In our latest instalment of the Leaders of Tech Q&A series, we speak to Rachael Falk, CEO of the Cyber Security Cooperative Research Centre (CSCRC). Rachael takes us through the CSCRC’s top priorities, cyber security going mainstream and keeping pace with the evolving cyber threat landscape.
You're one of Australia's leading cyber security experts - how did you get your start in cyber security?
I started my career as a lawyer and worked for top tier firms in Australia and overseas, as well as an in-house lawyer at Telstra. I also was the lawyer for Corporate Affairs at Telstra as well as doing a stint as a spokesperson on legal matters in court. So it was there that I was able to see up close the power of influence and well-crafted communications. It was during my time at Telstra that I was seconded into the cyber security team and I was hooked. I was subsequently appointed Telstra’s first General Manager of Cyber Influence, helping influence the organisation about key cyber security risks. A lot of my role was turning what most people believe is an intangible risk into a tangible risk with consequences. After this I worked briefly at auDA, where I learned the importance of Australia having a safe and trusted DNS, before branching out on my own as a cyber security consultant. That has ultimately led me to my current position as CEO of the CSCRC, which I just love.
The CSCRC exists to strengthen Australia's cyber security capability. What are its top priorities this year?
Impact is at the heart of everything we do. Our research has tangible outcomes with real-world applications. Central to this is collaboration with our Participants, who represent a wide range of sectors and have diverse cyber security needs. We are also really committed to helping with the effective implementation of Australia’s Cyber Security Strategy 2020, to help ensure Australia remains a thriving digital economy and a safe place to do business.
While our overarching priority is to bolster Australia’s cyber security capacity and capability through the development of new technical solutions and ensuring the regulatory, legal and policy settings are right, there are three key areas we are homing in on. These are critical infrastructure, critical technology and small-to-medium enterprise cyber uplift.
People and businesses are more connected over the Internet than ever before. How has this changed the threat landscape for cyber attacks?
Quite simply, if you are on a device connected to the internet, you are vulnerable. While the pandemic has been really challenging, I think one of the positives to come from it is an increasing focus on and awareness of cyber security. While there is still a long way to go, cyber security is mainstream now and everyone has a much better understanding of why it is so important.
What keeps you motivated to continue driving change in how Australia responds to cyber threats?
This is not a static space – the goal lines are always shifting and there are always new and emerging exploits and threat vectors. The thing that keeps me going is keeping people safe, from the most vulnerable members of our community, children, through to SMEs, big business and governments. Cyber threat has such a broad spectrum, from personal safety right through to national security, and the sheer scale, while sometimes overwhelming, drives me to make Australia and the world safer. I also have a strong commitment to helping explain legal and regulatory changes in accessible language so that everyone can understand why changes to the law might be necessary and are not simply dismissed as ‘overreach’. Technology and cyber criminals move a whole lot faster than legal changes, so I see it as vitally important to talk about these risks publicly and raise awareness (particularly in the business community) that it isn’t about waiting for the law to change, it is about doing what is right.
Like auDA, the CSCRC has been involved in consultation with government on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. Should it pass, will it help achieve a more secure Australia?
The proposed amendments to Australia’s critical infrastructure legislation are vital to protecting Australian interests, and it is wonderful to see the auDA and the DNS classified as ‘critical infrastructure’ under the proposed changes.
Like everything, the legislation is not perfect and that is why it is being so carefully scrutinised by the parliament and the committee process. There should be no room for unintended consequences and that’s what is being worked through. As we know, the Parliamentary Joint Committee on Intelligence and Security has recommended the Bill be split, which would see mandatory reporting and government ‘step-in’ powers passed first, with the sector changes implemented later, via a separate Bill. It is a space to watch.
We know cyber attacks aren't limited to big organisations. What are three things individuals or small business owners can do today to stay more secure online?
At the CSCRC we have a three-Ps mantra – People, Patching and Passwords.
People are at the heart of cyber security and need to be adequately trained and aware of the risks. Patching is essential to keep systems safe, so as soon as an update comes through, patch. Don’t delay! And strong passwords are a key part of keeping cyber criminals out – ABC123 just doesn’t cut it.
If you get these three basic things right, you’re half the way there.
The views expressed are the interviewee’s own.