The case for vendors in public-private advisory committees


By Rob Van Es, Vice President of Illumio APAC

It’s a sign of strong governance when you see public departments reaching out to the private sector for its input. In Australia, the main vehicle for this is advisory committees, including the Department of Home Affairs’ Industry Advisory Committee on cyber security. Announced this year, this committee features an impressive list of senior cybersecurity professionals from nationally important enterprises.

There’s just one thing missing – representation from the security vendors themselves. There’s a case to be made here that this is an oversight, but first let’s address the main objections to vendors speaking directly to the government.

Of course, there is the potential conflict of interest. Any cynical infosec professional (or journalist) will be quick to point out that a security vendor’s interest is to spruik its own products, not necessarily to solve problems in the most efficient manner. Further to this, other vendors left out of advisory committees might also cry foul – especially if a vendor wins a contentious tender whilst also holding a seat on an advisory committee.

These are strong reasons why committees are often shaped the way they are (without vendor involvement), but there are a few equally important points in the vendor’s favour.

First, it’s often private vendors who are solving these problems to begin with. At Illumio, we’ve seen an enormous increase in ransomware attacks across a wide range of industries since the global pandemic began. As a result, we expedited the development of our endpoint micro-segmentation technology, Illumio Edge, a solution specifically designed to stop malware spreading from one endpoint to the next. Whilst no two vendors will have the same solution to each problem, discussing with the vendor community their own approaches and experiences in working with private businesses on these problems will give the government something invaluable: a working perspective on how efficiently the private sector can tackle such problems on its own, and where more resources might be needed to fill the gaps.

On a related note, vendors also have a unique perspective on the relative strengths and weaknesses of important state assets and private institutions. Let’s take a purely hypothetical example – compliance with regulatory regimes such as the EU’s GDPR or, more locally, APRA’s prudential standard CPS 234. These are areas where private organisations actually have their own conflict of interest when sitting on these special advisory boards. It’s the vendors who are ushered in and told ‘how it really is’ that will have a keen understanding of how the private sector is coping with ever-increasing regulatory burdens.

Finally, there’s the big picture. Cybersecurity is a profession that sees constant innovation and disruption. Vendors often have a way of viewing the world which informs their products and ultimately ends up shaping the status quo. When it comes to state assets, being ahead of the curve is vital.

Today, the old paradigm of hardening the perimeter and patching every system against outside threats is being beaten by savvy attackers who, once inside, move laterally through the network and bypass those perimeter defences entirely. In response, vendors and private organisations are turning towards Zero Trust security models. They have begun accepting that breaches will happen and that a patch won’t always be available when it’s needed, and are focusing their efforts on a default-deny approach in which every connection is blocked unless it has been explicitly authorised. Zero Trust does not remove the need to patch; it limits how far an attacker can get while a patch is missing or not yet applied.

Current government guidance such as the ACSC’s Essential Eight is behind the curve: it centres on controls like patching, application control and multi-factor authentication, and gives public agencies no direction on adopting Zero Trust and other important security innovations. This may change in the future, towards a model similar to the Zero Trust Architecture guidance NIST has published in the United States, but there is more to be done at present.

We need to see more from the Australian government when it comes to involving vendors in these high-level discussions. Yes, the exact format of how vendors interface with government stakeholders will need to be different and carefully managed to guard against the objections listed at the top of this article. What we shouldn’t do is discount the importance of vendor input because of these objections. That’s throwing the proverbial baby out with the bathwater.