James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk, and who facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.

Conclusion: Big data and analytics projects can learn important lessons from the domain of information security analytics platforms. Two critical factors to consider when planning deployment of an analytics platform are the need for a clear business objective, and the depth and duration of organisational commitment required. Without a clear understanding of the objective of the analytics project, or adequate resource commitment, the project will likely fail to deliver on expectations. The worst outcome is that inadequate investment in people could result in an organisation drawing incorrect conclusions from the analytics platform.


Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk-averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking; by contrast, it may be inappropriate and ineffective with other audiences. Because of its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.


Conclusion: Travelling executives must be under no illusion: if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The effort a third party will expend to obtain the information will be directly proportional to its potential value to them. The more an organisation has at stake, the more important it is that this is a risk-driven conversation, not a technology one, because the technology does not matter if an executive’s behaviour does not alter to match the risk.


Conclusion: As cyber-security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.


Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.


Conclusion: As much as the industry should not blame the victims of cyberattacks, the industry must also learn from these crimes. There are important lessons that must be drawn out from these breaches, because most organisations would be equally vulnerable to similar attacks. Three key lessons are: look for indicators of compromise and be sufficiently resourced to respond; review exposure through third parties; and treat compliance with security standards as the bare minimum of required effort.


Conclusion: When considering using cyber-insurance to deal with the potential costs associated with a successful attack, there are important considerations that CIOs and CISOs should be highlighting to operational risk and finance executives. Most organisations will need to raise their risk maturity substantially, and this means investment as well as changes to practices, before they are in a position to be able to take advantage of cyber-insurance.


Conclusion: There are a number of traits and behaviours to look for in an effective security leader, and they differ from those of a traditional IT leader. The measure of an effective CISO is not whether or not their organisation has had a breach. The measures of an effective CISO are the types of incidents their organisation has, and how their organisation responds to them. Consequently, an effective CISO is a requisite component of comprehensive risk management and organisational resilience.


Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. Security leaders should therefore be able to defend adherence to, or variation from, any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not an argument for non-compliance, but for a deep understanding of business requirements, and for being able to defend this position to internal and external auditors.


Conclusion: Organisations must ensure they have taken reasonable steps so that IT equipment is not released while it still contains information assets. Leading software options for wiping data will be more than adequate for most organisations, and physically destroying disks is both excessively costly and environmentally unfriendly. However, as important as ensuring that sensitive data is destroyed is ensuring that the organisation has an audit trail to demonstrate that the data destruction policy has been followed. The more sensitive the information, the greater the need for the assurance of an audit trail.


Mandatory data breach disclosure is exactly what it says: legislation that obliges an organisation to reveal that it has experienced a data breach and lost control of its customers’ personally identifying and/or sensitive information. The industry buzz really started in 2003 with California Senate Bill 1386, which obliged organisations to inform their customers if there was, or was reasonably believed to have been, a compromise of the confidentiality of the customers’ data (which meant “lost” + “unencrypted”).


Conclusion: Cyber-insurance will be an inevitability for all organisations. However, executives should be clear on what level of cover they are buying, what incidents they are getting cover for, and the costs and impacts on the organisation that insurance cannot (or may not) cover.

An exploration into the feasibility of cyber-insurance is likely to raise good questions about whether an organisation has sufficient controls in place, as well as to what degree the organisation is willing to self-insure. But these questions, like the purchase of cyber-insurance, can only be addressed by the business.


Conclusion: The deadline for compliance with the Privacy Act passed in March, yet some organisations have not yet started reviewing their level of non-compliance. More mature organisations have been proactive and, in projects driven by the business, have reviewed and addressed areas of non-compliance. Some of these projects are still underway. These proactive organisations have the view that the cost of ensuring compliance is outweighed by the potential damage to the organisation’s reputation in the event of a publicly disclosed privacy breach where the organisation is found to be at fault.


Conclusion: IT executives from Australia’s largest organisations are actively looking for ways to create cyber-resilience, not just in their organisations, but also in the ecosystem their organisations operate in. These executives acknowledge that it is not enough for an organisation to survive if the community it operates in is crippled. IT security executives are concerned that, in the event of a severe attack, the current disparate communications channels between the private sector and government will not be effective. There is a need for a coordinated national response to a severe cyber-attack, and for everyone in the information security community to know what this response is.

