There are two key statistics that jump out of the ASX survey of the cyber risks facing Australia’s top 100 publicly listed companies and both reflect positively on boards of directors.
First, the majority of boards have a clear understanding of the potential impact from the loss of, or disruption to, key information and data assets.
Second, three-quarters of boards have engaged external parties to perform regular vulnerability or penetration assessments.
These are welcome findings from the first attempt by the ASX to report on how the boards of Australia’s largest companies are building their cyber resilience.
There are many other important findings from the survey, but suffice to say that those charged with overseeing the governance of corporate Australia are not asleep at the wheel when it comes to cyber risks.
That is not to say all the survey’s findings are positive. As with any fast-evolving threat to business there is work to be done to stay ahead of the game.
The survey, which is being released today at an event in Sydney hosted by ASX chairman Rick Holliday-Smith, found that boards of directors are not adequately informed about how their critical digital assets are being managed by third parties.
Boards were asked the following question: Does the board have an understanding of where the company’s key information or data assets are shared with third parties?
About a third said they had a limited understanding, almost half said they had a reasonable understanding and about 11 per cent said they had a clear understanding.
This is not reason for customers and shareholders of major companies to panic. But it does show the opportunity that is there to reduce potential vulnerabilities.
It is the opportunities presented by rising cyber risks that will be at the forefront of discussions when the ASX 100 Cyber Health Check report is released today.
The launch will be attended by Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, Australian Securities and Investments Commission commissioner responsible for financial markets, Cathie Armour, and the Special Adviser to the Prime Minister on Cyber Security, Alastair MacGibbon.
MacGibbon will release a separate report called Cyber Security Sector Competitiveness Plan, which is a product of a year’s work. This project has been given the support of Prime Minister Malcolm Turnbull.
Turnbull spent about two hours on Wednesday afternoon meeting senior executives from a range of companies and institutions to discuss the next phase of Australia’s response to the threats from cyber attacks.
MacGibbon says the establishment of the Australian Cyber Security Growth Network provides an opportunity to convert Australia’s leadership in cyber security patents into increased commercial success in building world-leading companies providing cyber protection.
The mismatch between research capability and commercialisation is a familiar story in Australia.
The growth centre initiative is one way of addressing this problem. This was announced last year as part of a plan to build the country’s competitive advantage in six industries, including agriculture and bioscience.
The idea is that through the investment of $250 million in federal government funds Australia will build high value sectors and enable organisations to become more innovative, collaborative and export-focused.
But the 100-page sector competitiveness plan, a copy of which has been obtained by Chanticleer, sets out a strategy for fixing this problem and transforming what is now a $2 billion industry into a $6 billion industry by the early 2020s.
One of the key findings of the competitiveness report is that Australia lacks the skills and workforce necessary to make the country a leading exporter of cyber security products.
There is no short-term fix for this problem. It involves lifting education levels and attracting people to study cyber security. The report says we can learn from the approach taken by the US and Israel.
There is an obvious attraction for those joining the industry. Cyber security workers can earn a 10 per cent premium over the wages paid to the average IT worker.
“Interviews with company executives, government officials and other stakeholders echo the perception that the Australian cyber security industry is grappling with an acute talent shortage,” the report said.
“Wage premiums paid by cyber security firms in Australia to attract and retain employees are symptomatic of the lack of available skills.”
The advantage of lifting educational standards is that cyber security education can itself be an export earner.
The report concludes that Australia needs to move fast to solve the shortage of cyber security workers. “This skills shortage needs to be addressed quickly. It is already hindering the growth of the Australian cyber security industry,” it said.
“This problem will only magnify in the future as more cyber security providers edge into the market, drawn by the prospect of servicing the growing global security demand. Without a strong education and training system that provides cyber security firms with a robust pipeline of employable graduates, Australia will struggle to grow its cyber security ecosystem and become a leading exporter of cyber security.
“This makes resolving the skills challenge an economic imperative – it lays the groundwork for any other strategy to advance the competitiveness of Australia’s cyber security industry.”