Episode 6: Mike Cerny and Nicola Nicol on why Cyber resilience is key to safeguarding Australia’s future

Episode transcript

Peter Van Onselen: When the COVID-19 crisis struck few business functions shifted as quickly as corporate cyber security. As legions of employees suddenly found themselves working from home technologists rushed to secure connections networks and IT environments.

With the scale and sophistication of cyber attacks evolving rapidly, the federal government is stepping up its national cyber security measures too. In this episode we look at what the Federal Budget announcements mean for the nation's ongoing cyber safety. My name is Peter van Onselen and you're listening to the PwC Federal Budget Podcast.

I'm joined now by Mike Cerny and Nicola Nicol cyber and digital trust partners at PwC. Thanks both so much for your company. I guess there’s two questions out of the budget where we should probably start. The first is how important are cybersecurity and digital trust issues in the context of COVID? And how much is there in the budget to really go into that space? I might start with you Nicola if I can.

Nicola Nicol: Thanks Peter. So you know businesses rely on the availability and confidentiality of the digital services that we're using to live, work and study every day. And most organisations in the pandemic have moved to a remote workforce where they're fast tracking putting some of their services online.

So I'd say cybersecurity really has a renewed focus and it's critical for economic growth for two reasons. Firstly, part of it's actually about protecting against the risk and impact of an attack. And if you look at the Australian Cyber Strategy for 2020 the government estimated that a four week interruption to a digital infrastructure could cost the economy around $30 billion. And then partly it's about driving economic growth. Businesses have the opportunity to make capital investments in tech solutions and also create new meaningful jobs and cyber where we know there’s a skills shortage.

Mike Cerny: Just adding to that, I'd say that and looking at the strategy for 2020 that’s obviously within the budget it's really broken down into a few key areas. Primarily the largest portion of spend is going directly towards the Australian government's capability around cyber security. And this is both from law enforcement but also from other agencies and their ability to be able to defend as well as attack against other nation states that might be doing the wrong thing against us.

Other areas include around skills which Nicola just just just touched on. And obviously incentivising the private sector to be able to bring more skills into their workforces. And then finally support for small and medium enterprises but as well as vulnerable Australians. So for those people that have suffered identity theft and those types of things, providing them with support to be able to have to work through those issues.

They are the direct areas within the budget. But I suppose indirectly the benefits that have been provided to organisations around asset write-offs and tax offsets, obviously this will try to stimulate the economy in the private sector to be able to go for growth and be able to embark on their digital transformations. But as part of that as well it's an opportunity for organisations to bolster their cyber security by investing in those cyber technologies and be able to use some of those incentives to be able to strengthen their own defences.

Peter Van Onselen: Nicola give us a bit of a sense of how important you think it is to have those protections both for public and private organisations in the era that we're in?

Nicola Nicol: Yeah. So we’ve seen such an uplift even in cyber security attacks and issues during the pandemic. So the attackers are actually leveraging the fact that within this situation they're reaching out to both vulnerable organisations and vulnerable individuals to be able to try and take advantage of the situation we're in right now. So I think even more important at this point is that the country is able to increase and improve our defenses.

One thing I think is important in that context is that this is no longer a technology issue. Cyber security is really a business enterprise and organisational risk and we've really got to start thinking about it in that context. It can't be solved by technology alone. We've got to make sure we've got the right business processes. And we've got the right skills and training for people to be able to really strengthen our defenses at this critical time

Peter Van Onselen: And Mike we’ll bring this back to what's in the budget specifically as well as PwC clients what they need to really think about here in a moment. But it's interesting to me because I look at the impact of COVID and the suddenness of the shift in workplace cultures and the readiness and the immediacy of people working from home. How ready was business and indeed the government for doing that in the context of cyber threats?

Mike Cerny: Look I think everybody's disaster recovery plans and business continuity plans were all tested during COVID-19. And it's interesting to see that there was mixed results. But the one thing is that while some organisations maybe struggled over the first couple of weeks to a month I think a lot actually found their feet to be able to stabilise and be able to at least be productive in the workforce.

The area I suppose that there was struggle and I think there still is is just adapting to the new world from a cyber security perspective. I mean we saw over that period some of Australia's largest attacks on organisations and particularly we saw an uptick in certain things like ransomware which is really trying to look at well what are the vulnerable areas within organisations and how do attackers disrupt those avenues to then be able to cause the greatest harm.

And really when everybody's working offsite and remote going after those types of devices and making it very difficult for the workforce to actually operate and perform their activities, it has been a real focus for attackers and we're really seeing organisations having to change the way that they adapt and work through these new times.

Peter Van Onselen: And Mike again just quickly from my perspective from somebody who is not a cyber security expert the rhetoric coming from the politicians at least outwardly it seems like they really get it. They recognise that there's a threat here and they want to be seen to be strong in response to it. Does the rhetoric match the reality in your view?

Mike Cerny: I think it does. And look, the Prime Minister's announcement a few months ago I think was a very timely one particularly in the middle of a pandemic made it extra important and the fact that there were so many other things that he could have been focused on at that point in time. But then to come out and actually say cyber security is a real problem for Australia, really I think, just shows the importance that the government is placing on this space.

Nicola Nicol: And can I just jump in Peter and add to that that you know I hear a lot of clients ask, is it enough? And I think the reality is it's never enough. You know the bad guys out there are spending a lot of money on increasingly sophisticated attacks but I'm not sure that is it enough is really the right question.

It's about increased collaboration. So thinking about how we increase public and private partnership. How we make sure we're constructing a secure workforce for the future and actually really focusing on protecting the most critical services that we have in the country. You know I think that's where we've really seen some focus from the government this time round.

Peter Van Onselen: Nicola let me stay with you now as we get a bit more granular on the budget. PwC clients are both public and private. What was there in this space of cyber and digital trust that is your area of expertise in the budget for those clients?

Nicola Nicol: So two things I would call out. One, and Mike has mentioned this briefly,  is the opportunity for capital investment and technology. So I think one thing our clients should be thinking about is how to maximise that. You know a lot of what we do in the security space is still about making sure we’ve got secure technology and new security solutions because the volume of data and this space is overwhelming.

So to be able to actually have innovative solutions and innovative tech that helps you get through that volume of data is really important. But on the flip side we also need to make sure we combine our technology with our people, right, and optimise that combination. What we have seen this investment here from the government in upskilling workforces and that’s a really core part of us being able to continue to strengthen our cyber defenses.

So whether that's the new younger people coming into the workforce and being trained in cyber and if I think about the acknowledgement the Government's made on the fact that women have actually been significantly impacted in the workplace during the pandemic and they are investing $240 million in training and education to support women and entering into science, tech, engineering and maths roles. Again that's something that our clients come to leverage as they then strengthen both their people and their technology through this period.

Mike Cerny: Just adding to that Nicola, there's some really good points around the workforce piece. It's estimated that roughly 17,000 people are going to be needed in this space by 2026. And so Nicola’s comment there around upskilling the workforce is really important. What we're actually seeing as well is due to the effects of COVID-19 and the high rate of unemployment, there's a real opportunity to cross skill. And really having a look at your own workforce that you've got at the moment and actually going well where are the skills that we can move people across to cover those gaps within cyber security.

And really we're seeing a Hunger Games type environment at the moment within Australia. With the lack of people coming into the country obviously with the borders being closed means that there is a limited supply of highly skilled talent within Australia. So there's this piece around really focusing on the people, our people and upskilling them is going to be really important and it's great to say that the budget has elements in there like the Cyber Skills Partnership Innovation Fund and other elements like that to try to support that growth.

Peter Van Onselen: It seems you’re both pretty happy with both the government's attention and what's in the budget for clients in particular. Nicola if, not look to be glass half empty here, but if you're looking for things that aren't there or that you perhaps even non-critically might like to see there next time when the May budget rolls around. What are the next steps?

Nicola Nicol: So I think the next steps are really actually seeing through some of these things and really implementing them well. So whilst I think if we look at even the journey from the cyber security strategy 2016 through to this one in 2020 and the budget funding and announcements that have come with that. Really what I'd like to see is making sure we implement those new solutions well.

So whether that's really following through on training and education and upskilling the workforce through to making sure that we're investing in new business and actually really supporting and expanding out to covering and supporting our small and medium enterprises.

You know a lot of work in cybersecurity historically has been with bigger organisations, larger organisations who have probably got more funding and more capability to protect themselves. So what I'd really like to see is that continued focus on supporting the whole of Australia's ecosystem, right, and making sure the security fabric of the country through all levels, large scale business, small medium enterprise and individuals in the community, that we really see that through.

Mike Cerny: Couldn’t agree more with what Nicola said. And my only comment is just more money. I mean it's good to see the areas that they're spending. I can't agree more with the areas but in terms of the amount I'd like to see a bit more money spent on skills. The bulk is going on bolstering the government's defenses but I think there's more that can be done in relation to incentivising the private sector to really push into that space.

And the other piece is a greater emphasis on STEM and on universities and in schooling to be able to show the way that this is a great career. It's future proof. It's going to position Australia very well into the future as the world becomes more and more digitally integrated. And that's a space that I would like to see that over the coming budgets that there's an opportunity to potentially increase that and really promote that further.

Peter Van Onselen: Nicola Nicol and Mike Cerny cyber and digital trust partners at PwC Thanks so much for your insights.

Mike Cerny: Thank you.

Nicola Nicol: Thank you.

Thank you for listening to the PwC 2020 Federal Budget Podcast.

We hope you enjoyed our commentary. For additional in-depth analysis head over to pwc.com.au/federalbudget where you will find articles and information about the 2020 Federal Budget and what it means for the economy, our society and you.

This PwC 2020 Federal Budget Podcasts brings together together experts to explore what the budget means for you and your business. Don't miss an episode. Make sure you subscribe to this podcast via Apple podcasts Spotify or your favorite platform while you're there. Feel free to leave a writing or a review. Thank you for listening. Goodbye for now.