James Turner

James Turner is an IBRS emeritus Advisor who specialised in cyber security and risk, and who facilitates the CIO Cyber and Risk Network on behalf of IBRS. James has over a decade of experience as an industry analyst and advisor, researching the cyber security industry in Australia. As an IBRS Advisor, James authored over 100 IBRS Advisory papers, led dozens of executive roundtables, and presented at numerous conferences.

Conclusion: Security awareness campaigns are actually an effort to change an aspect of organisational culture. Cultural change is famously difficult, takes a long time, and will ultimately fail if it does not have senior executive commitment. Specifically, senior executives must be seen to be exhibiting the behaviour of the new culture. The implication for security professionals is that awareness campaigns must start at the top and not move out across the organisation until there is behavioural change at the top.

Conclusion: Despite the vendor and media hype around malware threats to the hypervisor, the biggest risk to IT departments from virtualisation is insufficient procedural controls.

The risk stems from virtual machines being poorly managed, growing in number, and the consequent haemorrhage of money to support them. Virtual machines should be processed through a planned, and managed, lifecycle so that they do not sprawl out of control and absorb excessive resources. By using a chargeback mechanism, CIOs can ensure that each virtual machine instance is not further depleting the capacity of the IT department to support the organisation.

Conclusion: Organisations are potentially at risk from employee fraud, and a frequent motivator for the perpetrators is their gambling problem. While not all employees who gamble are going to commit fraud, it is imperative that the subject of gambling by employees is addressed as part of any organisational risk assessment. The subject is sensitive and complicated, but must be considered because of the direct cost of fraud.

In the numerous conversations I have had over the past few months, concerning the government’s ISP content filtering plan, a common pattern occurs. The people I’ve spoken to object to the plan, but when I ask what their specific objections are, nearly everyone provides ideological arguments – not technical. The most common ideological argument is a rejection of the government taking on the role of “Big Brother”.

Conclusion: Many economists currently agree that the global economy is at least a year away from improving. Until the economy recovers, many IT professionals will have their positions made redundant and organisations must handle these redundancies with great care. The expertise of IT professionals who feel a need to take revenge means that the impact of an insider attack could be very costly to an organisation which may already be struggling.

Organisations which have already deployed technical controls, such as Identity Management suites, and procedural controls, such as separation of duties, will be better positioned to close the window of opportunity for sabotage and fraud. But insider attackers frequently have a pre-existing, work-related grudge, and so IT management attention must be given now to dealing with the “soft side” of their staff and contractors.

Conclusion: Historically, operating systems and applications were the richest source of software vulnerabilities for attackers to exploit, but the problem organisations are now facing is that web browsers and plug-ins are being targeted, and this is a trend that will only increase in the near future.

Internet-facing browsers are effectively part of the perimeter, and organisations must have a strategy which will not only protect the browser, but also protect against a compromised browser. This has implications for all browsers – including those on portable electronic devices (PEDs) which are increasingly pitched as mobile web-access devices.

Conclusion: Despite the growing body of information available on data breaches, many executives remain unjustifiably overconfident in their organisations’ security capabilities. (Ironically, this overconfidence is reflected in the contributing causes of data breaches.) Organisations will not be breached through their strongest points of defence – the points organisations have most confidence in – they will be breached through their weakest points. The lesson from past data breaches is that these weaknesses are likely to be areas which have been overlooked. It is the unknown unknowns that undermine information security.

These unknown unknowns can only be identified by people who have not been instilled with the same assumptions that the organisation is already working with. It is only through encouraging designated people, and third parties, to challenge assumptions and voice dissent that organisations stand a chance of avoiding the trap of insecurity-by-consensus.

Conclusion: The Payment Card Industry Data Security Standard (PCI DSS) is concise and promotes many effective controls – most of which can be achieved through business process reengineering or redesign. Software and hardware vendors talk about fines for non-compliance, but unlike in the US, such fines are almost non-existent in Australia. As such, PCI DSS has no stick, but there is the possibility of a carrot: a lower risk profile.

Many organisations confuse receiving credit card payments with handling cardholder data. These are not the same thing, and CIOs should challenge the assumption that it is necessary to handle the cardholder data. Only organisations that absolutely must handle cardholder data should become PCI DSS compliant. Otherwise, organisations should reduce their risk profile by not handling cardholder data at all.

IBRS conducted an online survey of prequalified IT decision makers in Australia & New Zealand. The respondents were asked questions focusing on their experience of operational issues relating to identity and access management. The results of this survey are presented in this report, and a high level analysis is given.

Conclusion: The threat of a data breach (unauthorised access to data) is not just from hackers, and not just as a result of malicious intent. Carelessness and oversight by trusted inside sources has been shown, repeatedly, to be the root cause of numerous data breaches. Recognising this, many organisations (particularly in government and finance) include security awareness training as part of an employee's induction.

But this one-time security awareness training is easily lost in the information overload experienced by new starters. Security awareness training is vital, but in order to realise the benefits and prevent acts of carelessness, it is even more important to repeatedly expose employees to the training so that their level of security awareness stays elevated. Elevated security awareness helps create the human firewall: probably the most cost-effective security resource you can get.

Conclusion: Deprovisioning old accounts which are no longer required on corporate information systems is an essential process for managing complexity and supporting information security objectives. Provisioning and change management are the aspects of identity management that often get more focus, as they are seen as business enablers. Deprovisioning, as part of an identity lifecycle process, may not help businesses make money, but it does help mitigate risk. Failing to deprovision legacy accounts which then become a conduit for fraud could well be seen as a failing of due care and governance. After all, we are pretty good at stopping payments to employees once they have left; why aren’t the two processes combined?

Conclusion: The field of biometrics still has many challenges to overcome and is still on a steep developmental curve. As biometric authentication technology improves over the coming years, there may be a role for it in encouraging users to take responsibility for their actions. The belief that their actions on corporate networks are physically linked to them through multiple factors of authentication will help extinguish the lack of accountability which continues to undermine many organisations. This linking of action to identity will help increase the risk of detection in the mind of individuals contemplating fraud – as they will struggle to argue that someone else used their biometric credentials (and password and token) without their knowledge and/or consent. But it must be understood by CIOs that the value from biometric authentication comes from the “security theatre” that it creates in the minds of users; as the technology itself currently offers questionable additional value to existing strong authentication systems.

Conclusion: Biometric authentication can be an effective inclusion for organisations to reduce the risk of unauthorised access. However, as the general public becomes more informed on privacy issues, their tolerance for data breaches involving biometric data will plummet. Organisations that are named and shamed for failing to protect biometric data will suffer the consequences of excruciating scrutiny, as well as increased legislative and regulatory conditions. For the majority of Australasian organisations the cost and complexity of deploying biometric authentication correctly are prohibitive, and the costs of deploying it incorrectly are unacceptable.

Conclusion: Analysing the challenges of portable electronic devices (PEDs) through the PED trilemma model breaks down the problem into three addressable aspects which can more easily be tackled, often by non-technical means. IT departments can manage the inundation of PEDs into corporate networks; but only with unambiguous commitment from senior business managers. IT can get commitment from these managers by using charge-back models.

If we put a dollar sign in the middle of the trilemma, we can show that expansion on any of the three sides results in a total increase in support costs (represented by the area in the middle). IT should use charge-back models for PED support to the business units. An appropriate charge-back mechanism forces business units to carefully consider their choices. The days of gluing up USB ports are long gone.
