In the past couple of years, the Australian National Audit Office (ANAO) has made a number of adverse findings on the cyber posture of the nation's agencies and departments.
At the start of the year, ANAO said tight deadlines lead AEC to ditch security compliance, a decision rejected by the AEC, and last year, ANAO found the Australian Taxation Office and the then-Department of Immigration and Border Protection were lacking on the information security front.
However, freshly-minted director-general of the Australian Signals Directorate (ASD) Mike Burgess told Senate Estimates on Tuesday night that taking a checklist approach to security is not always a good approach.
"Compliance with a list is not by itself good security," Burgess said. "There is no doubt [ANAO's] findings are their findings, but from that you should not necessarily draw that the heads of those departments, the agency heads, are not taking their responsibilities seriously, and they do work hard to identify and manage their security risks."
According to the ASD chief, the existence of legacy IT systems is hampering some agencies from implementing the mandated Top 4 Mitigation Strategies issued by the Signals Directorate.
"If you can't implement that because your IT systems are old and in need of investment, you can still manage that risk effectively by having other security controls in place that help you identify a problem," he said. "Anti-virus software is one such example of that, that enables you to effectively mitigate that risk whilst you can't technically implement application whitelisting at that point in time."
Fronting Estimates in his capacity as head of the Australian Cyber Security Centre (ACSC), Alastair MacGibbon said compliance decisions are a risk management exercise.
"Frankly speaking, I doubt whether there is ever going to be a situation where everyone is able to implement all of this advice," he said. "It depends on what they are doing, whether they can, for example, patch at a time if you have an essential system that has to be up all the time.
"Then it is much harder to patch within a certain period which would be recommended -- so that becomes a risk exercise between the secretary or agency head, and the concept of this best-in-breed advice."
MacGibbon -- who, as well as running the ACSC which is set to move underneath ASD come July, reports into the Peter Dutton-led Department of Home Affairs superministry on matter of policy -- echoed previous comments that the 2016 Census failure was a wake-up call and began a maturation within the Commonwealth on the concept of risk.
"As sad as it was that the Census website failed on that evening due to denial of service attacks, it was a useful exercise for talking about risk, talking about responsibility, and talking about how to make Commonwealth services more resilient," he said.
"There's still plenty of room to grow there, and our job is to keep raising it, to have those discussions, put out good advice, and make sure that advice is implementable."
"Because you can put a pristine piece of advice out and it could be too hard to implement, thus the concept of always reviewing the types of advice we give, working not just in the public sector but with industry themselves, to reduce risk to the Commonwealth.
When you have most of the cyber talent in the public service, why should you defer to an agency without a cybersecurity team?
Microsoft has received accreditation from the Australian Signals Directorate, allowing it to store highly classified government information up to 'protected' level on its Office 365 platform and specific Azure services.
The Australian Signals Directorate's newly minted director has rejected the idea of a cybersecurity skills shortage, highlighting rather there's a need to ensure the people at the top of government departments are aware of the threats they face.
Prime Minister Malcolm Turnbull has appointed Mike Burgess as the next director-general of the Australian Signals Directorate.
New Australian Signals Directorate chief Mike Burgess outlines his priorities for the restructured agency's next 12 months.
A flaw in T-Mobile's website allowing anyone to access customer data highlights the need for internal audits and authentication.