James working across Asia Pacific – what is the scorecard that you give Australia and Singapore – A, B C in terms of Cyber Security readiness?
In my view, it isn’t that black and white across Australia and Singapore. For both jurisdictions many organisations are cyber risk aware. However they are not so ready to respond effectively when an incident occurs. In the recent ‘Crisis in Confidence’ Deloitte global survey, the Boards of only just over 50% of Australian big businesses believe they have adequate plans in place to respond to a cyber security crisis. While globally 70% of the survey respondents identified cyber crime as their second most vulnerable area after reputation
My view is that most organisations do not invest enough in Cyber Security. When you talk to CFOs, how do you try to convince them that they need to reconsider this position?
From my experience, the best way to cover this topic with a CFO is to elevate the conversation to business risk. And then identify the importance of cyber risk in that context. I believe that the largest cyber risks are in the business, not in IT. It is only through such a conversation that it will be possible to acquire the necessary funding to manage that risk.
As organisations move into the cloud and into effectively hybrid environments what is your view on managing these threats? Surely the risks are higher and the skills required are increased?
The reality is that many cloud providers have better security than most organisations. This is because security is critical to their ongoing business and their ability to achieve economies of scale.
To this end cloud service providers have to focus on security as part of their core business. They also can and do hire the world’s best talent and as with any prudent business, continue to monitor their service. But let’s be clear you can’t outsource accountability.
James, you work with many CIO and CISOs. When you think about the ones that you really rate – what are the attributes that really count?
The attributes of CIOs and CISOs that I rate, they have great soft skills and knowledge. In my view these best are:
- Faciliators - Great at facilitation to work closely with their organisation’s executives, and board members given the complexity of cyber security.
- Educators - To educate business leaders and other stakeholders given their perhaps limited understanding of cyber-crime motivations.
- Awareness - These CIO/CISOs also have good ‘self awareness’ and can comprehend the impact of a cyber breach on the business in terms of extensive repercussions from reputation damage and loss of revenue, to decreased share price and increased regulatory scrutiny.
- Deep Knowledge - Savvy CIO/CISOs see the bigger picture of effective cyber security and the unauthorised data loss or exposure across the whole business. They do not just focus on IT.
- Proactive Communications - They conduct monthly reporting and regular board briefings to elevate the cyber conversation and embed it into the organisation’s management framework. (briefings cover current maturity levels, unsuccessful breach attempts, response activity to breaches and emerging threats)
- Committed: They role model executive and board commitment to cyber security as this can help the rest of the organisation follow suit. By instigating cyber security discussions at management meetings and encouraging senior management to communicate with staff members when issues arise, the organisation will be better able to respond to breaches of cyber security and ensure and rehearse proper protocols and controls.
What’s your view around the awareness of boards of the risks of Cyber Security in enterprises - is enough being done to educate them?
In short not enough. A recent global Deloitte Survey (February 2016) shows a significant disparity between the Board’s perception of being ready and how ready their organisation actually is. More than three-quarters of the 317 global board members (76%) surveyed, believe their companies would respond effectively if a crisis struck tomorrow. However, less than half of their companies either monitor or have playbooks to respond to a likely crisis scenario. Even fewer, (32%) say their companies engage in crisis simulations (war gaming) or training.
The most vulnerable crisis areas according to the board members were reputation (73%) and cyber-crime (70%). To better educate boards, CIOs and CISOs can use various tools from independent advisors to interactive dashboard visualisations. These will assist executives take ownership of an organisation’s cyber security. And configured correctly, a dashboard can present key information in an intuitive and visual way that makes cyber security more approachable for the C-suite.
Many organisations are embarking on transformation journeys to reshape their business and move into digital. Do you see them understanding the importance of Cyber Security in that change?
An organisation needs consumer trust to be successful in this transformation journey. Deloitte’s recent Privacy Index shows that consumer trust is key to a faster adoption of new products and services and that cyber security, together with the privacy it engenders, are key enablers in this transformation journey.
The Australian Privacy Index shows that more than half of the respondents (2000+) were not current consumers of organisations they did not trust. However too often there is a divide between those embarking on digital transformations and those responsible for cyber security. These silos need to be broken for the journey to be successful.
What in your view is the maturity of cyber security outside financial services and in particular with critical infrastructure?
The maturity within Financial Services is not consistent. There is a big difference between big players and small, as well as between banks, insurers, and wealth and asset managers. The reality is that what constitutes critical infrastructure is not well defined. However when considering utilities such as power, water and telecommunication, there is a growing maturity around cyber security, particularly around operational telemetry. This is an attractive area of significant new investment.
What is your personal level of interest with cyber security start-ups. Which areas are you watching?
This is an area of significant interest, we sponsor Plug & Play a large global start-up incubator, hub that is extending its reach to Australia and includes cyber start-ups in fintechs etc.
Personally I also closely follow the recent Government announcements regarding the $30m cyber growth funds. We work with universities and education providers around STEM subjects (science, technology, engineering and mathematics)which will help to equip Australian talent with the skills to combat cyber risks.
How do you keep your team up to date with developments in Cyber Security?
In our global leadership team I actively share our insights on trends with the team and discuss how we can best apply these learning for our clients. The team has access to the Deloitte University with its dedicated cyber risk curriculum and a comprehensive professional development programs. We also actively participate in vendor, alliance, partnership, and start-up incubators to constantly scan the horizon and evaluate current roadmaps.
How did you get into this Cyber Security domain – was this by plan or did you get here through events?
Well, as a teenager I ran a Bulletin Board system on the pre-internet FIDOnet. And when I discovered people tried to cheat in the games I looked for ways to expose this, which whet my appetite for cyber security. Later I studied a joint honour degree in Computer Science and Management Science where I also learnt coding and business operations.
The nexus of these two disciplines pushed me to the business side of risk management and cyber security in particular. Then post university I worked for a UK Government agencies dealing with actual cyber attacks before I joining Deloitte and was subsequently fortunate to be responsible for Deloitte’s overall information security, resilience and cyber advisory services to the UK Government. Also I had the privilege of assisting the London 2012 Olympic Games leadership team with its cyber incident response, crisis management and forensics.
During this period I established the locally based 24/7 Cyber Intelligence Centre 24x7 services to clients, overseeing its implementation in the UK in 2013. Most recently I joined Australia practice to establish the Asia Pacific network of Cyber Intelligence Centres which we launched in 2015 to link with the Deloitte Cyber Intelligence Centres across North America, Europe and the Middle East.