The Security Odyssey

How do we know if we’re doing information security well? How far along the journey to information security nirvana are we, and what does that place even look like? George Arronis, the Head of ICT Risk and Security for Serco Asia Pacific, has some views on the positive and negative trends he’s seeing.

“Three key things that the industry has done well are that there is a growing security awareness, we’ve adopted security frameworks to guide our security thinking, and we’ve tackled major threat themes over the last while. Although attacks are still happening, the industry has developed multi-layered countermeasures to those threats,” he said.

So, what aren’t we doing well? “Whilst security awareness is growing, it hasn't necessarily changed user behaviour in the way we want it to. That continues to be a challenge, and the research has shown that humans continue to be the weakest link in information security,” according to Arronis.

In addition, Arronis says we need to get a handle on the economics of information security. “We need to understand things like ROSI - return on security investment. Another area is getting an idea of the real cost of security breaches in an organisation.”

In Arronis’ view, some of the internal costs aren’t well understood as they are often absorbed by the business. There’s a need to get to a more detailed financial view of those losses. He says that a small number of organisations, identified as “true leaders” in a recent PwC security report, are at that point, but it’s not yet a mainstream level of business wisdom.

In response to the changing threat landscape, Arronis notes that we are moving away from the old “castle and moat” model to a new one where we are focused on detecting and managing threats. This is because “the physical perimeter has moved”.

“Our data footprint is quite extensive. Managing that is difficult. The focus for organisations is on knowing where the crown jewels are and putting protection around them.”

Over the last couple of years, there have been significant changes in how IT departments deploy and operate systems. In parallel, there are many instances where business units bypass IT and procure their own systems—often using external SaaS and IaaS providers—coupled with potential data leakage on mobile devices that might be unprotected.

“It’s about getting on the front foot with those emerging technologies,” says Arronis. “Consumerisation of IT has bolted and it is making it difficult for IT departments to catch up and manage that. But, even if it is to a degree retrospectively, organisations can put in a base level framework to manage those new threats. But it is a challenge and it goes back to being an ongoing odyssey. You fix one thing and something new comes up.”

For IT departments, this means being reactive, able to detect, restrain and counter threats when they occur, but also being proactive: engaging with the business and being more aware of the changing threat profile.


Stories by Anthony Caruana
