James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk, and who facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.

Conclusion: Many IT executives are still unclear as to their obligations under the amended Privacy Act. IT executives should use the Privacy Act as an opportunity to start transitioning into a technical advisor role for their organisation. They should avoid falling into the trap of trying to unravel the Act from a legal perspective. It is paramount that the business understands that while IT can take leadership on a project for compliance with the Privacy Act, compliance is a business obligation and not an IT problem.


Conclusion: The probability of an inside attack is hard to gauge and depends entirely on the inner state of the attacker, but the impact can range from inconsequential to disproportionately vast. CIOs must assess the risk of a malicious insider in the context of their organisation’s information assets and risk management priorities. Astute CIOs will know that technology alone will not mitigate this risk, and that an ongoing


Conclusion: The rapid adoption of SaaS by HR departments is a herald of the way IT departments will need to reinvent themselves. SaaS means that IT will not control everything, but there is an important role for influencing how the organisation adopts. IT needs to proactively develop relationships with business units in order to establish itself as a partner to business and create an environment which will ensure that advice is sought early, and not only when integration issues arise. This mind shift, from utility to partner, is critical but may not come naturally to the mindsets that have been so good at running traditional IT departments.


Conclusion: Accusations against Huawei of spying for the Chinese Government are destabilising confidence in this vendor in the local market. Consequently, the key challenge for Huawei in the enterprise IT space will be a growing reticence by people to be trained in a technology that is being positioned by the intelligence community as a political pariah. This will create a shortage of people trained in Huawei enterprise network equipment and will lead to a sellers’ market for these skills. This will add considerably to the ongoing costs of opting for a cheaper vendor.


Conclusion: Windows XP will not stop working in April 2014 when Microsoft stops supporting this popular operating system. However, as time passes, this OS will become an increasing burden on organisations, due to third party support, security challenges, increasingly specialised skillsets, and perception. Windows XP will quickly become a legacy environment, with all the associated challenges. Consequently, CIOs should have a clear plan for any remaining Windows XP machines. The value of a clear plan is two-fold: firstly for common understanding within the IT department, but also for communicating to stakeholders.


Conclusion: In engaging with an external incident response provider, it’s vital that they are not walking blind into your environment. Equally, you need to know exactly who they are, what they are capable of, and what the agreed outcomes of the engagement will be. If you have been attacked, or are still under attack, your organisation’s information assets are potentially at their most vulnerable, so the trust in your incident response provider needs to have been established prior to the attack. This places higher than normal importance on your vendor selection process, and in engaging with the incident response provider as early as possible.


Related Articles:

"Preparing for cybercrime - communications" IBRS, 2013-03-24

"Preparing for cybercrime: incident response" IBRS, 2013-09-25

In 2010, IBRS wrote that “My dog is a cloud” and noted that defining cloud was an exercise in fuzziness, there’s a gap between expectations and experience, and the self-promotion by cloud vendors is relentless. The more things change, the more they stay the same.

IBRS recently ran a series of roundtables where CIOs were able to meet and discuss the impact of the cloud on IT departments and their organisations. An interesting theme was that the CIOs often experienced great frustration with the cloud. Promises of lower costs, transparent billing, responsive support, and integration often varied from reality. Some of the stories sounded like a commercial version of Russian Roulette, or what it would be like dealing with an unregulated banking industry.


Conclusion: Predictably, Apple’s lead with its Touch ID biometric reader will be followed by the smartphone industry, and we will see a flood of biometrics options for consumers. Many of these biometric deployments will not be well executed, and the failures of these systems will impact the feasibility of biometrics as a means of authentication. Reliance on biometrics, which are used across multiple systems, yet cannot be revoked, will make fingerprints an obsolete authentication credential which will need continual bypass options. Within the next two years, fingerprint authentication in the enterprise will be rendered obsolete.


Conclusion: Engaging with an incident response service provider is a process that needs careful research and planning. It’s valuable for your incident responders to know a considerable amount about your business operations so that they can help support the business in an incident, and not just stamp out technical fires, potentially doing further business damage. It is equally important that you know your incident response service provider: how they prefer to engage, what their capabilities are, who their reference clients are, and what their employment policies are.


Related Articles:

"Preparing for cybercrime - communications" IBRS, 2013-03-24

"Preparing for cybercrime; incident response Part 2" IBRS, 2013-11-27

Conclusion: Recent exposure of US intelligence community actions to monitor the data of non-US entities has highlighted the tenuous control organisations have over maintaining the confidentiality of their data. Whether US intelligence explicitly or informally assists US commercial interests, non-US organisations have been served a clear warning as to how they should view this new world.

Organisations should review what information assets they are entrusting to US cloud vendors, and what the impact on the organisation would be if the confidentiality of these assets were to be compromised without the organisation’s knowledge.


Conclusion: Application whitelisting is a highly effective mechanism to minimise the impact of malware, and even ensure software licensing limits are enforced, but it is not a simple project and the technology to enforce a whitelist is still maturing. CIOs of Australian government agencies required to comply with the Protective Security Policy Framework and Information Security Manual (ISM) should have a clear plan to present to their Ministers on how this project will be delivered over the next 18-24 months.


Conclusion: In this era of targeted, self-obfuscating, and successful cyber-attacks, organisations must do three things. First, recognise that the organisation cannot prevent a dedicated attack. Second, understand what the organisation’s information assets are, and where they are. This is because we cannot always anticipate how the attacker may get in, but it is imperative to know what they are likely coming for. Third, increase your focus on detection and incident response, because you must be able to deal with a breach when it happens.


Conclusion: IT departments must alert both HR and legal counsel that the Mobile Device Management (MDM) platforms being deployed have the potential to put the organisation in breach of workplace surveillance legislation. MDMs can activate the cameras built into smartphones, activate the microphone, and access the smartphone’s GPS. Working with Legal and HR will likely result in new Acceptable Usage Policies for staff, and IT most likely needs to review controls for the MDM platform to ensure that these capabilities are not abused.


Conclusion: While a number of organisations are interested in the capability to filter content to corporate-issued smartphones and tablets, very few have taken this step. Most organisations take the view that the risk of an employee accessing inappropriate content while on a 3G/4G connection, and offending their colleagues, is low and best managed through line managers and policy. Typically these trusted staff are also reasonably senior, which is why they have been issued with a corporate device. The perspective changes, though, if the organisation is concerned about field staff wasting time. In these instances, restrictions are seen as an aid to productivity and the device is heavily restricted.

