By Dr Jordan Plotnek and Craig Petrie CSC from Anchoram Consulting
The atmosphere has been a bit glum after the recent series of Commonwealth budget cuts to the commercial space sector. However, it does not spell the end of space innovation in Australia – not by any means.
At Anchoram Consulting we have noticed a trend with our clients and in the general space market toward Defence collaboration. This makes sense given the awarding of the JP9102 Defence Satellite Communications project, which represents Australia’s biggest-ever space contract at an estimated $4B and will require numerous subcontracting companies to assist with delivery. It also makes sense in the current political climate, where military investment and expenditure are increasing both in Australia and globally. With the rise in geopolitical instability comes an increased need for a highly competent and resilient sovereign Defence industry to support Australia’s national security interests.
How then do you prepare your business to take advantage of Defence opportunities and support our nation’s security?
The answer lies in the Defence Industry Security Program (DISP), membership of which is a prerequisite for working with Defence and handling sensitive and classified information. Being able to compete directly for Defence contracts or partner with larger prime contractors is the primary benefit of DISP. However, DISP membership also shows that you have met security benchmarks and so demonstrates that you are a trusted partner for other commercial ventures and prospective customers. Your security risk will be better managed, and you will be less likely to suffer the financial and reputational damage of data loss or a security breach in your organisation.
DISP requires organisations to demonstrate that their level of security is adequate for commencing a relationship with Defence. The program has several tiers to support entry-level organisations all the way through to those needing access to Top Secret data as part of their support to Defence programs. It is also important to note that once your entity is part of the Defence supply chain it will become of greater interest to a wider range of threat actors with significant capability. This is why Defence has established DISP: to help organisations defend themselves as they enter a higher-risk industry.
The DISP adopts an integrated whole-of-security approach. This includes the four security pillars of Policy and Governance, Personnel Security, Physical Security, and Information / Cyber Security. The various levels of DISP membership are determined by the classification of information that a provider needs to access. Suppliers that are removed from end-state design and delivery may not need access to classified information and therefore may only need a lower level of DISP membership, whereas organisations entrusted with managing operational supporting services or final products may require higher levels of security assurance and thus a higher level of DISP membership.
As you might imagine, it takes time and effort to determine what DISP level your company should obtain, assess your current security status, and identify and design any missing security controls. Then there is the actual work necessary to implement the risk treatments, such as hardened facilities and IT systems, personnel security clearances, and policies and procedures that tie everything into an effectively integrated security framework.
All in all, the DISP process requires competence and leadership and should not simply be assigned to the least busy or most junior member of your team. If your organisation is planning to work with Defence, it is important to plan ahead, appoint a Chief Security Officer (CSO) and Security Officer (SO) to lead and execute the process, support them, and if necessary, seek external assistance. Finally, once DISP membership is granted, the framework and its constituent parts must be maintained to ensure a good return on security investment (ROSI) and to prepare for Defence Industry Security Office (DISO) audits.
An investment to treat security risk is, like insurance, an investment against potential damage to your business, partners, and clients. Reach out to one of our Anchoram consultants if you need assistance in this area.