A digital security expert says education and planning are the ways to get past the fear and misunderstanding around cyber-security.
Organisations need to have a clear understanding of the role of digital security in the overall running of their business, and knowing how to respond to an event must be woven into the culture from the top of the organisation down.
This was the message of Palo Alto Networks vice-president and regional chief security officer for Asia-Pacific, Sean Duca, at the Conference of Major Superannuation Funds 2017.
“I think it’s probably fair to say that [among] the majority of business leaders, boards of directors and executives, there’s a lot of fear around being held accountable and responsible for some sort of cyber-security challenge that pops up,” Duca said. “Every business leader needs to have proper tools and guidance around how to deal with and manage cyber-risks today, in the digital world we’re in.”
Cyber-security is sometimes still seen as a “mysterious risk” even though it isn’t, Duca said.
“I think we need to go as far as dropping the ‘cyber’ moniker in front of cyber-risk, and say, ‘It’s just risk.’ Business leaders manage technical risk, financial and reputational risk, and damages to a business – this is the same thing.”
Beyond the IT team
An approach to understanding and preparing for cyber-risk should form part of the culture of the organisation.
“It’s not something that should be relegated to the ranks of the IT team to manage, because it’s not a technology piece; it’s a conversation around how you leverage people, processes and technology to achieve the outcome of being a secure business.
“At a board level, you should be asking your people who are in charge of risk or security inside your business, ‘What is it that we’re trying to do to manage this?’ ”
Aside from the normal day-to-day running of an organisation and its technology, there are key projects during which security has to be discussed from the outset.
“If you are looking to move to cloud, or you’re doing some big project that’s going to transform the business, security needs to underpin all of those projects,” Duca said. “The question I want people to start asking is: ‘How are we securing that?’
“If you’re doing a big initiative and you’re moving to new premises, or there’s some new technology that you’re going to be taking as a new route to market, what’s the security element to it?”
In 2014, Palo Alto Networks partnered with the New York Stock Exchange and asked the president of the NYSE, Tom Farley, whether any of the 2800 listed companies in the stock exchange ever sent their fiduciary responsibilities when it came to cyber-security. The answer was no.
“Palo Alto Networks gathered together 44 US business leaders to provide their best practice around cyber-security. [The publication Navigating the Digital Age] set out to empower business leaders around cyber-security,” Duca said.
Last year, Palo Alto did a similar project in Australia, lining up 10 Australian business leaders, including: former chief information security officer of Telstra, Mike Burgess; Australia’s first cyber-ambassador, Dr Tobias Feakin; and chief executive of the Business Council of Australia, Jennifer Westacott, to provide their insights on protecting businesses.
“We ask, ‘What do you do in a crisis? What’s the communication plan?’ ” Duca said.
“I spend many days each week in front of executives and I ask them to do a tabletop exercise: There’s an extortion attempt, and it happens to come through a cyber-channel. How do you go about managing that?
“Sometimes, people are basically pointing fingers at everyone, saying, ‘Isn’t that your job? Isn’t that your job?’ How do we get to a co-ordinated point where we’re not picking the team on the day of the game? [We want to be able to say], ‘We’re prepared. We’re preventing this from happening. We’re leveraging a combination of people, process and technology. We’ve built up this cyber-security culture where our people, our employees, from the top down, are all empowered and understand the challenges that are out there.’ ”
Super funds’ challenges
The superannuation industry has its own specific challenges it must face, including multiple levels of legacy technology systems that are still in place.
“There are definitely a whole bunch of changes that need to happen,” Duca said. “There are different levels of maturity – some superannuation funds are good in their processes and how they manage their security; whereas, I’m sure in others there are programs of work in place as to how they can [accomplish] that.”
Duca spoke to Investment Magazine ahead of the Conference of Major Superannuation Funds on the Gold Coast 22-24 March, 2017, where he participated in a panel discussion titled ‘Cyber Security – Not Just an IT Problem’.