James Turner

James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor; researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences. 

Read latest work...

Connect with James

Have a specific question James Turner?

Email

Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.
The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.


Read more


Related Articles:

"Can IBRS assist on how to report on IT security metrics to business executives? " IBRS, 2018-05-13 23:32:09

"IT management leadership role in risk management" IBRS, 2018-05-04 18:43:08

"Use the NIST cyber­security framework to drive for visibility" IBRS, 2018-06-01 04:19:32

The timing couldn't have been worse for PageUp; two days before Europe's new data protection regime came into force the Melbourne-based online recruitment specialist's security systems detected suspicious activity.

By May 28 – three days after the General Data Protection Regulation went live – PageUp knew client data may have been compromised and that it had 72 hours to alert the British Information Commissioner's Office, due to the UK's incredibly stringent laws on breach disclosure.

It has also liaised with the Office of the Australian Information Commissioner as required under the mandatory data breach notification rules, which came into force in February.

On June 1 it alerted its customers; on June 5 it confirmed the breach publicly.

Read More

In terms of cyber security years, Australia is still in the dark ages, a period typified by a lack of records, and diminished understanding and learning.

We're only a few months into practising mandatory data breach notification, while many parts of the world have been doing this for years. The United States has been disclosing breaches for more than a decade.

Countries where data breach notification is the norm are still maturing, and there is no upper limit for our understanding on managing cyber risk. But you can see that by the steps other parts of the world are taking that they do see security incidents very differently to Australia.

This month, at the annual gathering of the Society for Corporate Governance in the United States, Commissioner Robert Jackson Jr. from the Securities and Exchange Commission (SEC) said investors are not being given enough information about cyber security incidents to make informed decisions.

Read More

Cyber security and risk advisor at analyst firm IBRS, James Turner, said the cyber skills shortage was prompting a wider rethink around the domain in terms of resourcing for the last few years.

“It’s partly about talent scarcity but it’s also about bringing fresh eyes. It shows up in the diversity of thinking around cyber issues,” Turner said.

“Diversity is incredibly valuable, it counters groupthink. You want that in your security team, and definitely in any good red team.”

Turner said human history was “littered with disasters that stemmed from a group of people all thinking the same way and not contemplating that there could be other views.”

“I’ve seen people from not just analytics backgrounds but also as broad as history, languages and music go into cyber security and be highly effective.” 

Full Story

 

PageUp People, a successful Australian Software-as-a-Service vendor, has been the victim of a crime, with a data breach that could be extremely damaging for its prospects. There are two lessons for the industry that are worth drawing particular attention to.

The first lesson is that we need the victim to survive. Once PageUp is safely through this incident, one of the most valuable things its executives can do for the industry is to share their experiences and the lessons learnt.

Sharing this information is important because, as one security executive from an ASX50 company said to me, it could have been any of us. And, it is only through sharing these experiences and the lessons from these crimes that we, as an industry, can improve.

Despite years of security incidents and data breaches worldwide, many Australian executives think their organisations are magically immune. It's far too easy to underestimate the potential impact, the flow-on consequences, and the personal cost for people involved or affected.

 
 

Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework, but also a guide when working through the framework will make application of the framework much more valuable. Aiming for visibility will enable an organisation to accurately gauge itself against each function, category and subcategory. Visibility will enable an organisation to honestly assert current capability, and the gap to a more desirous level of capability. Achieving visibility will require ongoing collaboration with business stakeholders which, in turn, delivers visibility to these same stakeholders and ultimately enables informed decision making.


Read more


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.


Read more


Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers.

Rather there are three new regulatory forces impacting specific points of the cyber security posture of the Australian economy, where relevant businesses will face all kinds of trouble if they fail to keep up to speed.

These external obligations are the Notifiable Data Breach (NDB) scheme, the Security of Critical Infrastructure Bill, and APRA's draft of Prudential Standard CPS 234.

There are lessons to be learned from all three of these external obligations. At a simplified level, the NDB scheme addresses the security of people's data; the Security of Critical Infrastructure Bill addresses the technology that supports our lives, and CPS 234 addresses the processes and governance that protect our wealth.


Full Story:

Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and organisations should look at all three for insight into what is now expected to constitute reasonable and appropriate practice in cyber risk management. In turn, they address the importance of data value to customer trust, the importance of system control and supply chains to national security, and the importance of resilience to our economy.


Read more


More than 60 data breaches have been reported in the first six weeks of the country's new Notifiable Data Breach (NDB) scheme, with healthcare providers making up almost a quarter of the mandatory notifications.

Of the 63 notifications revealed in the first report by the Office of the Australian Information Commissioner since the laws came into effect on February 22, legal, accounting and management services businesses made up 16 per cent, while finance institutions composed 13 per cent.

IBRS cyber security advisor James Turner said many companies in the healthcare sector still did not realise the gravity of the responsibility on their shoulders in terms of keeping people's data safe.

"I've been talking to healthcare providers around the traps and I'm stunned by the lack of awareness of the NDB scheme. I'm hoping the industry bodies and royal colleges are doing something to raise awareness," he said.

Full Story



 

Conclusion: UpGuard, Nuix and WithYouWithMe each have a proven capability to address an important aspect of the cyber defences of Australian organisations. WithYouWithMe is about people, UpGuard is about ensuring process is adhered to and exceptions are visible, and Nuix delivers technology which, through a data processing engine, enables organisations to make sense of large amounts of unstructured data.


Read more


Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed dramatically over the last 20 years, but the way many people view security is stuck in the 1990s.

Here in Australia, we're now under the Notifiable Breach Disclosure scheme and it's worth using this as a barometer to understand how well executives actually appreciate that they run digital companies working in a digital economy, with all the risks that come with hyper-connection and digital interdependence.

How well an organisation understands itself and its ability to work through responding to a suspected data breach is a direct reflection of how well it understands its business, as well as its dependence on technology and data. In other words, how well does the company understand and manage risk? Yeah, governance, that old chestnut.

People talk about digital transformation and disruption as though these were destinations to get to. But, digital transformation is a continual process and risk management is a necessary component. There is no finish line for transformation or risk management, there are only companies that will cease to be competitive.


Full Story

Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if it happened to us?” The business impact of NotPetya on Maersk is clear, but so too are many of the risk mitigations that should be put in place before a cyber incident – and many of these are not directly related to technology. Finally, risk management is just as much about recovering from an incident as trying to prevent one.


Read more


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.
 

Read more