Having made the switch from government to the private sector, ANZ's CISO Lynwen Connick was one of the architects of the national cybersecurity strategy and is now a user of that strategy. Connick notes that the majority of the country's critical infrastructure is owned by the private sector.
Connick said the highly connected world provides significant opportunities but businesses need to work together to stay secure. So, while data can be used by threat actors, it also offers us great benefits when used wisely.
Threats are coming at an accelerated pace, at greater scale and with more sophistication than ever before. Threat vectors are evolving with direct exploitation of vulnerabilities. While email and web attacks are still common, Connick says we are seeing attacks using other tools. For example, WannaCry took advantage of a protocol flaw. And supply chain attacks, where threat actors attack via less secure third parties, are becoming more common.
In response, Connick said we need to move from older signature-based approaches to stronger analytics that understand context and behavioural analytics. Ultimately, we need to develop an "immunisation" response where users are educated and stop attacks before they have a significant impact.
Connick said collaboration between government agencies and the private sector is improving. For example, the new Joint Cyber Security Centres are important - a new centre was opened in Melbourne this week. Brisbane's centre opened earlier this year and Sydney's will be launching soon. These centres also have portals so smaller businesses can engage with them.
One of the things businesses can do is to make software more secure. She noted that ANZ, through a concerted campaign, has reduced the number of errors per thousand lines of code from over seven to about one over the last five years.
ANZ's security strategy takes a three-pronged approach that works in concert with the federal policy and other standards. They are focussing on protecting technology, enabling people and empowering communities.
While security often gets a bad rap when it comes to user experience, she said "Good security products should make life easier for people". New tools such as biometrics can make systems and transactions safer and improve the user experience, she said.
Connick said ANZ has also engaged with a number of educational institutions to foster a pipeline of skilled professionals. In addition, she has been working on improving the cybersecurity skills of all staff across every discipline. Connick also noted diversity is important, with a large proportion of the population excluded from many cybersecurity pathways.
Fortunately, new initiatives such as the @womenspeakcyber handle on Twitter (a resource for finding women who are available as speakers at security events) are also helping to foster efforts at increasing female participation in the infosec industry.
Also, ANZ is actively working with organisations that support people with autism spectrum disorder - not just to provide jobs but to provide career and development paths.
Connick says there are three roles for every business as they develop their cybersecurity posture. They need cyber resilience, cyber culture, and cyber hygiene. This will help with the evolution of the bank amid new payment platforms, changing regulatory obligations such as the mandatory data breach notification laws, the expansion of IoT, and increasing use of cloud.
"It's not all about managing risks", said Connick. "It's also about opportunities".