Integrated approach required for cyber security
Summary: Achieving an effective level of cyber resilience requires organisations to adopt a holistic approach to security that extends far beyond the IT department.
Participants in a recent round table discussion, hosted by The Australian Financial Review and ACS, agreed a new approach is required that will ensure security issues and tactics become embedded in all areas of business activity.
Jill Slay, director of cyber resilience initiatives at the Australian Computer Society, says that – all too often – cyber security is viewed by boards and senior managers as a technical issue that needs to be solved. This attitude needs to change if Australian businesses and public sector organisations are going to withstand the growing range of cyber threats causing problems around the world.
"We haven't treated information security or cyber security as a multidisciplinary issue," says Slay. "We haven't had generations growing up who understand law and policy and technology.
"You can't solve the problem unless you actually understand what it is you're protecting and how you'll protect it. Until we've come to grapple with that a bit more, I don't think we're going to solve the problem."
Maria Milosavljevic, chief information security officer for the New South Wales government, agreed that a broader approach to cyber security is required within organisations of all sizes.
"If you get an electrician to fix the wiring in your house, you don't have to have a safety person with them – they know safety, and they were trained on safety," she says. "But we've still got graduates coming out of universities who can code, but they don't know how to code securely. We've got to reframe what a professional looks like in this space."
Milosavljevic points to the evolution of motor car safety as the type of path that needs to be followed when considering cyber security and resilience. As cars became faster and more powerful, risks increased, and more controls and safety features were added to reduce the risk of injury.
"We've evolved and adapted and said, we're not prepared to tolerate that risk, and so how do we minimise that risk to something that we think is actually tolerable. It's about finding that balance."
Acknowledging the approach taken by car manufacturers, Singtel Optus head of cyber security Simon Ractliffe says that when it comes to cyber security, the challenge is one of timing.
"There needs to be a sense of urgency," he says. "To train an architect to think as a security architect [and ensure] everything is cyber secure by design is going to take some time to evolve – I'm not sure we have that much time."
Gavin Matthews, practice director, cyber security and risk at GHD, agrees, saying the threats facing Australian companies are growing at an increasing rate. "We're up to a major breach every fortnight, so the reality is we've got to get better at this," he says.
"In organisations here in Australia, boards and C-level executives need to understand the questions to ask. Taking that information and doing something with it, that's the key thing."