Main
Log in

James Turner

info@ibrs.com.au

James Turner is an IBRS Emeritus Advisor who specialised in cyber security and risk and facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor; researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences. 

Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.
The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.


Register to read more...


Related Articles:

"Can IBRS assist on how to report on IT security metrics to business executives? " IBRS, 2018-05-13 23:32:09

"IT management leadership role in risk management" IBRS, 2018-05-04 18:43:08

"Use the NIST cyber­security framework to drive for visibility" IBRS, 2018-06-01 04:19:32

Conclusion: The updated NIST cybersecurity framework (CSF) is a pragmatic tool to enable an organisation to gain clarity on its current level of capability for cyber risk management. Remembering that visibility, as a principle, is both an objective of the framework, but also a guide when working through the framework will make application of the framework much more valuable. Aiming for visibility will enable an organisation to accurately gauge itself against each function, category and subcategory. Visibility will enable an organisation to honestly assert current capability, and the gap to a more desirous level of capability. Achieving visibility will require ongoing collaboration with business stakeholders which, in turn, delivers visibility to these same stakeholders and ultimately enables informed decision making.


Register to read more...


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.


Register to read more...


Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and organisations should look at all three for insight into what is now expected to constitute reasonable and appropriate practice in cyber risk management. In turn, they address the importance of data value to customer trust, the importance of system control and supply chains to national security, and the importance of resilience to our economy.


Register to read more...


Conclusion: UpGuard, Nuix and WithYouWithMe each have a proven capability to address an important aspect of the cyber defences of Australian organisations. WithYouWithMe is about people, UpGuard is about ensuring process is adhered to and exceptions are visible, and Nuix delivers technology which, through a data processing engine, enables organisations to make sense of large amounts of unstructured data.


Register to read more...


Related Articles:

"Hot cyber security vendors for your shortlist Part 2 – Aussie startups" IBRS, 2017-01-01 10:35:40

"Hot cyber security vendors for your shortlist – Part 1" IBRS, 2016-12-03 02:41:25

Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if it happened to us?” The business impact of NotPetya on Maersk is clear, but so too are many of the risk mitigations that should be put in place before a cyber incident – and many of these are not directly related to technology. Finally, risk management is just as much about recovering from an incident as trying to prevent one.


Register to read more...


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.
 

Register to read more...


Conclusion: Security awareness campaigns are essential for educating staff on security behaviours. However without staff engagement, these campaigns can fail to change behaviour – and behavioural change is the only outcome that really matters. Instead of continually focusing on security for the work environment, start focusing on esafety and educate staff on how to protect themselves in their online lives outside work. This has the benefit of informing staff on many of the risks that they can face personally, as well as educating them on practices and technologies that can help. Training staff on esafety also has the additional benefit of being the right thing to do and demonstrates corporate social responsibility.


Register to read more...


Conclusion: Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamefied imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.


Register to read more...


Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.


Register to read more...


In the News

How Do You Choose The Best Application Environment For Your Business? - WHICH-50 - 8th October 2019

According to a new IBRS study, spend on enterprise solutions is set to increase in 2019-2020. Both IT and line of business buyers need to consider how they manage procurement of these new solutions...
Read More...

The pros and cons of shadow IT In today’s business world - WHICH-50 - 23 July 2019

Shadow IT sounds like a covert — quite possibly dark — force. And to some people it may well be. But the truth is both far simpler and more complex. According to Cisco, Shadow IT is the use of...
Read More...

Busting The Three Big Cloud Myths - WHICH-50 - 11 June 2019

Organisations that are resisting the shift to cloud computing are often basing their decisions on common misconceptions around security, price and integration. That’s a key finding in a recent...
Read More...

ANZ business users calling the shots in ICT decisions

Conducted by Australia’s Intelligent Business Research Services (IBRS) and commissioned by TechnologyOne, the survey of 261 business leaders in ANZ has shown that business functions are having more...
Read More...

Managed security: a big gamble for Aussie IT providers - CRN - 02 August 2018

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and...
Read More...

Subscribe to IBRS Updates

Invalid Input
Invalid Input
Please enter a valid email address
Please enter your mobile phone number
Invalid Input

Get in-context advice from our experts about your most pressing issues or areas of interest

Make an Inquiry

Sitemap