Australian Cyber Security Magazine, ISSUE 9, 2019

Cyber Security

Better security through collaboration and reuse

By Vaughan Castine

To misquote William Gibson - security is already here, it is just not evenly distributed. This is a great way to sum up my viewpoint over the last few months, culminating in my impressions from the Perth BSides security conference in September.

During the BSides talks I was pleased to hear about the great initiatives happening locally to strengthen governance, risk and compliance. We’re not just talking about initiatives such as policy adoption, attribute profiling, threat modelling and escalating risks to the board (not to diminish the value of any of these – in fact, if you aren’t tackling these, make sure you add them to your to-do list); there are also great strides happening with CI/CD pipelines, continuous testing and real-world incident response testing. (Note: torturing your work colleagues by running an unannounced red team disruption makes for a great talk but might find you drinking alone at the next work social event.)

Our industry has come a long way over the last couple of years, and that transformation journey is being lived and reflected by the people on the frontlines. I spoke with many security professionals who are supporting their business and working with business leaders to identify the assets, the potential risks and the protection requirements. There are fewer murmurs from security professionals complaining that "the business doesn't get it" and "it's all the fault of the end user." It is refreshing to see this change.

Thankfully, focus hasn't just shifted to the latest shiny new tools that vendors promise will fix the business issues and sort out world hunger at the same time. The best initiatives I’m seeing are not attempting to reinvent the wheel. They are adopting, tailoring, and building on top of industry-recognised standards and frameworks. Whether we are taking the lead from NIST, CIS, SANS, ISO, OWASP, ASD, MITRE, SABSA, Lockheed Martin, AWS, Microsoft or others (there are plenty to choose from - I won’t start a religious war by trying to pick a favourite), we must recognise that all of these can uplift the posture a typical enterprise is starting from. All these frameworks and approaches have more rigour applied to them than the processes most individuals dream up, especially based upon personal experiences. Starting with these strong foundations creates an opportunity to use our experience to build something greater, and to


Australian Cyber Security Magazine, ISSUE 9, 2019 by MySecurity Marketplace - Issuu