How infosec gained primacy with ANZ Bank execs: cyber-security head

Senior bank executives are more aware of and responsive to the growing cyber security threat than ever – and are investing to proactively address it, according to the ANZ Banking Group's global cyber-security head.

The change had been driven not only by the increasingly high profile of cyber security threats, but by the recognition that security was critical as industry players moved to mobile-enable their businesses.

“It's a combination of putting together safe and sound capabilities, that meet the ability for all types of demographics in the community to be able to interact with the organisation,” ANZ head of information security and technology risk David Fisher told attendees at IBM's recent Solutions Connect conference.

As an enabler of that change, Fisher had acted to support “the conduit between security, technology and the business,” he explained. “My role really is about helping the business understand the environment in which it works, and helping it appreciate what it needs to do to respond to things such as security.”

That process – of conveying understanding to executives – had become far easier in recent years because of executives' growing awareness of cyber security issues, Fisher said.

“The journey has accelerated over the past decade, and the language which we're using has changed,” he explained. “Previously people understood that it was there, but 'it never happened here so it doesn't exist' was prevalent.”

“The press [coverage] drives home the fact that these things are happening because management are seeing it firsthand. Once it becomes personal to you, you become interested in the topic and you understand – and the moment you've got that level of interaction, it becomes very easy to start to have a real conversation.”

Those conversations are driving real changes in the structure and interactions at the executive level, in terms of how the business and IT areas relate.

“It was always an understood thing that security used to be managed inside the realm of general business practice, but now information has become its own stream of risk,” Fisher explained.

“New titles are appearing, and CISOs are appearing – and as a result you are seeing organisations responding to the changing environment. If only from an organisational perspective, the organisation clearly now understands that the topic is real, relevant and becoming more so.”

As well as redefining boundaries around information risk, Fisher said improving dialogues between business and IT security staff had led to some new discussions about the way IT-security funding is allocated – and while overall security budgets had increased, it was not simply a case of throwing money at the problem.

“We are spending more [on IT security] but we're doing it in concert with strategy and not as a standalone function,” he explained.

“The topic of security is like rain: you can pour cash into it and the results aren't necessarily transparent to those that are funding it. So you do need to be able to demonstrate the appropriateness of the spending and how you spend, versus the risk and reward.”

While information-security executives were enjoying new status at the executive table, Fisher warned that they still need to ensure that they're communicating their message appropriately.

That included ensuring messages of security were not only being fed from a technology perspective: “clearly there are software elements of security that need to be understood across the organisation,” he explained.

“But for me it's really about how you take the broader message, pitch it to the right audience, and have a strategy around how and when you communicate that. We have a small team that are literally running awareness campaigns around the place.”

“There really is no secret formula to this,” he added. “These business guys are very smart and they understand the totality of what they're going to do.”

“Over time, the organisation gets to the point where it understands what its tolerance levels look like. Security-enabling the organisation these days is a very important component of how we operate.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
