Leaders of Tech Q&A: Hamish Hansford

Australia, and indeed the world, is increasingly becoming more interconnected and reliant on digital infrastructure. This underscores the importance of ensuring a robust and fit for purpose security posture that supports that underlying digital infrastructure. Last year we saw the global ramifications that can occur when a single company is impacted through a technical outage, demonstrating our high level of interconnectedness.

The bright note is that, despite this environment, we see a much more engaged and curious set of stakeholders across governments and industry seeking to answer the questions of how best do I prepare my business or agency for a cyber incident as well as what do I do when I am subject to a cyber incident.

Since commencing in the critical infrastructure job in 2021, I have been pleased to see a massive increase in focus on cyber security.

We all rely on an open, free and interoperable internet. It’s brought great advances in global prosperity, connectivity and fundamentally improved our lives. I was born in a period before the internet and have straddled two massive generational changes from analogue to digital.

However, having a secure internet that has rules of engagement that are consistent with our values is also important. The internet needs defending because the same rules that apply in the real world should, arguably, apply in the online world. Working together on these global rules for a technology that transcends our national boundaries and jurisdictions is profoundly important and essential to building trust.

The Australian Government, as part of the funding for the Cyber Security Strategy, has invested in the cyber resilience of the Pacific. One initiative which is foundationally important to the security of the Pacific is the Rapid program. This allows support for those who have been subject to a cyber attack to help with their response.

Equally though, some Pacific countries with the emergence of the internet (such as the Cook Islands) have seen a massive uptake of internet from low earth orbiting satellite infrastructure bringing relatively inexpensive internet connectivity to areas that previously were challenged with internet connectivity.

This means that there is instant connectivity that requires an uplift in online safety and security in rapid time. The Australian Government is committed to working in partnership with our Pacific friends. I recently attended the Counter Ransomware Initiative with Pacific partners and spoke very much about how we might be able to collaborate on countering cybercrime.

An “all hazards” risk approach takes a different view of security risk. In the critical infrastructure space, we start from the premise that any hazard or risk might have an ability to cause a material impact to the functioning of infrastructure.

This means that we recognise a risk from a trusted insider (either maliciously or unwittingly), a physical threat from a flood, fire or act of sabotage, a digital impact (such as a cyber attack or a technical outage), or indeed, an impact from a supplier to a business, may impact critical infrastructure.

Looking at business risk generally, rather than from the perspective of critical infrastructure security risks, puts a different frame on the problem. It is not a security add on but rather the risks that will stop a critical infrastructure asset from functioning. This is important because if you just looked at cyber risk from a technical standpoint it doesn’t take into account the fact that people are perhaps the biggest cyber threat nor does it take into account other supply chain issues.

Treating national security risk is about more than just looking in isolation at individual risks particularly given the challenging geo-strategic environment Australia faces in the coming decade, most recently outlined in the Director-General’s Annual Threat Assessment 2025. By taking a broader view, this helps to build a much more resilient set of critical infrastructure that is able to deal with any security challenge manmade or naturally occurring.

My best piece of advice is to think about two questions. The first is what would happen if something goes wrong? This question then really sharpens the mind about follow up and subsequent issues to look at, like, who would I call if something went wrong? Where is my data hosted? Do I have staff contacts in my phone that I can call? What do I need to protect and what do I value the most? Which suppliers do I rely on?

This is a great thing to do for any company, big or small. To assist with this, I cannot recommend highly enough the Australian Cyber Security Centre’s Exercise in a Box.

The second question is: what can I do to make my business more digitally resilient inclusive of cyber security and information security protections? It’s a different conversation to have if you are deploying new technology or buying a service you should ask yourself: am I buying or using the best product that will last with security built in and will it provide me with longer term better outcomes than a less secure cheaper product? This concept is often called “secure by design” and ensure cyber security is considered at the start of considerations, rather than it being added at the end.

The views expressed are the interviewee’s own.