Conclusion: A Cloud strategy can take many forms. Whether you select a private Cloud, hybrid Cloud (on-premise with Cloud elements), native Cloud or a multiCloud implementation will impact the framework of your strategy. The success of your strategy will be driven by the motivation your organisation has to elect the move.

If your only motivation is the perceived cost

Conclusion: Cyber security is now one of the top priorities in many organisations. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to being regarded as a strategic enterprise risk. The role of the Chief Information Security Officer (CISO) has traditionally required strong technology skills to protect the

Conclusion: Two key supporting artefacts in the creation of pragmatic incident response plans are the incident response action flow chart and the severity assessment table. Take time to develop, verify and test these artefacts and they will be greatly appreciated in aiding an orderly and efficient invoking of the DRP/BCP and restoration activities.

Conclusion: A digital strategy and the need for organisations to undertake numerous projects to achieve digital transformation have become the new norm. Digital strategies often require organisations to complete major transformation projects to deliver the outcomes required of the strategy. However, a digital strategy is not just about technology, it is a holistic strategy

Conclusion: Stage gate reviews can be a highly effective governance tool that can materially enhance project outcomes; however, their value can be eroded by poor design, a lack of planning, or if they duplicate the objectives of other governance processes. To ensure stage gates are designed to deliver enhanced project outcomes, four key areas of consideration should be

Conclusion: Digital strategies often require organisations to complete major transformation projects to deliver the outcomes required of the strategy. A digital strategy is not just about technology, it is a holistic strategy that involves change across people, process and technology. The acceptance of technical debt and inaction around cultural change can have a severe

Conclusion: When engaging the market for consulting services, estimating the resource mix, including experience and skills, can form an excellent basis for evaluating if what is being proposed by consultants is likely to be optimal for the scope, and effective, given the environment of the purchasing organisation.
There are four main elements that should be

Conclusion: Identity has historically been a thorny problem with concerns over identity theft and the need for verification. Now that biometrics are becoming so accessible to register and verify customers and clients, the business rules used to define the purpose of any identity and access management system should be reassessed in the broader context of business integrity.

Conclusion: Consulting engagements are often scheduled under the assumption of ideal conditions. In reality, many engagements experience a ‘slow start’ due to the consultants needing to request information and data, schedule stakeholder meetings, understand assumptions and parameters, and define and agree on the appropriate governance processes. This is often followed by a

Conclusion: Analysts in general are correct to identify the challenges in the industry to develop appropriate skills, meet the demands of digitisation and to counter the security threats. When it is distilled down it is all about the business. The CIO is supporting business outcomes which will need specific technology solutions, which will, in turn, drive ICT strategy. The

Conclusion: Deterministic¹ project budgets do not convey any information about the range of possible outcomes for a project, or the associated risk factors driving the range. The ability to communicate the risk-weighted range of possible project outcomes can lead to much clearer expectations and understanding of project outcomes,

Conclusion: The adherence to the recently introduced guidelines under ISO:31000 2018¹ is key to every ICT manager’s responsibilities and leadership remit as they are key in driving and leading the adoption of risk management guidelines across an organisation due to the overarching responsibilities of creating and protecting value.

Conclusion: The ICT Disaster Recovery Plan (DRP) is, more often than not, focused on technology providing for redundancy of infrastructure and systems, including data back-up and data recovery. Whilst these components are important and necessary, we often oversimplify the need for business resumption of the ICT business, which in turn will impact ICT availability. The need to

Conclusion: ICT health checks enable organisations to better understand risks and prioritise activities to both maintain and improve the performance and reliability of ICT in support of business outcomes.

ICT health checks can be conducted as a light touch in the first instance, with detailed in-depth health checks being conducted as follow-up activities in specific

Conclusion: IT auditors typically consult with, and report their findings to, the board’s Audit and Risk Committee. Their POW (program of work) or activities upon which they will focus may or may not be telegraphed in advance to stakeholders, including IT management.

To avoid getting a qualified audit report for IT, e. g. when internal (systems) controls are weak or

Conclusion: ICT disaster recovery plans (DRPs) have been in place for many years. Fortunately, invoking these plans is rare, but just like insurance plans, it is wise to ensure the fine print is valid, up to date and tested on a regular basis to minimise restoration of business services reliant on the complex range of IT enablers in place. Adoption of general Cloud services

Conclusion: In times of business disruption, the value of a pragmatic and accessible incident response plan (IRP) will become the main tool in getting the business back to normal operation, and minimising loss of revenue, services and reputation. This holds true during the time of stress when attempting to get back to normal operations. Using the analogy of taking out

Conclusion: The development of a strategic relationship between suppliers and public government agencies needs to be approached differently to that in the private commercial world. Government bodies are bound by procurement rules which require government agencies to regularly market-test provision of services, where value for money is the primary consideration. Government

Conclusion: Recently, several architectural models and tools have become available to enable the microsegmentation of networks, which helps improve overall security within organisations and can help limit the scope of any potential breach within an organisation. This can be achieved by aligning microsegmentation of networks with the organisation’s mission-critical systems

Conclusion: Successful businesses need their people to be productive and to perform well. Effective communication may assist i.e.suring they do. Effective communication is about thought leadership, defining a purpose, informing tasking and priorities and, most importantly, listening. Opportunities that impact productivity and the fiscal performance of

Conclusion: Regular testing of the business continuity plan (BCP) has many benefits which go beyond ticking the mandatory compliance box to keep audit off the back of executives. Effective testing exercises ensure the BCP has been updated and includes sense-checking the completeness of resources required in the recovery strategies of critical business functions. Running

Conclusion: With both the NSW and commonwealth parliaments passing respective Modern Slavery Acts in 2018¹, there are now real implications and consequences for business leaders and their suppliers who ignore the risks of slavery within their supply chains.

Unlike the California Transparency in Supply Chains Act 2010 which

Conclusion: Telecommunications services and the supporting infrastructure have historically been complex, costly and difficult to change. The modern technology landscape now allows for greater flexibility in the design of networks, and the telecommunications services of voice, video and data they deliver.

The use of software defined networking (SDN), Cloud-based

Conclusion: Conducting effective business impact analysis details the business functions and provides further insight into the relative importance of each function and its criticality. The information is then used as the main source to develop business recovery strategies, the priority of restoration and identification of resources to aid in the restoration of business

Conclusion: Effective project managers prize the importance of capturing lessons learnt during the life of a project, but too often, it is just a necessary task to complete at project closure. By following simple tips and adhering to some techniques, project managers can get increased benefits for themselves and the organisations they work with.

Conclusion: The Agency Head/CEO is responsible to accredit the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.

The Agency

Conclusion: Organisations need to plan to quickly and successfully recover business operations by creating and updating business continuity plans (BCPs) supported by disaster recovery plans (DRPs). However, there are many challenges to overcome in order to keep these plans useful in readiness when business disruption eventuates.

Conclusion: What to monitor and how you respond to the data is often poorly documented and not fully understood until after a failure occurs. In this world of “no surprises”, effective monitoring is a key success factor. If an organisation’s ICT monitoring strategy is to be successful it must be structured around the organisation’s business outcomes. The monitoring strategy

Conclusion: Cloud offerings are now commercially available, allowing CIOs to engage the technology offerings with a high degree of trust that the service is secure and responsive at reduced cost to in-house solutions.

CEOs have an obligation to ensure their organisation’s IT systems are cost-effective and meet the security accreditation defined by government

Conclusion: Australians have become increasingly concerned not only with what data is being held about them and others, but how this data is being used and whether the resulting information or analysis can or should be trusted by them or third parties.

The 2018 amendments to the Privacy Act for mandatory data breach notification provisions are only the start of the

Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and/or when renewing older infrastructure and services. The need to have cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any

Conclusion: Keeping business continuity plans (BCP) succinct, up to date and easy to read will reap rewards when they are required during a business disruption.

Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework, but also a guide when working through the framework

Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and

Conclusion: In a world where organisations increasingly rely on the successful performance of their business systems it is important IT management takes the lead in managing the risk of systems failure and cyber security breaches from all sources.

Boards are ultimately responsible for monitoring risks. They direct IT (and business) management to create a framework and

Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if

Conclusion:Organisations know that they have legal obligations in terms of record retention and privacy. The foundation of good information management governance is an effective record retention schedule (RRS). Organisations need to regularly review and audit their RRS not only in terms of it being current, but also in terms of it being effective and being complied

IT consists of information and communications technologies (ICT) typically used in business, corporate or enterprise management (e.g. computer processing, data management, business processes and applications, customer service, enterprise networking).

OT consists of specific operational technologies used to run a business operation (e.g. capital assets, manufacturing process control,

Conclusion:In the last few years the structure and shape of ICT investment have undergone a series of shifts. The results are varied and complex and they reflect wider changes in the investment and use of ICT products.

It is important for organisations to take note of these transitions and to adapt and utilise methods which can improve the efficiency of their ICT

Conclusion:Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene

Conclusion: IT executives must appreciate that managed security services is not a simple IT outsourcing function, because cyber security it not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost

Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent

Conclusion: Mergers, acquisitions and divestitures are regular occurrences amongst ICT vendors. A lot of analysis of these announcements focuses on the potential impact on the future value of the organisations involved, particularly for investors. But each announcement means there will be changes for employees, customers and business partners.

Prudent organisations

Conclusion: Organisations must proactively manage exactly which data is kept, secured, and backed up, as well as which data must be archived or permanently deleted. Data hoarding adds considerably to storage costs as well as potentially exposing organisations to risks especially if the data is inappropriate, unencrypted, or could put an organisation’s brand at

Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not

Conclusion: The Australian Bureau of Statistics’ annual innovation survey quantifies the efforts of businesses in all industries. The status of innovation is quite mixed, between small businesses which tinker at the edges and larger enterprises which are more thorough.

Innovation is not one thing – it is a variety of actions which can be implemented. Improving

With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

Applying

Conclusion: Organisations considering applications migration to a Cloud service provider may lack the experience to understand potential risks or how to select a service provider. This may result in budget overrun or inability to meet business needs.

While planning to engage a service provider, a “Plan B” (to invoke in case of failure) is needed to strengthen the

Conclusion: IT executives in financial services organisations have expressed frustration at the seemingly vague requirements of APRA, but this misses the true intention of APRA. APRA is not anti-Cloud, but the regulator insists that financial services

Conclusion: As cyber security gains awareness among business leaders, many organisations are undertaking new cyber risk management initiatives. However, these initiatives can be misdirected if business leaders are not clear on why they are

Conclusion: Unless an organisation has an already strong cyber security capability, or the budget and appetite to progress its maturity very quickly through expanding its headcount and changing business processes, it is unlikely that any security tool

Conclusion: Microsoft is completing a unified communications and collaboration (UCC) product suite development journey begun more than a decade ago as it finally offers missing critical components with Cloud-delivered telephony. In doing so it risks alienating its current UCC partners (especially those in telephony).

UCC strategy, planning and deployment

Conclusion: The challenge with handling threat intelligence is in assessing its relevance to an organisation, determining an appropriate response and then continual execution and reassessment. Consequently, the more comprehensive the threat intelligence service is, the greater the requirement for a customer to have existing,

Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be

Conclusion: The Australian market presents serious problems to marketers. The situation has been foreseeable for the last two years. The situation is likely to soften further, which will constrain their capacity to seek growth.

Solutions are available and require reappraisal of strategies and objectives. Applying intelligence and the right tools should

This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved to have electricity or

Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information

Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk

Conclusion: Big data and analytics projects can learn important lessons from the domain of information security analytics platforms. Two critical factors to consider when planning deployment of an analytics platform are: the need for a clear business objective and; the depth and duration of organisational commitment required. Without a clear understanding of the

Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences.

Conclusion: travelling executives must be under no illusion that if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The potential value of the information to a third party will be directly proportional to the effort they may expend

Conclusion: organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to

Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee

Conclusion: The first generation of the Internet of Things (IoT) is now reliably internetworking uniquely identifiable embedded computer devices.

However, the emerging Internet of Everything (IoE) will go beyond the IoT and its machine-to-machine (M2M) communications between devices, systems and services. The demands from popular consumer IT will lead to

Conclusion: Project Health Checks and Gateway Reviews are an excellent way of assessing the progress of a significant project, identifying issues and taking a corrective action approach that is in the best interests of the organisation. One of the obvious and highest risk periods for projects to go off the rails is the period between when a contract has been

Conclusion: As much as the industry should not blame the victims of cyberattacks, the industry must also learn from these crimes. There are important lessons that must be drawn out from these breaches, because most organisations would be equally vulnerable to similar attacks. Three key lessons are: look for indicators of compromise and be sufficiently resourced

Conclusion: When considering using cyber-insurance to deal with the potential costs associated with a successful attack, there are important considerations that CIOs and CISOs should be highlighting to operational risk and finance executives. Most organisations will need to raise their risk maturity substantially, and this means investment as well as changes to

Conclusion:Over the years, many ICT professionals have moved from roles in commerce to roles in Health without recognising the unique challenges presented by clinical environments. The result is an underperforming, expensive and misaligned ICT service that soaks up hundreds of millions of dollars annually for minimal patient benefit.

Conclusion:When implementing enterprise Cloud services, a disciplined and locally distributed approach to user acceptance testing in combination with real-time dashboards for test management and defect management can be used as the centrepiece of a highly scalable quality assurance framework. An effective quality assurance process can go a long way to minimise

Conclusion: HP’s split into two companies is more important as a sign of the dramatic changes in the IT infrastructure market than the impact it will have on HP customers. When combined with IBM’s exit from the PC and x86 markets and Dell going private, poor financial results from leaders such as IBM and SAP, it is clear we are in the midst of a major industry

Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. So, security leaders should be able to defend adherence, or variation, from any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not

Conclusion: Organisations must ensure they have taken reasonable steps to not release IT equipment which contains information assets. Leading software options for wiping data will be more than adequate for most organisations, and physically destroying disks is both excessively costly and environmentally unfriendly. However, as important as ensuring that sensitive data is

Conclusion: Failure to embrace the SMACC stack (Social, Mobile, Analytics, Cloud and Consumerisation) will result in the wider organisation working around the internal ICT provider. Job losses in the ICT team and a reduction in wider corporate capability will result.

Conclusion: Consumer-oriented software and online services are raising user expectations. To determine the aspects of user experience design, and the trade-offs that are appropriate in a particular business context, requires extensive collaboration across multiple disciplines. The cross-disciplinary nature of the work must

Conclusion: IT executives from Australia’s largest organisations are actively looking for ways to create cyber-resilience, not just in their organisations, but also in the ecosystem their organisations operate in. These executives are acknowledging that it is not enough for an organisation to

Conclusion: Many IT executives are still unclear as to their obligations under the amended Privacy Act. IT executives should use the Privacy Act as an opportunity to start transitioning into a technical advisor role for their organisation. They should avoid falling into the trap of trying to unravel the Act

Conclusion: The probability of an inside attack is hard to gauge and depends entirely on the inner state of the attacker, but the impact can range from inconsequential to disproportionately vast. CIOs must assess the risk of a malicious insider in the context of their organisation’s information assets and risk management

Conclusion: Debate over Microsoft’s mixed record of successes and slow innovation during the last decade has incited conjecture as to its long term durability. As many highly successful vendors have disappeared very quickly, the same inference for

Conclusion:Accusations against Huawei of spying for the Chinese Government are destabilising confidence in this vendor in the local market. Consequently, the key challenge for Huawei in the enterprise IT space will be a growing reticence by people to be trained in a technology that is being

Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial

Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the

Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR