
Unpacking the National Cyber Security Strategy for FSI


Shameela Gonzalez, CyberCX Industry-lead for Financial Services, 13 December 2023


Now that we have had time to digest the Government’s 2023-2030 Australian Cyber Security Strategy, it’s worth considering what the Strategy means for the Financial Services Industry (FSI).

To explore this, I sat down with Shannon Jurkovic, CISO at Bendigo and Adelaide Bank to get the perspective of someone who leads a sizable cyber security practice inside one of Australia’s largest community-focused banks.


Strong businesses and citizens 

The Strategy is built around six shields. Undeniably, the first shield – Strong businesses and citizens – is critical to the Australian ecosystem.

This is especially so when considering the mind-map of third parties that all organisations interchangeably rely upon for their services. Shannon’s view is that the Strategy “will ensure that a sophisticated approach to cyber security is embedded into good business practice by all, ensuring that no organisation is disadvantaged.” 

In financial services, every entity is reliant on up to hundreds of third parties to support services like payments, marketing and communications, legal, and other services that are all critical to a bank’s ability to succeed. Therefore, they all need a supportive framework to be secured. In doing so, we secure the whole interconnected network of organisations supporting each other. 

The larger end of the FSI has had the time and opportunity to undergo significant cyber security uplift in recent years – both due to customer expectations and heavy regulatory oversight. 

With the new Strategy’s focus on strong businesses and citizens, coupled with the growing risk of third-party exposure, the industry should be thinking about how it can take that greater cyber security posture among the bigger players and spread it across the sector to help SMEs on their own journey towards uplifting their cyber security.


Closing the cyber security skills gap

Cyber security skills shortages are being observed across many sectors. Security leaders have called out the need for a nation-wide approach to either encouraging a greater pipeline through tertiary education or upskilling individuals in cyber-adjacent careers to be able to move horizontally. 

Last year, CyberCX and Per Capita revealed a shortfall of qualified cyber security professionals forecast to hit 30,000 unfilled positions across Australia by 2026. Crucial to delivering on the Strategy’s mission of making Australia the most cyber secure nation by 2030 will be enabling the workforce of the future.

“Strategies that can help to quickly ease known shortages now – such as greater collaboration between industry and educational institutions to re-train mid-career professionals, or incentives for early-career cyber security professionals to finish their degree whilst working – are welcomed in the interim,” Shannon said.


In the FSI, there is a sizeable workforce of risk management, legal, marketing, and human resources professionals who already hold attractive, transferable skillsets. If trained appropriately, these roles could prove incredibly valuable as additions to the cyber security workforce.

Existing experience and skillsets make many of these roles ideal candidates for cyber policy, legal counsel, incident response and strategic advisory roles, all adjacent to cyber and all critical to the delivery of the Cyber Security Strategy.


FSI regulation

When it comes to cyber security, the FSI is already one of the most regulated sectors. 

In financial services, entities that are APRA-regulated need to demonstrate compliance with prudential standards around operational risk management and information security where these pertain to cyber risk, like CPS234 and CPS230. 

A lot of financial institutions have also assessed their maturity against the Essential Eight strategies to mitigate cyber security incidents, both for ease of reporting and to demonstrate compliance with a number of other official frameworks.

If these organisations also have sub-entities or a global presence, their cyber teams may additionally be required to demonstrate compliance with relevant international cyber frameworks and standards. As a result, a number of institutions are already exerting a significant amount of effort to demonstrate adherence to a wide range of standards and frameworks.

“We know effective and efficient regulation is necessary, but it is crucial we strike the right balance in meeting multiple industry and regulatory obligations and getting on with the business of protecting our customers and their data,” said Shannon.  

Out of this Strategy, there is hope that the Government will look towards simplifying obligations and, beyond that, establishing simpler guidance for small and medium-sized entities.

As Shannon says, “streamlining of cyber obligations in a single reporting portal, co-designed with industry is a sensible first step.”


The pathway forward for FSI

Establishing the foundations of the Strategy is an important start. But seeing the fruits of that implementation will take time. 

Shannon says that while “the existing initiatives outlined in the Strategy may be effective in the long-term, I expect it will take time for the expected benefits to flow through the economy.”

There is already a lot that the FSI does well. Uplifting the entire sector to the same standards, and reducing the cyber skills gap by retraining existing members of the sector with adjacent and complementary skills, are two critical ways the FSI can help fulfil the Strategy's ambition.

Looking to the future, one additional area of commitment from the Government that would strengthen Australia’s response to cybercrime would be the introduction of regular touchpoint updates for the FSI that track meaningful implementation progress against the Strategy.
