James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk, and who facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.

Conclusion: IT executives in financial services organisations have expressed frustration at the seemingly vague requirements of APRA, but this misses the regulator's true intention. APRA is not anti-Cloud; it insists that financial services organisations consult with it so that it can gauge the maturity of the proposed plan. This is not a mechanism to forbid Cloud but a sanity check, intended to protect the stability of the Australian financial market by ensuring that organisations are not abrogating their risk identification and management responsibilities.

Outside of the big four banks and Telstra, Australia lacks world-class cyber security teams.

by James Turner

A few weeks ago I was fortunate enough to attend the world's largest cyber-security event, RSA Conference, in San Francisco. This year was the 25th anniversary of the conference, with 40,000 attendees and over 500 vendors exhibiting.

My experience at RSAC reflected my experiences at many other international cyber-security gatherings over the years. I have come to the conclusion that Australia has pockets of cyber-security leadership that are world-class, and in some instances, world-leading. But these pockets of capability – almost all at the top end of town – are insufficient for the nation's needs.

In Australia we have a small number of organisations with big cyber-security teams, and established leaders with excellent bench strength in their direct reports. Principally, these pockets of cyber maturity are in the big four banks, and in a hothouse of talent that has emerged at Telstra.

Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people respond to something they do not understand in many ways, ranging from denial to fear. A frequent obstacle to better security maturity is therefore inertia rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers them. Valuable conversations about risk and threats can then be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned at all; in many cases, even raising the label of security can undermine initiatives that had security as an objective.

Conclusion: As cyber security gains awareness among business leaders, many organisations are undertaking new cyber risk management initiatives. However, these initiatives can be misdirected if business leaders are not clear on why they are undertaking them. On the journey to improving an organisation's cyber security maturity, the question "why?" is a powerful tool for testing the alignment of security with business requirements.

Conclusion: Organisations must understand that cyber risk is not merely a technical issue that can be delegated to IT, but a business issue that comes hand-in-hand with operating in a modern, online ecosystem. Until cyber risk is treated as a business risk, we will continue to see organisations fighting a rear-guard action against threats that should have been designed against through better digital business strategy.

Conclusion: Unless an organisation already has a strong cyber security capability, or the budget and appetite to progress its maturity very quickly by expanding its headcount and changing business processes, it is unlikely that any security tool purchase will help. Instead, organisations aspiring to improve their cyber security maturity should focus on business alignment through risk-driven conversations, and on addressing and automating technical hygiene issues.

Conclusion: The role of a cyber security executive is challenging at the best of times, as they need to continually strike a balance between informing and influencing without constantly alarming. But the context surrounding why an organisation creates a cyber security executive role is critical to the success of cyber risk management. Executive-level commitment is required continually to ensure that the cyber security executive's message and mandate are understood by all. Ultimately, a neutered cyber security executive will result in a fragile organisation with excessive, inappropriate, or inadequate controls. Organisations with controls that are mismatched to their objectives will be easy pickings for both attackers and regulators.

Conclusion: The challenge with handling threat intelligence lies in assessing its relevance to an organisation, determining an appropriate response, and then continually executing and reassessing. Consequently, the more comprehensive the threat intelligence service, the greater the requirement for the customer to have an existing, mature cyber security capability. Organisations must understand how they will use a threat intelligence service and what business benefit it will deliver to them.

Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security with IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and many security practitioners to make the mental shift from technical doers to risk communicators. Every organisation must know who, internally, is ultimately accountable for cyber security, and ensure that this person is adequately informed and empowered to execute on that accountability.

Conclusion: There are two compelling information security reasons for creating a sense of purpose and ownership within an organisation. The first is that a sense of purpose and ownership will empower staff to move from merely responding to basic security hygiene matters towards pre-empting issues. The second is that it encourages organisations to look beyond themselves and work towards a more resilient ecosystem.

This level of resilience maturity is vital, and it will be driven by leadership and a continuing commitment to talent development. Astute security leaders will use cultural indicators such as engagement and sense of purpose and ownership as a guide to the organisation's ability to withstand security incidents.

Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake: as much as a lack of any security can be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.

This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally and with suppliers.

The IT dependencies that organisations now have are largely invisible and can easily be taken for granted, much like the infrastructure that delivers electricity or water to a home. And just like electricity and water, when there is an incident in the IT supply chain, the impact on the end consumer can be considerable.

Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large one, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem in which their organisations operate, and are starting to work on securing the resilience of every link in the chain. This will take time, effort, and collaboration.

Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will look for evidence that organisations exercised due care in vendor selection and in support of information security initiatives. The great challenge lies in communicating to non-technical people issues that are often thought of as merely technical. In this shifting market, an approach such as the "Five Knows of Cyber Security" can prove invaluable in turning a technical conversation into a governance conversation.

Related Articles:

"Applying The Five Knows of Cyber Security (Video)", IBRS, 2016-08-15

Conclusion: Security leaders know that it is not enough for the security group to do its job; it must also be seen to be doing its job. This need for communication between security and the business is leading organisations to create outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities: while the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.