The Australian Signals Directorate has recently removed all traditional references to “should” and “must” from the Information Security Manual. This means that there are no longer a defined set of security controls that must be in place to achieve accreditation of secure and classified networks. This represents a transition in the way that the government treats cyber security, and will enable and delegate the responsibility for government and industry partners to determine their own cyber security risk, their risk appetite, and in turn use these to determine what security controls they need to implement to achieve an accepted level of risk.
This presentation discusses the impact of these changes, as well as the industry wide transition from a compliance or “checklist” based cyber security strategy, to one more in line with traditional business or mission risk. We also discuss what you need to understand within an organisation to be able to qualify the cyber risk, and why cyber risk should not be considered an independent entity, rather reintegrated back into an overall consideration of business or mission risks. Finally, we discuss the clear benefits that this approach has, specifically the enabling of an organisation and its staff to do their job in a secure manner, with security being an enabler rather than a disabler.