The third and final phase, or “horizon” of the Australian Cyber Security Strategy for 2023–2030, will represent the cumulation of work done up to that point, and is set to take place in the years 2029-2030. This phase is more globally focused and aims to leverage the capabilities that Australia builds through phases one and two to become true global leaders in cybersecurity.
This is the most visionary and ambitious of the three phases, and with the timeline being so far extended, there are few concrete details of what form this will take. However, because phases one and two are so focused on the foundations and adaptability of Australian resilience, the transformative stage in phase three should naturally flow on from the work already done.
This is also the phase where there will be direct economic value generated from the overall strategy, as the country will lead the development of emerging cyber technologies capable of adapting to new risks and opportunities across the cyber landscape.
What can organisations do to start preparing now?
Ensuring that the organisation is aligned with the strategy and objectives of phases one and two will be critical in being able to fully embrace what will occur in phase three. Beyond that, organisations can start to do the groundwork for what is likely to happen once 2029 rolls around:
Firstly, organisations should focus on building the capabilities they need to lead the development of emerging cyber technologies. This involves investing in research and development, fostering innovation, and staying abreast of the latest technological advancements in the field. Organisations should also consider partnering with academic institutions, industry experts, and government agencies now, as these bodies will be at the forefront of innovation in this space.
Secondly, building a robust risk management framework that can identify, assess, and mitigate cyber risks will be key. Organisations should start leveraging threat intelligence and predictive analytics to anticipate and respond to emerging threats now to develop those advanced capabilities and skills in these areas in the years ahead.
In general, organisations should look at what they need to do to develop leadership in cyber security and move to address the gaps that stop them from doing so. In many cases, these gaps will be skills-related right now, but rather than simply hiring more skills, there is a more nuanced way to bring expertise into the organisation. Actively participating in the industry now will pay dividends, so contributing to industry discussions, sharing best practices, and influencing policy development are all important steps for organisations to take. Organisations can also demonstrate their leadership by achieving and maintaining industry-recognised cybersecurity certifications.
Furthermore, organisations should actively look to participate in the cyber security ecosystem. This includes collaborating with other organisations, participating in industry forums, and contributing to the development of cybersecurity standards.
In short, while the specifics of phase three have yet to be determined, the assumption is that it will build on what is done between now and 2029. The deeper the preparedness and foundation now, the more agile and adaptable the organisation will be to lead the discussion then.