James Turner


James Turner is the IBRS Advisor who specialises in cyber security and risk. James has over a decade of experience in researching the cyber security and risk industry in Australia. Since joining IBRS in 2007, James has authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at AusCERT, the ACSC Conference, the AISA national conference, and many other industry forums. James also frequently facilitates or participates in panel discussions. Before becoming an industry analyst, James held technical and IT management roles in Australia and the UK. From May 2013 to June 2016, James was the Chair of the Australian Information Security Association’s (AISA) Advocacy Group and an authorised spokesperson for AISA, a membership body of 3,000 security experts from across Australia. In January 2015, James established CISO Lens, a peer networking group for cyber security executives in large organisations, to support them in their roles. James is frequently approached for commentary by the press, and is the longest serving cyber security industry analyst in the Asia Pacific region.

Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

Conclusion: IT executives must appreciate that managed security services are not a simple IT outsourcing function, because cyber security is not merely an IT problem. Engaging an MSSP (managed security service provider) means using a vendor to help manage the highly dynamic risks of conducting operations in a modern, hyper-connected environment. This engagement has cost implications for both parties and will require a commitment to continually reviewing the suitability of services. Executives should aim to evolve their own cyber risk management capabilities around people, process and technology, because this internal maturity is required to get the most from engaging with an MSSP.

Conclusion: Security awareness programs are an attempt to change staff behaviour for the protection of an organisation’s information assets, and also an attempt to change corporate culture to support and encourage desirable behaviours. However, security awareness programs also run the risk of overwhelming staff with too much fear, uncertainty, and doubt. A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of “relaxed alert”, or “Code Yellow” in Cooper’s Colour Codes.

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.
Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

Conclusion: Bugcrowd, Hivint, Kasada, and Secure Code Warrior each has a proven capability to address an important aspect of the cyber defences of Australian organisations. The Australian Cyber Security Strategy, launched in April 2016, advocates the promotion of local capabilities where Australia can build globally competitive solutions. These four vendors are already being used by leading local cyber security executives, and their capabilities are acknowledged.

Conclusion: In the IBRS Security Leadership capability maturity model, buying more product is level 2: Alienated, and is typified by IT teams that are struggling to take on the challenge of cyber security because they address it as a technical problem. Buying product without a clear understanding of the business risk it is aiming to address is a guarantee for failure. But for organisations that understand that cyber risk is much more than IT, know there is a business risk that comes with cyber capability, and have the organisational will to address it, technology can make a significant difference in automating and accelerating capability. These three vendors, Crowdstrike, CyberArk and Tanium, are well regarded by leading Australian customers.

Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.
