At a glance.
- Australia issues corporate cybersecurity governance principles.
- Industry wish list for NIST Cybersecurity Framework 2.0.
- The US’s Critical Infrastructure Security Fund could serve as a global example.
Australia issues corporate cybersecurity governance principles.
The Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) have released a set of cybersecurity governance principles with the goal of providing “a clear and practical framework for organisations to build stronger cyber resilience.” Taking into account input from government as well as industry leaders, the principles largely focus on the role directors should play in managing the company’s cyber risk. The document sets out guidelines for oversight across five areas: defining roles and responsibilities, developing and evaluating a cyber strategy, incorporating cyber into risk management, building a cyber resilient culture, and preparing for and responding to significant cyber incidents.
As CRN Australia notes, the guidelines address the role of cyber insurance, which Australian companies have been slow to acquire. “There is a limited pool of providers of cyber insurance in Australia and the often-tailored nature of policies means they can be relatively high cost and may have specific conditions or exclusions of particular cyber incidents (e.g. act of war),” the document reads. The principles go on to urge directors to educate themselves on what is and what is not covered by cyber insurance. AICD managing director and chief executive officer Mark Rigotti MAICD stated, “Cyber security is a crucial area for boards and we know they are looking for as much support as possible. Building cyber resilience within organisations is ultimately about building resilience across the nation as well as capacity within our teams and organisation.” The principles come as the Australian government reassesses the country’s cyber legislation in the wake of a wave of recent high-profile cyberattacks.
Industry wish list for NIST Cybersecurity Framework 2.0.
In an effort to keep up with the ever-changing cybersecurity landscape, the National Institute of Standards and Technology (NIST) is planning a significant update to its Cybersecurity Framework (CSF). As Tripwire explains, the CSF was originally created in 2014 and most recently updated in 2018. To incorporate feedback from stakeholders, NIST released a Request for Information (RFI) titled “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework and Cybersecurity Supply Chain Risk Management.” Over one hundred responses were received to the RFI, including suggestions for improving the framework and making it more compatible with other resources. Seven main themes emerged, including maintaining the CSF’s ease of use, aligning the CSF with existing NIST and non-NIST efforts, and offering more guidance to entities aiming to implement the CSF. Respondents also stressed the importance of keeping the CSF technology-neutral, defining assessment and evaluation metrics, and taking into account the security risks faced by supply chains.
The US’s Critical Infrastructure Security Fund could serve as a global example.
As part of the Biden administration’s $1.2 trillion infrastructure deal signed last year, the Department of Homeland Security announced last month that it would begin distributing funds to critical infrastructure providers to address cybersecurity vulnerabilities. A total of $1 billion will be given out over the next four years, with $185 million of funding granted to this first wave of applicants. The money couldn’t come at a more convenient time, given the increase in attacks on US infrastructure such as schools and supply chain systems. BlackFog notes that such incidents have been surging all over the globe, citing recent attacks on victims such as the UK Public Transport Company and the Republic of Montenegro. Countries experiencing social or economic unrest or geopolitical crises make attractive targets, as infrastructure operators are often too overwhelmed to focus on cybersecurity, and other nations should perhaps take a page from the US’s book when it comes to providing financial support for critical infrastructure.