Embedding a zero trust cybersecurity strategy

The Australian Government has outlined a new strategy to strengthen cybersecurity across the Commonwealth, signalling a decisive shift from traditional perimeter-based security models to a more sophisticated approach known as ‘zero trust architecture’, writes Morey Haber.

At a time when cyber threats are evolving rapidly, the government’s Guiding Principles to Embed Zero Trust Culture consultation paper underscores the need for continuous vigilance and behavioural monitoring when safeguarding digital assets.

Zero trust operates on a simple yet powerful principle: never trust, always verify. Unlike traditional cybersecurity frameworks that rely on securing the network perimeter, zero trust assumes that threats can originate from both outside and inside a network. Essentially, they can occur at any time and from any place.

Consequently, it requires strict identity verification, continuous validation of users and devices and their actions, and the implementation of least-privilege access protocols. These measures aim to minimise the risk of unauthorised access and data breaches.

The guiding principles

The consultation paper outlines five guiding principles that are central to embedding a zero trust culture across government entities and affiliated organisations.

(1) Enterprise-level cyber risk management
Cybersecurity must be integrated into an organisation’s overall risk management framework. Instead of treating cyber risks as isolated technical issues, they should be considered fundamental business risks. This approach requires a top-down commitment, with executive leadership driving cybersecurity initiatives across all levels of an organisation.

(2) Clear accountability and responsibility
Establishing well-defined roles and responsibilities for cybersecurity is crucial. Everyone in an organisation – from senior executives to frontline employees – must understand their role in maintaining a secure digital environment and have the right to identify and escalate a potential security risk.

(3) Resource awareness
Organisations must maintain a comprehensive inventory of their critical technology assets. This includes understanding the business criticality of these assets and prioritising risk mitigation efforts accordingly. A clear understanding of the infrastructure’s components – both physical and digital – is essential for effective cybersecurity planning. For experienced organisations, this is a natural extension of their ITIL implementations.

(4) A comprehensive cybersecurity strategy
A robust cybersecurity strategy must anticipate both current and future threats. The strategy should be aligned with financial planning to ensure that cybersecurity measures are considered in modernisation projects. By embedding security (specifically zero trust) into the early stages of project planning and technological upgrades, organisations can avoid the pitfalls of retrofitting zero trust mandates after implementation.

(5) Proactive incident planning
The zero trust model embraces an “assume breach” mentality, which means organisations must be prepared for potential security incidents at all times. Continuous monitoring and verification help ensure rapid detection of threats and swift response. This is why recommendations one and two are so important. Technology alone cannot solve the issues and the human equation should always be factored in for the overall success of any zero trust project.

Feedback on the guiding principles

The government’s consultation process is aimed at refining these guiding principles based on feedback from industry experts and stakeholders. Several key areas for improvement have been identified, including:

Unified cyber-risk identification
Successful cyber-risk management requires a unified approach across all business units. Regular cross-departmental meetings, shared risk assessment tools, and centralised risk management frameworks can foster collaboration and ensure that cybersecurity is treated as an enterprise-wide concern using the same language and models across all departments.

Preferred risk assessment frameworks
Organisations often rely on established frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001. These frameworks provide structured methodologies for evaluating internal systems and third-party services. The government’s guidance should encourage organisations to incorporate these frameworks into their zero trust initiatives as a component to measure success.

Defining roles and responsibilities
To ensure clarity, human resource departments should begin to add role descriptions to employee profiles, and information security should conduct regular training sessions for zero trust projects. Embedding cybersecurity responsibilities into performance evaluations can reinforce accountability and promote a culture of ownership, since everyone then has a stake in the success of zero trust projects.

Employee training and awareness
Continuous cybersecurity education on zero trust can keep employees and contractors informed about emerging threats and how these changes will successfully mitigate risk. Regular assessments and feedback mechanisms can help measure the effectiveness of these programs and ensure that all personnel stay focused on the goal.

Vendor accountability
Distributed accountability is essential, especially when third-party vendors are involved. Clear contractual agreements outlining workflows related to zero trust (like remote access or data processing) should be a part of security assessments to ensure that all parties in the supply chain uphold the highest security standards.

Policy enhancements
The government’s existing frameworks, such as the Protective Security Policy Framework and the Australian Government Gateway Policy, should incorporate zero trust principles. This implies that continuous authentication, least privilege access, and regular security posture assessments must become standard practices across the board, in support of prior regulations.

Cybersecurity metrics
Establishing clear performance indicators, such as incident response times and compliance rates, can help organisations measure the success of their zero trust initiatives. Regular reviews of these metrics will ensure continuous improvement and help tweak implementations for optimum performance, especially to improve the end user experience.

Achieving a zero trust culture

Implementing a zero trust culture requires more than technological upgrades. It necessitates a comprehensive transformation that intertwines technology, processes, and people. Cultivating a security-first mindset is essential whenever a mandate of this nature is embraced.

Every individual within an organisation must recognise their role in safeguarding digital assets and be committed to upholding security best practices to maintain a never trust, always verify mindset. This approach helps adapt to modern threats and ensures that zero trust principles are sustained effectively.

As Australia strengthens its cybersecurity posture, the adoption of zero trust principles will play a pivotal role in ensuring resilience against emerging threats. By embedding these principles across government entities and collaborating with industry partners, the Commonwealth can build a robust defence against sophisticated cyberattacks and be a model for governments around the world.

Morey Haber is the chief security officer at BeyondTrust
