ASD as a statutory authority, and the ISM gets an update

Email update, 10 July 2018

Good morning.

Today’s email concerns the Australian Signals Directorate, Australia’s equivalent to the NSA in the U.S. or GCHQ in the U.K.

ASD becomes a statutory authority

As of last Tuesday, the Australian Signals Directorate is officially an independent statutory agency within Defence, one of the recommendations from the 2017 Independent Intelligence Review. This means that ASD will now have a lot more freedom to manage its own pay scales, independent of the existing Australian Public Service salary bands.

From iTnews:

One potential option now more open to ASD than previously is restructuring how roles within the agency are designed outside the traditional defence and public service mould so they become more appealing to cyber talent, especially younger recruits.

A known challenge both ASD and Defence have faced is a perception of limited mobility at less senior levels where people are often lured across to private sector jobs after substantial investment in training and security clearances.

It’s a difficult problem, and ASD has tried to address it with special approvals to apply salary loadings for technical specialists above the standard APS pay brackets.

Still, it’s very difficult to compete with industry when there’s such a high demand for those same skills, and working in the private sector comes with other benefits which can’t be matched by ASD: easier access to the internet, having your phone in your pocket, and the ability to talk about your work.

We’ve talked about this issue in a previous email, and it remains a systemic problem in government IT recruitment:

Conflating the technical and management streams also leads to significant problems in organisations where salary bands are highly structured and mapped to explicit position descriptions (quite common in government organisations). In this sort of model, earning over a certain amount—the management threshold—often means managing a team of employees, and little if any technical work.

This causes all sorts of issues when the management threshold is lower than the market rate for the specialists you need to keep the lights on. If you offer them market rate, they’re forced into management, and can no longer do the job they were hired to do. If you don’t offer them market rate, well… the results are predictable.

Anecdotally, I’ve heard many cases of talented technical people within ASD hitting a wall in terms of pay and seniority after only a few years in the job, and subsequently jumping ship to significantly better paid positions in the private sector. The result is that security teams in Australian and U.S. companies tend to be littered with ex-ASD personnel, and far too many of them end up heading overseas to positions in Silicon Valley.

This is a predictable outcome (and I can relate!), but one can also sympathise with ASD. Their hands have been tied by the rigid APS salary structures, and it’s always going to be difficult to match the private sector during a gold rush. Hopefully this new freedom will help them to stem the flow.

The Information Security Manual gets an update

There was an interesting article posted this morning by James Riley at InnovationAus:

The Australian Signals Directorate executive at the centre of an internal brawl over Microsoft’s Azure and Office365 cloud services being granted Protected Certification has quietly departed the intelligence agency.

Melissa Osborne, a 24-year veteran of Defence, had run industry partnerships and certifications at the ASD, and managed the agency’s Information Security Registered Assessors Program (IRAP) initiatives. It is understood she has now accepted a cyber role with a US vendor.

Note that in a later paragraph Riley states that Melissa Osborne was forced out by new director-general Mike Burgess, a claim which has been denied by Osborne herself. There’s clearly more to this story, so one should be careful not to draw too many conclusions from it.

With that caveat in mind, this paragraph rings true to me:

The accreditation role within ASD looks to have been caught between an ongoing adherence the government’s Information Security Manual – the list of rules and controls that departments and agencies must follow in relation to cyber – and the new management’s desire to quickly introduce an overhauled manual based on a risk management/mitigation approach.

The fact that the ISM is being updated has been public knowledge for a while now, and any major changes are bound to cause ruffled feathers (for one thing, there is a lot of money in providing security services around ISM compliance). It will be interesting to see where it lands.

More generally, the debate over “compliance-based” or “risk-based” approaches to security is one which is only going to become more relevant as major data privacy regulations like the European GDPR are enforced, and high-profile cases work their way through the courts.

I’m personally not a fan of the compliance-focused approach taken by many organisations, where adherence to policy can often take priority over actual technical security measures. In some cases, it’s enough to have a firewall in place to “tick the box”, and whether or not the firewall does anything useful (or is maintained properly) is a secondary consideration.

Proponents of the compliance model would argue that this is a fault of the checklist not being explicit enough, which is a fair point, but making these models overly prescriptive can hamstring defenders into building their network “the right way” (according to the particular compliance framework being used), with no allowances for business realities or the risk appetite of the organisation.

With apologies to Douglas Bader, compliance checklists exist for the guidance of good security teams, and the blind obedience of bad ones.

Or, to put it another way: you might pass your PCI compliance audit with flying colours, but that won’t stop you getting owned.