AISA CyberCon in Melbourne
Last week, Yonni Shelmerdine, Global VP of Product at SentinelOne, led a session at AISA CyberCon in Melbourne on 12 October. We caught up with Yonni to get his take on cybersecurity in Australia.
In your opinion, what is the state of cybersecurity in Australia, and how does it compare to other parts of the world?
At a very high level, Australia is a very sophisticated, first-world, technologically advanced, and economically strong country. The country, with a population of about 25 million people, spends more on cybersecurity than India, which has over a billion people in it. In terms of investment, knowledge, and understanding, they are actually doing quite well.
However, Australia doesn’t have a large population, so there is a massive skills shortage here. Additionally, and this is an estimate, it seems that about 80% of cybersecurity spending is done by 10% of the country’s enterprises – banks, insurance companies, mining companies, and some large government organisations, such as defence.
When you step past that first tier of companies, there is a significant drop in cybersecurity maturity, which is probably similar to many other countries in the world outside of the United States and the European Union.
However, the last two weeks have most likely made a permanent impact on Australia’s cybersecurity posture. First, we had the Optus breach, where nearly half the country’s population had their data breached, and 3 million people had their highly sensitive personal data exposed. Then, Medibank, a health insurance company, was breached, exposing millions of people's health data and personal data. After that, one of Australia’s largest energy companies was also breached, and several others as well.
This isn’t the first time we’ve seen headline breaches in Australia, but it is the first time that the impact is so broad and frequent.
In response to those breaches, the Australian Government has just announced that it will increase the penalties for data breaches. What are your thoughts about this? How does this regulation compare to the US and EU regulations?
Before this latest series of cyberattacks, organisations could not be fined more than $2M under the existing legislation. Many companies did not recognise any incentive to invest above baseline controls, due to the penalty of a breach being almost irrelevant. However, with the new proposed legislation, companies can find themselves facing significantly higher fines that could impact their bottom line.
As a result, those lower-tier organisations will have to start viewing cybersecurity as an investment rather than an expense, which should help upgrade cybersecurity across Australia.
In terms of comparing Australia to the US and EU, we usually view Australia as being about two years behind the EU and three years behind the US in terms of wide-scale adoption of new technologies and programs. Having said that, Australia's homegrown cyber ecosystem of software vendors and system integrators has exploded in the last 5 years. With this new legislation, we aren't going to see those hundreds of millions of dollars in penalties that are assessed in the US, but relative to market size, the financial impact that will be caused by these penalties is comparable. The current proposed legislation is $50M or 3% of company turnover during the period, a significant increase.
In the EU, they protect privacy with GDPR, and that's enforced through high penalties. Australia doesn't yet have protection that stringent for individuals, but there is a lot of talk within the Australian government of adhering to a similar standard.
What are your thoughts on Australia recently appointing a ministry for cybersecurity?
Cybersecurity used to be hidden within a ministerial portfolio in the federal government, but now that it is standing on its own, it actually will make a difference. In the past, if you asked someone on the streets of Melbourne or Sydney about cybersecurity, they may have told you something about an antivirus software they installed, but they never gave it much thought unless their data had been stolen.
Giving cybersecurity its own portfolio and assigning a minister to it means it becomes a political position for parties. When Australian citizens go to vote, they are going to have to consider their party’s position on cybersecurity. This will help drive cybersecurity education across Australia, which is a positive for business and society as it will raise Australia’s overall cyber posture.
The Hon Clare O'Neil MP holds the Cabinet positions of Minister for Home Affairs and Minister for Cyber Security. This has proven a defining move by the Albanese government in light of recent events.
Your session at AISA's CyberCon was about debunking cybersecurity myths. What is one myth that you think will resonate with Australia, and how is the country doing in debunking it?
Many elements in the cybersecurity industry will have you thinking that auxiliary products like SIEM and SOAR are the only logical next step in light of the growing quantities of data and the growing number of cybersecurity products.
In practice, that assumption alienates most organisations, either because they don't have the budget to store all the data, the headcount to manage and continuously monitor the products, or the expertise to use them effectively.
One of the things we see in Australia is a more intentional approach to investment in cybersecurity. That ranges from prioritising high-ROI products and balancing products with services to, most importantly, a goal-oriented approach that helps them determine the outcomes that are most critical to them. We're thrilled to be a part of that process with some of Australia's largest enterprises.