James Turner


James Turner is the IBRS Advisor who specialises in cyber security and risk. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. Since joining IBRS in 2007, James has authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences. James is a sought-after speaker, facilitator and panel participant. He is the author of the IBRS Security Leadership MAP. James is frequently quoted in the media on industry issues, and is the longest-serving cyber security industry analyst in the Asia Pacific region. He contributes a regular opinion piece for the Australian Financial Review covering issues in the local cyber security industry. James is also the founder of CISO Lens and the program manager of the CIO Cyber Academy. These two peer-networking programs are designed to support executives in their roles as leaders for their organisations in the fast-moving space of cyber risk.

Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation whose senior business executives were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.



Conclusion: Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.



Conclusion: The recent high-profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation-state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation-state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking; we need a formalised capability to respond to global and national malware incidents.


IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.


Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.




Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.




Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.



Conclusion: IT executives must appreciate that managed security services is not a simple IT outsourcing function, because cyber security is not merely an IT problem. Engagement with an MSSP (managed security service provider) is using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost implications for both parties and will require a commitment to continually reviewing suitability of services. Executives should aim to evolve their own cyber risk management capabilities around people, process and technology, because this internal maturity is required to get the most from engaging with an MSSP.

