Security Leadership

Conclusion: Over the past decade, the role of the Chief Information Security Officer (CISO) has risen to be one of great importance in many large and mid-sized organisations. While this remains the case, protecting information assets is more likely to be successful through ensuring all threats are managed under the same set of policies and principles. Managing threats to organisations can no longer be separated between departments or siloed out to service providers. With data in the Cloud and people on the ground in new geographies, the need to evolve the relationship between logical and physical controls has increased. The key to holistic security is to bring all aspects of security under one umbrella to ensure all bases are covered.

Conclusion: Throughout the year, most businesses invite in a third party to conduct an information security risk assessment – as per best practice. Often this is a compliance exercise, other times it is just good housekeeping. Assessors are paid to find gaps in security controls based on the threat landscape and risk profile and provide recommendations for how to better secure the organisation with appropriate controls. With a thud-worthy report in hand, those charged with remediation must prioritise the recommended tasks to best use their resources to appropriately protect the organisation.

Conclusion: Relying on third parties to succeed in business has become the norm. Cost limitations and workforce requirements mean that businesses need to find efficient ways to achieve their goals. This regularly includes creating an ecosystem of organisations that offer technology, consulting and support services that can be leveraged when required for a fraction of the cost of employing a person or service in-house to the same end. This is great from a business perspective; however, engaging with third parties brings significant risk. Businesses are effectively opening their door to a perfect stranger and inviting them into their organisation to look around, share some data and stay a while. Managing the risk of having a third party connected to an organisation is important. An organisation’s security controls become meaningless once data is transferred to a third party. At the end of the day, if a cyber-attack occurs via a third party, there will be more than one reputation on the line in the eyes of current and future business partners, customers and clients. 

While the impact of a third-party data breach cannot be completely prevented, the key to resilience, detection and management of connections is awareness, being upfront about the security expectations and educating the workforce.

Related Articles:

"2FA is a no-brainer" IBRS, 2018-11-02 11:06:25

"When it comes to security, when is enough... enough?" IBRS, 2018-10-04 11:56:31

Conclusion: CIOs should consider the environments for their PROTECTED information, both when building new capability and when renewing older infrastructure and services. The need for cost-effective infrastructure services (in-house or IaaS), accredited security of services and responsiveness for clients using the service are three key deliverables for any CIO.

The Australian Government has specified that PROTECTED ratings be applied where systems and data are at risk and where the systems or data are critical to ensuring national interest, business continuity and the integrity of an individual’s data. Critical business functions are a combination of the IT systems they run on and the data they consume.

Defining what should be afforded a PROTECTED rating, and therefore adequately protected, is an ongoing challenge. The Australian Government’s Information Security Manual (ISM) and the recent legislation, the Security of Critical Infrastructure Act 2018, detail the requirements and framework for reporting on government-run IT systems and critical infrastructure. Using this framework as a base, organisations should assess whether the data or IT environments that support critical business functions should be treated as PROTECTED.

Related Articles:

"Canberra-based Azure is about much more than security" IBRS, 2018-04-14 13:43:57

"On-Premises Cloud: Real flexibility or just a finance plan?" IBRS, 2017-05-06 06:37:20

"Running IT-as-a-Service Part 33: How to transition to hybrid Cloud" IBRS, 2017-08-02 02:32:44

Conclusion: Fraud and cybercrime can both keep key stakeholders in a business awake at night. But these threats are often driven by very different malicious motivations. In the end, the two threats overlap but are very different. Fraud is a crime carried out for financial gain. Cybercrime, on the other hand, can be executed for many reasons, including political, passion and even opportunistically, purely because a vulnerability was there. Aside from motivation, two other key differences are the skill set needed to manage each threat and the delivery method of the event. Organisations need to prepare for both of these threats to be realised and cannot always rely on the controls of one to detect, prevent or manage the impact of the other.

Related Articles:

"When criminals hijack your organisation’s brand for phishing" IBRS, 2016-11-01 21:37:01

"When it comes to security, when is enough... enough?" IBRS, 2018-10-04 11:56:31

Conclusion: Passwords are the weakest link (some might say second to humans) in the enterprise security chain. With compromised credentials (a username and password) being the leading cause of data breach [1], passwords and even the stronger passphrases are no longer sufficient to protect users or businesses from unauthorised access to critical data and systems. As such, an additional layer of security, namely two-factor authentication (2FA), is now commonly available. The terms two-factor and multi-factor authentication have become commonplace, and while 2FA materially reduces a business’s exposure to several cyber threats, many end users feel that it is an inconvenience that slows down productivity, and prefer not to “opt in” if that is at all an option. The bottom line is that 2FA is complementary to strong passwords – it is not a replacement for them. Raising education and awareness of the importance of strong passwords is still needed; 2FA is simply another layer of protection, akin to a more secure bolt on the door to our sensitive information.

Related Articles:

"Applying The Five Knows of Cyber Security (Video)" IBRS, 2016-08-15 02:39:16

"Securing IT for Executives travelling to high risk countries" IBRS, 2015-04-01 00:30:00

"Train your staff in esafety" IBRS, 2018-02-01 10:17:28

Conclusion: The question of “how much security is enough” often stems from attempts to define ballpark security budgets, meet compliance obligations and scope out security team size and make-up. But how much security is enough depends on a number of factors that an organisation must consider before seeking the endorsement of the security strategy and agreeing on an acceptable risk position.

Related Articles:

"Is security really an IT problem?" IBRS, 2018-08-01 08:53:13

"Sometimes good security does not mention security" IBRS, 2016-05-05 00:04:00

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

Conclusion: There has been a lot of talk about incident response since the new data breach laws came into effect in Australia and Europe. But the laws alone should not be the driving force to having a response plan in place. Having a plan in place means more than talking about a plan, planning a plan and signing off on a plan. Being prepared puts you way ahead of the curve but being truly prepared means testing your incident response plan through drills and tabletop exercises. A drill provides an opportunity to understand realistic outcomes for risk scenarios and apply the lessons learned to your incident response efforts during a crisis.

Related Articles:

"Cyber insurance – it’s not the cybers you’re insuring" IBRS, 2017-09-02 01:58:42

"Learning from the misfortune of others – the Equifax breach" IBRS, 2017-10-02 23:02:39

"Maersk and NotPetya – a case study on business impact and cyber risk management" IBRS, 2018-03-06 07:14:54

"Use the NIST cybersecurity framework to drive for visibility" IBRS, 2018-06-01 04:19:32

Conclusion: If the broader business is to commit to investing in security, both emotionally and financially, they will need to buy into their responsibility. Security is likely to be seen as an IT problem because historically the minimum level of protection came through network and operating system security staff embedded deep in IT. Technical controls are not sufficient to protect an organisation from all known and potential threats as they are only as strong as the rules and configurations implemented by human operators. If nothing else, raising the profile of security to a broader audience with relevant, personalised messaging will begin to show the business how they can extract full value from security investments and dispel the belief that IT should solve the “security problem”.

Conclusion: A major benefit from using a framework is to support better decision making and help deliver consistent outcomes. When it comes to security and risk, a framework is only as useful as the intellectual effort required to understand the framework and how it applies to an organisation’s risks. While some frameworks call for much documentation, IBRS argues that security policies for their own sake are not as valuable as reviewing existing business policies and processes with a risk management lens.

The goal is to have business executives making informed decisions. As an organisation’s cyber risk management practices mature, the creation of documentation as a point of agreement within the organisation becomes more important, but starting the journey with document creation misses the whole point of risk management. Any framework is only as useful as its ability to directly support business outcomes.

Related Articles:

"Can IBRS assist on how to report on IT security metrics to business executives?" IBRS, 2018-05-13 23:32:09

"IT management leadership role in risk management" IBRS, 2018-05-04 18:43:08

"Use the NIST cybersecurity framework to drive for visibility" IBRS, 2018-06-01 04:19:32
