How did you end up in your current role and what attracted you to the industry?
What has always been interesting to me is the exploration and adventure of finding new ways to get software to do things that weren’t intended or by design. This started in my teens when I participated in 2600 magazine meetups to exchange information. During college in Canada, I worked in telecom where I held roles in Systems Engineering specific to perimeter security. When I started to work in Australia, I consulted in network perimeter security, which landed me roles in Banking, working on and leading Payment Card Industry and Perimeter security projects. I left banking and entered the world of cloud when I found that security automation wasn’t being used to the extent that it should be in IT organisations. This is what brought me to my current role at Rackspace. I still have a passion for exploration and I share these discoveries and insights with our customers in the use of cloud for their business.
What do you see as the biggest threat we currently face?
I believe nation state sponsored cyber-attacks are fairly scary threat actors. We’re seeing evidence that this is increasing, such as the current escalation between the United States and Iran. Many organisations caught in these escalations who manage critical infrastructure (Banking, Utilities, Primary Resources, Health) and who have investments in IT security with solid practices are being targeted by these nation states. What is scary is that, regardless of the investment these organisations make in IT security labour, process, and tools, they cannot counter the resources of nation states if those nation states decide that these organisations are a target.
What are some of the best practices that a CISO can implement in order to prevent some of the biggest security threats that challenge most Australian organisations?
The CISO must face their circumstances realistically: no organisation will ever reach a stage where they will be completely protected against cyberattacks. Instead, CISOs need to take proactive steps to mitigate risk, minimise impact and insure themselves and their companies.
Misalignment between the C-suite and the rest of a business can result in ineffective security strategies, which in turn can expose an organisation to unnecessary security risk. The CISO must be the conduit to increasing communication between the C-suite and the rest of the business, relaying security strategies in order to decrease the organisation’s exposure to further risk during a breach.
What is the best way to win over employees so they help cybersecurity efforts rather than hinder them?
Australian businesses are starting to view cybersecurity with a new lens when thinking about the lines of communication within teams and throughout the organisation. Teams need to be trained and prepared for every possible threat across all different levels of the business, so that when an employee does encounter a security threat or potential breach, they follow the proper procedures to minimise risk and expedite the process – this involves becoming hyper-aware of their situation and learning how their response can affect the overall business. It is critical to understand the threat landscape in which a business is operating when developing a security strategy, but it is even more critical to create a strategy that is flexible, employee-accessible and capable of adapting to different cybersecurity risks.
How can Australian organisations, both larger and small to medium organisations, identify and fill security gaps within their business?
Organisations must look to fill the security gaps across all business units, not just at what the likely impact will be on IT. With 50 percent of Australian IT professionals not confident they have access to staff with the skills necessary to manage and combat business-threatening cybersecurity risks, organisations need to first adequately resource security processes and better understand the threat landscape they are operating in. Secondly, they must ensure that security priorities across teams are communicated effectively and are in alignment. Thirdly, they must invest in their cyber-skills force either by upskilling or outsourcing security needs to a trusted partner.
Is the security industry getting better at using tools like threat intelligence and collaboration policies to work together against a common threat? In your opinion, how do you feel the Security industry has developed and improved its use of tools like threat intelligence and security automation to work together against common threats?
The security industry is improving at using tools like security automation to give businesses the agility needed to keep up with the rapid pace of modern business. With DevSecOps, companies can move away from manual testing to automatic testing to mitigate the risk of a security breach. However, in order to get there, organisations need to make the effort to set a culture of responsibility – the benefits of which stretch further than just security.
By mandating and investing in the right tools and practices that mitigate risk within the development cycle, the DevSecOps discipline gives businesses more credibility in their security practices – a standardised way to promote and test software securely. This in itself is a selling point for businesses because many companies look for a partner with a clear set of practices that act almost like an insurance policy for their own business.
What do you see as the biggest gaps in the functionality of current cybersecurity technologies?
Today, security operates in silos and security experts are not communicating enough with engineers and developers. Additionally, technology is rapidly advancing and it is our responsibility as technology experts to ensure that we too advance with it.
Fortunately, there are platforms that businesses can utilise to train developers in security technology such as those offered by Pluralsight, a technology learning platform, and Secure Code Warrior, which gamifies security training. Services like these can help businesses train and equip developers to think and act with a security mindset every day. They also enable businesses to keep up with the speed of technology, work smarter and faster, and gain in-demand skills in areas like cloud, mobile, security and data.
What impact do you think government involvement in cybersecurity will have on the industry’s development in the future?
Cybersecurity is a shared responsibility between individuals, the private sector, state and federal governments. Recently, the Telstra Security Report 2019 found that 55% of organisations believe they have been fined for breaching national and international legislation, such as the General Data Protection Regulation (GDPR) and the Notifiable Data Breaches Scheme.
Government agencies like the Office of the Australian Information Commissioner are increasing scrutiny of security processes and require organisations to notify individuals when a breach is likely to result in serious harm. However, the reality is that 89% of Australian businesses have had breaches go undetected. Australian businesses simply do not have the cyber skills or workforce needed to keep up with the pace of today’s cybercriminals and their increasingly sophisticated attacks. The industry welcomes additional (and ongoing) government investment in the form of cybersecurity scholarships and training programs. This will bolster the next generation of security professionals and equip Australian businesses with the necessary skills and industry knowledge needed to address future security challenges.