Troy, would you please describe your average day as CISO at Australia Post? Do you have a particular routine for the start and end of the day?
One of the things that I love most about this industry and this job is that there is no “average day”. Each day is different because of the variety in our work. This can include strategic discussions, solving customer problems, investing in our great people and of course keeping a careful watch on attacks, threats and our cyber activities. I have no fixed routine other than getting into the office as early as I can, which is typically around 6am, to get as much done as possible so I can spend time with my family at the end of the working day.
It is clear to me that “trust” is a key critical component of the Australia Post brand. Does “maintaining trust and the brand” appear on your own personal performance accountabilities that you are judged on?
This is definitely one of the great strengths of Australia Post and something that everyone, right across the company, takes seriously. It is not just my job or my team. Not just our Enterprise risk teams or brand and marketing teams. It really is everyone that cares about our customers, our brand and reputation. As such we are all accountable and measured on a range of brand and trust related aspects.
Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
I personally believe there are two main reasons why large organisations have done this. The first is clearly in response to threats, breaches and media attention. The second however is where more mature organisations have understood early, ahead of all of this recent media attention, just how critical cyber security is to customer trust, brand and to new products and services that take advantage of software and technology. To the credit of our Executive Leadership team and Board, Australia Post is squarely in the second category. As an organisation we have been rapidly building a strong capability right across the business over a number of years.
On a scale of 1-5, do you expect that your investment in Cyber & Information Security will increase over the next 3-5 years? What's going to drive that?
The answer to this is very much a 5 – though I’ll expand on the definition of “investment” to mean more than just money. Our business strategy is very clearly focused on providing eCommerce products and services for our customers. This includes helping consumers transact and shop online, enabling small businesses to sell online and partnering with larger businesses and government in their digital transformation.
As such Cyber and Information Security plays a critical role in our business strategy so we will continue to invest in the security of our customers, people and the community. Our spend profile will fluctuate – as it should. We’ll dial it up and down depending on our customers’ needs and business strategy, the threats and attacks that we face and also our risk appetite.
How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
One of my primary responsibilities is to build and maintain a great team and culture. And then invest in their personal growth in leadership, soft skills and security capability. I have a great team who look after much of the day to day. This enables me to spend as much time as possible with our businesses, helping deliver great products and services for our customers, helping enable our business strategy and steering the security strategy. I am a strong believer in leading by getting out of the way and giving great people opportunities – but being there when they need me.
There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I think the most interesting battleground at the moment is on the endpoint. The old generation of anti-virus vendors are struggling to reinvent themselves and move at pace, while a range of smart, well-funded startups have entered with a very different approach and value proposition.
What do you regard as the crown jewels within Australia Post that have the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
Our crown jewels are easy to find in our business strategy. We are an eCommerce company with a growth vehicle in trusted services that wants to deliver more and more value for our customers. Clearly that translates for my team into protecting and helping our customers use the services that we provide to them. We have a good understanding of this and over the years have done a range of incident and breach response preparation. Every time we do something we learn more and certainly have taken lessons from others in the industry.
Digital and online is clearly a key strategic part of where Australia Post is repositioning. How do you personally stay in touch with this digital channel which is exploding with developments?
There is no way I can, or should, do everything myself. I am a strong believer that great people solve hard problems, so for me, leadership and culture is the answer to just about everything. From a digital and online perspective we have some exceptional people that have chosen to work at Australia Post and deliver great results. As an example, we took the build of a new infrastructure environment down from over 20 days to less than 10 minutes – with a range of security patterns and tools pre-built into the environment. I learn constantly from our teams and from immersing myself in what we do. I also learn from my peers in the industry whenever I can. Cyber Security is a team sport and the sharing network within Australia, and in some areas internationally, is exceptional. I know that I can ring a whole range of CISOs and they’ll answer and happily share – which I will also do for them.
Within the Australia Post environment, are you more concerned about internal technology vulnerabilities or rogue insiders?
Honestly both of these and more. There are so many ways, both malicious and accidental, that an organisation could suffer an incident or breach. By the same token I am also worried about “too much” security that leads to driving away customers through poor experiences or in slowing down our business so much that we can’t compete. Our approach is to align our security program against our business strategy – with a non-negotiable on protecting our customers.
What key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
From an industry perspective, I say that we have a glut of people in certain areas and a massive shortfall in others. I can easily hire for a security operations role or to work in risk or compliance. However, finding great agile security engineers or customer security leaders is a massive challenge. Our approach when recruiting is based on culture, leadership and communication skills first. Then we look at security and technology skills. It is far easier to teach someone security content knowledge than to teach a positive mindset, a collaborative personality profile or a customer-centric pragmatism. As a result, our recruitment timing varies. Some roles are a matter of days while others can take months. We’ll wait for the right person rather than recruit someone with the wrong culture or leadership attributes.
When you choose partners to work with, are there gaps in the Australian marketplace where you can’t find capabilities that you have demand for? (Could you provide some examples?)
Yes definitely. I have found over the years that our partnership model tends to follow people rather than companies. Having said that there are still gaps. Finding a partner to do old world penetration testing is easy. Finding a partner to do secure software development in agile teams is a major challenge.
Finally, what keeps you awake at night?
My 2 boys under 3!
And from a work perspective “coverage”. We have great executive support, leadership and I am lucky to have a wonderful team. We have built some exceptional capability and have done some really innovative things such as our agile security development and our customer cyber security services. The coverage issue though is that despite all of that “good” it only takes one gap, one mistake or one unknown that could lead to that customer data breach or material security incident. As such I worry about covering everything that we need. Are we enabling all parts of our business effectively? Are we protecting all customers? Have we looked at every piece of code? Do we understand every partner? Can we cover every threat and every risk? Trusting in great people and taking a threat and risk approach is critical.