Could Australia’s Cybersecurity Strategy Benefit From More Data Science Rigour?


The success of Australia’s six-shield cybersecurity strategy could depend on how well the nation manages the vast pools of data that will underpin the identification and mitigation of cyberthreats.

Australia’s Home Affairs Minister Clare O’Neil recently revealed details of Australia’s Cyber Security Strategy 2023–2030. Designed to protect Australia in a fast-moving threat environment, the strategy would rely on building six cyber shields around the Australian nation.

Jessie Jamieson, staff research engineer for decision science operations at Tenable.

However, Jessie Jamieson, staff research engineer for decision science operations at cyber exposure management firm Tenable, said what has been absent from the strategy detail released so far has been a focus on the one thing that underpins everything: data science.

“There was a noticeable lack of attention paid to data and data science,” Jamieson said. “Without data we can use, trust and rely on, we are basically paralysed. We won’t be able to make effective cyber decisions and formalise an effective cybersecurity strategy we can depend on.”

Jump to:

Data science as Australia’s seventh cybersecurity shield

Australia’s six-shield strategy includes community education, safer technologies and a world-class threat sharing and blocking system. It will also prioritise the protection of critical infrastructure, build up local cyberskills and enhance regional and global partnerships.

SEE: Microsoft’s $5 billion investment in Australian cybersecurity posits it as another potential cyber shield.

Missing from the list was the pursuit of data science best practices. Jamieson said ensuring transparency and trust in data through practices like data validation and verification and the documentation of processes is essential for producing better cybersecurity outcomes.

“There hasn’t been much discussion about data science best practices and the implications for cybersecurity,” Jamieson said. “You could make the argument that treating this as a shield by itself would ensure we are able to use data to make the best cybersecurity decisions possible.”

Threat detection and prediction is data science dependent

The ability to detect cyberattacks or breaches in real time and shorten time to discovery using technology is heavily data dependent. Organisations need to be able to leverage a lot of data on the status quo of their cyber environment in order to correctly identify what is anomalous.

The same goes for predicting external threats. Organisations can design for enhanced security by leveraging data on threat actor patterns, like the different behaviours they tend to engage in in different scenarios, such as a ransomware attack or an attack on critical infrastructure.

SEE: What can Australian IT leaders do about the rising data breach costs?

“This depends on having data in the first place, establishing a baseline to detect if something strange is going on or coupling information about threat actors with your own information to allow for proactive action,” Jamieson said. “It all comes back to data. It is all data — it really is.”

Australia not alone in lacking data science focus

Australia’s lack of data science rigour is not unusual. In general, “everyone is a little behind from a data perspective,” Jamieson said, with the obvious recent example being the headlong rush around the world to use data as part of artificial intelligence models, including generative AI.

“Some companies are being more careful, but there is so much discussion at the moment about developing these things quickly without asking questions like how these plug into a data process or what the process is around generating training data,” she said.

SEE: Australia is adapting fast to a generative AI world.

With emerging technologies that rely on data now at the forefront of cybersecurity discussions, Jamieson said stakeholders in Australia needed to take a step back and focus on getting the data science right to ensure emerging technologies could be trusted to drive decision making.

Action on data not appealing enough to stakeholders

One reason data science best practice is not being given enough attention could be that the core things it asks of organisations “aren’t sexy,” Jamieson said.

“No one wants to talk about data validation, documenting processes, data privacy or about having a new policy mandating how an organisation will deal with data or incorporate it into decision making,” said Jamieson.

Organisations are also unlikely to jump at improving their data practices if it means upending existing, long-standing processes just to improve data transparency and confidence in data.

Elevating data science to enable cybersecurity

As cyber adversaries evolve, leveraging best practices in data science could provide organisations in Australia with the foundations for more proactively anticipating and counteracting cyberthreats. But what should local IT leaders do to make sure that happens?

“It is all about people, process and strategy,” Jamieson said. “My recommendation is to go back to basics and get those right. It’s so important now — with all of our technologies being built on data and ability to use it effectively — that we get the basics right.”

Support cybersecurity with a coherent data strategy

The first step for organisations that want to improve their data approach is to create a data strategy — something not all have yet done.

“A data strategy is a cybersecurity strategy and vice versa because it is now so essential to being cyber secure and resilient,” Jamieson said.

SEE: Discover how data governance affects data security and privacy.

Being as proactive as possible with a coherent data strategy can help organisations better control the “signal to noise ratio” by understanding from the outset what data is important to enable their cyber posture and ensuring those insights are available when it matters.

Strategy should drive the collection and use of data

Having more data science rigour means ensuring strategy drives the data, instead of the other way around. This means “not collecting data just because you can,” Jamieson said, which can actually result in a less focused approach and cause an “availability bias” in decisions.

SEE:Australian businesses are taking on an “assume-breach” approach to cyber security.

Refining a strategy and approach is art as well as science. For example, tabletop cybersecurity exercises or a counterfactual analysis after a cyber event are effective ways to couple data with real world experimentation and trials to improve cybersecurity postures over time.

Combine responsible risk taking with data best practice

An environment that encourages responsible risk taking and innovation with data should be encouraged, Jamieson argues, but should also be paired with the need to innovate responsibly. This will avoid organisations jeopardising data privacy or the transparency of data.

Best practice would include having a process for data verification and validation. Jamieson said data validation and verification can be done every six months to ensure organisations stay on top of their data, while processes can be continually improved through ongoing iteration.

Only use technology that helps you make decisions

Technology is now essential for making the best use of data to improve cybersecurity. However, Jamieson said that, while technology was becoming critical, if a tech system did not ultimately help an Australian business make decisions, they would be better off not paying for it.