Nicholas Tan, the chief architect for digital services, cloud and cyber at News Corp, and Andre Bertrand, the head of IT risk and security at Seek, joined moderator Sam Stewart from Culture Amp to discuss the challenges of cyber during the recent Cyber in Business held in Melbourne.
As is almost always the case, it didn't take long for the security discussion to turn to the challenges created by an ongoing focus on compliance. Tan noted that there is so much to do within the business, with the company on a continual march forward to embrace cloud technology, that business functions are prioritised over compliance.
Bertrand agreed that the pace of adoption of new technology was so fast that businesses were continually evolving to keep up and take advantage of new opportunities. Developers could take advantage of new ways of doing things, and there was also a challenge created by the increased connectivity between developers and other communities.
The ability to rapidly develop new business functionality presents a significant problem, said Bertrand. Existing security systems and processes cannot scale at the same rate as the business systems they protect are changing. Consequently, there needs to be a new way of thinking about security.
He said better automation will allow systems and people to manage the easier decisions themselves, allowing scarce security resources to be directed at managing the more difficult problems. Tan agreed, saying one approach News Corp was taking was to not reassess every security tool that the company decided to use.
Tan said that if a tool was already assessed and being used by another part of the multinational company, they would trust the other division’s judgment and either accept or reject the tool based on their recommendation.
The relationships between companies and vendors were also a focal point for the discussion. Both Tan and Bertrand agreed that existing procurement models don't work in today's world. Tan said the old way was about long-term deals, but companies need to be prepared to procure, use and discard a tool within 12 months in some cases. Bertrand added that this leads to a business requirement for better on-boarding and off-boarding processes for personnel and partners.
Both panelists agreed that the faster development, procurement and deployment of systems meant existing testing and assurance programs were no longer able to keep up with business needs.
Bertrand noted that Seek uses Australian company BugCrowd to crowd source hackers who are paid bug bounties for the detection of flaws. Depending on the severity of the bug, the hackers are paid anywhere from tens of dollars to thousands.
Tan said News Corp has found the use of beta programs to be effective, where pre-release software is made available to a limited pool of users who detect issues and report them.
With both panelists working at companies with broad global footprints, there was some discussion regarding the divergence and evolution of different privacy laws across the world. With the rules in the United States, European Union and China all evolving, as well as local laws, there is a need to constantly monitor what is going on.
When it came to assembling a security team that is adept at dealing with all this, both Bertrand and Tan agreed that embedding security into all activities, rather than having a separate security team works best in their experience. This allowed security to be incorporated into the build pipeline and created a two-way street for communication of security challenges, giving developers an opportunity to contribute to how security is handled.