Security Leadership
With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

Applying the Five Knows of Cyber Security is a must read for organisations that may be exposing themselves to risks through their supply chain.

Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people respond to something they do not understand in many ways, ranging from denial to fear. Consequently, a frequent obstacle to better security maturity is inertia rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers them. Valuable conversations about risk and threats can then be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned at all; in many cases, even raising the label of security can undermine initiatives that had security as an objective.

Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security with IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and many security practitioners to make the mental shift from technical do-ers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber security, and must ensure that this person is adequately informed and empowered to execute on that accountability.

This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

The IT dependencies that organisations now have are largely invisible and easily taken for granted, much like the infrastructure that delivers electricity or water to a home. And just as with electricity and water, when there is an incident in the IT supply chain, the impact on the end consumer can be considerable.

Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem that their organisations operate in, and are starting to work on securing the resilience of every link in the chain – and this will take time, effort, and collaboration.

Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences. Due to its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.

Conclusion: Travelling executives must be under no illusion: if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The potential value of the information to a third party will be directly proportional to the effort that party may expend in getting it. The more an organisation has at stake, the more important it is that this is a risk-driven conversation, not a technology one, because the technology does not matter if an executive’s behaviour does not alter to match the risk.

Conclusion: Organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.

Conclusion: As cyber security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.

Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.

In the News

New data breach notification scheme will be a barometer for business maturity - AFR - 12 March 2018

Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed...

The Future of Work: The Role of People - Adobe - 31 Jan 2018

The Future of Work: The Role of People. Foreword by Joseph Sweeney, IBRS Advisor. For the past 30 years, organisations have applied technology to people to make the workplace more productive. But...

Businesses unprepared for new data breach notification laws - AFR - 29th January 2018

Thousands of Australian small businesses remain woefully unprepared for the introduction of new laws that will require them to publicly disclose if their customers' data is breached by hackers or...

Intel chip meltdown flaw shows new vulnerability - AFR - Jan 5th 2018

Cyber security experts have warned the long-term implications of chip vulnerabilities nicknamed Spectre and Meltdown discovered by researchers this week are still unknown, despite it appearing that...

Business experience should help parents keep kids safe online - AFR - 28th Nov 2017

The adults in the lives of young people need to know more about security and safety in an online world, and they could be learning this at work. The Office of the eSafety Commissioner deals with some...
