Cyber Security

Luke Hally

Zero-Trust Culture II: Capstone Intro

September 21, 2024
Following the university accepting my project proposal outlined in Part I: Pitch, this part of the capstone project will introduce the concept of zero-trust culture called for in the Australian 2023-2030 Cybersecurity Strategy, and explore how we can work towards it.

Task

  • Create a five minute presentation which
    • Introduces the concepts of zero-trust, operational security and zero-trust culture.
    • Makes a connection between the above concepts and Australia’s cyber security strategy.
    • Contextualises the above concepts in relation to government organisations.

Presentation

In this presentation we explore what a zero-trust culture is and how we can build one.

Transcript

Slide 1

This is the twelfth and final course of my masters degree, during which I’ve developed an interest in the human element of information systems, non-technical vulnerabilities and how we can mitigate them without impinging on people’s agency and rights.

Coincidentally, and aligned with my interests, the 2023-2030 Australian cybersecurity strategy calls for a “whole-of-government zero trust culture” (Dept Home Affairs, 2023b, p. 43), but neither the strategy nor its accompanying action plan describes what this culture looks like or provides guidance on how to achieve it.

Slide 2

This leads us to consider, what is a “zero-trust culture”? But first, what is zero-trust? It is emerging as a leading approach to cybersecurity.

It’s best described with a picture. On the left we have a traditional perimeter defence: once a breach occurs and an adversary is inside, they can move laterally within the perimeter to achieve their goal. On the right we have zero-trust, where every access is verified regardless of where the request comes from, so following a breach it is much harder for the adversary to achieve their goal. It’s the way of the future for cybersecurity and we currently have a project to implement it underway at CASA.

Back to culture. The Victorian government’s State Services Authority describes organisational culture as “the shared values and beliefs that guide” our approach to work and how we interact with each other. We know the importance of trust when interacting with others; it is closely aligned with psychological safety (Evans-Greenwood et al., 2023), and the APS Values and Code of Conduct states that “Workplace relationships are critical to organisational performance and individual well-being”. These are hard to achieve without trust.

So when we look at a zero-trust culture, we are going to focus on the “approach to work” part of this. As Aristotle said, “We are what we repeatedly do.”, and in an organisational context, what we repeatedly do is how we undertake our business as usual (BAU) or run our operations. This is where we will focus, and I propose that by applying zero-trust principles to our approach to work, we can create a zero-trust culture.

Slide 3

Why is this important?

We’ve just touched on the 2023-2030 Australian cyber security strategy, but this wasn’t the driver for this project. The real driver is the world we live in:

  • Our systems are becoming more complex as we become more connected
  • Adversaries are becoming more capable and organised, even industrialised in some regions
  • And attacks are happening more frequently

Cybersecurity has traditionally been seen as a technical problem in need of technical solutions; however, as systems and attackers become more complex we are realising that it is socio-technical in nature and in need of solutions that are both technical and non-technical.

And with 68% of Australian Government notifiable data breaches being caused by human error (OAIC, 2024), this highlights the need for security in our ‘approach to work’. In the security realm this is known as operational security, or OpSec.

This is our why: to create a holistic approach to information security, expanding the scope beyond technical systems to better protect our assets, people and organisation.

Slide 4

Project outline (this presentation)

  • Overview of the project
  • Confirming expectations

Presentation and executive briefing​

  • This will provide a brief on the information environment, looking beyond IT systems
  • And cover why security of the information environment is important and where OpSec fits in

Report​

  • This will build on today and the next presentation to provide an in-depth look at OpSec, zero-trust, and how they can be integrated
  • Strategy proposal, to move towards a zero-trust culture

Project artefacts​

  • Surveys: these will provide me with feedback to use in my self reflection
  • Project/comms plans: happy to share these if you’re interested
  • Personal reflection: this is where I will reflect on how I undertook the project and identify what worked and what could be improved

Slide 5

This is going to be fast paced; my masters runs on an accelerated model which is quite intense, but I’ve designed this project to optimise your involvement.

  • Kick off email (1 July)
  • Pre project survey (4 July)
  • Send exec briefing (17 July)
  • Presentation (22-26 July)
  • Send report (30 July)
  • Post project survey (5 August)
  • Debrief (9 August)

Slide 6

Thanks again for being involved. Having stakeholders at work has meant I can focus on a topic that I’m interested in and will hopefully start a conversation at CASA and lead to a change.

I’m looking forward to the journey we are about to take and hope you find it informative and interesting.

Have you got any questions? Are you happy with the level of involvement?

References

Davis, M. C., Challenger, R., Jayewardene, D. N. W., & Clegg, C. W. (2014). Advancing socio-technical systems thinking: A call for bravery. Applied Ergonomics, 45(2), 171–180. https://doi.org/10.1016/j.apergo.2013.02.009

Dept Home Affairs. (2023a). 2023-2030 Australian cyber security strategy discussion paper. https://www.homeaffairs.gov.au/reports-and-pubs/files/2023-2030_australian_cyber_security_strategy_discussion_paper.pdf

Dept Home Affairs. (2023b). 2023-2030 Australian cyber security strategy. https://www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf

OAIC. (2024, February 22). Notifiable data breaches report: July to December 2023. OAIC. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023

Space Operations Command. (2023, January 5). OPSEC history: From ancient origins to modern challenges. Space Operations Command (SpOC). https://www.spoc.spaceforce.mil/News/Article-Display/Article/3260002/opsec-history-from-ancient-origins-to-modern-challenges

State Services Authority. (2013). Organisational culture. https://vpsc.vic.gov.au/wp-content/uploads/2015/03/Organisational-Culture_Web.pdf