
James Turner


James Turner is the IBRS Advisor who specialises in cyber security and risk. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. Since joining IBRS in 2007, James has authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences. James is a sought-after speaker, facilitator and panel participant. He is the author of the IBRS Security Leadership MAP. James is frequently quoted in the media on industry issues, and is the longest-serving cyber security industry analyst in the Asia Pacific region. He contributes a regular opinion piece for the Australian Financial Review covering issues in the local cyber security industry. James is also the founder of CISO Lens and the program manager of the CIO Cyber & Risk Network. These two peer-networking programs are designed to support executives in their roles as leaders for their organisations in the fast-moving space of cyber risk.

Conclusion: There are three levers being applied to the cyber security maturity of specific parts of the Australian economy. These three levers are the Notifiable Data Breaches Scheme, the Security of Critical Infrastructure Bill, and Prudential Standard CPS 234 “Information Security”. These levers each address an area of importance for the national economic wellbeing, and organisations should look at all three for insight into what is now expected to constitute reasonable and appropriate practice in cyber risk management. In turn, they address the importance of data value to customer trust, the importance of system control and supply chains to national security, and the importance of resilience to our economy.




Conclusion: UpGuard, Nuix and WithYouWithMe each have a proven capability to address an important aspect of the cyber defences of Australian organisations. WithYouWithMe is about people, UpGuard is about ensuring process is adhered to and exceptions are visible, and Nuix delivers technology which, through a data processing engine, enables organisations to make sense of large amounts of unstructured data.




Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if it happened to us?” The business impact of NotPetya on Maersk is clear, but so too are many of the risk mitigations that should be put in place before a cyber incident – and many of these are not directly related to technology. Finally, risk management is just as much about recovering from an incident as trying to prevent one.




IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.
 



Conclusion: Security awareness campaigns are essential for educating staff on security behaviours. However, without staff engagement, these campaigns can fail to change behaviour – and behavioural change is the only outcome that really matters. Instead of continually focusing on security for the work environment, start focusing on esafety and educate staff on how to protect themselves in their online lives outside work. This has the benefit of informing staff on many of the risks that they can face personally, as well as educating them on practices and technologies that can help. Training staff on esafety also has the additional benefit of being the right thing to do and demonstrates corporate social responsibility.




Conclusion: Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamified imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.




Conclusion: The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.




Conclusion: Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.




Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation of senior business executives that were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.




In the News

The three cyber security challenges Australian businesses can't ignore - AFR - 6 May 2018

Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers. Rather there are three new regulatory forces impacting specific points of the...

OAIC report reveals 63 data breach notifications in first six weeks of NDB scheme - AFR - 11 April 2018

More than 60 data breaches have been reported in the first six weeks of the country's new Notifiable Data Breach (NDB) scheme, with healthcare providers making up almost a quarter of the mandatory...

New data breach notification scheme will be a barometer for business maturity - AFR - 12 March 2018

Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed...

The Future of Work: The Role of People - Adobe - 31 Jan 2018

The Future of Work: The Role of People Foreword by Joseph Sweeney, IBRS Advisor For the past 30 years, organisations have applied technology to people to make the workplace more productive. But...

Businesses unprepared for new data breach notification laws - AFR - 29th January 2018

Thousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or...
