Human Services takes aim at infosec compliance battle

The fast pace of revisions to the government’s information security manual (ISM) is putting pressure on departments to pick and choose what to comply with, says Department of Human Affairs CISO Narelle Devine.

DHS CISO Narelle Devine.

Speaking at RSA Conference Unplugged in Sydney earlier this month, Devine highlighted Human Services’ challenge on where to “snapshot” infosec compliance, given the fast-moving goalposts.

“The ISM used to change once a year,” Devine said.

“It used to have an annual review and we used to go, 'Right, now we have to work to this level'. 

“It now gets reviewed every month, so every month you get this new list of ‘things you need to do'. 

“Trying to budget and allocate time and project manage [against] moving goalposts [is difficult].”

Devine said the rapid flow of guidance made it challenging to work out what to comply with - particularly as it could take a while to achieve compliance, during which time the need for it could be reduced or disappear from the ISM altogether.

“Some of those capabilities might take two years to implement,” she said.

“Our system is massive - we've got the biggest mainframe in the southern hemisphere. 

“Some of the controls just don't exist so there are some things that you just can't be compliant with - even [with] your best effort. Legacy things are hard to keep up to date, but they're also less likely to get attacked because people aren't interested in them anymore so there's good and bad with that. 

“But if you look at a two year program of work, is that threat really still going to be there in two years or is the adversary going to have moved on? 

“Half the time they've moved on so by the time you catch up and implement something that makes you compliant, you've made yourself compliant with a rule that's two years old and might not even still be in the book, let alone mandatory.”

Devine said the rapid pace of change made the role of the CISO more important.

“That is one of the big roles of a CISO is to make those decisions about what are the risks that we're going to choose? What is my budget? How many people do I have to put on this? And as an aggregate, what does that risk appetite look like?” she said.

“It's a tough one. That's probably the bit that makes you not quite sleep so well at night.”

While there could be arguments for complying with the last major release of the ISM or even month-to-month - assuming the pace could be maintained - Devine suggested the answer was “to implement the things that are going to lower your risk”.

On this, Devine was supported by Tony Kitzelmann, general manager and CISO in the Australian Digital Health Agency’s information technology and cyber security branch.

Kitzelmann said he recently had to answer to the board of management on why My Health Record protected infrastructure had “96 percent assurance and ... why there was four percent of variable voluntary controls that I hadn't implemented.”

“You sit down and try and have a conversation: 'Well, it's about understanding risk, the context of the environment. This is a big piece of equipment, it's got a lot of data on it. We're never going to get 100 percent and we're never going to be 100 percent secure, but this is my risk tolerance, this is what I can do'. 

“I had to argue for four percent of the needle; 96 percent was pretty good, but I had to get back and discuss that, and then have that conversation of what's appropriate to do. 

“I don't want to spend $100 million securing a platform because that's potentially $90 million worth of lost business opportunity and risk is a part of doing business. 

“So we've got to encourage risks to be taken so that people can actually deliver business in a thoughtful way, and the legislation or instruments of conformance around mandatory controls are good, but they need to be considered as a guide, and understood in the context of your business.”

This has largely been recognised by the government and the Australian Signals Directorate (ASD), which earlier this year redesigned the ‘Essential Eight’ as a maturity model, leaving it up to agencies what they needed to comply with.