James Turner
James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.

Conclusion: The intention and skill of an attacker will ultimately determine the impact of the attack, regardless of the preventative technologies an organisation has. In this respect, a skilled attacker intent on destruction is akin to a natural disaster: measures can be taken but ultimately it’s out of your hands. We cannot prevent floods and earthquakes, so what makes a difference is how organisations respond to these disasters. It is imperative that organisations with disaster recovery and crisis management processes extend these to include responding to cybercrime. The first area to look at is how the organisation will deal with not being in control of its own IT, including communications systems such as email and VoIP.

Related Articles:

"Preparing for cybercrime: incident response" IBRS, 2013-09-25

"Preparing for cybercrime; incident response Part 2" IBRS, 2013-11-27

Many years ago when I lived in Perth, one evening after work I was standing in chest-deep water at Cottesloe beach admiring the sunset. I happened to turn and look to my left and saw a fin sliding out to sea, about 10 metres away.

I quickly realised that the fin was making the sine wave motion of a dolphin, not the sideways sweep of a shark. When I turned to face the beach, there was a small crowd of 20 or so people gathered at the water’s edge. As I got out, a lady said to me, “He was swimming right behind you”.

Conclusion: As organisations become increasingly dependent on computer systems, IT will have an increasingly important role to play in preventing and detecting fraud. CIOs must ensure that there are sufficient checks and balances minimising the risk of IT professionals abusing their elevated systems privileges, and that systems are configured to produce useful logs. CIOs should also ensure that policies for the prevention and detection of fraud are tested and enforced. Policies for log management and data retention should get high priority.

Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department, as well as the rest of the organisation! A successful SIEM deployment must factor in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.

IBRS, along with many other organisations, has written extensively about “the cloud”. Every organisation selling a product and/or service puts its own spin on what the cloud actually is.

The appeal of cloud computing cannot be denied, and the buzz in the market for the last few years is evidence of the desire of IT organisations to find ways to deliver IT services that are: better, cheaper, more resilient, more secure, and more user friendly.

Cloud services are not similar to a highly virtualised internal IT operating environment, although cloud vendors may use virtualisation extensively. Nor are they similar to the tightly controlled experience of time-sharing on a mainframe back in the 1970s, although cloud vendors may price their services in a similar user-pays model. Even though webmail, a form of Software as a Service, has been available to consumers since the 90s, cloud vendors have moved well beyond that simple offering.

While there are excellent and crisp definitions of what the cloud should be, for example the definition provided by the National Institute of Standards and Technology (NIST), what really makes cloud new is how the term itself has become both all-encompassing, and yet completely useless at defining the nature of the service!

Conclusion: Blackberry 10 will, at best, bring Blackberry functionality to where iOS and Android have been for over a year. However, most organisations are moving away from Blackberry, either publicly or in a steady, quiet exodus as users choose which handset they’d rather have. BB10 will not stop this exodus as it is designed for the enterprise, not the consumer. The steady decline in fortunes for RIM will be painless for most organisations, except the few that are tightly coupled to the Blackberry ecosystem. These organisations should act now to minimise the coming impact of dealing with a company with a bleak future.

Conclusion: While there’s a surprising level of interest inside some IT departments to build their own data centre within an office complex, the arguments against this strategy are overwhelming. The few organisations that can financially justify building their own data centre are those that prefer spending Capex to Opex, have the Capex to spend and, ideally, can distribute this cost to others. While the idea of an on-premises data centre can be driven by a misplaced belief in control, there are many risks that come with this strategy that most CIOs should not be interested in managing, and there are costs that most CIOs would not want to pay.

Conclusion: Organisations which have gone down the Mobile Device Management (MDM) path with a view to enabling their staff to bring their own device (BYOD) are discovering the shortfalls of this device-control approach. A BYOD device is not a corporate asset and cannot be treated as such: it should be viewed as untrusted and treated accordingly. Consequently, leading organisations are treating BYOD as an exercise in remote access. Instead of trying to control the untrusted device, focus on user experience, and controlling access to the data.

Frederick Herzberg, a psychologist who was very influential in management theory last century, created a model variously called the Motivation-Hygiene theory, or Two-Factor theory. The theory proposes that there are factors in the workplace which increase satisfaction, and there are other factors that decrease dissatisfaction; and that these factors may not be the same.

For example, when you stop hitting your head against a wall, your dissatisfaction will decrease, but you have not necessarily increased your satisfaction. I think that this model casts an interesting light on the challenge of mobility, and particularly around the ownership issue of BYOD accessing corporate data.

Conclusion: The success of a security professional is not measured by whether their recommendations are adopted, but whether the technical risks faced by the organisation have been identified and communicated in terms of business impact to decision makers. This enables the business to make informed decisions. Consequently, security professionals must make it their highest priority to be in communication with the business, because one of the most impactful technical risks is a communications gap between the security team and the business. IT security professionals must take on learning the language of their business, because it isn’t the business’s responsibility to learn to speak IT security.

Conclusion: Cloud services are not similar to a highly virtualised internal environment. Nor are they similar to the tightly controlled experience of time-sharing on a mainframe back in the 1970s. The supposed elasticity of the cloud has become a point of vulnerability because the elasticity is only partial, and only at certain points. The outcome is a service which is believed to be highly resilient, but which can actually prove to be surprisingly brittle.

Conclusion: Early adopters of cloud services often swept aside security and risk concerns, as these adopters were more interested in the end – a better IT service – rather than the means. But now organisations with mature risk and governance processes are looking at cloud services, and risks are being identified and assessed for their potential impact. Cloud services can dramatically improve the IT service experience of an organisation, but organisations must be completely clear on what services they are, and are not, getting as part of the engagement. As with all commercial engagements, the devil is in the detail.

Related Articles:

"How do you catch a cloud and pin it down? Part 1" IBRS, 2012-05-28

Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial services organisations in Australia face a significant challenge in the coming years, primarily from a lack of good security people to architect, execute, support and monitor technical controls.

Conclusion: Cloud offerings, particularly Software as a Service, have many technical risks to iron out before they are palatable for any organisation that has a mature governance requirement. The vendors know this, and because they don’t want to raise these issues in the minds of less mature organisations, their master subscription agreements are typically thin on details or accountability, and heavy on indemnity. Given these unaddressed risks, CIOs should ensure that business executives are informed of the potential for service failure, as well as the implications and potential business impact.

Related Articles:

"How do you catch a cloud and pin it down? Part 2" IBRS, 2012-07-27