
Risk Management

  • Cloud strategy considerations

    Conclusion: A Cloud strategy can take many forms. Whether you select a private Cloud, hybrid Cloud (on-premises with Cloud elements), native Cloud or a multi-Cloud implementation will shape the framework of your strategy. The success of your strategy will be driven by the motivation your organisation has for making the move.

    If your only motivation is the perceived cost

    ...
  • The role of the CISO in the digital era

    Conclusion: Cyber security is now one of the top priorities in many organisations. With an ever-increasing number of cyber-related incidents, cyber security risk has evolved from a technical risk to being regarded as a strategic enterprise risk. The role of the Chief Information Security Officer (CISO) has traditionally required strong technology skills to protect the

    ...
  • Incident response planning: Key artefacts

    Conclusion: Two key supporting artefacts in the creation of pragmatic incident response plans are the incident response action flow chart and the severity assessment table. Take time to develop, verify and test these artefacts and they will be greatly appreciated in aiding an orderly and efficient invocation of the DRP/BCP and the restoration activities that follow.

    Related Articles:

    "ICT disaster recovery plan challenges" IBRS, 2019-08-03 20:43:12

    "Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

    "Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

    "Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

    "What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

  • Digital strategy: Considerations

    Conclusion: A digital strategy and the need for organisations to undertake numerous projects to achieve digital transformation have become the new norm. Digital strategies often require organisations to complete major transformation projects to deliver the outcomes required of the strategy. However, a digital strategy is not just about technology, it is a holistic strategy

    ...
  • Being a good customer of consulting Part 3: Maximising the value of stage gates through considered design and definition of unique objectives

    Conclusion: Stage gate reviews can be a highly effective governance tool that can materially enhance project outcomes; however, their value can be eroded by poor design, a lack of planning, or if they duplicate the objectives of other governance processes. To ensure stage gates are designed to deliver enhanced project outcomes, four key areas of consideration should be

    ...
    Related Articles:

    "Being a good customer of consulting Part 1: The importance of a client-side project manager in consulting engagements" IBRS, 2019-11-02 01:24:20

    "Being a good customer of consulting Part 2: Driving value and successful outcomes by aligning RFP scope to supplier skills" IBRS, 2019-12-05 05:15:44

  • The cost of technical debt and cultural change inaction

    Conclusion: Digital strategies often require organisations to complete major transformation projects to deliver the outcomes required of the strategy. A digital strategy is not just about technology, it is a holistic strategy that involves change across people, process and technology. The acceptance of technical debt and inaction around cultural change can have a severe

    ...
    Related Articles:

    "What does it mean if an IT vendor is a ‘leader’?" IBRS, 2020-01-07 21:32:29

  • Being a good customer of consulting Part 2: Driving value and successful outcomes by aligning RFP scope to supplier skills

    Conclusion: When engaging the market for consulting services, estimating the resource mix, including experience and skills, can form an excellent basis for evaluating if what is being proposed by consultants is likely to be optimal for the scope, and effective, given the environment of the purchasing organisation.
    There are four main elements that should be

    ...
    Related Articles:

    "Being a good customer of consulting Part 1: The importance of a client-side project manager in consulting engagements" IBRS, 2019-11-02 01:24:20

    "Being a good customer of consulting Part 3: Maximising the value of stage gates through considered design and definition of unique objectives" IBRS, 2020-01-08 03:32:07

  • A fresh look at identity management

    Conclusion: Identity has historically been a thorny problem with concerns over identity theft and the need for verification. Now that biometrics are becoming so accessible to register and verify customers and clients, the business rules used to define the purpose of any identity and access management system should be reassessed in the broader context of business integrity.

    ...
    Related Articles:

    "2FA is a no-brainer" IBRS, 2018-11-02 11:06:25

    "Identity management projects need business engagement" IBRS, 2012-04-21 00:00:00

    "Sourcing Monthly August 2019 – September 2019" IBRS, 2019-10-02 01:31:47

  • Being a good customer of consulting Part 1: The importance of a client-side project manager in consulting engagements

    Conclusion: Consulting engagements are often scheduled under the assumption of ideal conditions. In reality, many engagements experience a ‘slow start’ due to the consultants needing to request information and data, schedule stakeholder meetings, understand assumptions and parameters, and define and agree on the appropriate governance processes. This is often followed by a

    ...
    Related Articles:

    "Being a good customer of consulting Part 2: Driving value and successful outcomes by aligning RFP scope to supplier skills" IBRS, 2019-12-05 05:15:44

    "Being a good customer of consulting Part 3: Maximising the value of stage gates through considered design and definition of unique objectives" IBRS, 2020-01-08 03:32:07

  • Soft skills that make a CIO more effective

    Conclusion: Analysts in general are correct to identify the challenges in the industry to develop appropriate skills, meet the demands of digitisation and to counter the security threats. When it is distilled down it is all about the business. The CIO is supporting business outcomes which will need specific technology solutions, which will, in turn, drive ICT strategy. The

    ...
  • A probabilistic approach to cost estimation

    Conclusion: Deterministic project budgets do not convey any information about the range of possible outcomes for a project, or the associated risk factors driving the range. The ability to communicate the risk-weighted range of possible project outcomes can lead to much clearer expectations and understanding of project outcomes,

    ...
  • Tips for managers implementing the new risk management framework in an ICT environment

    Conclusion: Adherence to the recently introduced guidelines under ISO 31000:2018 is a key part of every ICT manager’s responsibilities and leadership remit, as ICT managers are central to driving and leading the adoption of risk management guidelines across an organisation, given their overarching responsibility for creating and protecting value.

    ...
    Related Articles:

    "Risk management – Tips and techniques" IBRS, 2017-10-02 22:35:45

    "Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

  • ICT availability: From disaster recovery to business resumption

    Conclusion: The ICT Disaster Recovery Plan (DRP) is, more often than not, focused on technology providing for redundancy of infrastructure and systems, including data back-up and data recovery. Whilst these components are important and necessary, we often oversimplify the need for business resumption of the ICT business, which in turn will impact ICT availability. The need to

    ...
  • ICT health check: Win-win for ICT and business

    Conclusion: ICT health checks enable organisations to better understand risks and prioritise activities to both maintain and improve the performance and reliability of ICT in support of business outcomes.

    ICT health checks can be conducted as a light touch in the first instance, with detailed in-depth health checks being conducted as follow-up activities in specific

    ...
  • For job security, get the house in order before an IT audit

    Conclusion: IT auditors typically consult with, and report their findings to, the board’s Audit and Risk Committee. Their POW (program of work) or activities upon which they will focus may or may not be telegraphed in advance to stakeholders, including IT management.

    To avoid getting a qualified audit report for IT, e.g. when internal (systems) controls are weak or

    ...
  • ICT disaster recovery plan challenges

    Conclusion: ICT disaster recovery plans (DRPs) have been in place for many years. Fortunately, invoking these plans is rare, but just like insurance plans, it is wise to ensure the fine print is valid, up to date and tested on a regular basis to minimise restoration of business services reliant on the complex range of IT enablers in place. Adoption of general Cloud services

    ...
  • Incident response planning: More than dealing with cyber security breaches and outages

    Conclusion: In times of business disruption, the value of a pragmatic and accessible incident response plan (IRP) will become the main tool in getting the business back to normal operation, and minimising loss of revenue, services and reputation. This holds true during the time of stress when attempting to get back to normal operations. Using the analogy of taking out

    ...
    Related Articles:

    "Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

    "Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

    "Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

    "What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

  • Strategic vendor management in government

    Conclusion: The development of a strategic relationship between suppliers and public government agencies needs to be approached differently to that in the private commercial world. Government bodies are bound by procurement rules which require government agencies to regularly market-test provision of services, where value for money is the primary consideration. Government

    ...
  • Microsegmentation: Improving IT security

    Conclusion: Recently, several architectural models and tools have become available to enable the microsegmentation of networks, which helps improve overall security within organisations and can help limit the scope of any potential breach within an organisation. This can be achieved by aligning microsegmentation of networks with the organisation’s mission-critical systems

    ...
    Related Articles:

    "Network Virtualisation – Security drives adoption" IBRS, 2016-09-02 05:06:16

  • Effective communication is a combat multiplier for business

    Conclusion: Successful businesses need their people to be productive and to perform well. Effective communication may assist in ensuring they do. Effective communication is about thought leadership, defining a purpose, informing tasking and priorities and, most importantly, listening. Opportunities that impact productivity and the fiscal performance of

    ...
  • Testing your business continuity plan

    Conclusion: Regular testing of the business continuity plan (BCP) has many benefits which go beyond ticking the mandatory compliance box to keep audit off the back of executives. Effective testing exercises ensure the BCP has been updated and includes sense-checking the completeness of resources required in the recovery strategies of critical business functions. Running

    ...
    Related Articles:

    "Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

    "Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

    "What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

  • Modern day slavery: Are you conscious of the human implications of your sourcing choices?

    Conclusion: With both the NSW and commonwealth parliaments passing respective Modern Slavery Acts in 2018, there are now real implications and consequences for business leaders and their suppliers who ignore the risks of slavery within their supply chains.

    Unlike the California Transparency in Supply Chains Act 2010 which

    ...
  • Telecommunications capability: Not the way we have always done it

    Conclusion: Telecommunications services and the supporting infrastructure have historically been complex, costly and difficult to change. The modern technology landscape now allows for greater flexibility in the design of networks, and the telecommunications services of voice, video and data they deliver.

    The use of software defined networking (SDN), Cloud-based

    ...
  • Challenges when conducting business impact analysis

    Conclusion: Conducting effective business impact analysis details the business functions and provides further insight into the relative importance of each function and its criticality. The information is then used as the main source to develop business recovery strategies, the priority of restoration and identification of resources to aid in the restoration of business

    ...
    Related Articles:

    "Business continuity planning challenges" IBRS, 2019-03-04 13:41:18

    "Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

    "Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

  • Projects: The importance of lessons learnt

    Conclusion: Effective project managers prize the importance of capturing lessons learnt during the life of a project, but too often, it is just a necessary task to complete at project closure. By following simple tips and adhering to some techniques, project managers can get increased benefits for themselves and the organisations they work with.

  • PROTECTED Cloud: Cyber considerations

    Conclusion: The Agency Head/CEO is responsible for accrediting the ICT system for use at the PROTECTED level. The accreditation process is specific to the services being delivered for the organisation. The Australian Signals Directorate (ASD) certification process is a generic process that assesses the Cloud Service Provider’s (CSP) level of security only.

    The Agency

    ...
    Related Articles:

    "Running IT-as-a-Service Part 38: Successful hybrid Cloud requires multi-provider governance framework" IBRS, 2018-02-01 10:08:33

    "Running IT-as-a-Service Part 49: The case for hybrid Cloud migration" IBRS, 2019-02-03 01:26:59

    "Should elements of your IT environments and data holdings be classified PROTECTED? Why and what to consider" IBRS, 2019-01-06 22:27:44

    "The value proposition for PROTECTED Cloud" IBRS, 2019-02-03 01:32:06

  • Business continuity planning challenges

    Conclusion: Organisations need to plan to quickly and successfully recover business operations by creating and updating business continuity plans (BCPs) supported by disaster recovery plans (DRPs). However, there are many challenges to overcome in order to keep these plans useful in readiness when business disruption eventuates.

  • ICT monitoring strategy: First principles

    Conclusion: What to monitor and how you respond to the data is often poorly documented and not fully understood until after a failure occurs. In this world of “no surprises”, effective monitoring is a key success factor. If an organisation’s ICT monitoring strategy is to be successful it must be structured around the organisation’s business outcomes. The monitoring strategy

    ...
  • The value proposition for PROTECTED Cloud

    Conclusion: Cloud offerings are now commercially available, allowing CIOs to engage the technology offerings with a high degree of trust that the service is secure and responsive, at reduced cost compared to in-house solutions.

    CEOs have an obligation to ensure their organisation’s IT systems are cost-effective and meet the security accreditation defined by government

    ...
  • Beyond privacy to trust: The need for enterprise data ethics

    Conclusion: Australians have become increasingly concerned not only with what data is being held about them and others, but how this data is being used and whether the resulting information or analysis can or should be trusted by them or third parties.

    The 2018 amendments to the Privacy Act for mandatory data breach notification provisions are only the start of the

    ...
  • Should elements of your IT environments and data holdings be classified PROTECTED? Why and what to consider

    Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and/or when renewing older infrastructure and services. The need to have cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any

    ...
    Related Articles:

    "Canberra-based Azure is about much more than security" IBRS, 2018-04-14 13:43:57

    "On-Premises Cloud: Real flexibility or just a finance plan?" IBRS, 2017-05-06 06:37:20

    "Running IT-as-a-Service Part 33: How to transition to hybrid Cloud" IBRS, 2017-08-02 02:32:44

  • Pragmatic business continuity planning

    Conclusion: Keeping business continuity plans (BCP) succinct, up to date and easy to read will reap rewards when they are required during a business disruption.

    Related Articles:

    "Astute Leadership needed in a crisis" IBRS, 2017-01-01 10:35:45

    "Investing in Business Resilience Planning - the CIOs hardest sell" IBRS, 2012-08-31 00:00:00

    "Running IT-as-a-Service Part 40: Aligning business continuity and IT disaster recovery plans" IBRS, 2018-03-31 06:56:00

  • Use the NIST cybersecurity framework to drive for visibility

    Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework and a guide when working through the framework

    ...
  • Three levers tightening up the cyber security of Australia

    Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and

    ...
  • IT management leadership role in risk management

    Conclusion: In a world where organisations increasingly rely on the successful performance of their business systems, it is important that IT management takes the lead in managing the risk of systems failure and cyber security breaches from all sources.

    Boards are ultimately responsible for monitoring risks. They direct IT (and business) management to create a framework and

    ...
  • Maersk and NotPetya – a case study on business impact and cyber risk management

    Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if

    ...
  • Ensuring records retention schedules are effective

    Conclusion: Organisations know that they have legal obligations in terms of record retention and privacy. The foundation of good information management governance is an effective record retention schedule (RRS). Organisations need to regularly review and audit their RRS not only in terms of it being current, but also in terms of it being effective and being complied

    ...
  • Master Advisory Presentation: Enterprise IT and OT

    IT consists of information and communications technologies (ICT) typically used in business, corporate or enterprise management (e.g. computer processing, data management, business processes and applications, customer service, enterprise networking).

    OT consists of specific operational technologies used to run a business operation (e.g. capital assets, manufacturing process control,

    ...
  • ICT Budget Trends

    Conclusion: In the last few years the structure and shape of ICT investment have undergone a series of shifts. The results are varied and complex and they reflect wider changes in the investment and use of ICT products.

    It is important for organisations to take note of these transitions and to adapt and utilise methods which can improve the efficiency of their ICT

    ...
  • Cyber insurance – it’s not the cybers you’re insuring

    Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance

    ...
  • Ransomware versus secure by design

    Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene

    ...
  • Organisations must have an appreciation of their own cyber risks to effectively engage an MSSP

    Conclusion: IT executives must appreciate that managed security services are not a simple IT outsourcing function, because cyber security is not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost

    ...
  • Considerations for cyber security audits

    Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent

    ...
  • Mergers, Acquisitions and Divestitures: What does it mean to your business?

    Conclusion: Mergers, acquisitions and divestitures are regular occurrences amongst ICT vendors. A lot of analysis of these announcements focuses on the potential impact on the future value of the organisations involved, particularly for investors. But each announcement means there will be changes for employees, customers and business partners.

    Prudent organisations

    ...
  • Data: An Asset and a Liability

    Conclusion: Organisations must proactively manage exactly which data is kept, secured, and backed up, as well as which data must be archived or permanently deleted. Data hoarding adds considerably to storage costs as well as potentially exposing organisations to risks especially if the data is inappropriate, unencrypted, or could put an organisation’s brand at

    ...
  • When criminals hijack your organisation’s brand for phishing

    Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not

    ...
  • The Top 6 Innovation Drivers

    Conclusion: The Australian Bureau of Statistics’ annual innovation survey quantifies the efforts of businesses in all industries. The status of innovation is quite mixed, between small businesses which tinker at the edges and larger enterprises which are more thorough.

    Innovation is not one thing – it is a variety of actions which can be implemented. Improving

    ...
  • Applying The Five Knows of Cyber Security (Video)

    With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

    Applying

    ...
    Related Articles:

    "Applying the Five Knows of Cyber Security" IBRS, 2015-08-01 00:32:04

  • Going to Cloud: Plan to fail to improve success

    Conclusion: Organisations considering applications migration to a Cloud service provider may lack the experience to understand potential risks or how to select a service provider. This may result in budget overrun or inability to meet business needs.

    While planning to engage a service provider, a “Plan B” (to invoke in case of failure) is needed to strengthen the

    ...
  • APRA and the Cloud: Organisations must be able to show their working

    Conclusion: IT executives in financial services organisations have expressed frustration at the seemingly vague requirements of APRA, but this misses the true intention of APRA. APRA is not anti-Cloud, but the regulator insists that financial services

    ...
  • Best intentions are incapable of mitigating Cyber Risk

    Conclusion: As cyber security gains awareness among business leaders, many organisations are undertaking new cyber risk management initiatives. However, these initiatives can be misdirected if business leaders are not clear on why they are

    ...
  • Advancing cyber security capabilities requires continual maturation

    Conclusion: Unless an organisation has an already strong cyber security capability, or the budget and appetite to progress its maturity very quickly through expanding its headcount and changing business processes, it is unlikely that any security tool

    ...
  • Evaluating Skype for Business

    Conclusion: Microsoft is completing a unified communications and collaboration (UCC) product suite development journey begun more than a decade ago as it finally offers missing critical components with Cloud-delivered telephony. In doing so it risks alienating its current UCC partners (especially those in telephony).

    UCC strategy, planning and deployment

    ...
  • Considerations for engaging a threat intelligence service

    Conclusion: The challenge with handling threat intelligence is in assessing its relevance to an organisation, determining an appropriate response and then continual execution and reassessment. Consequently, the more comprehensive the threat intelligence service is, the greater the requirement for a customer to have existing,

    ...
  • Why Organisations need an Information Security Executive

    Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be

    ...
  • Marketing’s Priorities and Pressures

    Conclusion: The Australian market presents serious problems to marketers. The situation has been foreseeable for the last two years. The situation is likely to soften further, which will constrain their capacity to seek growth.

    Solutions are available and require reappraisal of strategies and objectives. Applying intelligence and the right tools should

    ...
  • IT security considerations in the supply chain

    This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

    The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved to have electricity or

    ...
  • Applying the Five Knows of Cyber Security

    Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information

    ...
    Related Articles:

    "Applying The Five Knows of Cyber Security (Video)" IBRS, 2016-08-15 02:39:16

  • Why Organisations need an Information Security Outreach Function

    Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk

    ...
  • Lessons from security analytics projects

    Conclusion: Big data and analytics projects can learn important lessons from the domain of information security analytics platforms. Two critical factors to consider when planning deployment of an analytics platform are: the need for a clear business objective; and the depth and duration of organisational commitment required. Without a clear understanding of the

    ...
  • Should organisations use the Lockheed Martin Cyber Kill Chain framework?

    Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences.

    ...
  • Securing IT for Executives travelling to high risk countries

    Conclusion: Travelling executives must be under no illusion that if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The potential value of the information to a third party will be directly proportional to the effort they may expend

    ...
  • AWS Backup and Recovery

    Conclusion: Organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

    Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to

    ...
  • Security awareness campaigns – Engagement is the magic sauce

    Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee

    ...
  • Collaboration will make the Internet of Things into the Internet of Everything

    Conclusion: The first generation of the Internet of Things (IoT) is now reliably internetworking uniquely identifiable embedded computer devices.

    However, the emerging Internet of Everything (IoE) will go beyond the IoT and its machine-to-machine (M2M) communications between devices, systems and services. The demands from popular consumer IT will lead to

    ...
  • Keeping projects on track – The softer cues to watch

    Conclusion: Project Health Checks and Gateway Reviews are an excellent way of assessing the progress of a significant project, identifying issues and taking a corrective action approach that is in the best interests of the organisation. One of the obvious and highest risk periods for projects to go off the rails is the period between when a contract has been

    ...
  • Lessons from Data Breaches: Silver Bullets do not fire themselves

    Conclusion: As much as the industry should not blame the victims of cyberattacks, the industry must also learn from these crimes. There are important lessons that must be drawn out from these breaches, because most organisations would be equally vulnerable to similar attacks. Three key lessons are: look for indicators of compromise and be sufficiently resourced

    ...
  • A Cyber-insurance Conversation will open a useful Can of Worms

    Conclusion: When considering using cyber-insurance to deal with the potential costs associated with a successful attack, there are important considerations that CIOs and CISOs should be highlighting to operational risk and finance executives. Most organisations will need to raise their risk maturity substantially, and this means investment as well as changes to

    ...
  • Why Health ICT is failing Patients

    Conclusion: Over the years, many ICT professionals have moved from roles in commerce to roles in Health without recognising the unique challenges presented by clinical environments. The result is an underperforming, expensive and misaligned ICT service that soaks up hundreds of millions of dollars annually for minimal patient benefit.

    Related Articles:

    "Why Health ICT is failing Patients (Part 2)" IBRS, 2014-12-03 16:44:03

  • Risk management and quality assurance of large enterprise Cloud service rollouts

    Conclusion: When implementing enterprise Cloud services, a disciplined and locally distributed approach to user acceptance testing in combination with real-time dashboards for test management and defect management can be used as the centrepiece of a highly scalable quality assurance framework. An effective quality assurance process can go a long way to minimise

    ...
  • What does HP’s split mean to the customer?

    Conclusion: HP’s split into two companies is more important as a sign of the dramatic changes in the IT infrastructure market than the impact it will have on HP customers. When combined with IBM’s exit from the PC and x86 markets and Dell going private, poor financial results from leaders such as IBM and SAP, it is clear we are in the midst of a major industry

    ...
  • Security Frameworks – know the rules before you break them

    Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. So, security leaders should be able to defend adherence, or variation, from any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not

    ...
  • Secure IT Equipment Disposal

    Conclusion: Organisations must ensure they have taken reasonable steps to not release IT equipment which contains information assets. Leading software options for wiping data will be more than adequate for most organisations, and physically destroying disks is both excessively costly and environmentally unfriendly. However, as important as ensuring that sensitive data is

    ...
  • The Revolution needs You

    Conclusion: Failure to embrace the SMACC stack (Social, Mobile, Analytics, Cloud and Consumerisation) will result in the wider organisation working around the internal ICT provider. Job losses in the ICT team and a reduction in wider corporate capability will result.

  • User Experience Design: More than meets the eye

    Conclusion: Consumer-oriented software and online services are raising user expectations. To determine the aspects of user experience design, and the trade-offs that are appropriate in a particular business context, requires extensive collaboration across multiple disciplines. The cross-disciplinary nature of the work must

    ...
  • Cyber-resilience: A national response is required

    Conclusion: IT executives from Australia’s largest organisations are actively looking for ways to create cyber-resilience, not just in their organisations, but also in the ecosystem their organisations operate in. These executives are acknowledging that it is not enough for an organisation to

    ...
  • The Privacy Act Amendments - a Primer for IT Executives

    Conclusion: Many IT executives are still unclear as to their obligations under the amended Privacy Act. IT executives should use the Privacy Act as an opportunity to start transitioning into a technical advisor role for their organisation. They should avoid falling into the trap of trying to unravel the Act

    ...
  • Privileged users that turn malicious - rare but formidable

    Conclusion: The probability of an inside attack is hard to gauge and depends entirely on the inner state of the attacker, but the impact can range from inconsequential to disproportionately vast. CIOs must assess the risk of a malicious insider in the context of their organisation’s information assets and risk management

    ...
  • Will Microsoft survive?

    Conclusion: Debate over Microsoft’s mixed record of successes and slow innovation during the last decade has incited conjecture as to its long term durability. As many highly successful vendors have disappeared very quickly, the same inference for

    ...
  • Choosing Huawei could be risky - but not why you think

    Conclusion: Accusations against Huawei of spying for the Chinese Government are destabilising confidence in this vendor in the local market. Consequently, the key challenge for Huawei in the enterprise IT space will be a growing reticence by people to be trained in a technology that is being

    ...
  • IT security and risk issues in the financial services sector

    Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial

    ...
  • Cloud security - the real risks

    Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the

    ...
  • What IT security lessons should you draw from the Verizon DBIR?

    Conclusion: The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR

    ...

In the News

Outdated work from home policies bog down Aussie businesses - Computer Reseller News - 6 April 2020

IBRS analyst Dr. Joseph Sweeney provides best-practice advice on working from home in the current pandemic situation. Dr. Joseph Sweeney discusses current working from home policies which are...

Centrelink crashes under demand for crisis payments - Australian Financial Review - 23 March 2020

IBRS workforce transformation advisor Joseph Sweeney said many government departments had to navigate difficult IT environments that were only part-way through their digital transformations, with...

Inside EY's security work at ANZ - Australian Financial Review - 3 March 2020

"There is more security work to go round than there are resources. So I don't think the market is that crowded. It's important to remember that security is not something you buy and then it's done;...

Google cloud boss looks to AI as it fights Amazon, Microsoft duopoly - Australian Financial Review - 2 March 2020

IBRS analyst Joe Sweeney has been tracking the three major Cloud vendors' capabilities in AI and said Google is right to believe it has an edge over AWS and Microsoft when it comes to corpus (the...

What should be in Australia’s next cyber security strategy? - Computer Weekly - 10 Feb 2020

Peter Sandilands, an advisor at analyst firm IBRS, called the discussion paper “a pre-judged survey” that is mostly looking for answers. He also questioned if the resulting recommendations would be...
