Session 3.4e: Update - Ensuring the Cybersecurity of Mission Capabilities across the Defence Capability Lifecycle
Thursday, November 20, 2025 | 11:30 AM - 12:30 PM | Sutherland Theatre
Details
The Department of Defence acquires complex systems-of-systems that span the boundary between operational technology (OT) and information technology (IT). However, the current process for managing cybersecurity risks—primarily through the extant Authority to Operate (ATO) framework—has proven inadequate in informing decision-makers about capability-level mission risks. This was highlighted in the 2024 Australian National Audit Office (ANAO) report, which noted that risk assessments conducted just prior to Initial Operating Capability (IOC) leave little opportunity for design changes, while the use of IT-centric standards like the Information Security Manual (ISM) on a system-by-system basis fails to provide a holistic view of mission risk.
In response, Defence is trialling a Secure-by-Design approach to embed cybersecurity considerations throughout the capability lifecycle. Central to this is the adoption of Mission-Based Cyber Risk Assessments (MBCRA), which were piloted on a major Royal Australian Navy capability. This approach resulted in the issuance of an Authority to Operate – Conditional (ATO-C), contingent on ongoing risk management by the System Program Office (SPO) via maintenance of the MBCRA.
Understanding and managing cyber risk early and continuously is critical to delivering resilient, Secure-by-Design capabilities. The trial demonstrated the value of using the Cyber Evaluation and Management Toolkit (CEMT) to support MBCRA, though several challenges remain. This presentation will outline the trial’s outcomes and share key lessons learned, including cultural shifts across the enterprise, challenges in process implementation, and difficulties in assuring the completeness of cyber risk assessments.
Speaker
Mr Daniel Blazevski
Assistant Director Cyber Security Engineering
Defence
Biography
In 2025, Daniel Blazevski took up his current role as the Assistant Director of Cybersecurity Engineering in the Defence Cyber Information Assurance Branch of Defence's Joint Capabilities Group. In this role he is responsible for leading the conduct of Mission Based Cyber Risk Assessments on various Mission Capabilities, and developing and rolling out the Defence Secure-by-Design Framework.
Daniel started full-time in Defence in 2024 as a Cybersecurity Engineer in the Cybersecurity Engineering Team, where he was responsible for conducting a pilot of Mission Based Cyber Risk Assessments on a Navy Capability. Daniel first joined Defence in 2019 as an Army Reservist, where he worked as a Signals Troop Commander until 2024. Daniel has a Bachelor of Computer Science (Security Engineering) from UNSW and is currently studying a Master of Professional Engineering (Cybersecurity Engineering) at UTS.
