James Turner


James Turner is the IBRS Advisor who specialises in cyber security and risk. James has over a decade of experience in researching the cyber security and risk industry in Australia. Since joining IBRS in 2007, James has authored over 100 IBRS Advisory papers, led dozens of executive roundtables, presented at AusCERT, the ACSC Conference, the AISA national conference, and many other industry forums. James also frequently facilitates panel discussions, or participates in them. Before becoming an industry analyst, James held technical and IT management roles in Australia and the UK. From May 2013 to June 2016, James was the Chair of the Australian Information Security Association’s (AISA) Advocacy Group, and an authorised spokesperson for AISA, a membership body of 3,000 security experts from across Australia. In January 2015, James established CISO Lens, a peer networking group for cyber security executives in large organisations, to support them in their roles. James is frequently approached for commentary by the press, and is the longest serving cyber security industry analyst in the Asia Pacific region.

Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.



Conclusion: Bugcrowd, Hivint, Kasada, and Secure Code Warrior each has a proven capability to address an important aspect of the cyber defences of Australian organisations. The Australian Cyber Security Strategy, launched in April 2016, advocates the promotion of local capabilities where Australia can build globally competitive solutions. These four vendors are already being used by leading local cyber security executives, and their capabilities are acknowledged.



Conclusion: In the IBRS Security Leadership capability maturity model, buying more product is level 2: Alienated, and is typified by IT teams that are struggling to take on the challenge of cyber security because they address it as a technical problem. Buying product without a clear understanding of the business risk it is aiming to address is a guarantee for failure. But for organisations that understand that cyber risk is much more than IT, know there is a business risk that comes with cyber capability, and have the organisational will to address it, technology can make a significant difference in automating and accelerating capability. These three vendors, Crowdstrike, CyberArk and Tanium, are well regarded by leading Australian customers.



Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.



Conclusion: This research note sets out and describes the Security Leadership capability maturity model. In using this model, organisations must be honest about their current level before they can even speculate on the benefits of working towards a higher maturity level. Working towards higher levels of maturity has clear benefits for both IT and the business, as well as business alignment of IT. However, a critical part of the journey will be dealing with any resentment from business units about their experience to date. Security Leadership cannot emerge unless prior bad experiences around service delivery are acknowledged and addressed, because it is a commitment to trust and resilience from the organisation as a team.



"This Master Advisory Presentation is designed to guide and stimulate discussion between business and technology groups, and point the way for more detailed activity. It also provides links to further reading to support these follow-up activities." James Turner, Author of the Security Leadership MAP.

The key takeaways from the Security Leadership Master Advisory Presentation are:

  • gain valuable insights into how security leaders are positioning cyber security and risk within their organisations
  • be able to self assess how your organisation measures up on the IBRS capability maturity model for security leadership
  • learn how to position cyber security so that it is aligned to business priorities

For a deeper understanding of how security impacts the way business is done, download your copy now.



A security leader understands today’s cyber risks, how these apply to their organisation and market, and has management’s confidence to address these risks responsibly. A security leader guides the organisation through the realities of the new business environment, aligning the organisation’s practices and technologies to its risk appetite, and ensures these controls match and support the organisation’s desire for growth and innovation.

This MAP is designed to guide and stimulate discussion between business and technology groups, and point the way for more detailed activity. It also provides links to further reading to support these follow-up activities.



With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

Applying the Five Knows of Cyber Security is a must read for organisations that may be exposing themselves to risks through their supply chain.



IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.



Conclusion: Ransomware has proven such a successful cash cow for criminals that it is unlikely they will voluntarily stop their attacks. This means that business leaders must accept that further ransomware attacks are a foreseeable risk. While there are important conversations around the level of appropriate technical controls that an organisation may wish to implement, this conversation can only occur after business leaders have decided whether they want their organisation to help fund organised crime, or not. For organisations with a strong corporate social responsibility ethos, this is a very easy decision to make, but it is imperative that business leaders understand why they are committing to better technical hygiene and accepting tighter technical controls.

