Senior bank executives are more aware of and responsive to the growing cyber security threat than ever – and are investing to proactively address it, according to the ANZ Banking Group's global cyber-security head.
The change had been driven not only by the increasingly high profile of cyber security threats, but also by the recognition that security was critical as industry players moved to mobile-enable their businesses.
“It's a combination of putting together safe and sound capabilities, that meet the ability for all types of demographics in the community to be able to interact with the organisation,” ANZ head of information security and technology risk David Fisher told attendees at IBM's recent Solutions Connect conference.
As an enabler of that change, Fisher had acted to support “the conduit between security, technology and the business,” he explained. “My role really is about helping the business understand the environment in which it works, and helping it appreciate what it needs to do to respond to things such as security.”
That process – of conveying understanding to executives – had become far easier in recent years because of executives' growing awareness of cyber security issues, Fisher said.
“The journey has accelerated over the past decade, and the language which we're using has changed,” he explained. “Previously people understood that it was there, but 'it never happened here so it doesn't exist' was prevalent.”
“The press [coverage] drives home the fact that these things are happening because management are seeing it firsthand. Once it becomes personal to you, you become interested in the topic and you understand – and the moment you've got that level of interaction, it becomes very easy to start to have a real conversation.”
Those conversations are driving real changes in the structure and interactions at the executive level, in terms of how the business and IT areas relate.
“It was always an understood thing that security used to be managed inside the realm of general business practice, but now information has become its own stream of risk,” Fisher explained.
“New titles are appearing, and CISOs are appearing – and as a result you are seeing organisations responding to the changing environment. If only from an organisational perspective, the organisation clearly now understands that the topic is real, relevant and becoming more so.”
As well as redefining boundaries around information risk, Fisher said, improving dialogue between business and IT security staff had led to some new discussions about the way IT-security funding is allocated – and while overall security budgets had increased, it was not simply a case of throwing money at the problem.
“We are spending more [on IT security] but we're doing it in concert with strategy and not as a standalone function,” he explained.
“The topic of security is like rain: you can pour cash into it and the results aren't necessarily transparent to those that are funding it. So you do need to be able to demonstrate the appropriateness of the spending and how you spend, versus the risk and reward.”
While information-security executives were enjoying new status at the executive table, Fisher warned that they still need to ensure that they're communicating their message appropriately.
That included ensuring security messages were not being delivered only from a technology perspective: “clearly there are software elements of security that need to be understood across the organisation,” he explained.
“But for me it's really about how you take the broader message, pitch it to the right audience, and have a strategy around how and when you communicate that. We have a small team that are literally running awareness campaigns around the place.”
“There really is no secret formula to this,” he added. “These business guys are very smart and they understand the totality of what they're going to do.”
“Over time, the organisation gets to the point where it understands what its tolerance levels look like. Security-enabling the organisation these days is a very important component of how we operate.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.