Does your Board paper have a section on cyber risk?

In other words, is your organisation ready to take on a single incident that can paralyse your business?

No single threat event has the ability to paralyse and force a business into administration or become a takeover target more than a cyber event.

These threat events are well planned, sophisticated, complex, smart and most of the time only detected when it is too late. Customers and investors are quick to turn from any company that is frivolous with their information. Regulators are usually behind in their approach and more often than not they stifle innovation when we need to increase our speed of innovation.

Never before has speed of change been more important to ensure competitive advantage and increased revenue. We need to begin working together as a country: a collaborative group of companies working together to address the threats to New Zealand infrastructure and commercial interests, and to become more transparent in the way we address cyber risk.

So many times I hear that cybersecurity is a business enabler but too many times I do not see how people are enabling New Zealand to achieve that. We all need to review our approach and ensure it is aligned to the most economic way to protect our assets and use effective and robust risk management to enable business decisions.

So why, historically, has it appeared in the “too hard basket” for many NZ companies? The usual suspects are cost, resources and lack of awareness of the real threats versus the Fear, Uncertainty and Doubt (FUD) approach that many professionals perpetuate.

In order to address these issues, we need to join the collective Kiwi mind through creating a network of security professionals who communicate closely with each other. Working with peers and providers alike is the only way for New Zealand companies to remain competitive on the global stage.

It is also imperative to link a formal cyber risk process to any transformational strategies the company has planned. This will ensure that we start to reduce wasteful, ill-focused and ineffective spend on cyber immediately. After all, we all know that retrospective application of controls is vastly more expensive than applying them from the design phase.

Mission: Demystify cybersecurity

We must enable transparency and empowerment within an organisation and demystify cybersecurity! Working to introduce processes and educating people across an organisation is imperative. All processes should be clearly documented and available to enable successful training and so that we can visually identify where to insert cyber controls.

Effective, understandable, relevant and useable policies and best practices should be made available to customers to show transparency and to gain trust that we will protect their information! I would also advocate no more than two pages per security policy to really make them readable and empower groups of people to push the boundaries, increasing innovation, taking more informed risks.

Educating an organisation with basic awareness training is vital. As the attacks become more sophisticated we need users to act as a control; noticing potential incidents and reporting them for investigation. This will reduce the cost of the cyber reaction through early identification and minimal error in initial response. Every single employee has a responsibility to help reduce spend on cybersecurity. As it becomes more socially acceptable for companies to experience incidents the users will look for the supporting processes as a way to ensure confidence is maintained and a chance provided to the company that experiences the event.

We also need to start to be honest and open with each other about the impact that cyber has to our economy by recording and quantifying security incident impacts. This is a great way to show the benefit of security spend to any Board member.

To underscore the urgency of this matter I would like to call for all industry security experts from around New Zealand to contact me directly on David.Kennedy.NZ@gmail.com.

I will take it upon myself to ensure we are working together to develop a mechanism to address risk and obtain budgets for business growth. I promise to work with each and every one of you to build a network, work together, share information and enable you to have a process for providing a workable security posture to present to your management.

David Kennedy

David Kennedy has worked as a CIO/CISO in public and private sector organisations across the globe. He has worked in cyber security for almost two decades with over 75 companies. He has an MBA from The University of Edinburgh, and is on the faculty and Advisory Board for the Strategic CIO Program at the University of Auckland Business School. Reach him at David.Kennedy.NZ@gmail.com.
