This year's CSO Roadshow was themed around the security of things. And while, to some, it may seem like a hopeless case to try and secure everything, there was an atmosphere of optimism as people at the event looked to find ways to deal with what lies before us.
With a wide range of different views, with representatives from government, enterprise and small, medium and large businesses across all industry sectors, the event, played out in three cities across Australia left and no stone unturned as people looked for ways to not just secure their own corporate environments but enhance the nation's cybersecurity posture.
Standards and frameworks
It's often said, in the security industry, that compliance s the enemy of security. There's a perception that once a company believes they have achieved compliance with a standard that they are secure. But the discussions over the roadshow moved forward from that perspective.
Standards are a way of bringing attention to an issue and establishing a minimum standard. When used properly, many attendees noted they could act in the same way as occupational health and standards (OH&S) did to help embed a security culture into companies. And, as some people noted, once the costs of OH&S were accepted, businesses realised there were measurable benefits to not only complying but exceeding standards.
There was optimism that this is where cybersecurity was heading although we are still some way behind the OH&S maturity.
It was suggested that government should initiate a multi-national direction in order to secure the IoT ecosystem in future and look for common goals with other countries. It was also suggested that standards are introduced and renewed regularly to maintain levels of security. Frameworks are already being developed by various associations.
The SME challenge
Michelle Price, from AustCyber, noted that 96% of the nation's economy was in the SMB sector. But that sector is notoriously difficult to access and to educate about the benefits of taking cybersecurity measures. For example, one attendee noted that an SME market they worked with fails to see security is an issue. The SMB, who was a jeweller, sought security and felt they achieved this by purchasing off-the-shelf security cameras - not considering that those very cameras, connected to the Internet could be their biggest security issue.
But some positive moves are being made. New programs such as Carbon Core Biz are being developed that provide smaller companies with the resources they need at a price they can afford.
Cooperation is a key
The security industry is still working to better cooperate as vendors, different customer verticals, service providers and the developers of standards continue to share information.
Some attendees were particularly keen on cooperation and did not see competition as a problem with the old chestnut of IP theft or competition a small issue in comparison to the bigger benefit of securing the IoT ecosystem. Many service providers were said they work with in-house teams from other organisations and that they use white labelling services to sell services to anyone under any brand.
The issue of collaboration goes to the requirement for governments, private sector and academia to work together to form partnerships.
Information security has, traditionally, been a bastion of men with very few women working in the sector. Similarly, there's limited opportunity for people coming from other disciplines because of the expectations of experience and education. But that is changing.
What will make things change?
When attendees discussed what sort of trigger it would take for IoT security to escalate into a major issue, many people believed no real change would be achieved until there was an issue of life and death when people die. Likening it the Grenfell apartment fires in London that resulted in changes to building codes, many believed only then would people would pay attention to the security risks for IoT.
However, many noted there was already a ground swell for government to respond to the potential threats.