My Advice to Prime Minister Mr Turnbull

CEO & Founder, Cyber Management Alliance Ltd and ISACA UK - Chair Security Advisory Group

Amar, as chair of ISACA Security, and with that broader perspective, what would you like to see changed about the degree of cyber security international cooperation between countries and companies?

We are nowhere close to the ideal intelligence sharing and international cooperation. That does not mean that nothing is being shared. To the contrary, Interpol and other agencies are taking the threat of cyber very seriously and are constantly working on improving collaboration and intelligence sharing. This collaboration has resulted in the takedown of several cyber criminal outfits.

Some other initiatives in the UK and US include CISP from CERT UK, the CISA Act in the US and several commercial threat exchange outfits. In addition, we have several industry-specific ISACs, or Information Sharing and Analysis Centres, such as the FS-ISAC, the financial industry ISAC.

However, overall, corporations, locally and globally, have a long way to go when it comes to international cyber cooperation.

I am a strong advocate for simplicity, and a step towards global cyber cooperation would be to:

  • Increase the education around cyber and threat intelligence sharing, at the board level.
  • Create an “idiot-proof” sharing platform that would allow the timely sharing of threat intelligence.
  • Make it accessible to as many as possible.

This may appear an easy task, but making an easy-to-use sharing platform is, on its own, a massive undertaking. Well, let’s assume you achieve that; you then have to convince companies to actually start sharing. (That’s a topic for another day.)

You are about to be granted an audience with the Prime Minister of Australia, Mr Malcolm Turnbull who is strongly driving this country into a digital future. What 5 items of advice around Cyber Security would you offer?

My advice to Mr Turnbull, in no particular order:

  1. Ridiculous laws will be circumvented – let’s make them practical.
  2. Increase the nation’s true cyber capability (in all areas of tech, including programming, hacking, telecommunications, encryption etc.).
  3. Recognise that cyber attacks may cripple the nation - and prepare for that eventuality with deep focus.
  4. Incentivise all companies to increase cyber awareness within all their own staff.
  5. Encourage and create an intelligence sharing community with government commercial partnership - involve every company, not just the big corporations.
  6. Stop trying to weaken encryption technologies like the rest of the countries. Criminals are smart enough to develop their own strong (or stronger) encryption. Instead, promote the use of strong encryption and set an example globally.

In your career you have held CISO roles at large multinationals. What was the hardest assignment that you have ever had and why?

Another good question, but client confidentiality comes first. However, with my ISACA turban and my practitioner experience: organisations face some big challenges in their cyber endeavours, including:

Security is almost always a cost centre. Consequently, the cyber budget is the first to be squeezed when times are tough.

Protection, Detection or Response: Companies continue to focus on protection in the false belief that the higher and stronger the “castle walls” the better their chance of never being hacked.

Considering the percentage of revenue that is spent on Cyber Security, what do you think is the appropriate range of investment?

The range depends on the organisation’s sector and the specific contextual threats facing its business. There isn’t much evidence available that correlates increased budgetary spend with increased security. On the contrary, many large organisations (mainly banks) spend a stupendous amount of money on cyber and have still been hacked.

Deciding on investment can be made simpler if organisations consider the following:

  • Before allocating further budgets to cyber, I ask my clients to carefully consider and answer the following: “How would you destroy your business?” If the business owner or C-level executive is unable to answer this question, then we have a problem. Why? Because the cyber criminals know the answer.
  • Adopt a practical, risk-based approach to cyber. (No, this does not equate to “start a spreadsheet and dump some half-baked, useless risk statements in there”.)
  • Focus the spending on detection and response: companies need to stop focusing purely on protection and start focusing on detection and, more importantly, their ability to respond. On balance, this often involves increasing the education and awareness on cyber incident planning and response within a company.

Once you consider the above you should be able to spend your dollars more effectively and efficiently.

When you are hiring new staff straight from university, what are your thoughts around how long it takes you to get them fully trained? Are there any secrets to accelerating cyber security staff development?

I look for passion more than anything else. Why? Without passion we might as well be inanimate objects. With passion I have seen graduates become cyber ready within a year, sometimes much less.

In addition, it is important to provide the new starters with industry-specific, hands-on training as soon as possible to help in rapid learning. Finally, where possible, assign a mentor to the new starter. Good mentors can make a huge positive impact on learning and on instilling a passion for the job.

As a person who is deeply involved in Cyber Security, how do you stay fresh and not get jaded?

Simple - I strongly believe in networking and constant learning. There is simply no way to know everything in today’s world. I use the following methods:

  • Twitter - follow the right people.
  • LinkedIn - for me, almost all my relevant news is shared by a network of friends and acquaintances, which saves me from scouring the Internet.
  • One-to-one and one-to-many face-to-face discussions.

I’m interested in which Cyber Security startups you are tracking.

I have been trying to track startups related to blockchain, true AI-type security analytics, and companies focusing on the perennial problem of detection and response.

When giving advice to companies on Cyber Security, and you have more demand than supply of resources and funds, how do you decide and prioritise?

It's quite simple.

First, stop wasting your efforts on “protection” in cyberspace. Protection is a dangerous concept, as it is simply impossible to protect an asset from compromise. Instead, focus on detection and response.

Education and awareness for all: Information security (or the security of confidential information, personal information and other important data) is the responsibility of all, and thus everybody in an organisation, including the senior executives and the board, must be educated in cyber security and privacy essentials.

I ask my clients to carefully consider and answer the following: “How would you destroy your business?” If the business owner or C-level executive is unable to answer this question, then we have a problem. Why? Because the cyber criminals already know the answer.

Another way to look at this is to focus on the top 5/10 processes and technology systems that can make or break a business.

What’s your view on the gap that Boards have around Cyber Security? Are there specific areas that they need to focus on?

Again, education and awareness are the biggest single gaps at the board level. Most boards are simply clueless about the intricacies of cyberspace and its positive and negative impacts on the business bottom line. Furthermore, boards are not grasping the importance of getting the response element right when it comes to building cyber capabilities. In summary:

Cyberspace, cyber security and data privacy cannot remain in the IT dungeons and must become a board issue. For that to happen, every single board member must, without excuse, get to grips with the essentials of cyber security and privacy.

Cyber Incident Planning & Response: Boards and executives need to acknowledge that their organisation will be attacked and compromised. Consequently, they need to focus their efforts on increasing their organisation’s detection and response capabilities.

More of a message for the CISO and his/her teams: the world does not revolve around cyber security. To that extent, the cyber security function should become a regular BAU and strategic partner rather than a “special requirements” team.

Cyber Security is hardly a fun and jovial place. How do you keep your sense of humour when there is always pressure on?

LOL :) I think the challenge is how you decouple or disengage from a profession that is always predicting gloom. A couple of points, to be honest:

I am a very positive person and I carry that positivity about cyberspace too.

Also I think cyberspace, the Internet, call it what you may, provides us humans with an unprecedented opportunity to improve communication, build relationships and share knowledge and ideas.

We all need to stop selling cyber security as “the end of the world” saviour and rather make it a boring, business-as-usual activity (good luck with that).
