How did you end up in your current role, and what attracted you to the industry?
After working in the field of science and financial services, I decided on a career change in 1999 and completed a computer science degree and landed a job in Canberra as a graduate. My placement was in the information security team and my interest in all things related to information security grew from there. At the time that I was looking to move to a different organisation, I was working in the financial services sector, superannuation specifically, as an information security manager. The Information Security Management System (ISMS) I had put in place at my previous employer was in the optimise phase and I had achieved all the outcomes that I had intended to achieve and was ready for a new challenge.
What attracted me to the role at Horizon Power was the challenge of the emerging cyber threat that the Operational Technology environment was experiencing and putting in place a program of work from start to finish to address these threats. There are amazing opportunities in the energy sector and cyber security solutions are key in capitalising on these.
What do you feel makes a CISO most effective, and what typically stands in their way from achieving that?
CISOs need to have enough positional power to make a change. If they are buried deep within an organisation with no ability to effect change, then developing a good cyber security culture has no way of succeeding. Historically, approaches to cyber security have been based on fear, uncertainty and doubt. CISOs have to shift the conversation to risk and quantifying that risk in a business context.
Culture is also a big barrier to success. Getting staff to embrace security can be hard if there are no tangible benefits. Personalising security and making it work in the broader context of an individual’s day to day work is a technique that every CISO should embrace.
Is the security industry getting better at using tools like threat intelligence and collaboration/policies to work together against a common threat?
In short, the answer is yes. There has been a big push to establish common approaches and frameworks to cyber security threats. Organisations like the ACSC and the JCSCs in each of Australia’s states and territories are facilitating the sharing of information and allowing common industries to learn from each other.
The Cyber Security Research Centre in Joondalup, Western Australia also gives a global voice to these threats and sharing of information. Exercises like GridEx also provide the ability to test processes and continuously improve on incident response.
What do you see as the biggest gaps in the functionality of current cybersecurity technologies?
There are so many technologies in the marketplace at the moment, so I don't actually believe there is a gap in functionality. The problem lies in choosing the correct one for your organisation. If I were to focus on one area that I am excited about and want to see progress, it would be in the area of artificial intelligence.
Using artificial intelligence to know what is normal behaviour in a zero trust model is going to provide so much value to security practitioners and will move us all along the path of automating some of our analysis functions.
What has been your experience with data breaches over the past year?
The introduction of the Mandatory Breach Notification legislation has in a way made it OK to report and get assistance with data breaches. I still don’t believe we are seeing the full extent of what is actually happening in industry, but at least organisations are now reporting breaches in greater numbers than before. That can only be a good thing for cyber security awareness and changes the perception from “it can’t happen to us” to “let’s take this seriously and make it part of our core business”.
Those organisations that are proactive and transparent seem to come out of any major breach better than those organisations that cover it up. When you look at how much we rely on data to make decisions and the flow-on effect of privacy, then a data breach, as strange as this may sound, helps highlight that organisations need to consider it as a real risk.
What security threats do you see as becoming the most problematic over the next year?
It will continue to be criminally funded attacks for financial gain. It’s not about the amateur hacker anymore but extremely well-funded criminal gangs that are targeting organisations for financial gain. The exponential increase that we see in reconnaissance is what keeps me up at night.
What technologies do you think will most transform security in coming years?
Carrying on from my previous comment, artificial intelligence and using data science techniques to extrapolate algorithms to detect anomalous behaviour. We are seeing some of this innovation in the firewall space and also endpoint detection. When you start to automate some of these threat hunting capabilities, you free up your analysts to focus on the real threats.
Phishing. Does it still keep you up at night? How often do you or your team have to deal with this in your role? In your opinion, what is the most effective way to prevent phishing attacks?
Yes, it does keep me up at night. While creating a culture of security awareness is necessary, there will be times where an individual inadvertently clicks on an email or is targeted as part of a social engineering campaign and the malicious insider suddenly has a very easy path into a network. You see breaches of this type being reported much more than in the past and it will only continue to grow. There are a number of controls you can implement, like Multi-Factor Authentication (MFA), but I find the best defence is still user awareness and education.
What impact do you think government involvement in cybersecurity will have on the industry’s development in the future?
It will force organisations down a compliance path and elevate the importance of cyber security. It also provides a good mechanism for the sharing of ideas and allows organisations to tap into solutions that already exist and not have to re-invent the wheel, as we all face very similar cyber threats.
What security-related behaviour or policy have you seen change the most in the past year?
I have seen staff becoming more aware of phishing emails and actively engaging cyber security staff for advice. As far as policy, the adoption of the C2M2 framework for providers of critical infrastructure is a big change. Transferring that rigour around cyber security that corporate IT adopt and transferring that to an OT environment is a big paradigm shift. The focus for OT has always been on availability, as it should be, and changing that culture is going to be a big challenge for a lot of organisations.