“One suggested option has been to explicitly include security as a ‘fourth pillar’ in evaluating proposals, alongside cost, quality and timescales …”
The ASPI report was funded by local data centre operator Macquarie Government and written by security consultant Dr Rajiv Shah.
Speaking at a webinar last week, Macquarie Government CEO Aidan Tudehope called for quick action, noting cyber’s potential as a job creator.
“The key here is if you embed [security] into procurement, that $10 billion at the Commonwealth level, the $3 billion of ICT spend in NSW, you provide a commercial incentive for businesses to invest in cyber security,” Mr Tudehope said.
Strategic approach lacking
The report highlights the multiple standards different agencies use and the lack of a national strategic approach to public sector cyber practices.
“Current approaches are fragmented and having limited impact, so a concerted national effort is needed, underpinned by major strategic changes in approach,” it says.
The report recommends that the current array of supplier standards be simplified to a single set with multiple levels that can be used for different risk levels and that allows suppliers to demonstrate progress and enhanced levels of security.
On testing and certification, the report says a quick win would be to set up a centralised library of evaluations conducted by individual departments, so other departments can reuse work already done.
Requiring providers to have mandatory cyber insurance would ensure security risks are effectively factored into supplier quotes. This would be similar to the current requirements government has for suppliers to have liability insurance.
The report also calls for a “sovereign capability strategy” to ensure market opportunities for Australian companies and to build local capability.
“When I think about sovereign capabilities and sovereign skills, there is no area more important than cyber security,” Mr Tudehope said.
“It’s a horizontal theme, it goes across all sectors. And so by setting some clear frameworks that we then embed into government procurement, we provide commercial incentives for Australian businesses and overseas businesses to raise their cyber security posture, it is relatively straightforward.”
Speaking at the webinar, Michelle Price, the head of industry growth centre AustCyber, recommended federal agencies set up a procurement sandbox environment.
“We actually think that this is the best concept to be able to start to move the needle on the conception of risk, enable SMEs to be part of the equation.”

