At the beginning of this month, The Ortus Club brought together a group of CTOs, CIOs and other IT decision makers in Sydney for a dinner discussion at the Four Seasons Hotel. The topic discussed was “protecting most critical data and staying ahead of the game” with four main questions guiding the conversation:
- Current cyber threats – why is data being targeted differently?
- Which specific industries will most likely be at high risk of cyberattacks in this digital age and why?
- How can companies build an active defence against ransomware?
- How can companies enable zero trust security as their last line of defence?
The discussion was attended by:
- CIO at Cuscal
- CIO at Georges River Council
- CISO at Fire and Rescue NSW
- CRO, Corporate & Institutional Banking at National Australia Bank
- CRO at Ray White
- CTO, Cyber Security at Optus
- Board Director at Youi Insurance
- Advisor at IBRS
- Executive Director at Red Piranha
- SVP, Head of Central Compliance Australia at Citi
- VP, IT at Jefferies
- VP at Citi
- Global Head, Safety and Security at Standard Chartered Bank
- Head of Compliance at Blackmores Limited
- Head of IT at Busways Group
- Head of IT Security at Zurich Financial Services
- Head of Risk & Compliance at SocietyOne
- Head of Technology and CTO, Oceania at Nokia
- Head of Technology at Credit Simple
- Chief Architect IT Services at Zurich Financial Services
- General Manager at UOB
- WW Information Security Director at Cubic Transportation Systems
- Financial ICT & Operations Consultant at Singtel Optus
- Lead Consultant Government at Macquarie Government
Cyberattacks are becoming more frequent, causing greater loss of revenue, negative publicity, and customer distrust. Many organisations do not realise that their backup capabilities are not designed to withstand and recover from these attacks, and these vulnerabilities can have highly damaging and costly results.
While there has been an attempt to improve security in most areas, companies still need a way to quickly recover lost data to avoid costly downtime. Enterprises need a comprehensive approach to cyber-risk mitigation: one that goes beyond threat detection and remediation. Incident response needs to be strengthened, as do the associated data security and recovery strategies.
Changing the approach to cybersecurity
While digitalisation and mobile connectivity are changing businesses in positive ways, they also bring significant risks. As companies’ global investment in security technologies continues to grow, so does the scale and impact of cyber-attacks. During our roundtable, most of the CTOs, CIOs and IT leaders agreed that there is still considerable room for improvement in organisational resilience and corporate response to growing cyber risks.
Although keeping antivirus software up to date is the first step of any cybersecurity initiative, the majority of attendees agreed that this is simply not enough. Understanding and applying real scenarios to cover holes in the system is much more complicated than just keeping up to date with the latest software. Companies try to be prepared for future attacks, but they cannot do this without determining what their “patient zero” was, what is needed to isolate the infection, and what the best way to remediate it is.
All members of the discussion acknowledged that security in their organisations is not yet receiving the importance or the attention it deserves. One initiative shared by an IT leader was a cyber-resilience tabletop exercise in which real-life cyber scenarios were played out and responded to by professionals from the sector. It was extremely helpful for his team to watch how the board handled cyber issues, and to gain an understanding of their impact 5 layers down. Interactive projects like these can help companies raise awareness of the importance of cybersecurity.
Following cybersecurity frameworks
To be prepared for future threats, companies ideally should not wait for governments to act, and should develop their own effective cyber resilience strategies that go beyond technical cyber-security. Although most guests were aligned on their compliance with new regulatory cyber-frameworks, many admitted that they were still finding it hard to keep up with them. Building cyber resilience is a complex and multidisciplinary process and, since the consequences of a data breach can be technical, social and financial, it is imperative for every business to prioritise cyber resilience by integrating all of its business operations with IT.
One of the biggest challenges for cybersecurity management is getting the decision-makers of companies on the same page as their security managers. At present, these issues tend to be treated as a separate entity altogether. As current legislation now forces companies to prioritise cybersecurity, including security management as part of normal operations and investing time, money and people in these departments should be the way forward. Increasing cyber risks demand proactive decisions from the board on cybersecurity development.
Cyber resilience vs business performance
How are companies combating the scale and robustness of current cyber-attacks without sacrificing their performance? Our guests gave a variety of answers on this matter: various leaders focused on keeping up to date with current cyber-risks in the market; others preferred to invest, transform and upgrade to new systems to protect themselves from attacks; some preferred to continue focusing their energy on company performance rather than coming to terms with these cyber-threats.
As previously stated, the group collectively agreed that increasing resilience needs to be led from the boardroom. Business leaders’ behaviours and culture are a vital part of effective cyber resilience. Establishing a cybersecurity governance and risk management program that business leaders stand behind will help to focus time, money and limited resources on the areas that matter most to an organisation.
Applying cyber resilience capabilities and state-of-the-art security across an enterprise will allow an organisation to tackle its cyber risks with greater success. Transforming into a cyber resilient organisation requires a detailed roadmap that specifies how the organisation must develop and implement a cyber resilient IT infrastructure.
All the CTOs, CIOs and IT leaders at the table agreed that company executives should be risk enablers instead of risk mitigators. Understanding and unlocking the potential of being enablers will help build a more resilient security system. Combining evidence, foresight and operations in their decision making will not only protect their most critical data but will also help their business fully exploit a digital advantage.