"Incident response plans are ‘war gamed’, and are done so on a regular basis"

CISO Interview Series: Kevin Shaw, Head of Security, Foxtel

Could you describe your average day as Head of Security at Foxtel? Do you have a particular routine for the start and end of day?

I try not to settle into predictable routines, but there are a number of tactical priorities I like to address at the start of the day. Things like reviewing threat intelligence, checking over the managed security service dashboard, and checking in with the security team for status updates.

Generally my day is split between operational security matters, supported by our Operational Security Manager, responding to requests for advice from business units and project teams, and driving our strategic security agenda.

Something that is a continual focus and almost daily activity is finding ways of ensuring that security is front of mind with our executives so we can continue to maintain a good security culture throughout all levels of the organisation. A good chunk of time is spent looking at how to generate meaningful security metrics and communications for the executive from the ever growing pool of operational data.

Like most security professionals, there is no clearly defined ‘end of the day’, but I do tend to focus more on reading security news and trends and networking with others in the security community.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself. Do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?

There is certainly a heightened awareness at the executive and board level, which has led to changes in security leadership and the size and mix of security teams. These organisations are realising that traditional security approaches and technologies are no longer adequate on their own and are looking to security leaders who can build capability in the areas of detection and response, rather than classic defend/deflect capabilities. They are looking for individuals who are well connected to the global security community, which keeps them informed of emerging threats, interesting new technologies and players, and who can leverage their professional networks to the advantage of the organisation.

Change such as this takes time to wash through the system, and while I am seeing early indicators of change such as fewer and fewer security leaders with IT or IS in their titles, the vast majority are still reporting into a CIO or similar function, which indicates that to some degree security continues to be perceived as an IT issue to be ‘fixed’ rather than a business issue to be continually ‘managed’.

On a scale of 1-5, do you expect that your investment in Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

I won’t give a scale rating but I do see investment increasing over the next 3-5 years largely driven by changes in how we do business, such as cloud adoption, outsourcing business processes, and data management, impacting on traditional security models. These changes to security architectures and adoption of new technologies and services come on top of the existing security costs of maintaining ‘good hygiene’.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

It’s a juggling act but I am fortunate to be part of a team of good technical security professionals, ably supported by an operations security manager, that take the initial response to issues arising. Having an incident response plan and a third party cyber security incident response service certainly allows me to spend more time on our longer term security agenda.

My assumption is that for your line of business a “Man in the Middle” attack, with a 3rd party hacking into your live broadcast, is a serious threat. Is this the worst thing that could occur to Foxtel?

I take it you are referring to something like the TV5 Monde attack? While there is no arguing that that was a very serious incident, like most incidents lessons are learnt and shared, and procedures and measures are updated and we all benefit from this.

That incident was a great example of the need to change from a mainly defensive model into a more detect and response posture. These days it is becoming difficult to prevent or even predict all attacks so organisations are being judged by the public and the regulators on how well they identify attacks and how effective their response is. I am not advocating losing defensive capability, which is basic security hygiene, but being better equipped to discover and deal with the ‘worst thing that could happen’ when it happens.

I have to assume that the crown jewels within Foxtel are the content, such as prime time new series shows, that has the highest level of security? Is that close to the truth? How do you conduct ‘mock’ incidents so that the team is prepared for such potential data breaches?

Content security is important to Foxtel and we do have, and do execute, a duty of care to protect this on behalf of the content creators and owners. Our crown jewels are no different than that of other organisations, being customer data, financial information such as credit cards, intellectual property, and so on.

I certainly advocate that incident response plans are ‘war gamed’, and are done so on a regular basis. They tend to knock out the kinks in the plan and provide ‘muscle memory’ so when people are acting in a high pressure environment the right actions are taken. It’s something the military have recognised for a very long time that is taking root in the corporate world.

There are many new cyber security start-ups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?

Certainly are a few that I am keeping a watch on and ‘kicking the tires’, for example: Elastica in the CASB (Cloud Security Access Broker) sector, HIVINT in the security community portal space, Soltra in the threat intelligence arena.

Within the Foxtel environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?

It’s a very much contextual answer in that securely designed, configured, and patched technologies change over time, and circumstances can cause individuals to occasionally behave in less than acceptable ways. So I would say they are only two of the many risk indicators we look at on a continual basis, and manage through a continuous compliance monitoring regime underpinned by a focus on security culture.

What key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?

Given there is a shortage of talent in the industry and we are competing with the financial services sector and consulting worlds for resources, I look for individuals who embrace and thrive on change, are willing to learn, able to accept accountability, are straight talkers, and are self-managing. Often to end up with good capable professionals it is a case of focusing their enthusiasm, giving clear expectations, providing the right training and career path, and recognising their contribution.

On the same note, given that it is hard to find talent, how successful have you been in training other IT professionals into a Security career?

Over my time at Foxtel the majority of our security team have come from other areas of the business and IT department and most have stayed in the team. Not everyone enjoys the unpredictability and pressure that comes with a security career but when you come across those who do you need to hold onto them. It helps if you have a strong strategic plan that you can articulate well, where you can clearly lay out their role and development opportunities.

Finally what keeps you awake at night?

Many and varied things can keep me awake from time to time and sometimes do, but worry is a wasted and debilitating emotion. It’s better to be able to go to sleep knowing that you have the support of the executive, are further along your security journey each day, you have better detection and response capabilities than in the past, are supported by effective third party security services, and have a capable security team maintaining a good security hygiene level. Then if something happens you will at least be fresh when you come to invoke your incident response plan.
