19 April 2022

Is your data centre ready for the critical infrastructure changes? 3 questions you must ask now

By George Dionisopoulos, Head of Security

Australia’s Federal Government is making important legislative changes to enhance the security and resilience of the nation’s critical infrastructure, amidst heightened cyber security threats and fear of disruption to essential businesses and services.

These changes are going to have significant commercial and operational implications for many Australian businesses, particularly those who house their digital infrastructure in a data centre environment. It will become much harder to win government work if you can’t demonstrate you meet and understand the new requirements - and eventually, we expect other enterprises to follow the government’s lead.

Additionally, those who are responsible for managing the infrastructure (including data centres) will soon need to demonstrate they are taking a best practice, ‘all hazards’ approach to integrated security management.

Read more: Australia’s critical infrastructure laws are changing: This is what it means for your digital infrastructure

We suggest asking your data centre partner these three questions now, to ensure they are ready for the upcoming changes - which will minimise any impacts on your own business.

1. What is your understanding of the legislation and your obligations under the proposed changes? Have you identified the changes you need to make to get up to speed?

We published a quick summary of the key changes in our recent blog, but the overall picture is more detailed than that.

Of course your data centre partner should be able to talk confidently about the scope and timeline of what’s happening. But more importantly, do they have a clear grasp of where they might be lacking under the new regime - and have they been making or planning any changes to get up to speed?

That work needs to happen now, and if it isn’t already underway, there is going to be a mad, last-minute scramble to meet the new obligations. Or worse still, some elements will be overlooked and organisations will be risking non-compliance.

2. What is your experience in engaging and working with government, regulators and communication bodies?

A key focus of the new legislation is developing what’s described as a ‘team effort’ between government and industry in the ongoing efforts to keep our critical infrastructure safe and secure.

This means your data centre partner should have staff dedicated to engagement with government departments, agencies, regulators and other key bodies, as part of a program that is built into the security portfolio. Ask to see the details of this program.

Read more: NEXTDC’s Integrated Security Guide - building a universal security posture

3. How mature is your security risk program?

Once the new Risk Management Program Rules arrive later this year see our previous blog for more on that, it’s going to be critical that your data centre partner’s internal security risk program is completely aligned with these rules - or else you’ll be scrambling to meet your own obligations.

You can get a sense of the maturity of a partner’s own security risk program by looking for the following:

  • Does the program have buy-in across the business, particularly at the executive and Board level? Who signed off on it?

  • This should give a good indication of whether security risk is ‘baked into’ the organisational culture, or if it’s more of a ‘tick a box’ exercise.

  • Do they have ISO 31000 certification? This is the most stringent, universally recognised international standard for risk management and is the most difficult to achieve.

  • What does the high-level, enterprise-wide risk register look like? Does it have more detailed pillars underneath it that support the high-level aims?

  • Have critical infrastructure assets, including data centres, been clearly identified in the risk matrix? This is a requirement under the proposed legislation.

  • What are the interdependencies across the risk portfolio?

  • Does the program identify not only mitigations, but also areas where risk can be tolerated and accepted when balanced against the benefits?

This is a particularly strong indication of a mature security risk agenda. Not all risk can be mitigated out of existence - sometimes the costs to mitigate or avoid a particular risk are too great to justify given the likelihood of it occurring, or the likely nature of its impact.

Reach out to NEXTDC to find out more about how Australia’s critical infrastructure laws are changing, and how we can help you manage the security and risk implications for your business.