CISO Interview Series: Trevor McDougall, CIO, Open Colleges

3 ways we keep the executive & board versed on Cyber Security

Open Colleges is an online educational business, and I assume that you have students all over the world. Does this make your role harder?

Actually expanding internationally is a relatively recent event at OC, we have expanded into New Zealand and India and this strategy is still in its infancy. As we continue to expand internationally this does significantly increase our profile and exposure to cyber threats. Complexity is increased because we have a more complex network and new staff in multiple regions which all need to be educated for phishing attacks.

As a business with 100% of infrastructure on cloud platforms I don’t need to worry about data centres which has enabled us to move quickly into overseas territories. We are very careful when selecting cloud partners as we rely heavily on there security practices to protect our data and IP.

How well is Cyber Security understood within the Open Colleges management ranks and with the business?

OC is a digital education business so we have a mix of management awareness of cyber security. Luckily for me Nic Cola our MD came from Fairfax Digital and is very familiar with the threat of cyber attacks on an online business. The rest of the group has a mix of digital and education backgrounds who understand to different levels. Overall as a digital business we are well aware of the risks involved.

But we do need to continually remind all staff on the threats and how to protect ourselves. That’s also my job!

Trevor what approaches have you used to ensure that your Board also well versed on the critical nature of cyber security?

There are 3 main ways we keep the executive team and board versed

  • Each attack is communicated so they can see the level of activity
  • Each request for investment in cyber security comes with a report detailing the latest threats and analysis of OC threat risk.
  • We also conduct “disaster” planning scenarios where cyber treats are one of the main threats
Read more: Scams dominate Australian cyber crime

What’s your opinion around Social Media, you have to use this to engage with your audience – but it potentially makes you a target as 3rd parties know more about you?

Social media is heavily used by both our marketing to engage with leads and support teams to engage with students. We have seen an increase in the number of attacks as a result of our brand profile increasing, we only see this trend continuing.

We will continue to use these channels as they are very effective for OC but are prepared to invest cyber security resource as the risk increases.

Have you ever been spear phished? (from my personal experience it’s not a fun event – but I did share this with my management committee members)

There are have been attempts but todate none have been successful - the socially engineered phishing attack posses the greatest risk.

If we were to lose our student data it would be a bad event for our business.

This is one area we plan to increase our investment to ensure we can minimize the risk of such an attack. To me this is the type of attack which I lose the most sleep over.

Secure by Design is critically important in the online world. How do you ensure your developers maintain this mojo?

Firstly this starts with the talent we hire, they all must understand how to build secure applications. We also rely heavily on the team leadership where we have a strong Dev manager and DevOps AWS architect who responsibilities and KPI include a security focus.

The dev manager coaches and mentors all members of the team and we have peer code reviews built into the process.

We leverage the DevOps resource who is responsible for tooling (eg cloudflare) and monitoring this looks for when shortcuts have been taken and blocks the code. We also have the basics covered ensuring everything and is patched etc.

On a scale 1-5, would you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

I expect our investment in cyber security to increase significantly (4) over the next 3-5 because of the following reasons.

  • Australian digital businesses are and will continue to be prime targets for cyber espionage and attacks
  • As our brand profile increases we become bigger target
  • Hacktivism or “Hacking as a service” will make it easier for anyone with a grudge to target OC.
  • Attacks and threat will continue become more sophisticated and coordinated.
  • Phishing attacks are not something a product or expert can fix and constant regular security training and awareness for staff is required, this is expensive.
  • Our move internationally increased our network exposure and staff.

What’s the most important attribute that you must see to select new staff members to your team?

Customer or student focus is still the most important attribute, as this drives us produce better outcome not cool technology.

In terms of security we look for people who have worked on consumer products as they tend to be more security focused.

I’ve assumed that you are not working in a heavily regulated environment, do you think this helps or hinders the focus on information security that your team has?

Actually the education sector is heavily regulated and I believe this helps provide the basic level of protection designed for traditional education business, this is not good enough for digital education business so reliant on online platforms.

Therefore, it only hinders if you think compliant is good enough.

Finally what makes you excited to come to work?

Building a great online learning product for students, At OC we have build our own online learning platform which we have seen significant improvement in student engagement and gives us a competitive advantage. We have an exciting roadmap of features which all aimed at improving the experience and outcomes for students, trainers and support teams.

Join the CSO newsletter!

Error: Please check your email address.

Tags riskAWSCloud PlatformsFairfax DigitalFairfax Digitalcloudfarecyber threatOpen Collegestargeted attackspear phishingDevopsonline platformIPcyber secuitysocial mediaphishing attacks

More about AWSFairfax Digital

Show Comments

Editor's Recommendations

Solution Centres


View all events Submit your own security event

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Media Release

More media release

Market Place