Phishing attack. Malware. Hacking. Denial of service. Breach. These are just some of the keywords business stakeholders dread hearing on a business-as-usual day or, worse, on a weekend! It is the typical mammoth in the room that most business leaders conveniently choose to ignore. Top lines and bottom lines, mergers and acquisitions, market share and trend analysis, sustainability and corporate social responsibility: these are some of the ‘top-of-mind’ discussions that easily get preference over planning for cybersecurity. However, the security ‘cost-centre’ is significant in upholding the company brand over the long term: it provides force-field protection against future litigation expenses over data breaches, which can potentially lead to bankruptcy. With IoT and BYOD permeating company networks, data touch points and exposure to vulnerabilities have exploded to geometric proportions for CISOs (Chief Information Security Officers) to reckon with.
The cyber threat landscape is evolving at a phenomenal rate. Moreover, it is not just new modes of attack or increased points of vulnerability that are proving problematic for security professionals; attitudes towards security are changing, too. Comfort levels with sharing information, transacting online and trusting third parties have never been higher. “Focus on utilising the FAIR (Factor Analysis of Information Risk) ontology to have appropriate conversations with the Board and business stakeholders. Change the language to gain Board and Executive buy-in, utilise Cyber Risk Quantification to answer questions posed by the Board, and adopt a recognized security framework and benchmark your organisation against industry peers”, says Jason Anderson, Head of Information Security, QSuper, while speaking at the recent CISO Leaders Summit Australia in Melbourne. FAIR is a cyber risk quantification exercise that allows for well-informed decision making on cyber security risk. It has become the international standard for quantifying risk in terms that all stakeholders can understand.
“People are your best and also weakest line of defense”, shared Berys Amor, Director of Technology, Corrs Chambers Westgarth, speaking in a panel discussion. Working with HR to understand security risks at the employee level certainly goes a long way towards increasing awareness. People who are not native to security do not find it fun to deal with, and it is IT’s responsibility to spread awareness and comfort among them. Damien Scalzo, Chief Information Officer, Mercedes-Benz Financial Services AU/NZ, believes that the ROI on this topic comes from having a framework that embeds security from start to finish. Raising awareness about consequences and being proactive is key. Employees need to be educated in bite-sized chunks rather than in long e-learning modules, and they need to be empowered to act in a breach by identifying it, not punished for incidents.
“It takes years to build a favourable company reputation, but today, company reputation can literally become severely damaged, if not irrevocably lost, in a single day” – Warren Buffett
To create a strategy around security, the starting point of paramount importance is understanding what the ‘crown jewels’ are. While having multiple layers of security around various types of data, depending on their use and importance, is key, smaller organisations struggle with budget constraints when trying to put a robust protective solution in place.
“Digital transformation is not a moment in time, but a way you do business”, said David McGrath, Chief Digital Officer, Clubs Australia. He went on to elaborate, “When you are undertaking a big change, security has to be front and center. It’s about the risk and governance. When things go wrong, there are unlimited budgets to fix it.” There is a need to make the risk visual, understandable, and tangible so that boards and executives can make that decision. Boards and CFOs are starting to put data on the balance sheet as an asset item. This makes it easier to fund the protection, growth, and resources needed to keep evolving it. It also helps security stop being seen as a cost and creates the right budget to execute the security strategy for the business.
Engaging leaders from various industries to present and brainstorm on these kinds of topics has been Media Corp International’s strength over many years. Events like the CISO Leaders Summit across Australia and the Asia-Pacific region create a highly collaborative platform for our delegates, speakers, vendors and sponsors to share ideas and knowledge among the best brains in the industry.
– Jilfy Joseph