How did you end up in your current role, and what attracted you to the industry?
New Zealand-based Kordia acquired Aura Information Security back in 2015. In 2017, they approached me to set up their Australian operations and take advantage of what they saw as a growing market opportunity. I took the reins and set up the business here from scratch. I was attracted to cybersecurity by the diversity of what is involved and its relevance for Australian businesses. On a personal level, I was also interested in getting deeper domain expertise in an area of growing focus and importance for both the public and private sectors.
Having the opportunity to consult closely with organisations and see a tangible outcome for the effort is something I find very satisfying.
What do you see as the biggest threat to Australian business?
I see the biggest threats facing Australian businesses as the pace of change together with the feelings of complacency and confusion that exist in many areas – this is a concerning combination.
Complacency happens when an organisation thinks that nothing bad is going to happen to it. Management falsely believes that attacks only ever occur against others. Then, all too often, when organisations finally realise they do need to take steps to improve their cybersecurity, they stall because they are unsure what to do. This is dangerous because it can leave them exposed to potentially crippling attacks.
There’s also a threat from the growing sophistication and volume of attacks that are taking place. RedShield, a web-application shielding service, is currently blocking more than five million attacks against organisations in Australia and New Zealand every week.
What are we doing wrong that means we are unable to stop these threats?
We still see cybersecurity as an IT problem when in fact it needs to be seen by the entire organisation as a significant risk and something that needs to be a part of their corporate DNA.
It’s also often the case that businesses are not stopping and getting their security basics right. Aura’s pen testers come across known vulnerabilities on a regular basis, some of which are years old and should have been patched long ago.
I find that many organisations believe they can build an ‘infinite wall’ to fully protect their digital assets, but this is simply not possible. In reality, security is a moving target where one day the bad guys are ahead and the next the good guys are ahead. It’s important to shift away from the mindset that it’s possible to defend against everything and everything will be OK – this is simply not going to happen. You have to accept that, no matter what you do, there is a very real chance that things are going to go badly.
People, processes and technology are all key components of a robust security strategy. Unfortunately, many organisations still think that they can simply invest in some technology and all their cybersecurity issues will be fixed. However, this doesn’t overcome the problem of the risks that stem from internal threats. This might be a staff member storing files on a cloud platform or another visiting a rogue website which leads to systems becoming infected. Regular user education is a key part of any security strategy.
Where should organisations be focussing their energy in the current threat landscape? What are the ‘easy wins’?
The first step to take is to have a comprehensive cyber threat readiness plan in place. In just the same way you would conduct fire drills, you need to be very clear about the steps that would be followed if and when a cyberattack takes place. Your plan also needs to be tested on a regular basis to ensure the organisation is always ready to respond. It is also worth considering working with a third-party expert who can come in and offer assistance.
Another important ‘easy win’ is to have what you can term basic security hygiene in place. This includes activities such as regular pen testing, staff training and ongoing planning for an attack. Having these elements in place can reduce the impact on business operations of an attack should one occur.
What is the best way to win over users so they help cybersecurity efforts rather than hinder them?
It’s a matter of taking all users on the cybersecurity journey. They need to understand the types of threats their organisation is facing and the steps they can take to minimise the chances of falling victim.
One way to do this is to make the exercise fun, and some organisations have successfully used gamification techniques to increase staff interest and buy-in. For example, staff could be rewarded for sharing examples of phishing attacks that have occurred in other places and offering insights on how they might have been prevented.
Within Aura, we use an e-learning programme developed by our own team called CyberWise, which all new and existing staff are required to complete. This helps to lift awareness of cybersecurity by making it a regular topic of conversation in the workplace. The more it becomes the ‘norm’ in this way, the better.
It is also worth introducing tools such as phishing alerts. This allows staff who receive a suspicious email to click on the alert and report it rather than simply wondering what they should do, or ignoring it altogether. Simple things like this provide another layer of protection against attack.
Globally, there is a skills shortage in cybersecurity. What is the risk to Australia, and what is your organisation doing about it?
Aura is actively supporting graduate summer schools in cybersecurity where we encourage young people in university or at TAFE to come and undertake internships and learn more about the industry and the opportunities that exist within it.
We need to recognise that there is no short-term fix to this issue. It is going to take time to find the people and then train them in the skills they need to become security professionals. We also need to make sure that people who are already in the industry stay in the industry.
Aura, along with others in the sector, is also taking steps to encourage more women to consider cybersecurity as a rewarding career. This can be achieved by making the culture of the company as inclusive as possible and one where individuals can clearly see that their efforts and insights will be valued.
The risk of not doing these kinds of things is huge because, to fight attacks, we need talented people, and these people are increasingly hard to find. Aura’s team comprises more than 30 individuals who have been hand-selected from all around the world, and each brings with them a unique set of skills and expertise.
What impact do you think government involvement in cybersecurity will have on the industry’s development in the future?
Since the release of the then Turnbull Government’s cybersecurity policy, the appetite for both corporate and government to truly understand that cybersecurity threats are very real has significantly risen, and that is a great thing.
At the state level, governments are increasingly introducing the concept of Chief Information Security Officers to spearhead works undertaken by cybersecurity teams, which is also very positive.
Mandatory breach reporting, which is now in place, is another positive step. This has increased awareness within organisations and led to changes in behaviour that reduces overall risk.
Aura operates in both Australia and New Zealand, and we are also seeing an increasing level of cooperation between the two governments.
How would you characterise the Australian cybersecurity ecosystem and how does this rate against the global backdrop?
Our cybersecurity ecosystem is unquestionably world class. We have organisations that have come out of Australia and New Zealand and now play on the world stage where their technology is being embraced internationally.
Sometimes the best answer to a problem is not necessarily to be found overseas. When it comes to cybersecurity, it may well be found much closer to home.
That said, the ecosystem still needs to be supported by both public and private sectors to ensure it maintains its status and level of achievement.
What steps do you believe need to be taken (and by whom) to encourage more diversity in the Australian cybersecurity workforce?
Everyone has a role to play in this. Governments, private-sector organisations and the individuals within them can all contribute in this area. It’s about creating an environment where people can get access to a different array of roles and bring their skills to bear in the most effective way possible. The types of roles in this industry are so varied that we can only benefit from having a more diverse workforce in place.
In many ways it comes back to education. We need to ensure that as many people as possible from as many different backgrounds and life experiences understand the opportunities that exist within the cybersecurity sector and how their individual skills can make a lasting contribution.
Some of the best cybersecurity people that I have seen have not necessarily come from a technical background. They bring knowledge and experience from other areas and put it to work very effectively. Building a diverse workforce is critical for the sector’s future development and improvement.