Main
Log in

Security Leadership

  • Conclusion: Relying on third parties to succeed in business has become the norm. Cost limitations and workforce requirements mean that businesses need to find efficient ways to achieve their goals. This regularly includes creating an ecosystem of organisations that offer technology, consulting and support services that can be leveraged when required for a fraction of the cost of employing a person or service in-house to the same end. This is great from a business perspective; however, engaging with third parties brings significant risk. Businesses are effectively opening their door to a perfect stranger and inviting them into their organisation to look around, share some data and stay a while. Managing the risk of having a third party connected to an organisation is important. An organisation’s security controls become meaningless once data is transferred to a third party. At the end of the day, if a cyber-attack occurs via a third party, there will be more than one reputation on the line in the eyes of current and future business partners, customers and clients. 

    While the impact of a third-party data breach cannot be completely prevented, the key to resilience, detection and management of connections is awareness, being upfront about the security expectationsand educating the workforce.

    Related Articles:

    "2FA is a no-brainer" IBRS, 2018-11-02 11:06:25

    "When it comes to security, when is enough... enough?" IBRS, 2018-10-04 11:56:31

  • Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.
    The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.

    Related Articles:

    "Can IBRS assist on how to report on IT security metrics to business executives? " IBRS, 2018-05-13 23:32:09

    "IT management leadership role in risk management" IBRS, 2018-05-04 18:43:08

    "Use the NIST cyber­security framework to drive for visibility" IBRS, 2018-06-01 04:19:32

  • Conclusion: The forthcoming General Data Protection Regulation (GDPR) legislation is being introduced by the European Union (EU), which has ramifications to organisations worldwide.

    Key aspects of GDPR relate specifically to what data exactly an organisation should be able to legally keep and for how long. The underlying principle is that less is best in terms of data collected and kept. For the data to have been legally collected, an individual has to have explicitly given their consent to the organisation to collect, keep and process their personal data.

    Related Articles:

    "Understanding GDPR requirements Part 4: Data portability" IBRS, 2018-06-01 04:21:44

    "Understanding GDPR requirements: Part 2" IBRS, 2018-03-31 07:03:46

    "Understanding General Data Protection Regulation requirements Part 1" IBRS, 2018-03-06 06:57:37

  • Conclusion: On 3rd April 2018, Microsoft announced the availability of its Azure Cloud running within Canberra Data Centres (CDC) facilities, and officially rated for protected workloads.

    Superficially, this appears to boost Microsoft’s ability to “check off” security concerns for government and other clients that have specific compliance demands.

    While removing compliance barriers to Cloud adoption is certainly welcome, there are more compelling factors for considering the new Azure facilities. These include: closing the gap between legacy solutions, hyper-scale, (selected) SaaS environments, and legacy solutions; reducing the distinction between public and private Cloud services; blending customer ecosystems for critical national infrastructure.

    The timing of this new infrastructure coincides with The Security of Critical Infrastructure Billintroduced to the Lower House in December last year, and passed by the Senate late last week.

  • Conclusion: UpGuard, Nuix and WithYouWithMe each have a proven capability to address an important aspect of the cyber defences of Australian organisations. WithYouWithMe is about people, UpGuard is about ensuring process is adhered to and exceptions are visible, and Nuix delivers technology which, through a data processing engine, enables organisations to make sense of large amounts of unstructured data.

    Related Articles:

    "Hot cyber security vendors for your shortlist Part 2 – Aussie startups" IBRS, 2017-01-01 10:35:40

    "Hot cyber security vendors for your shortlist – Part 1" IBRS, 2016-12-03 02:41:25

  • Conclusion: The General Data Protection Regulation (GDPR) legislation being introduced by the European Union (EU) in May has ramifications to organisations worldwide.

    Australian organisations that have already invested in ensuring that they comply with the Australian Privacy Act 1988, and have a robust privacy management framework in place, may find that they already comply with aspects of the EU’s GDPR. However, GDPR does have more stringent requirements including requirements that are not within the Australian requirements, so effort and investment will be required by organisations that need to comply with GDPR.

    When considering an organisation’s position and defensibility in terms of whether they complied or not, organisations will need to develop an understanding of the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”1.

    Related Articles:

    "Understanding GDPR requirements Part 4: Data portability" IBRS, 2018-06-01 04:21:44

    "Understanding GDPR requirements – Part 3" IBRS, 2018-05-04 18:57:12

    "Understanding General Data Protection Regulation requirements Part 1" IBRS, 2018-03-06 06:57:37

  • Conclusion: The foreseeability of cyber incidents is widely accepted, but many organisations still have not done the work to identify their own exposures and ascertain what they would do in a crisis. The openness of shipping giant Maersk in talking about the impact of the NotPetya malware on the organisation should be viewed through the lens of “what would that look like if it happened to us?” The business impact of NotPetya on Maersk is clear, but so too are many of the risk mitigations that should be put in place before a cyber incident – and many of these are not directly related to technology. Finally, risk management is just as much about recovering from an incident as trying to prevent one.

  • Conclusion: The forthcoming General Data Protection Regulation (GDPR) is new legislation being introduced by the European Union, which does have ramifications for organisations worldwide.

    Being new, there is still a lot to be learned about what exactly some of the specific requirements will mean in practice and how they will impact organisations in being able to show that they have understood and completely complied with the regulation.

    When considering an organisation’s position and defensibility in terms of did they comply or not, organisations will need to develop an understanding on the specific requirements, and how exactly they have implemented “technical and organisational measures to show that they have considered and integrated data protection into their processing activities”1.

    Related Articles:

    "Understanding GDPR requirements Part 4: Data portability" IBRS, 2018-06-01 04:21:44

    "Understanding GDPR requirements – Part 3" IBRS, 2018-05-04 18:57:12

    "Understanding GDPR requirements: Part 2" IBRS, 2018-03-31 07:03:46

  • Conclusion:Achieving the ability to comply with the new European General Data Protection Regulation is seen as a costly and burdensome overhead adding a new layer of complexity to how organisations will need to manage and secure Personally Identifiable Information (PII) records kept by them.

    However, organisations should view the potential benefits of being able to use obtaining and maintaining the ability to comply with GDPR as an opportunity to justify investments in technologies, process improvements and people to deliver better overall outcomes for the organisation.

    Rather than simply focusing on doing what is required to be able to comply, focus should be on using the opportunity to update tools and processes to improve organisational efficiencies, reduce costs, increase customer and employee loyalty, and improve productivity.

  • Conclusion:Third party bug bounty programs can be an effective way of incentivising security researchers around the world to share a discovered vulnerability. Third party bug bounty programs are invaluable as they help provide a structure for responsible disclosure and minimise the opportunity for the vulnerability to be exploited. When a bug bounty company uses crowdsourcing of security researchers, it adds the gamefied imperative for the researchers to report quickly in order to get the bounty before their peers. Engaging with a crowdsourcing bug bounty company not only demonstrates a reasonable security measure, it also helps close the window of opportunity for criminals.

  • Conclusion:Managing large IT environments and provisioning IT services within an organisation is complex and complexity will always exist. However, not all complexity is “bad”. “Good” complexity is the complexity required to simplify, to reduce costs, create value, improve security and improve overall operations and results.

    Focus needs to always be maintained on reducing “bad” complexity. “Bad” complexity is the complexity that makes it difficult to do things, difficult to secure, difficult to manage, difficult to innovate, or difficult to adapt to changes in the organisation. “Bad” complexity comes with high costs, including hidden costs in lost employee productivity and morale, potentially loss of new business opportunities, or higher staffing costs due to the limited availability of the skills needed.

    Organisations need to maintain a mindset of constantly managing initiatives to drive towards simplification in their IT portfolio, understanding that achieving this will involve sophisticated and often complex planning and the successful execution of those plans.

  • Conclusion:The security capabilities of Cloud vendors have evolved rapidly since 2008. Specifically, the three big Cloud vendors Microsoft, Google and AWS understand the importance of trust and assurance for their corporate and government customers and are each working aggressively on continual service improvement. Most customers are more likely to suffer security issues with their own architecture, configurations and processes when trying to work with Cloud services than they are from any exposure from these leading Cloud vendors. The implications for IT organisations engaging with Cloud vendors are clear: along with good vendor management practices, IT organisations should purchase and architect for minimal configuration as much as practical. From a security perspective, and if Cloud is appropriate, “Cloud first” should be viewed as a cascading decision tree: SaaS first, then PaaS, then IaaS.

  • Conclusion:Cyber security is an area in which organisations do not compete. They each face similar risks and threats, and it is only through the development of trusted relationships and the resulting collaboration that Australian organisations can work together to sustain their own operations and maintain the economic wellbeing of the nation in the face of cyber threats.

    There is still a way to go, and leading Chief Information Security Officers (CISOs) with international experience believe we are between six and nine years behind the US and the UK. Australia is coming off a low base, but we are getting better quickly.

  • Conclusion:Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation of senior business executives that were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.

  • Conclusion:The current wave of digital transformation will see the retirement of large numbers of legacy systems. Although the cost of operations, including storage of data, in newer Cloud-based solutions is often cheaper, the cost of migration of historical data to new platforms can be significant. IBRS has observed increasing numbers of digital transformation projects where the decision is being made to preserve legacy systems using back-up infrastructure techniques at the application and/or database level without any reference to regulatory records management requirements.

    Many legacy systems were not designed with a long-term view of key business records and information they capture and generate, nor are back-up technologies designed for long-term archival and retrieval of individual records. The result of these strategies is the potential for access to official records and chains of evidence to be interrupted – a situation likely to be viewed by regulators and stakeholders as a failure of the organisation’s record-keeping obligations.

  • Conclusion:Whilst the forthcoming General Data Protection Regulation (GDPR) is a European regulation, some Australian organisations are likely to be impacted and will need to comply. One of the requirements of the regulation is to appoint a Data Protection Officer (DPO), whose job role has very specific duties and legal responsibilities which are defined as part of the GDPR.

    However, the guidelines are not completely clear as to when it is mandatory for an organisation to appoint a DPO. Australian organisations should consider if, 1: will they need to comply with the GDPR, and, 2: will they need to appoint a DPO?

  • Conclusion:Cyber insurance is claimed to help recoup the losses sustained by an organisation from a raft of incidents that may or may not be “cyber”. It is imperative that organisations understand their data assets and business processes, and the risks to these, before engaging with an insurer. With a changing legislative environment, there is a role to play for insurance against losses relating to cyber incidents, especially around first party costs and third party impacts. However, cyber insurance is still a very new area and the insurers are still finding their way. This means that prospective customers need to be more informed than ever.

  • Conclusion:The recent high profile malware incidents, WannaCry and NotPetya, are a bellwether for a change in what the industry should reasonably expect online. WannaCry demonstrated that a group with nation state links can target everyone online, simply to harvest money. NotPetya demonstrated that a group with nation state links can target a nation’s economy with the explicit intention of causing economic trouble. Australia must prepare itself accordingly. It is no longer enough to know that we have a government agency that excels at cyber-spooking, we need a formalised capability to respond to global and national malware incidents.

  • Conclusion:Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.

  • Conclusion: Much like the fable of the Boy Who Cried Wolf, the security industry has a limited number of opportunities to channel enterprise and national attention to cyber incidents. The WannaCry ransomware worm runs the risk of using up that credit for the security industry as so little impact was felt in Australia. The lack of local impact was more due to luck, and we cannot count on being that lucky twice. Therefore, IT and cyber security leaders must use the lessons from this experience now to prepare their organisations for a foreseeable future that includes similar incidents.

  • Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

  • Conclusion: Australian organisations and agencies need to embrace the European Union’s new General Data Protection Regulation (GDPR) legal framework for protecting and managing Private Individuals Information (PII). There is considerable risk to organisations that do not take action to comply, financially and to organisations’ brands.

    There are also potential upsides in embracing the requirements and being able to demonstrate compliance with the accountability principles, and implementing both technical and organisational measures that ensure all processing activities comply with the GDPR.

    Whilst Australian companies may already have practices in place that comply with the Australian Privacy Act 1988, GDPR has a number of additional requirements, including the potential appointment of “data protection officers”. Action should already be taking place, and organisations should not underestimate the time and effort it may take to reach and maintain compliance.

  • Conclusion: Security awareness programs are an attempt to change staff behaviour for the protection of an organisation’s information assets, and also an attempt to change corporate culture to support and encourage desirable behaviours. However, security awareness programs also run the risk of overwhelming staff with too much fear, uncertainly, and doubt. A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of “relaxed alert”, or “Code Yellow” in Cooper’s Colour Codes.

  • Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

  • Conclusion: Bugcrowd, Hivint, Kasada, and Secure Code Warrior each has a proven capability to address an important aspect of the cyber defences of Australian organisations. The Australian Cyber Security Strategy, launched in April 2016, advocates the promotion of local capabilities where Australia can build globally competitive solutions. These four vendors are already being used by leading local cyber security executives, and their capabilities are acknowledged.

    Related Articles:

    "Hot cyber security vendors for your shortlist Part 3 – more Aussies" IBRS, 2018-03-31 07:06:21

    "Hot cyber security vendors for your shortlist – Part 1" IBRS, 2016-12-03 02:41:25

  • Conclusion: In the IBRS Security Leadership capability maturity model, buying more product is level 2: Alienated, and is typified by IT teams that are struggling to take on the challenge of cyber security because they address it as a technical problem. Buying product without a clear understanding of the business risk it is aiming to address is a guarantee for failure. But for organisations that understand that cyber risk is much more than IT, know there is a business risk that comes with cyber capability, and have the organisational will to address it, technology can make a significant difference in automating and accelerating capability. These three vendors, Crowdstrike, CyberArk and Tanium, are well regarded by leading Australian customers.

    Related Articles:

    "Hot cyber security vendors for your shortlist Part 2 – Aussie startups" IBRS, 2017-01-01 10:35:40

    "Hot cyber security vendors for your shortlist Part 3 – more Aussies" IBRS, 2018-03-31 07:06:21

  • Conclusion: Technical debt is intangible and its extent hard to measure. Organisations that compromise quality for expediency to meet schedules or defer software release upgrades accumulate technical debt unwittingly.

    Managers who let the debt increase and fail to reduce it could be digging an ever deeper and dry well that could cost them their jobs, leaving their successor to find the wherewithal to fill it and create valuable system assets.

  • Conclusion: While there is a limit to what organisations can do when criminals misappropriate corporate brands to run phishing campaigns against customers, this does not absolve organisations of all responsibility. Crime on the Internet continues to be an entirely foreseeable risk, so organisations should review their customer engagement processes to ensure they are not training their customers to be easy targets for criminals.

  • Conclusion: Community Clouds can provide the expected value of using “Cloud”-based services in a shared environment that may be more economical than a closed private Cloud or privately owned and managed IT solutions. But economics may not be the driving factor. Identifying a common “customer” need or client base can be the main driver to getting similar organisations to agree to use shared resources or services.

    The effort in getting organisations to recognise the opportunity to work together and to actually implement a community Cloud should not be underestimated. As in arranging car pooling, whilst the benefits may be clear, there is still the challenge of finding the other participants who all want to go to the same place, at the same time, and with agreed cost sharing. A “lead” organisation is necessary to help coordinate the required effort to create a Community Cloud.

  • Conclusion: To be effective a cyber security program that controls access to hardware, software and data needs to be comprehensive and include all stakeholders. The challenge for IT and line management is to shape the message to the audience in terms they understand so they take their responsibilities seriously.

  • Conclusion: This research note sets out and describes the Security Leadership capability maturity model. In using this model, organisations must be honest about their current level before they can even speculate on the benefits of working towards a higher maturity level. Working towards higher levels of maturity has clear benefits for both IT and the business, as well as business alignment of IT. However, a critical part of the journey will be dealing with any resentment from business units about their experience to date. Security Leadership cannot emerge unless prior bad experiences around service delivery are acknowledged and addressed, because it is a commitment to trust and resilience from the organisation as a team.

    • Gain valuable insights into how security leaders are positioning cyber-security and risk within their organisations
    • Be able to self-assess how your organisation measures up on the IBRS capability maturity model for security leadership
    • Learn how to position cyber-security so that it is aligned to business priorities 

    "This Master Advisory Presentation is designed to guide and stimulate discussion between business and technology groups, and point the way for more detailed activity. It also provides links to further reading to support these follow-up activities." James Turner, Author of the Security Leadership MAP.

    For a deeper understanding of how security impacts the way business is done, download your copy now. 

  • Conclusion: The introduction of Software Defined Networking (SDN) offerings touted a number of benefits around simpler and more agile network management and provisioning, lowering capital and operational costs.

  • With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

    Applying the Five Knows of Cyber Security is a must read for organisations that may be exposing themselves to risks through their supply chain.

    Related Articles:

    "Applying the Five Knows of Cyber Security" IBRS, 2015-08-01 00:32:04


  • Business leaders must accept that ransomware attacks are a foreseeable risk. 

    Conclusion: Ransomware has proven such a successful cash cow for criminals that it is unlikely they will voluntarily stop their attacks. This means that business leaders must accept that further ransomware attacks are a foreseeable risk. While there are important conversations around the level of appropriate technical controls that an organisation may wish to implement, this conversation can only occur after business leaders have decided whether they want their organisation to help fund organised crime, or not. For organisations with a strong corporate social responsibility ethos, this is a very easy decision to make, but it is imperative that business leaders understand why they are committing to better technical hygiene and accepting tighter technical controls.

  • Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people can respond in many ways to something they do not understand with responses ranging from denial to fear. Consequently, a frequent challenge to better security maturity is inertia, rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers the decision maker. Consequently, valuable conversations about risk and threats can be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned and, in many cases, even raising the label of security can undermine initiatives that had security as an objective.

  • Conclusion: Organisations must understand that cyber risk is not merely a technical issue that can be delegated to IT but is a business issue that comes hand-in-hand from operating in a modern, online, ecosystem. Until cyber risk is treated as a business risk, we will continue to see organisations fighting a rear-guard action to threats that should have been designed-against through better digital business strategy.

  • Conclusion: Unless an organisation has an already strong cyber security capability, or the budget and appetite to progress its maturity very quickly through expanding its headcount and changing business processes, it is unlikely that any security tool purchases will help. Instead, organisations aspiring to improve their cyber security maturity should focus on business alignment through risk driven conversations, and addressing and automating technical hygiene issues.

  • Conclusion: The role of a cyber security executive is challenging at the best of times, as they need to continually strike a balance between informing and influencing, without continually alarming. But the context surrounding why an organisation creates a cyber security executive role is critical to the success of cyber risk management. Executive level commitment is required continually to ensure that the cyber security executive’s message and mandate are understood by all. Ultimately, a neutered cyber security executive will result in a fragile organisation with excessive, inappropriate, or inadequate controls. Organisations with controls that are mismatched to their objectives will be easy pickings for both attackers and regulators.

  • Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security and IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders, to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and for many security practitioners to make the mental shift from technical do-ers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber-security and that this person is adequately informed, and empowered to execute on this accountability.

  • Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.

  • This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

    The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved to have electricity or water be provided to a home. And just like electricity and water, when there is an incident in the IT supply chain, the impact can be considerable on the end consumer.

     Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem that their organisations operate in, and are starting to work on securing the resilience of every link in the chain – and this will take time, effort, and collaboration.

  • Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

    Related Articles:

    "Applying The Five Knows of Cyber Security (Video)" IBRS, 2016-08-15 02:39:16

  • Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities. While the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.

  • Conclusion: Big data and analytics projects can learn important lessons from the domain of information security analytics platforms. Two critical factors to consider when planning deployment of an analytics platform are: the need for a clear business objective and; the depth and duration of organisational commitment required. Without a clear understanding of the objective of the analytics project, or adequate resource commitment, the project will likely fail to deliver on expectations. The worst outcome is that inadequate investment in people could result in an organisation drawing incorrect conclusions from the analytics platform.

  • Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences. Due to its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.

  • Conclusion: CIOs and the IT management team continually wrestle with prioritising and coordinating planned and unplanned IT operational changes for both new and existing systems. The problem is compounded when senior managers use informal influence with IT staff to change the priorities, thereby jumping the queue and bypassing formal processes. Not only does this create disharmony, it can also cause system failures.

  • Conclusion: organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

    Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.

  • Conclusion: as cyber-security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.

  • Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.

  • Conclusion: Security leaders should approach security frameworks as a challenge to how the organisation secures its information assets. So, security leaders should be able to defend adherence, or variation, from any point on a chosen framework. Variance may be critical for business function, but the security leader needs to know this and be able to articulate it. This is not an argument for non-compliance, but toward a deep understanding of business requirements – and being able to defend this position to internal and external auditors.

  • Conclusion: The deadline for compliance with the Privacy Act passed in March, yet some organisations have not yet started reviewing their level of non-compliance. More mature organisations have been proactive and, in projects driven by the business, have reviewed and addressed areas of non-compliance. Some of these projects are still underway. These proactive organisations have the view that the cost of ensuring compliance is outweighed by the potential damage to the organisation’s reputation in the event of a publicly disclosed privacy breach where the organisation is found to be at fault.

  • Conclusion: Organisations that fail to recognise the difference between information and knowledge are at risk of haemorrhaging knowledge at a rate that at the very least has a measurable impact on the quality of service delivered by the organisation. In the worst case, a loss of knowledge poses an existential threat to a product line or to the entire organisation. Whilst tools can play an important role in facilitating knowledge preservation, it is information sharing between individuals and teams that fuels the creation of knowledge.

  • Conclusion: IT executives from Australia’s largest organisations are actively looking for ways to create cyber-resilience, not just in their organisations, but also in the ecosystem their organisations operate in. These executives are acknowledging that it is not enough for an organisation to survive, if the community they operate in is crippled. IT security executives are concerned that in the event of a severe attack the current, disparate, communications channels between private sector and government will not be effective. There is a need for a coordinated, national, response to a severe cyber-attack; and that everyone in the information security community knows what this response is

  • Conclusion: As physical and digital supply chains become more integrated across organisational, regional, and national boundaries, the potential impact of an emergency or crisis can be far reaching. A proactive approach to crisis management requires an awareness of all the high-impact crisis and emergency events that could affect an organisation, and requires appropriate tools for risk assessment and active hazard management.

  • Conclusion: In engaging with an external incident response provider, it’s vital that they are not walking blind into your environment. Equally, you need to know exactly who they are, what they are capable of, and what the agreed outcomes of the engagement will be. If you have been attacked, or are still under attack, your organisation’s information assets are potentially at their most vulnerable, so the trust in your incident response provider needs to have been established prior to the attack. This places higher than normal importance on your vendor selection process, and in engaging with the incident response provider as early as possible.

    Related Articles:

    "Preparing for cybercrime - communications" IBRS, 2013-03-24 00:00:00

    "Preparing for cybercrime: incident response" IBRS, 2013-09-25 00:00:00

  • Conclusion:CIOs must avoid being swept up by the hype concerning SaaS (Software as a Service) and approach each business case on its merits. While the immediate net benefits may be appealing, it is important to evaluate whether the long-term benefits are sustainable and the risks manageable before entering into a service contract.

  • Conclusion: Predictably, Apple’s lead with its Touch ID biometric reader will be followed by the smartphone industry, and we will see a flood of biometrics options for consumers. Many of these biometric deployments will not be well executed, and the failures of these systems will impact the feasibility of biometrics as a means of authentication. Reliance on biometrics, which are used across multiple systems, yet cannot be revoked, will make fingerprints an obsolete authentication credential which will need continual bypass options. Within the next two years, fingerprint authentication in the enterprise will be rendered obsolete.

  • Conclusion:Engaging with an incident response service provider is a process that needs careful research and planning. It’s valuable for your incident responders to know a considerable amount about your business operations so that they can help support the business in an incident, and not just stamp out technical fires, potentially doing further business damage. It is equally important that you know your incident response service provider; how they prefer to engage, what their capabilities are, their reference clients and, what their employment policies are. 

    Related Articles:

    "Preparing for cybercrime - communications" IBRS, 2013-03-24 00:00:00

    "Preparing for cybercrime; incident response Part 2" IBRS, 2013-11-27 00:00:00

  • Conclusion: Recent exposure of US intelligence community actions, to monitor data of non-US entities, has highlighted the tenuous control organisations have over maintaining the confidentiality of their data. Whether US intelligence explicitly, or informally, assists US commercial interests, non-US organisations have been served with a clear warning as to how they should see this new world.

    Organisations should review what information assets they are entrusting to US cloud vendors, and what the impact on the organisation would be if the confidentiality of these assets were to be compromised without the organisation’s knowledge.

  • Conclusion: Application whitelisting is a highly effective mechanism to minimise the impact of malware, and even ensure software licensing limits are enforced, but it is not a simple project and the technology to enforce a whitelist is still maturing. CIOs of Australian government agencies required to comply with theProtective Security Policy Framework and Information Security Manual (ISM)should have a clear plan to present to their Ministers on how this project will be delivered over the next 18-24 months.

  • Conclusion: In this era of targeted, self-obfuscating, and successful cyber-attacks, organisations must do three things. First, recognise that the organisation cannot prevent a dedicated attack. Second, understand what the organisation’s information assets are, and where they are. This is because we cannot always anticipate how the attacker may get in, but it is imperative to know what they are likely coming for. Third, increase your focus on detection and incident response, because you must be able to deal with a breach when it happens.

  • Conclusion: IT departments must alert both HR and legal counsel that the Mobile Device Management (MDM) platforms being deployed have the potential to put the organisation in breach of workplace surveillance legislation. MDMs can activate the cameras built into smartphones, activate the microphone, and access the smartphone’s GPS. Working with Legal and HR will likely result in new Acceptable Usage Policies for staff, and IT most likely needs to review controls for the MDM platform to ensure that these capabilities are not abused.

  • Conclusion: While the capability to filter content to corporate-issued smartphones and tablets is a capability that a number of organisations are interested in, very few organisations have taken this step. Most organisations are taking the view that the risk of an employee accessing inappropriate content while on a 3G/4G connection, and offending their colleagues, is low, and best managed through line managers and policy. Typically these trusted staff are also reasonably senior, hence their being issued with a corporate device. The perspective changes, though, if the organisation is concerned about field staff wasting time. In these instances, restrictions are seen as an aid to productivity and the device is heavily restricted.

  • Conclusion: The intention and skill of an attacker will ultimately determine the impact of the attack, regardless of the preventative technologies an organisation has. In this respect, a skilled attacker intent on destruction is akin to a natural disaster: measures can be taken but ultimately it’s out of your hands. We cannot prevent floods and earthquakes, so what makes a difference is how organisations respond to these disasters. It is imperative that organisations with disaster recovery and crisis management processes extend these to include responding to cybercrime. The first area to look is at how the organisation will deal with not being in control of its own IT, including communications systems such as email and VoIP.

    Related Articles:

    "Preparing for cybercrime: incident response" IBRS, 2013-09-25 00:00:00

    "Preparing for cybercrime; incident response Part 2" IBRS, 2013-11-27 00:00:00

  • Many years ago when I lived in Perth, one evening after work I was standing in chest-deep water at Cottesloe beach admiring the sunset. I happened to turn and look to my left and saw a fin sliding out to sea, about 10 metres away.

    I quickly realised that the fin was making the sine wave motion of a dolphin, not the sideways sweep of a shark. When I turned to face the beach, there was a small crowd of 20 or so people gathered at the water’s edge. As I got out, a lady said to me, “He was swimming right behind you”.

  • Conclusion: As organisations become increasingly dependent on computer systems, IT will have an increasingly important role to play in preventing and detecting fraud. CIOs must ensure that there are sufficient checks and balances minimising the risk of IT professionals abusing their elevated systems privileges, and that systems are configured to produce useful logs. CIOs should also ensure that policies for the prevention, and detection, of fraud are tested and enforced. Policies for log management and data retention should get high priority.

  • Conclusion: Two-thirds of all ICT projects fail to deliver all of their intended benefits on schedule and within budget1. This results in ICT Executives spending a lot of time explaining why project schedules have slipped, why projects have been abandoned, or why goals and requirements have changed.

    The Gateway Review Process(GRP) provides a well-proven and recognised approach to project assurance. Increasingly the process is being used as a basis for developing customised assurance processes in organisations across Australia.

    Knowing when and how to customise the process is non-trivial andmust be based on lessons learned from application of the GRP. Many aspects of the GRP have been based on careful design and research – changing those aspects unwittingly will greatly reduce the effectiveness of the custom process created.

  • Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department - as well as the rest of the organisation! A successful SIEM deployment must factor-in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.

  • Conclusion: Organisations which have gone down the Mobile Device Management (MDM) path with a view to enabling their staff to bring their own device (BYOD) are discovering the shortfalls of this device-control approach. A BYOD device is not a corporate asset and cannot be treated as such: it should be viewed as untrusted and treated accordingly. Consequently, leading organisations are treating BYOD as an exercise in remote access. Instead of trying to control the untrusted device, focus on user experience, and controlling access to the data.

  • Conclusion: One of the functions of a board1 is to minimise business risks to the shareholders. As signing a major contract with a managed services provider involves significant risks such as the failure to deliver critical IT services, boards need to be convinced the risks2 are known and can be minimised by vigilant management.

  • Conclusion: The success of a security professional is not measured by whether their recommendations are adopted, but whether the technical risks faced by the organisation have been identified and communicated in terms of business impact to decision makers. This enables the business to make informed decisions. Consequently, security professionals must make it their highest priority to be in communication with the business, because one of the most impactful technical risks is a communications gap between the security team and the business. IT security professionals must take on learning the language of their business, because it isn’t the business’s responsibility to learn to speak IT security.

  • Conclusion: Cloud services are not similar to a highly virtualised internal environment. Nor are they similar to the tightly controlled experience of time-sharing on a mainframe back in the 1970s. The supposed elasticity of the cloud has become a point of vulnerability because the elasticity is only partial, and only at certain points. The outcome is a service which is believed to be highly resilient, but which can actually prove to be surprisingly brittle.

  • Conclusion: Early adopters of cloud services often swept aside security and risk concerns, as these adopters were more interested in the end – a better IT service – rather than the means. But now organisations with mature risk and governance processes are looking at cloud services and risks are being identified and assessed for their potential impact. Cloud services can dramatically improve the IT service experience of an organisation, but organisations must be completely clear on what services they are, and are not getting as part of the engagement. As with all commercial engagements, the devil is in the detail.

    Related Articles:

    "How do you catch a cloud and pin it down? Part 1" IBRS, 2012-05-28 00:00:00

  • Conclusion: Every technology trend in the financial services sector (principally BYOD, changes in cybercrime, cloud, and DLP) has an aspect of identity and access management. IBRS research on the identity management market in Australia has found that there is a very small resource pool of sufficiently skilled practitioners. This means that the financial services organisations in Australia face a significant challenge in the coming years, primarily from a lack of good security people to architect, execute, support and monitor technical controls.

  • Conclusion: Identity management projects do not have a good reputation for successful delivery. Too often, the final implementation fails to live up to promises. Identity management projects can deliver genuine value to a business, including: compliance with regulation, improving customer satisfaction, or reducing risk. But if the business is not driving the project, then the project is probably off the rails and heading for failure. In this situation, CIOs must seriously consider terminating the project because a project not driven by the business is one being imposed on it – it is the tail wagging the dog.

  • Conclusion: IT security strategies are an invaluable resource as a means of coordinating security efforts and in improving funding approval for security projects – because they can be shown to be following a coherent consistent strategy. The process to create them is an overlooked source of value for the information that it uncovers. An IT security strategy must be closely aligned with what the business believes its security and risk priorities to be. The process of uncovering business impact against various systems is likely to bring up unexpected gaps in knowledge for both IT and the business, and it is here you will find additional gold.

  • Conclusion: Patching is now considered a standard part of IT operations. Vendors release patches either to mitigate against new risks, or to introduce new functionality. However, the application of a patch can not only result in the intended outcome (risk mitigation or expanded functionality), it can also have unintended consequences.

    Organisations looking at creating a patching strategy should ensure that the business stakeholders are clear on the potential impact of both patching, and non-patching. Either choice carries risk. What will make the difference for organisations are security professionals who can crisply articulate the balance of these technical risks as they pertain to the business requirements of the organisation.

  • Up to this point I’ve been a supporter of data breach notification. Coming at the issue as an industry analyst, I think that transparent information on the local experience of data breaches (such as what information is targeted by attackers, how much it costs a company to deal with a breach, the frequency of breaches, the avenues of attack, and so on) would be extremely valuable to the industry as a whole. This is the luxurious, wide-angle, perspective which is expected of an industry analyst.

    Then a storysuch as the hacking of Verisign comes along. In October 2011, Verisign disclosed in a quarterly report to the SEC that: “The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements.”

  • Conclusion: As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.

  • Conclusion: Most vendors emphasise their strengths and obfuscate to hide their weaknesses when responding to an RFT (Request for Tender) for IT products and services. Detecting their weaknesses by unravelling their obfuscation is often a major task for the evaluation team or panel. Failure to detect weaknesses could lead to the wrong vendor (tenderer) being selected and reflect poorly on the team.

  • Conclusion: Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.

  • Conclusion: Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.

  • Conclusion: Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.

  • Conclusion: There are three key areas of risk to an organisation in enabling staff access to social networking sites. These three areas relate to: the data being shared with the site, the people using the site, and adherence to organisational policies. The point of greatest impact to address all three areas of risk is in training the users to interact with these social networking sites safely and securely. The employees are consumers of IT both at work and at home and their personal risk appetite will guide their behaviour in both locations, so education is vital in order to change behaviour. The importance of this point will become increasingly obvious as organisations explore mobility and BYOD (bring your own device) initiatives.

  • Conclusion: The Stuxnet worm was a turning point for the development of malware. Over the last few years even the anti-malware vendors have been acknowledging that the signature-only approach for AV is insufficient. We must assume that we will not be able to detect the malware itself, we must rely on being able to spot the ripples of its passage. The next 12-18 months will see the early majority of organisations (pragmatists) crossing the chasm and joining the early adopters in looking at anomaly detection and event correlation products.

  • Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.

  • Conclusion: It’s easy to become complacent about emergency procedures. But the importance of emergency procedures which support health and safety in the workplace cannot be overlooked just because they are time consuming and boring. Just as preventative security technologies are only as effective as the diligence that goes into their configuration and ongoing support, emergency procedures are only as effective as the diligence with which they are maintained, communicated, and practiced. When something goes wrong, you need to know that your staff have been given every resource to handle themselves and the situation.

  • Conclusion: The demand from non-IT business units for cloud computing is symptomatic of their desire for better IT services and should be supported, if not driven, by IT. However, an engagement with a cloud vendor must be treated with the same level of risk assessment and diligence as any other outsourcing engagement. Organisations must ensure that corporate governance is not bypassed in a rush for the cloud.

  • Conclusion: Data Loss Prevention (DLP) technologies have matured over the last 12 months. They are more capable, but there is still a wide range of capabilities between the various products, and an even wider gap between the brochure and reality. Before proceeding with a proof of concept, IT must understand the very specific requirements that the business is expecting to achieve through a DLP deployment, and how willing the business is to pay for these. Failure to understand these requirements, and failure to get business stakeholder commitment, will result in project failure.

  • Conclusion: The transmission of pornography in email is a serious issue for all organisations which aim to comply with their own HR policies on providing a workplace free of sexual harassment. However, the technology currently available to support these policies, through filtering and classifying images, is far from perfect. CIOs and HR professionals must clearly understand that pornography in the workplace is better managed as a cultural issue, not a technology issue.

  • Conclusion: Security professionals are valuable not only for what they know, but also for how they think. However, this style of thinking can often result in them being alienated for “being too negative”. An alienated security professional is a waste of resources, so CIOs should adopt DeBono’s Six Thinking Hats, a thinking exercise based on role-play, to ensure that they get the most value out of their security people.

  • Conclusion: A less frequently considered aspect of protecting an organisation’s information assets is the preparation required for the immediate aftermath of a successful attack. This is the crossover point between incident response and crisis management. The prudent organisation with valuable information assets has already planned what steps will be taken in the event of a successful attack. Most of these decisions must be made by senior executives from business units other than IT, and they must be made well in advance of the attack occurring. IT will merely be executing their instructions because decisions concerning the information assets are not IT’s to make.

  • Conclusion: The recent attack on Google’s infrastructure (and resulting announcement by Google of the attack) has a number of important lessons for organisations which are also attacked by well-resourced hackers. These lessons are important and may not be immediately palatable to many, who would prefer to hush up an attack.

  • Conclusion: The introduction of a Data Loss Prevention technology into an organisation will have a significant impact on organisational culture. An important aspect of the cultural impact is that a DLP product, if deployed in active blocking mode, could prevent senior people from doing their job as they (legitimately) share sensitive information with trusted partners such as accounting and legal firms. People in senior positions must be trusted to act as they deem best for the organisation, but this trust must be verified.

  • Conclusion: Some organisations are deploying DLP, but the ones reporting successful deployments are the organisations that are able to invest more resources in both deployment and long-term support. Given the considerable overhead on staff, and the challenges of dealing with the deluge of alerts, organisations considering a DLP investment should first deploy endpoint encryption.

  • Conclusion: IT security managers in larger organisations in Australia and New Zealand are approaching cloud computing very cautiously. The leading concern is the geophysical location of data and the risk this introduces to organisations – primarily from the possibility of a data loss resulting in reputational damage. This means that organisations will have carry less risk if they retain data in a jurisdictional cloud.

  • Conclusion: Given that the deadline for Payment Card Industry Data Security Standard (PCI DSS) compliance has passed, and that most cardholder data in Australia/New Zealand is extracted via SQL injection attacks, local organisations should ensure that their website security gets priority attention. This is a classic instance of where a moderate degree of effort will result in an important reduction in an organisation’s risk profile.

  • Conclusion: Microsoft’s Forefront Client Security will need to achieve a “better than” market perception before security professionals will consider it to be a reasonable and acceptable enterprise response; and this relates to both its anti-malware effectiveness, as well as its ability to be managed and automated in a heterogeneous environment. Obviously, security is a sensitive subject for Microsoft, so its efforts in achieving a “better than” market perception will be considerable, but it will also take the healing passage of time.

  • Conclusion: Now, there is renewed pressure on new IT projects to prove their value. For IT security projects, managers may feel that they need to make excessively complicated calculations in order to prove a return on investment (ROI) and thereby justify the project, but this is an unnecessary complication. Rubbery figures will melt under close scrutiny – potentially sinking the project.

    A security business case needs to communicate the fact that organisations must also spend money to stop losing money. Security projects are undertaken for loss prevention. Like all projects with soft benefits, an IT security project should be shown to be in alignment with, and supporting of, organisational values: specifically risk appetite. More mature organisations will have less of an appetite, particularly in challenging times.

In the News

The pros and cons of shadow IT In today’s business world - WHICH-50 - 23 July 2019

Shadow IT sounds like a covert — quite possibly dark — force. And to some people it may well be. But the truth is both far simpler and more complex. According to Cisco, Shadow IT is the use of...
Read More...

Busting The Three Big Cloud Myths - WHICH-50 - 11 June 2019

Organisations that are resisting the shift to cloud computing are often basing their decisions on common misconceptions around security, price and integration. That’s a key finding in a recent...
Read More...

ANZ business users calling the shots in ICT decisions

Conducted by Australia’s Intelligent Business Research Services (IBRS) and commissioned by TechnologyOne, the survey of 261 business leaders in ANZ has shown that business functions are having more...
Read More...

Managed security: a big gamble for Aussie IT providers - CRN - 02 August 2018

TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and...
Read More...

Kids, Education and The Future of Work with Dr Joseph Sweeney - Potential Psychology - 25 July 2018

What is the future of work and how do we prepare our kids for it? Are schools and universities setting kids up for future success? Does technology in the classroom improve outcomes for kids? Should...
Read More...

Subscribe to IBRS Updates

Invalid Input
Invalid Input
Please enter a valid email address
Please enter your mobile phone number
Invalid Input

Get in-context advice from our experts about your most pressing issues or areas of interest

Make an Inquiry

Sitemap