Securing an environment can be a challenging task. What framework to select, NIST Cyber Security Framework, ISO27000 or others? The Center for Internet Security’s CIS Controls provide an approachable solution to that challenge.

Following on from his 'Use Security Principles to Guide Security Strategy' advisory paper, IBRS advisor Peter Sandilands conducted a webinar in which he shares a simpler starting point for building a security strategy:

CIS Controls are a pragmatic, measurable and scalable path to better security. This session walks through the controls and shows how an organisation can use them as a tactical pathway. Built around real-world experience in deploying the controls, the session demonstrates usable approaches to prioritise control selection, leverage staffing and measure the impact.

IBRSiQ is a database of client inquiries and is designed to get you talking to our advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

The Latest

22 February 2022: MetricStream has launched software solutions for governance, risk and compliance (GRC) that generate quantified, AI-powered risk insights for business growth, cybersecurity, and environmental, social and governance (ESG) reporting compliance. The SaaS company's line of GRC software products addresses enterprises' manual processes for GRC reporting with automation and improved visibility. The solutions consolidate the fragmented and siloed data sources required to report on GRC. The solutions are available as three pre-configured packages, with the end goal being to enhance enterprise ESG scores.

Why it’s Important

Organisations that lack GRC capabilities can suffer from weaker strategic and operational processes. Without clear accountability and ownership, they run the risk of operating outside compliance boundaries, potentially incurring penalties and regulatory sanctions.

The purpose of GRC is to provide a centralised risk repository and reporting capability which, in theory, leads to better transparency about how the enterprise meets its regulatory obligations.

While it is possible to implement GRC within existing business intelligence and data management tools, not all Australian organisations can deploy GRC this way, due to limited expertise and capacity constraints within their analytics teams. Furthermore, unlike large enterprises, where robust BI tools are integrated with core information repositories and external data sources, small and medium enterprises have yet to achieve a mature data management capability, and lack the budget for analytics and information management teams. In the end, compliance reporting costs them a large share of their financial resources to be on par with the quality of reporting that regulatory offices demand from them. Pre-configured GRC and ESG reporting tools may be a more viable option for these enterprises.

IBRS believes that GRC is becoming increasingly important among Australian organisations across all industries. Its impact will be felt as greater transparency: systemic workflows in which real-time insights guide decision-making so that the organisation meets the minimum requirements arising from regulatory change.

Who’s impacted

  • Business analysts
  • Risk managers

What’s Next?

Organisations need to be familiar with GRC and how they can best create a culture of compliance that ensures active oversight and adherence to applicable laws and regulations. Senior executives can drive a culture of transparency and efficient risk management by engaging in programs that meet GRC expectations, through compliance participation and implementation of preventive measures. This will improve risk control and promote good governance and organisational ethics.

To overcome the complexity of ‘build-it-yourself’ GRC and ESG reporting, consider if GRC software tools may complement the organisation's existing analytics platform through add-on solutions or dedicated products that make it easier to produce audit, accreditation and governance risk management reports.

Related IBRS Advisory

  1. IBM Acquires Data Analytics Firm Envizi
  2. More Evidence for Cloud Leading Sustainable ICT Charge

Conclusion: There are many frameworks available that can guide an organisation’s efforts to enhance its security capability. However, most are abstract and carry very little practical detail. Thus it can be difficult to establish how to implement the aims of a framework. This is a challenge to any organisation working towards minimising risk.

The Center for Internet Security (CIS) has been evolving the CIS controls for a decade or more. They are formulated in a way that makes them a superb tactical approach to cyber security. They do not subvert the available frameworks. Rather, they supplement most frameworks by filling in the details of what to do and how to do it.

Any organisation would do well to use the CIS controls as a measure of their current security stance.

The Latest

26 June 2021: Zoho briefed IBRS on Zoho DataPrep, its new business-user-focused data preparation tool, which is being included in its existing Zoho Analytics product as well as being available separately as a tool to clean, transform and migrate data. DataPrep is in beta, and will be officially launched on 13 July 2021.

Why it’s Important

Traditionally, cleaning and transforming data for use in analytics platforms has involved scripting and complex ETL (extract, transform and load) processes. This was a barrier to business stakeholders taking advantage of analytics. However, several analytics vendors (most notably Microsoft, Tableau, Qlik, Snowflake and Domo) have pioneered powerful, drag-and-drop, low-code ETL within their products.

Zoho, which is better known for its CRM, has an existing data analytics platform with Cloud storage, visualisation, reports and dashboards. While the product is not as sophisticated as its top-drawer rivals, it can be considered 'good enough' for many business users' needs. Most significantly, Zoho Analytics benefits from attractive licensing, including the ability to share reports and interactive dashboards both within an organisation and externally.

However, Zoho Analytics lacked a business-user-friendly, low-code ETL environment, instead relying on SQL scripting. Zoho DataPrep fills this gap by providing a dedicated, AI-enabled platform for extracting data from a variety of sources, allowing data cleaning and transformations to be applied, with the results pushed into another database, a data warehouse or Zoho Analytics.

All existing Zoho Analytics clients will receive Zoho DataPrep with no change to licensing.

However, what is interesting here is Zoho's decision to offer its DataPrep platform independently of its Analytics platform. This allows business stakeholders to use the platform as a tool for migration and data cleaning, not just analytics.

IBRS's initial tests of Zoho DataPrep suggest that it has some way to go before it can compete with the ready-made integration capabilities of Tableau, Power BI, Qlik and others. In addition, it offers less complex ETL than its better-established rivals. But that may not be an issue for organisations where staff have limited data literacy maturity, or where analytics requirements are relatively straightforward.

Who’s impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

The bigger takeaway from Zoho's announcement is that ETL, along with all other aspects of business intelligence and analytics, will be low-code, business-user friendly and resident in the Cloud. ICT departments seeking to create 'best of breed' business intelligence architectures that demand highly specialised skills will simply be bypassed, due to their lack of agility. While there will be a role for highly skilled statisticians, data scientists and machine learning professionals, the days of needing ICT staff who specialise in specific reporting and data warehousing products are passing.

Related IBRS Advisory

  1. Snowflake Gets PROTECTED Status Security Tick by Aussie Auditor
  2. IBRSiQ: Power BI vs Tableau
  3. Business-First Data Analytics
  4. AWS Accelerates Cloud Analytics with Custom Hardware
  5. IBRSiQ AIS and Power BI Initiatives
  6. Trends in Data Catalogues
  7. When Does Power BI Deliver Power to the People?
  8. Staff need data literacy – Here’s how to help them get it


While some bots may be benign, many are engaged in unscrupulous behaviour, such as stealing valuable commercial data or attempting to obtain access illegitimately. At best, bots are a drain on an organisation's resources, increasing demands on infrastructure, consuming resources and pushing up costs. In the worst case, they represent a significant cyber threat.

IBRS interviewed experts in the field of bot defence: Craig Templeton, CISO and GM Tech Platforms with REA Group and Sam Crowther, developer of the Kasada bot defence platform.


Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation whose senior business executives were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.

Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

Conclusion: The success of a security professional is not measured by whether their recommendations are adopted, but whether the technical risks faced by the organisation have been identified and communicated in terms of business impact to decision makers. This enables the business to make informed decisions. Consequently, security professionals must make it their highest priority to be in communication with the business, because one of the most impactful technical risks is a communications gap between the security team and the business. IT security professionals must take on learning the language of their business, because it isn’t the business’s responsibility to learn to speak IT security.

Conclusion: Organisations that may be at risk of a discovery action should have strategies to minimise the impact of eDiscovery requests. They should have agreed processes in place and should have implemented a comprehensive information and records management system that enables rapid responses and minimises cost when responding to such requests. Poor electronic information management, particularly of email and collaboration tools, is certain to create eDiscovery problems and expenses.

Conclusion: Unless CIOs are able to provide the business with a balanced and accurate picture of IT performance, it is likely that IT will be treated as 'just another supplier' in the minds of senior business executives. Moving IT up the value chain to become a trusted and strategic business partner requires more than concerted efforts in delivering projects and keeping the IT lights on. It requires effective marketing and good communication. One of the ways of improving IT credibility is to develop an effective IT scorecard that highlights precisely how IT's performance supports and, indeed, adds value to the business. Further, providing scorecard data to IT management and staff is likely to give them an incentive to lift IT performance levels.

Conclusion: Evaluation and measurement are creative activities in the technology business. In terms of evaluating the productivity benefit of broadband, the creativity needed is quite high. Finding a standard ROI assessment approach is not easy and designing better methods to locate broadband productivity is another challenge.

In terms of measuring broadband, the methodology applied is critical for understanding how broadband contributes to productivity. As the broadband debate rages on both sides of the Tasman, a better-designed research project that determines the extent to which broadband does or does not contribute to the productivity of knowledge workers should be a priority for organisations in the IT industry.

Conclusion: IT/MIS within an organisation can be thought of as a business and, like any business, should have an active marketing plan in place. Such a plan helps the CIO and key members of the MIS group actively promote to all parts of the organisation the value of the services delivered by the MIS Department. The plan should be couched in business terms understood by each user community and not in “IT-speak”.

Conclusion: Due to their scale of operation and the massive databases they need to manage, Australia’s major banks often act as a bellwether for other IT users. This is certainly the case at present as a number of banks commit to Master Data Management (MDM) in an effort to bring their management reporting into order.

Conclusion: Inexperienced organisations often see benchmarking as the process of measuring best performance and fail to achieve the real value of benchmarking, which is the discovery and adoption of the best practices that drive best performance. Done appropriately, benchmarking can yield unexpected and significant benefits, but done inappropriately it wastes considerable time and money.


Complexity is the enemy of good security. Complex strategies and complex roadmaps can be contributing factors in unsuccessful security implementations.

A better practice for a simpler starting point is creating a set of security principles as the first step in the evolution of a security strategy. Carefully crafted security principles can be a bridge to business understanding and buy-in to a successful security strategy.