IT Brief Australia - Technology news for CIOs & IT decision-makers

Exclusive: Australian businesses urged to help shape new data security framework

Yesterday

The Australian Cyber Collaboration Centre (Aus3C), in partnership with CSIRO's Data61 and the Australian Department of Home Affairs, has issued a nationwide call for businesses to participate in shaping the Voluntary Data Classification Framework (VDCF).

The initiative forms a key part of the 2023-2030 Australian Cyber Security Strategy and aims to provide a unified, standardised approach to assessing and mitigating data risk.

The VDCF is being developed to assist businesses of all sizes and across all industries in classifying data more effectively, allowing them to identify and manage data security risks with greater confidence. Businesses are invited to contribute through a series of industry workshops, scheduled for late February, or via an online survey.

In a recent interview, Tyler Key, Program Lead at Aus3C, stressed the importance of collaboration in the framework's development.

"Industries often struggle with effectively identifying and assessing the value and sensitivity of their data, which varies significantly across sectors," he said. "This lack of a consistent framework leads to challenges in communicating data risk internally and with external partners and prevents them from implementing appropriate security measures, ultimately increasing enterprise risk."

Addressing industry-wide challenges

The VDCF is expected to be launched by late 2025 and will address long-standing issues businesses face in data classification.

Many industries operate under different standards and frameworks, making it difficult to ensure a common approach to data security. By providing a universal classification framework, the VDCF seeks to enhance Australia's cyber resilience and support organisations in protecting customer, employee, and business data.

Key explained that the collaboration between Aus3C, CSIRO's Data61, and the government strengthens the framework's development. "We are working across multiple sectors, from small businesses and the non-profit sector to large enterprises with greater access to resources," he said. "The framework needs to meet the needs of industry. Otherwise, it hasn't met its purpose, right?"

The workshops and survey will allow businesses to voice concerns, highlight challenges, and suggest improvements, ensuring that the framework is practical and widely adopted. "We need to make sure all organisations have the opportunity and access to better secure their data. We can only do that if they share their voice," Key added.

A tailored approach for different industries

Data security needs vary significantly between industries, from banking and finance to retail and healthcare. The VDCF aims to be flexible enough to accommodate these differences while providing a consistent structure. Key highlighted the importance of industry input to shape the framework effectively. "If you think about the banking industry, it is very different to, say, the retail industry," he said. "By incorporating different perspectives, we hope the framework will be practical, effective, and widely accepted—created by industry, with industry."

One of the VDCF's key goals is to align existing frameworks and guidelines, rather than replace them. Key noted that many organisations currently operate under multiple security standards. "In our work so far, we've identified that organisations may use one or up to parts of 10 different frameworks or guidelines," he said. "For a smaller business trying to improve its security, the first response is often, 'Where do we even start?'"

By streamlining communication between different security standards, the VDCF aims to make compliance easier and improve overall data security governance. "You might have organisations working with government already implementing the Protective Security Policy Framework, or those in industry following ISO 27001 standards," Key explained.

"One of the goals is to ensure that all these different frameworks across industries can speak to each other."

The framework will also make it easier for businesses to collaborate securely across industries. "You might want to work with a supplier or vendor from another industry using a completely different framework," Key said. "Thanks to the VDCF, you'll more quickly recognise that you can work together because you treat your data similarly. You'll know that your data isn't in risky hands."

How businesses can get involved

With the consultation process entering its final stages, businesses are encouraged to take part in upcoming workshops or submit feedback online. Workshops will take place in Sydney on Tuesday 18 February, Brisbane on Wednesday 19 February, and Melbourne on Wednesday 26 February. For those unable to attend, an online survey is available for businesses to provide their insights.

Key emphasised the significance of business participation in shaping the framework. "This is the last chance to get involved in the industry consultation," he said. "Workshops are taking place this month, but if people can't attend, we'd love them to complete the survey online."

The workshops will be interactive, allowing participants to share their experiences with data security, discuss their existing frameworks, and provide recommendations.

"All information provided is confidential and anonymised," Key assured. "It's really about understanding how organisations work with and treat data so that the framework is both comprehensive and adaptable."

Why industry input matters

Without meaningful industry engagement, the framework risks being ineffective or underutilised. Key warned that failing to gather input from businesses could lead to a framework that does not meet their needs. "We essentially would be creating an industry framework that industry may or may not actually utilise," he said. "This is really designed for industry, and we need that kind of input from industry for it to work for them."

With Australia facing growing cyber threats, the development of a national data classification framework is more critical than ever. Businesses of all sizes are encouraged to have their say in shaping a framework that will play a key role in strengthening Australia's cyber security landscape.

Key summed up the initiative's importance: "By contributing, businesses are not just shaping the framework—they are also strengthening the National Cyber Security Strategy."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X