Industry Responds to Protective Security Policy Framework Directive


The cybersecurity industry has responded to the Australian Government’s Protective Security Policy Framework (PSPF) Direction 002-2024, issued on July 8, 2024. The directive requires Australian Government entities to identify and actively manage the risks associated with vulnerable technologies they manage for themselves and others.

“We applaud this great initiative from the Department of Home Affairs to mandate Australian Government entities to identify and actively manage the risks associated with vulnerable technologies,” said Ashwin Ram, Cyber Security Evangelist at Check Point Software Technologies. “As we’ve seen time and time again, internet-facing vulnerable assets are easy pickings for threat actors as an entry point into any organisation, not just our critical infrastructure. Any government policy changes directing security practitioners to mature their organisations’ cyber risk management capabilities are a step in the right direction. To ensure Australian Government entities proactively reduce the risk of vulnerable assets, the PSPF could go a step further and suggest that Australian Government entities be cautious when procuring assets from manufacturers, suppliers, and providers that continually produce vulnerable technology assets.”

Wayne Phillips, Asia Pacific and Japan Field CTO at SentinelOne, said the spate of recent breaches caused by third-party service providers and unpatched internet-facing services had caught the attention of the Department of Home Affairs. “The Department is taking proactive steps to strengthen the underlying fabric of the Australian Government’s security practices,” he said. “It is hardening its stance on the risks associated with internet-facing cloud services to ensure proactive measures are taken to remediate risks associated with assets most likely to be targeted by attacks. The need for secure sovereign cloud services with robust systems that identify cybersecurity vulnerabilities across the whole of government has never been greater.”

Pieter Danhieux, Co-Founder and CEO at Secure Code Warrior, said the PSPF Direction 002-2024 could potentially shape a wider movement towards stronger security programs nationwide. “While this mandate is specifically designed to harden current technology safety processes within the government, this represents an opportunity for them to lead by example on cybersecurity non-negotiables as they relate to connected technology assets.” he said. “It’s certainly my hope that these directives catch on at the enterprise level. Ultimately, a mandate is one thing, but working towards the resources to respond successfully is another, and this is where we need to dig in and try a different approach, or risk yet another well-intentioned plan that is ultimately toothless.”

Anthony Daniel, ANZ Regional Director at WatchGuard Technologies, said the measures strengthen the overall security posture of government networks and protect sensitive information. However, to further enhance the security and risk management of technology assets, he suggests Australian Government entities should consider the following additional steps:

  • Implementing ongoing training for staff to stay updated on security practices and recognise potential cyber threats;
  • Conducting regular third-party security audits and assessments to identify and mitigate risks that internal reviews may miss;
  • Regularly reviewing and update security policies and procedures to adapt to the evolving cyber threat landscape; and
  • Continuously investing in and update security technologies such as encryption, multi-factor authentication, and secure access controls.