Log in

Security Leadership



Conclusion: Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.

Conclusion: Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.

Conclusion: Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.

Back when I was at university, I had two particularly interesting lectures in the same week; one from the school of management, and one from the school of marketing. What made them so interesting was the timing as well as the content of the two lectures. Management said, “perception is not reality”. Marketing said, “perception is reality”. (I agree with both statements.)

Management said that just because I felt a certain way about a situation, my feeling didn’t make my opinion the truth. Perception is not reality. Marketing said that even if you have the best product, if the consumers think another product is better, then the other product is better! Perception is reality.

Which brings me to the consumerisation of IT and mobile devices.

Conclusion: There are three key areas of risk to an organisation in enabling staff access to social networking sites. These three areas relate to: the data being shared with the site, the people using the site, and adherence to organisational policies. The point of greatest impact to address all three areas of risk is in training the users to interact with these social networking sites safely and securely. The employees are consumers of IT both at work and at home and their personal risk appetite will guide their behaviour in both locations, so education is vital in order to change behaviour. The importance of this point will become increasingly obvious as organisations explore mobility and BYOD (bring your own device) initiatives.

Conclusion: The Stuxnet worm was a turning point for the development of malware. Over the last few years even the anti-malware vendors have been acknowledging that the signature-only approach for AV is insufficient. We must assume that we will not be able to detect the malware itself, we must rely on being able to spot the ripples of its passage. The next 12-18 months will see the early majority of organisations (pragmatists) crossing the chasm and joining the early adopters in looking at anomaly detection and event correlation products.

Conclusion:The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.

Three recent events have cast serious doubts on the viability of public cloud computing in the Australian marketplace. These events have raised critical concerns about the security, reliability and regulatory aspects of emerging cloud platforms in both public and private sectors.

Conclusion: It’s easy to become complacent about emergency procedures. But the importance of emergency procedures which support health and safety in the workplace cannot be overlooked just because they are time consuming and boring. Just as preventative security technologies are only as effective as the diligence that goes into their configuration and ongoing support, emergency procedures are only as effective as the diligence with which they are maintained, communicated, and practiced. When something goes wrong, you need to know that your staff have been given every resource to handle themselves and the situation.

Conclusion: The market for third party mobile device management platforms is immature and there are differences in capability between products, but these middleware platforms are producing positive outcomes. While this market will commoditise quickly, the real risk for IT departments is that they design their applications and mobility strategy in such a way as to (yet again) lock themselves into a specific device/OS combination. The device shouldn’t matter.

In the News

AMP does maths on infosec shortage - ITnews - 18th June 2018

Cyber security and risk advisor at analyst firm IBRS, James Turner, said the cyber skills shortage was prompting a wider rethink around the domain in terms of resourcing for the last few years....

How Australia must use the PageUp data breach to become stronger - AFR - 18th June 2018

PageUp People, a successful Australian software-as-a-service vendor, has been the victim of a crime , with a data breach that could be extremely damaging for its prospects . There are two lessons...

The three cyber security challenges Australian businesses can't ignore - AFR - 6 May 2018

Australian businesses currently face a cyber security triple threat that has nothing to do with warding off hackers. Rather there are three new regulatory forces impacting specific points of the...

OAIC report reveals 63 data breach notifications in first six weeks of NDB scheme - AFR - 11 April 2018

More than 60 data breaches have been reported in the first six weeks of the country's new Notifiable Data Breach (NDB) scheme, with healthcare providers making up almost a quarter of the mandatory...

New data breach notification scheme will be a barometer for business maturity - AFR -12 March 2018

Do not mistake cyber security for being merely a technical discussion about IT problems to be fixed. Cyber security is now, and always has been, purely a response to risk. The risks have changed...

Subscribe to IBRS Updates

Invalid Input
Invalid Input
Please enter a valid email address
Please enter your mobile phone number
Invalid Input

Get in-context advice from our experts about your most pressing issues or areas of interest

Make an Inquiry


Already a subscriber?

Login to read your premium content.

        Forgot your password?
Recently Viewed Articles