AGL is a large generator, distributor and retailer of energy including alternative sources. Where do you spend most of your attention?
AGL is transitioning its business, focusing on how it can deliver reliable, affordable energy to its customers and decarbonise its generation portfolio over time, and the digital agenda.
From a security perspective, this is causing a change to AGL’s threat and risk landscape which we have to prepare for. My main focus at the moment is Governance, Security Awareness and improving risk management.
That is, know our risks, what we need to protect and focus the resources on those areas.
I’ve noted the recent Ukrainian power cyber security incidents. I’m curious what’s your reaction when you hear of such events?
For organisations, the view has to be taken that it is a matter of when, not if (that a cyber incident will occur). The Ukrainian incident appears, on face value, to be Nation State driven and it will have flow on effects as the methods used become mainstream.
This is what happened with the event in Iran a few years ago, that is, Stuxnet. It does highlight that we have to be vigilant, continually thinking not only about the basics but also trying to anticipate what could and will happen.
While the threats are increasing and evolving we have to ensure that we become creative in understanding how we could be compromised and respond accordingly.
The CISO has to educate the Board and executive team in a way that enables understanding of the risks and that we are not able to protect/secure everything. Again focus is key in the areas that manage the risks.
The anticipatory nature of what we do as security professionals is key, though we don’t always get it right, the opportunity to support the business proactively is immense.
Are you actively collaborating with your peers in critical infrastructures around threat intelligence both here in Australia and overseas?
This is a key area for me and I have sat on a number of industry boards in the US and Europe over the years to create a core capability within organisations. Every organisation should have an approach to Threat Intelligence, which provides not only the operational aspects but more of the broader non-technical areas which may have an impact.
In bringing this together it assists in becoming a more proactive capability within the organisation. Why Threat Intelligence for collaboration? Historically this has been viewed as a very technical space when in fact it should be a strategic driver and communication medium.
It should have a technical aspect underpinning it and must have an integrated approach for the gathering of all forms of information and dissemination inside and outside the organisation.
I’ve managed to build an extensive global network throughout my career and as such I am able to draw on this to both share and gain relevant information. Though my industry is not as mature and interconnected as the banks, which is a common theme globally across various sectors, the energy industry does have mechanisms to enable sharing.
I encourage my staff to be involved in relevant industry forums such as AusCERT and the like, which often I measure them on to share information.
Interestingly enough, this is becoming more and more topical at the Board level and as a number of Non-Executive Directors are sitting on multiple Company Boards, it is encouraging more of a community to be established across sectors. This is a positive.
We are seeing more and more organisations move into the cloud, what’s your view on managing these threats?
My long standing view in this area is that it pushes the controls to be more focused on the securing/handling of company information and getting stronger in the vendor/contract management space.
Organisations need to establish an effective governance mechanism to control the proliferation of cloud technologies which expose organisations to risk unnecessarily, but this is no different to a full, in house model.
Every organisation should have in place or be putting in place a mechanism to identify Critical Systems and core valuable information. Once this is clear and agreed across the business there is an opportunity to focus resources and expenditure on the areas that can expose the company to a higher level of risk. The security role has now truly evolved into one of a risk advisor and is more about protecting information.
Cloud provides business with opportunities and challenges just like anything else and the CISO’s role should be to ensure the right conversations happen to understand the risks.
More mature organisations will have in place a methodology to assess risks within projects and provide for an ongoing assurance process of suppliers to ensure they are continually doing the right things in line with their contract obligations.
In my view, a lot of these things are not a lot different to a “historical” environment.
John, you have a new AGL CIO that is your new manager. What’s the approach you take around orientating the boss on your domain?
I’ve been very fortunate with the CISO roles I have held to date, in that I have worked for someone who gets it or has an understanding of the basics. Simon Moorfield is a CIO who gets it, so it enables us to work in partnership to tackle the problems and we are often on the same page without much discussion.
The key for any new CISO or security leader is building the plan out and the basic roadmap to get going plus providing the confidence that things will move forward. Again, a good governance structure is important for this.
I’ve learnt that in getting the governance structure right it is able to build support across the business to achieve the agreed goals and the CISO is not the lone voice pushing an agenda but a collaborative individual understanding the business needs.
What’s your view on the gap that Boards have around Cyber Security. Are there specific areas that they need to focus on?
The majority of Company Boards are becoming more cyber security savvy. Where a number of Boards can improve though, is often they list on the risk register Cyber Security as a risk but it isn’t broken down to indicate what it actually means.
They don’t have to be tech savvy but probing to understand the underlying risks and threats that make up the Cyber Security threat ‘bubble’ is key.
Boards should probe in three areas to begin with:
1) How is the governance structured and operating?
2) Is there an effective security awareness program in place and do people know what is expected?
3) Is incident management tested? That is, what are the gaps that can be pushed through governance to improve the capability? This forms a good feedback loop so the organisation can continually improve.
I’m interested to understand your view on Cyber Security Insurance. Is it critical or is this just a crutch?
Over the years I’ve done a lot of investigations regarding the need for Cyber Security Insurance speaking to Lloyds of London, Underwriters, legal professionals and non-executive Directors. My view is that the jury is still out. The challenge is what do you insure against, what is the amount of the claim/impact, what constitutes an incident (when does it stop and become a further event?) and finding an insurer that does not have a large number of ‘get out’ clauses that restrict a claim.
Cyber Security Insurance is simpler if it is focused on recovering costs associated with restoration of the business, for example getting a system rebuilt and forensic investigations. At the end of the day, every business has a risk decision to make regarding whether to self-insure or spread the risk through insurance. Previous businesses I’ve worked in have chosen to self-insure, others have taken out nominal insurance.
People have to remember that insurance will not save your business, but it may reduce the initial costs of the incident. It however may impose additional costs on the business to bring the environment up to a level that is acceptable to the insurer.
What makes a ‘CISO’ great? What attributes do you really admire??
I’ve had the pleasure of working with or being involved with a number of good CISO’s over my career whom I have learnt a lot from. The ones that have impressed me the most have been those who have a high level of business acumen underlined with a solid technical background, which does not have to be an IT one. A few spring to mind immediately such as Rob Coles the CISO at GSK (UK), Ray Archer the CISO at Scotiabank (Canada) and Shamla Naidoo the CISO at IBM (US).
They can visualise the outcomes needed, use the technical or domain requirements and paint a story that people can buy into. They are able to build momentum that will make a security capability relevant to the business. Each of these people have come from different career paths and are able to bring first-hand experience to the conversation. Their ability to be able to clearly articulate the problem is what impresses me.
When you are hiring new staff, are there any qualifications that you believe are important to look for?
The things I look for are people who are articulate, bright, understand the space and willing to learn more. I’m not someone who focuses on industry based qualifications, as I often place experience over those types of qualifications.
Education is paramount. Being qualified at degree or post graduate level, on the other hand, is really important, so I do place a lot of emphasis in this area. This demonstrates that a person has a drive and a passion to continue learning, plus is able to problem solve.
Again the softer skills are really important – you can have the most qualified person who is really, really smart but if they cannot interact and communicate then they will struggle to make an impact.
What’s your thoughts around the largest gaps in the market around new cyber technologies?
The area that I’d like to see more focus on is data. How to secure it, manage digital rights, handling/classification through applications and systems, that is something that can deliver a data centric security model.
This is not DLP, which has failed due to the overheads and the lack of ability to integrate across the estate, this is pie in the sky stuff but it is where I’d love to see the industry head.
I remember chatting to Jay Chaudry the founder of zScaler and he said that the reason he started the company was to pick up something that was not quite working in the market and start again. I think in a number of areas that is what is needed. A clean slate. It will frustrate some people and will require boldness to do it, but it has to be done.