The moment you hear “cyber-security”, everyone thinks the responsibility lies with the IT Department; but should it?
Attending the Cyber in Business Conference in Sydney made it clear that the spotlight has shifted, and rightfully so: cyber-security is not “just an IT problem”, but a business problem.
In a number of the panel sessions, cyber-security as a business risk was discussed, and topics included:
- Cyber incident communications response
- Communicating cyber at a board level
- Effecting behavioural and organisational change relating to cyber-security
A common theme across a number of the sessions was the education and expectations of senior executives and board members; panelists shared their experiences on how to help IT executives construct the right approach and messaging so that it resonates at those levels. Ted Pretty, CEO and MD of Covata, shared a number of insights drawing on his extensive experience at the senior executive and board level. He stressed that you should never underestimate the board, or the experience and skills present at board level. He did clarify that board members have different obligations, being more focused on shareholders, customers and their own staff. In his personal view, boards tend to worry about risk and risk management under three key areas:
- Financial – In terms of risk, what are the things that will affect us from a financial perspective?
- Reputation – What affects us from a reputational point of view?
- Compliance – What are those things we could get wrong where we will incur some kind of regulatory oversight or penalty?
An additional consideration Ted highlighted was how we are going to address the risk, and whether we have sufficient internal capability to do it ourselves. Just because you have appointed a titled executive (e.g. a Security Officer) doesn’t necessarily mean you have addressed the issues.
It’s about looking at each aspect of your business and identifying the risk, then assessing the level of risk, and then assessing the level of response. Not to mention “what can I afford?” The answer to that question will depend on the size of the organisation and on what resources and options you have available to apply to the problem at hand in the best possible way. Does this mean internal or external resources, or a mix of both? When considering what you can afford, you need to ensure it is proportionate to the risk itself.
It was the opening address by Dr Maria Milosavljevic, NSW Government Chief Information Security Officer (GCISO), that really set the tone of the conference, when she touched on three key areas:
- Digital government and digital business are underpinned by “trust”.
- When considering “user experience”, we need to take into account the full breadth of experience people can have: the good, the bad and the ugly. Poor user experience degrades trust.
- We can’t design good user experiences if we don’t factor in the worst.
Maria reminded us that the internet is still young, around 20 years old, and look how critical it has become to our everyday lives. Security has been a reactive measure, not a proactive one. We have to move very quickly to a world where security is “front and centre” rather than an afterthought.
A Shared Problem
When looking at cyber-security strategies around the world, you will find one very important common thread: this is a common problem, a shared problem, and we have to work together to solve it.
To address this problem, we will have to build a world based on shared responsibility. That entails working closely with private sector and public sector organisations, academia and citizens, both domestically and internationally; this is not a domestic problem, it is a global problem.
Cyber-crime is an ever evolving and increasing business risk.
We have to stop thinking this is an IT problem alone. It is actually more of a business problem than an IT problem, as it is really about business and culture. The assumption that it is only about IT is getting in the way of us solving the root causes.
Cyber-resilience in an organisation must extend beyond the typical domain and into the domains of people, culture, process and authorisation.
Therefore Maria’s focus, and what she believes should be the focus of every other Chief Information Security Officer, needs to be “Trust”: a whole-of-business, risk-based approach to securing our information and digital processes.
Maria shared some real-life examples highlighting that some of the worst possible user experiences can be caused by the failure of our information or cyber-security defences. Here are some of the sobering examples that Maria shared:
- You lose your life due to the failure of medical equipment, or because your medical records weren’t available during surgery.
- You incur financial loss and a poor credit rating because someone stole your identity.
- You lose your livelihood, the business you have built, because someone hacked you and your customers decided they can’t trust you and walked away.
- You get off the plane in a less developed country only to find that you are arrested, because someone had stolen your driver’s licence, or had a fake copy, and had been building a criminal record in your name.
- Finally, and most importantly, you lose your biometric data. Your biometric data is who you are and you can’t change it, which means you are at risk for the rest of your life.