OCSC Co-Founder & CMM Lead Advocate
Formation of the Constellation Partnership
Why was the Cybersecurity Capacity Maturity Model for Nations (CMM) brought into Victoria?
Predominately we need to acknowledge The Hon. Philip Dalidakis MLC, former Victorian Minister for Innovation, who attended a UK Foreign Office’s International Leadership Programme in March 2015. Philip met with Professor Sadie Creese the Founding Director of the Global Cyber Security Capacity Centre (GCSCC) and Professor Michael Goldsmith the current Director of GCSCC given his previous professional involvement in cyber security.
Philip was impressed with the work that the GCSCC has completed through maturity reviews in the Asian region and believed that there was strategic intent for the CMM model to be deployed further afield in the Pacific and be done by a locally based partner. This was consistent with the Commonwealth Cyber Declaration which required Commonwealth nations to review their cyber maturity through a CMM model.
The vision was for Melbourne to leverage its existing cyber research capacity and to use its geographic advantage to deliver the CMM in the Pacific. Discussions began during Philip’s first visit to the United Kingdom as a Minister in September 2015 which set the foundation for negotiations to develop what we now know as the OCSC.
Whilst the GCSCC was keen to look at a regional opportunity over a 2-year horizon, due to Philip’s support and the commitment of the Victorian Government, I was tasked to deliver an outcome in 6-months. With the assistance of the Victorian Trade and Investment Office in London, intensive negotiations commenced shortly after the Ministerial visit and by mid-2016, the Victorian Government, the GCSCC, the newly formed Data61 and 8 Victorian universities had agreed to a model which would become the OCSC. In addition to delivering the CMM, the parties agreed that they would use the Centre to coordinate their cybersecurity research expertise and skills to better inform and support the cyber security maturity development and the deployment of the other projects.
One of the first initiatives was for the newly-hired OCSC CMM project team to be trained at the GCSCC and subsequently participating in a mission to Northern Macedonia with the GCSCC and the World Bank. The first Pacific CMM mission under the new model was Samoa in April 2018.
What was your vision back in 2016?
Cybersecurity was becoming more topical in 2016 and local industry was in need of better understanding of their obligations, the technology and its implications. Digital data and information management was commonplace, yet surprisingly few businesses had any understanding of cybersecurity. This was a policy concern shared by Philip Dalidakis and the Victorian Government and the OCSC was established as, at the time, a national leader in cyber security research. This pre-dated the first Australian Cyber Security Strategy so you can say we were ahead of the curve somewhat.
There was no widespread adoption of maturity models and policy was at a very early stage of development. The vision was to establish a centre which could deliver these three streams of work:
- to deliver CMM reviews and related research;
- to use the lessons learnt from CMM reviews and research to drive better policy outcomes; and
- to work with industry on their specific challenges.
Universities have always possessed significant talent for such purposes but connecting the three streams required a different approach to get the best out of our researchers and to drive better impact.
The goal was to have a Centre which was responsive to issues and could use the talent and research strengths available to deliver real world solutions and to work with governments to review national cybersecurity capacity, providing an evidence-based baseline and pathway to build capacity and strengthen resilience.
In a cyber context, what were and are your driving factors in building a better world for all?
To find and develop a balance in cybersecurity. There is an ongoing challenge to find a happy medium between privacy, security, information management, technology utility and public and business responsibility.
Governments need better information to improve their policy development. Businesses need better technology and skills to more effectively protect and manage their data. The public have to understand their responsibilities and the opportunities and risks in a digital world, so that they can transact and communicate safely. As Philip Dalidakis noted at the time, “Security is everyone’s business and the need for greater collaboration was hugely important. Criminals, espionage etc don’t respect borders so we needed to create cross border relationships that were meaningful and provided opportunities for academics, professionals, governments to all work together”.
Bringing Oxford’s CMM to Melbourne and the region was a critical step in demonstrating we were doing the right thing.
The intersection between these aspects is often not clear, and with research, education, assessment and evidence-based solutions, the gap between digital safety and cyber-vulnerability can continue to be narrowed and provide responsive solutions by connecting government, industry, academia and the public.
It will be organisations like the OCSC and its Constellation partners GCSCC and C3SA that will continue to address these challenges and provide a safer and more secure digital environment for our global citizens.