The government pledged to invest $1.67bn over the next 10 years © Thomas Trutschel/Photothek via Getty Images

Government should use buying power to improve cybersecurity

posted by Charlie Hart
24 August 2020

Australian governments are failing to maximise ICT procurement spend to drive improved cybersecurity and more secure supply chains, according to a report. 

The report, by the Australian Strategic Policy Institute (ASPI), said government efforts to improve cybersecurity were “hampered by a fragmented approach, differing standards and regulations, and procurement approaches that don’t facilitate value being attached to innovative security approaches and sovereign capability”.

Earlier this month, the Australian federal government unveiled its Cyber Security Strategy 2020, in which it pledged to invest $1.67bn over the next 10 years to protect businesses and vital infrastructure. However, ASPI warned the investment would not be enough on its own.

Federal government spend on ICT has grown significantly, from $5.9bn in 2012-13 to almost £10bn in 2018. State and local governments also spend a lot on technology, with the New South Wales government IT budget reaching $3bn a year. 

The report warned supplier security failures had the potential to generate “major systemic cyber and operational risks”. 

“Government can harness its spending power to not only improve its own cybersecurity, but to drive better cybersecurity throughout the wider economy. However, current approaches are fragmented and having limited impact, so a concerted national effort is needed, underpinned by major strategic changes in approach,” it said. 

The report recommended federal, state and territory governments should establish a single coherent set of security standards expected from suppliers. 

“The standards need to be more than just a tick-the-box exercise to set a minimum standard – they should provide multiple levels through which suppliers can seek to progress by continuous improvement.”

ASPI argued that if the government set out the security standards it expected from its suppliers, it may help to lift standards across the board.

“Companies will be incentivised to lift their standards in order to qualify to do business with the government, and it will often be easier for them to apply those standards across their whole enterprises rather than just for their government contracts,” it said. 

It added procurement frameworks must provide “commercial incentives for suppliers to improve their security”.
