Security & Risk - IBRS Sat, 26 May 2018 10:24:20 +1000 en-gb (IBRS) Applying The Five Knows of Cyber Security (Video) With the recent issues that the ABS has experienced trying to execute an online census, IBRS is sharing an Advisory Paper by James Turner which reviews a practical framework that helps organisations make better decisions with their information assets and service providers.

Applying the Five Knows of Cyber Security is a must read for organisations that may be exposing themselves to risks through their supply chain.

]]> (James Turner) Security Leadership Mon, 15 Aug 2016 02:39:16 +1000
Sometimes good security does not mention security Conclusion: Cyber security can be perceived by outsiders as an occult domain. Psychologically, people can respond in many ways to something they do not understand with responses ranging from denial to fear. Consequently, a frequent challenge to better security maturity is inertia, rooted in ignorance. It is imperative that security practitioners break down this barrier by communicating with decision makers in a way that empowers the decision maker. Consequently, valuable conversations about risk and threats can be grounded in conversations about reliability, resilience, safety, assurance and reputation. Security may not need to be mentioned and, in many cases, even raising the label of security can undermine initiatives that had security as an objective.

]]> (James Turner) Security Leadership Thu, 05 May 2016 00:04:00 +1000
Rethinking the delivery of information security Conclusion: The IT industry has hit a breaking point where the artificial grouping of information security and IT has left many organisations vulnerable. Business units have viewed information security as an IT problem, and IT has abdicated responsibility for many aspects of operations that should be viewed as basic hygiene. It is time for organisations that want to establish a reputation of trust with their stakeholders, to view information security very differently. This will require IT to take on more responsibility for security hygiene issues, and for many security practitioners to make the mental shift from technical do-ers to risk communicators. All organisations must know who, internally, is ultimately accountable for cyber-security and that this person is adequately informed, and empowered to execute on this accountability.

]]> (James Turner) Security Leadership Mon, 02 Nov 2015 03:03:30 +1100
IT security considerations in the supply chain This paper explores why IT security in supply chains is an important topic and sets out a model for organisations to review their exposure and then communicate these issues internally, and with suppliers.

The IT dependencies that organisations now have are largely invisible and can be easily taken for granted, much like the infrastructure involved to have electricity or water be provided to a home. And just like electricity and water, when there is an incident in the IT supply chain, the impact can be considerable on the end consumer.

 Security in the supply chain can seem like an overwhelmingly technical topic, and it is a large topic, but it is not insurmountable. An increasing number of security leaders are looking at the supply chain as the ecosystem that their organisations operate in, and are starting to work on securing the resilience of every link in the chain – and this will take time, effort, and collaboration.

]]> (James Turner) Security Leadership Wed, 12 Aug 2015 05:01:49 +1000
Applying the Five Knows of Cyber Security Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

]]> (James Turner) Security Leadership Sat, 01 Aug 2015 00:32:04 +1000
Should organisations use the Lockheed Martin Cyber Kill Chain framework? Conclusion: Lockheed Martin’s Cyber Kill Chain framework is a potentially valuable perspective for highly risk averse and highly targeted organisations. Its language is militaristic and technical, which means that it is most suitable for people already inclined to that way of thinking, but in contrast, it may be inappropriate and ineffective with other audiences. Due to its militaristic language, the policy intentions of this framework may be (and have been) reinterpreted by stakeholders, resulting in a misalignment of effort in managing risks.

]]> (James Turner) Security Leadership Fri, 01 May 2015 15:31:15 +1000
Securing IT for Executives travelling to high risk countries Conclusion: travelling executives must be under no illusion that if corporate information on, or accessible via, their electronic devices is of interest to the economic wellbeing of a foreign country, they will be targeted for electronic intrusion. The potential value of the information to a third party will be directly proportional to the effort they may expend in getting it. The more an organisation has at stake, the more important it is that this is a risk-driven conversation, not a technology one, because the technology does not matter if an executive’s behaviour does not alter to match the risk.

]]> (James Turner) Security Leadership Wed, 01 Apr 2015 00:30:00 +1100
AWS Backup and Recovery Conclusion: organisations moving traditional enterprise applications into production on AWS will find backup and recovery functional but immature compared to their existing on-premises Enterprise Backup and Recovery (EBR) tools.

Storage administrators need to understand the native backup and recovery methods in AWS and determine how these can be used to meet the business’ recovery objectives. The optimal AWS solution may require adopting new tools and rethinking long-held assumptions.

]]> (Kevin McIsaac) Security Leadership Wed, 01 Apr 2015 00:12:01 +1100
Security skills and the Cloud: Damned if you do and doubly damned if you don’t Conclusion: as cyber-security becomes a board-level topic, organisations in the A/NZ region are feeling the pinch of the security skills shortage. In this environment, moving IT services to the Cloud has the potential to streamline and/or automate some basic IT security practices. Cloud services are not an IT security silver bullet, but for many organisations, the scale and maturity of some Cloud vendors will be an improvement over their current IT operations.

]]> (James Turner) Security Leadership Sun, 01 Mar 2015 09:03:20 +1100
Security awareness campaigns – Engagement is the magic sauce Conclusion: Awareness of risks and threats, by itself, is not enough to protect an organisation. Security awareness campaigns are a sustained attempt at behaviour modification. But behaviour modification works best when an individual is not resisting the change. This means that the first step for any security awareness campaign must be to assess employee engagement. If employee engagement is low, this must be addressed before a security awareness campaign can be effective.

]]> (James Turner) Security Leadership Thu, 29 Jan 2015 19:42:03 +1100