform mechanism in place across government that required departments and agencies to monitor whether cybersecurity-related practices were being baked into everything they do.

"I have no evidence to suggest that's happening uniform across government at the moment, and I say that not as a criticism, although in my capacity I am compelled to call out problems where I see them -- and I would do that, I assure you -- my commentary there comes as a community-wide, in fact global, problem in terms of businesses or government actually making sure they are able to identify and manage their digital risks or cybersecurity risks effectively," he explained. "The world continues to struggle with this."

Burgess said departmental chiefs do ask the ASD to conduct pen-testing to determine what level of security is present.

"There is a possibility that those who aren't taking this seriously don't ask for our help," he conceded.

"That would be a risky strategy for any chief executive because things get found out other ways ... there are many criminals out there who are attempting to break into systems, including government systems, all the time and most of those do become public and are found out."

Burgess put department bosses on notice for not seeking help where it is needed, confirming his agency is in the business of intelligence collection. He also confirmed it does have intelligence systems that draw its attention to systems in Australia that are having security problems.

"We do go knocking on doors sometimes ... those who were not seeking help, we would, through other means, find out there are problems, and then we help," he said.

"There is good advice coming from my agency, but what is missing is, are senior executives know the value of their data and understand who has access to it, where it is, how it's being protected from a data security point of view.

"It's not just a privacy or confidentiality of information that's the problem, it's also the availability of systems that could be impacted."

