James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.

Ignoring the use of personally owned portable electronic devices on the corporate network is a trap IT departments must avoid, a study shows.

Users of personally owned PEDs are increasingly expecting full functionality and interaction with corporate resources, according to analyst IBRS.

A briefing paper, titled Portable electronic devices (PEDs): a frog close to the boil, warns that Apple's iPhone and Google's Android will exacerbate the situation in the short term. It says IT managers must focus their response to PEDs on the corporate network or face a gradual but substantial drain on IT resources.

Conclusion: Personally owned Portable Electronic Devices (PEDs) are being introduced into the corporate network, and users are increasingly expecting full functionality and interaction with corporate resources. Apple's iPhone and Google's Android will exacerbate the situation in the short term. Looking at the problem from the perspective of the PED trilemma (ubiquity, multiformity and capability) presents an opportunity for IT departments to work on a strategy for control. Just as with the fire triangle (heat, fuel, oxygen), if you can control one aspect, the situation becomes manageable. IT managers must use the three aspects of the PED trilemma to focus their response to PEDs on the corporate network, or face a gradual though significant drain on IT resources.

At AusCERT 2007, a software programmer from Australia's Defence Signals Directorate delivered a fascinating presentation on a simple strategy they had developed to help manage the influx of malware, browser exploits and malicious web content. The strategy was designed around risk transference through personal accountability, rather than threat mitigation.

Conclusion: Both black lists and white lists are effective security measures, but the two approaches are opposites and therefore have different issues and applications. If only a few items need to be forbidden, a black list is adequate. But if only a few items need to be permitted, a white list is the efficient way to enforce policy. The difference that matters in practice is how each treats an item nobody has seen before: a black list lets it through, a white list blocks it.

When used in conjunction with business policy and procedures for acceptable content, white lists can be a very powerful mechanism creating a culture of individual responsibility that enables users to access necessary business information while holding individuals to account for the information they access.
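The behaviour described above, as an added example that is not part of the IBRS note or the DSD presentation: the same constructed request log is evaluated under an allow list (white list) and a deny list (black list). The domain names, the users and the audit record layout are all illustrative assumptions. The point the code makes that the prose only states is that a domain on neither list is blocked by the allow list and passed by the deny list, and that the audit trail records who was blocked, which is what makes individual accountability possible.

```python
"""Allow-list versus deny-list policy evaluation over a constructed request log.

Added example; not from the IBRS note. Hosts, users and the audit record
format are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Decision:
    user: str
    host: str
    allowed: bool
    reason: str


@dataclass
class Policy:
    mode: str                       # "allow" (white list) or "deny" (black list)
    entries: frozenset[str]         # registrable domains, lower case, no trailing dot
    audit: list[Decision] = field(default_factory=list)

    def _listed(self, host: str) -> bool:
        # Exact match or a proper subdomain of a listed entry. Matching on the
        # label boundary ("." + entry) keeps "example.com.evil.test" from
        # being treated as part of "example.com".
        return any(host == e or host.endswith("." + e) for e in self.entries)

    def evaluate(self, user: str, host: str) -> Decision:
        host = host.lower().rstrip(".")
        listed = self._listed(host)
        if self.mode == "allow":
            # Fail closed: anything not explicitly permitted is blocked.
            allowed = listed
            reason = "on allow list" if listed else "not on allow list"
        elif self.mode == "deny":
            # Fail open: anything not explicitly forbidden gets through.
            allowed = not listed
            reason = "on deny list" if listed else "not on deny list"
        else:
            raise ValueError(f"unknown policy mode {self.mode!r}")
        decision = Decision(user, host, allowed, reason)
        self.audit.append(decision)   # every decision is attributable to a user
        return decision


# Constructed data: a handful of web requests and two short policy lists.
REQUESTS = [
    ("alice", "intranet.example.com"),   # business site, on the allow list
    ("bob", "news.example.net"),         # business site, on the allow list
    ("carol", "cdn.malware.test"),       # known bad, on the deny list
    ("dave", "fresh-phish.test"),        # brand new, on neither list
    ("erin", "example.com.evil.test"),   # lookalike of an allowed domain
]
ALLOW_LIST = frozenset({"example.com", "example.net"})
DENY_LIST = frozenset({"malware.test"})


def evaluate_all(policy: Policy, requests) -> dict[str, bool]:
    """Return host -> allowed for every request under one policy."""
    return {host: policy.evaluate(user, host).allowed for user, host in requests}


def compare() -> dict[str, dict[str, bool]]:
    """Run the same requests under both policy styles side by side."""
    return {
        "allow_list": evaluate_all(Policy("allow", ALLOW_LIST), REQUESTS),
        "deny_list": evaluate_all(Policy("deny", DENY_LIST), REQUESTS),
    }


def blocked_users(policy: Policy) -> list[str]:
    """Users the audit trail shows were blocked, in request order."""
    return [d.user for d in policy.audit if not d.allowed]


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name)
        for host, allowed in outcome.items():
            print(f"  {'ALLOW' if allowed else 'BLOCK':5}  {host}")
```

Running it shows `fresh-phish.test` blocked under the allow list and passed under the deny list, which is the whole argument for white lists when the set of legitimate destinations is small. The cost is the other row: a legitimate new site is also blocked until someone asks for it, and the audit record of who asked is the accountability mechanism the note describes.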

Conclusion: In 20-30 years' time Generation Y will be running not only IT departments (in whatever form that takes) but also other business units, and in fact entire organisations. How we engage with them, train them, empower them, and become mentors to them will sculpt their ability to make decisions. It is vital that the hard-earned knowledge of the last 50 years of IT is not lost through a lack of mentoring and succession planning by the retiring Baby Boomers. This research note looks past the immediate skills shortage and into the area of lost industry knowledge.

Conclusion: Data leakage prevention (DLP) is an information management tool, not a threat mitigation tool like anti-virus or intrusion prevention. The DLP market is still very immature, and the products are not integrated with other related technologies such as enterprise content management (ECM), enterprise rights management (ERM), and identity management systems. When the vendors who specialise in information management have integrated DLP into their existing suites, the story will be compelling. We're not there yet.

Conclusion: Rather than resist selective sourcing, IT organisations should accept that many IT tasks are either highly repetitive or commoditised, and are not unique to the organisation. These tasks do not need to be done in-house, nor by IT professionals whose value is high because they know how to deliver quality while respecting organisational idiosyncrasies. Managed Service Providers (MSPs) can be an excellent ally in augmenting internal IT resources. Once freed from routine tasks, internal IT staff can be assigned to high-value work or to implementing innovative solutions that help organisations become better at what they do.

Conclusion: Privacy is now a public issue. Consequently, many of the recommendations for the Australian Privacy Act will likely be accepted because they reflect good practice, and are in harmony with international data privacy trends. However, these amendments to the Privacy Act will introduce added complexity and expense to the management of personal data.

The danger right now is that organisations may try to dodge the cost of compliance by doing as little preparation as possible. Widespread, legally mandated, disclosures of data breaches would wreak havoc with consumer confidence in online transactions. Australian organisations, both large and small, cannot afford that loss of faith.

Conclusion: The combination of new requirements for quality control in software development and the looming skills crisis in Asia will drive multiple initiatives in the software industry. These initiatives include: vendor consolidation (particularly in platforms); a fundamental shift in the role of internal IT organisations; and an explosion of innovative and pragmatic mini-applications that are developed and owned by the business unit rather than traditional IT departments. Because these mini-apps are driven and owned by the business unit, they are more aligned to business needs than the current wave of mismatched ‘collaborative Web 2.0’ applications.

Conclusion: Securing online banking through one-time passwords delivered via SMS provides two factors of authentication, is cheaper to deploy than tokens, increases customers' sense of security, and introduces online banking customers to the idea of secure banking on their mobile phones.

However, a widely adopted, variable-cost service such as one-time passwords via SMS is not sustainable, because it is inevitable that the cost of the SMS service will exceed the cost of online fraud, which is already at very low levels. Until mobile banking and EMV smartcards become more commonplace, however, SMS authentication remains the better strategy, because it supports the product roadmap for online and mobile banking.
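The server side of the mechanism the note discusses, as an added example that is not from the IBRS note or any bank's system: a code is generated, sent out of band, bound to the specific transaction, and accepted once within a short window. The SMS gateway is replaced by an in-memory outbox, and the code length, expiry, attempt limit and payee strings are illustrative assumptions. Each `send_sms` call is the variable cost the note is talking about; the verification rules are what makes the second factor worth paying for.

```python
"""Server side of a one-time password delivered out of band (for example by SMS).

Added example; not from the IBRS note or any bank's implementation. The SMS
gateway is a constructed in-memory outbox and the policy constants are
illustrative assumptions.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6        # assumption: six digits is what fits in an SMS and a head
TTL_SECONDS = 120      # assumption: code must be used within two minutes
MAX_ATTEMPTS = 3       # assumption: lock the challenge after three guesses


@dataclass
class Challenge:
    code: str
    expires_at: float
    payee: str             # the transaction this code authorises, and no other
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms     # callable(phone, text); each call costs money
        self.clock = clock
        self.challenges: dict[str, Challenge] = {}

    def issue(self, user: str, phone: str, payee: str) -> None:
        # secrets.randbelow is a CSPRNG; zero-pad so every code is CODE_DIGITS long
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[user] = Challenge(code, self.clock() + TTL_SECONDS, payee)
        # Naming the payee in the message lets the customer spot a tampered transfer
        self.send_sms(phone, f"Code {code} to pay {payee}. Valid {TTL_SECONDS}s. Never share it.")

    def verify(self, user: str, payee: str, submitted: str) -> tuple[bool, str]:
        ch = self.challenges.get(user)
        if ch is None:
            return False, "no challenge"
        if ch.used:
            return False, "already used"
        if self.clock() > ch.expires_at:
            del self.challenges[user]
            return False, "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        ch.attempts += 1
        if payee != ch.payee:
            # A relayed code must not authorise a different transaction
            return False, "transaction mismatch"
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            return False, "wrong code"
        ch.used = True
        return True, "ok"


class FakeClock:
    """Controllable clock so the expiry path can be exercised offline."""
    def __init__(self, now: float = 1_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> list[tuple[bool, str]]:
    """Walk through the failure modes; returns the (ok, reason) pairs in order."""
    outbox: list[tuple[str, str]] = []
    clock = FakeClock()
    svc = OtpService(lambda phone, text: outbox.append((phone, text)), clock)
    payee = "ACME Pty Ltd $120.00"
    results = []

    svc.issue("alice", "+61400000000", payee)
    code = outbox[-1][1].split()[1]          # what the customer reads off the SMS
    wrong = "000000" if code != "000000" else "000001"
    results.append(svc.verify("alice", "Mule account $120.00", code))  # mismatch
    results.append(svc.verify("alice", payee, wrong))                  # wrong code
    results.append(svc.verify("alice", payee, code))                   # ok
    results.append(svc.verify("alice", payee, code))                   # already used

    svc.issue("alice", "+61400000000", payee)
    code = outbox[-1][1].split()[1]
    clock.now += TTL_SECONDS + 1
    results.append(svc.verify("alice", payee, code))                   # expired

    svc.issue("alice", "+61400000000", payee)
    code = outbox[-1][1].split()[1]
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", payee, wrong)
    results.append(svc.verify("alice", payee, code))                   # locked
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", reason)
```

Binding the code to the payee is the detail worth noticing: a code that merely proves possession of the phone can be relayed by a phishing page to authorise a different transfer, whereas a code the server will only accept against the transaction it was issued for cannot. The constant-time comparison and the attempt limit close the two cheap ways of guessing a six-digit code.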

Conclusion: Easy venture capital money and a highly fragmented market are driving consolidation in the Managed Service Provider (MSP) industry.

Whether your MSP is the target or the buyer, the M&A activity will be accompanied by organisational changes and strong pressure from the VCs to maximise returns. In the low-margin MSP industry, this could have implications for the MSPs' willingness to retain the resources that provide the resiliency you need. In any outsourced relationship, it is advisable to clearly define the service being sourced and the service level expectations, and to perform due diligence on the capabilities that enable the service provider to deliver them. In a consolidating market, IT organisations need to pay even greater attention to these activities.

Commoditising your infrastructure and technology achieves two important outcomes: standardised skills, which are easier to find; and easier transition to (and between) MSPs as they also have resource constraints.

Conclusion: Microsoft's new BitLocker feature, available in select versions of Vista, offers easy access to 'whole disk' encryption, which benefits several areas including identity management, data security, and asset management.

While BitLocker is a workable and well-integrated security feature, it is not a complete solution to data protection requirements. Whole disk encryption products have limitations and must be viewed as a part of a wider security initiative.

BitLocker’s benefits and limitations must be evaluated and factored into Vista migration plans, especially for organisations looking towards virtualisation and mobility.

Conclusion: Dedicated IT security people are too expensive for SMB organisations. The market trend is towards outsourcing security tasks, and the SMB market must embrace this. Large organisations (500+ people) should make internal security people the managers of internal security programs, and managers of the relationship with managed security service providers (MSSPs) and outsourcers. Security is an operational responsibility which should be shared by everybody in an organisation.
