James Turner


James Turner is the IBRS advisor who specialises in cyber security and risk. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. Since joining IBRS in 2007, James has authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences. James is a sought-after speaker, facilitator and panel participant. He is the author of the IBRS Security Leadership MAP. James is frequently quoted in the media on industry issues, and is the longest-serving cyber security industry analyst in the Asia Pacific region. He contributes a regular opinion piece for the Australian Financial Review covering issues in the local cyber security industry. James is also the founder of CISO Lens and the program manager of the CIO Cyber & Risk Network. These two peer-networking programs are designed to support executives in their roles as leaders for their organisations in the fast-moving space of cyber risk.

Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors, Microsoft, Google and AWS, understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.



Conclusion: Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.



Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation whose senior business executives were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.



Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.



Conclusion: The recent high-profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking; we need a formalised capability to respond to global and national malware incidents.


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.


Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important and what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.




Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.


