A panel discussion at the recent Emerging Cyber Threats Summit, held in Sydney, looked at cybersecurity and the future of the digital economy. With more and more commerce and collaboration taking place digitally, there are great rewards but new risks that need to be considered.
Moderated by Kate Healy, the Principal Cybersecurity Consultant at Aleron Security, the panel brought together Nigel Phair (Managing Director at the Centre for Internet Safety), Cyber Policy Advisor Jacob Boyle from the department of Prime Minister and Cabinet, Ashurst partner Sophie Dawson, IT Security Specialist Martin Brown from AUSTRAC, and Nick Ellsmore from Hivint.
The discussion commenced with the question: "What is digital transformation? Why do we need to consider cybersecurity a part of strategy?"
Phair said it was a challenge to develop a corporate strategy that takes security into account. Rather than considering security in isolation, it needs to be part of the broader corporate strategy.
"Security needs to be in the room," he said.
Boyle added that it was important that the business understands their responsibility. Wherever you are in the business you are accountable for securing the information you hold and handling the risks, he said.
Part of the problem, said Ellsmore, is a lack of maturity when it comes to matters of cybersecurity. He contended that the focus on availability as a key metric can get in the way of innovation. He said you need an "error budget" so you can innovate - perfect is the enemy of done. There is a need to accept some level of loss but understanding what an acceptable level of loss is remains contentious.
While operational matters are important, Dawson noted it was important to also consider the legal and regulatory environment and the need for both proactive and reactive planning.
Healy then asked: "How do you balance risk with how to innovate?"
Dawson said board-level decisions need to be made with lots of information; there is no one-size-fits-all way of making decisions. Boyle agreed, and said balancing innovation and the national security strategy means we need to make assessments and judgements.
In some industries, making those judgements may be easier than in others. Ellsmore said: "Banks have it easy - they have a metric, money, but it's harder in other industries."
Ellsmore described the situation Ford in the United States found itself in with the Ford Pinto. This car had a design flaw that resulted in cars catching fire and exploding following some rear-end collisions. Ford made an economic decision weighing car safety against the cost of a recall, concluding that the cost of a recall exceeded the costs it would incur in the event of a number of fatalities.
However, their assessment failed to consider massive costs that the company later incurred when it was revealed they knew about the design flaw but chose to not rectify it on economic grounds.
Quantifying risks remains a challenging task – a conclusion that was agreed by all the panellists.
In the event of an incident, Dawson said it was important to be prepared and have a checklist ready of who you need to contact if there's a breach. This would include specialist IT, PR, business, and legal support.
One of the recurring themes through the two-day conference was the need to better engage SMEs in cybersecurity matters. Phair noted that the council of SMBs is rolling out a cyber-insurance policy and that the use of encryption is increasingly seen as a prerequisite by insurers. The new data breach legislation, which comes into effect in February 2018, is also important, as many breaches remain unreported today. But the OAIC may be stretched if it lacks sufficient investigative resources.
Ellsmore noted that small business is starting from a base of nothing. That means they need to focus on incremental improvement and use service providers as they lack the skills to do it themselves.
For enterprises, Boyle said the focus needs to start at the top – cyber-risk is an enterprise risk. Phair added that a good place to start is with the risk and compliance committee rather than the full board and to pitch the matter at the right level, avoiding too much technical detail.