James Turner


James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.


"If your organisation is producing value then you must confront cyber risks because you have something at stake. WannaCry and NotPetya were just the latest in a long line of cyber security wakeup calls where industry runs the risk of just hitting the snooze button, yet again.
 
"Many top ASX companies have chief information security officers, or CISOs, to help them identify and manage cyber risks. If you've got a CISO then your organisation has had the epiphany that it is a digital business and it thrives, or withers, on its ability to deal with cyber risks in a hyper-connected world."
 

Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.




IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs. 




Who wasn't moved by the story of Alan Turing, the brilliant English mathematician whose dedicated team cracked the Nazi Enigma code and saved countless lives during World War 2?

Fast forward more than 70 years and the ability of terrorist groups such as Islamic State and al-Qa’ida to harness encryption methods on the internet has created its own Turing doomsday imperative. Either we crack the codes or our law enforcement agencies will remain in the dark about terrorist plans for more carnage.

Next week, political and national security chiefs from Australia, New Zealand, the US, Britain and Canada will meet privately in the Canadian capital, Ottawa. High on the agenda will be ways to combat terrorism, and one of the key points will be cracking encryption in messaging apps.

The task at this conference, known as Five Eyes, is incredibly difficult — nearly impossible.

Some of the most common messaging apps are Apple’s iMessage, Facebook Messenger, WhatsApp, Signal, Telegram and Wire. Every day, millions of people send billions of messages to each other, secure in the knowledge that new-age encryption technology means their conversations will remain private.


Experts say efforts to get technology and social media firms to cooperate with the authorities in decrypting communications will be hard to achieve. The Australian government wants smartphone companies and social media platforms to ensure terrorists cannot hide behind anonymous posts or encrypted messages, but it has not said how or when.

In his recent national security statement to parliament, Australia’s prime minister Malcolm Turnbull said traffic on encrypted messaging platforms was difficult for security agencies to decrypt.

“Most of the major platforms of this kind are based in the US, where a strong libertarian tradition resists government access to private communications, as the FBI found when Apple would not help unlock the iPhone of the dead San Bernardino terrorist,” he said. “The privacy of a terrorist can never be more important than public safety.”

James Turner, cyber security analyst at advisory and consulting company IBRS, added: “You can’t build crumple zones into encryption systems because it puts up big neon signs saying there’s a vulnerability.”

Instead of trying to gain access to the encrypted communications, Turner said governments should “aggressively target the endpoints”, especially as services such as Apple’s iMessage were being re-engineered to make encrypted content inaccessible to even Apple itself.


 

Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.




It's now a year since the launch of the Australian Cyber Security Strategy. Could progress be better? Of course. But the progress is good. Actually, it's great.

The collaboration between government and the private sector has had a fresh wind touch its sails and the level of cyber security collaboration between many of Australia's largest organisations is at an unprecedented level. The recent global wave of ransomware, variously termed WannaCry or WannaCrypt, was a live-fire exercise for testing the efficacy of this collaboration.

The recent launch of the ASX 100 Cyber Health Check report was an excellent step on the journey to a more complete understanding of what will come to be viewed as due care in the domain of cyber risk management, and the launch of the Australian Cyber Security Growth Network is already making waves for the local start-up community.

The prevailing sentiment is that we don't really have a choice other than to work together because we absolutely have to be good at this. Collaboration is


Cyber security experts said Australian businesses and government agencies got lucky in avoiding potentially devastating effects from a global ransomware cyber attack, which wreaked havoc around the world at the weekend, but warned problems could emerge as organisations return to work on Monday.

Unlike in Britain, where some hospitals ground to a halt, no major victims of the so-called WannaCry malware attacks have emerged in Australia, where there was only one unnamed case of infection, after companies called in security staff on Saturday to quickly update software patches.

However, despite Prime Minister Malcolm Turnbull seeking to calm any local alarm over the weekend, the government's cyber security experts have copped some criticism for failing to show sufficient leadership in proactively advising organisations about the threats and required course of action.


Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.




Conclusion: IT executives must appreciate that managed security services is not a simple IT outsourcing function, because cyber security is not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost implications for both parties and will require a commitment to continually reviewing suitability of services. Executives should aim to evolve their own cyber risk management capabilities around people, process and technology, because this internal maturity is required to get the most from engaging with an MSSP.




Conclusion: Security awareness programs are an attempt to change staff behaviour for the protection of an organisation’s information assets, and also an attempt to change corporate culture to support and encourage desirable behaviours. However, security awareness programs also run the risk of overwhelming staff with too much fear, uncertainty, and doubt. A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of “relaxed alert”, or “Code Yellow” in Cooper’s Colour Codes.




Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

