How did you end up in your current role, and what attracted you to the industry?
I had the opportunity to work with and build a positive relationship over time with Telstra’s CISO at the time (Mike Burgess) and the Cyber Security team through the provision of internal audit services. I found that the opportunities for improvement identified as part of various audits had a significant impact in reducing the organisation’s security risk, but I was limited in my ability to implement recommendations due to the need to be independent. At that stage I reached out to Mike, who asked what I enjoyed about audits, and I mentioned the stakeholder engagement component and the ability to work across the organisation. He then asked what I missed most about my role, and I mentioned the limitation on being hands-on to drive change and outcomes. I recall Mike coyly mentioning at the time that he was always on the lookout for those wanting to deliver and drive outcomes.
Since transitioning into Telstra’s Cyber Security team, I have spent time harmonising and looking for efficiencies in how we pro-actively engage and service the organisation through sound security advice, assistance and assurance. I’m now lucky enough to lead a team of passionate individuals who are driven to work hand in hand with the business to drive risk-based security outcomes – which is also how I ended up landing the opportunity to lead Belong’s security efforts on an interim basis by not taking a black/white approach to security but by being pragmatic applying a risk lens across problems and challenges.
What makes a CISO most effective, and what typically prevents them from achieving that?
When security is seen as a team sport and the organisation as a collective sees cyber security as a business risk that everyone must manage and has a role to play in. The security function can then provide specialist advice and expertise to enable the business to deliver customer outcomes.
The pitfalls are when the business perceives security risks to be the role of the organisation’s security function to own, manage and resolve in an isolated bubble. This is where you end up with poor security and accountability driven by ill-considered decision making.
How has the increasing climate of governance and compliance changed your approach to security, and changed your engagement with board members and executives?
I have tackled this on two fronts when it comes to senior engagement on security. Firstly, I articulated security risk as a business risk that is therefore owned and managed by the business, with support from SMEs such as ourselves as a trusted advisor. Secondly, that by applying good security discipline and risk management first and foremost, good compliance will follow. With finite budget and investment, the key is informed prioritisation of activities. Taking a risk-based approach ensures we are focusing on the things that matter most to the organisation and not just striving for a compliance uplift. A classic example is a specific remediation or activity that may improve our operational security risk posture significantly but may not result in a corresponding significant compliance uptick. These types of activities should be prioritised over pure compliance improvements.
What is the best way to win over users so they help cybersecurity efforts rather than hinder them?
Make it relevant and relatable to users. Make it ‘real’. I often sprinkle in examples from their everyday lives or of how it impacts our customers. I also use examples (if available) that are directly from our organisation, as there is a perception (rightly or wrongly) among some users that it will never happen to them. This is supported by positive reinforcement, and we run a leading-edge Cyber Influence program here at Telstra that goes beyond awareness and looks at how we get users involved and make it fun along the way through gamification, competitions and interactiveness.
How has the nature of your engagement with customers changed in the last few years?
Customers are becoming more security-aware, maybe not at a technical level but certainly on the real business impact it can have on their personal lives and organisations. Telstra is a unique organisation in the sense that we have such a diverse customer base, in terms of what their focuses are and the different products and services they consume from us. However, what is common is that there is an increasing demand and expectations (even from a community standpoint) that security is mandatory and not simply an add-on – especially for Telstra as a trusted brand to so many Australians and customers globally, where poor security practices and breaches would seek to undermine this.
We partner closely cross-functionally with our product, sales and support teams to ensure our approach to security is integrated and understood, or as someone awesome alluded to me ‘security is baked in and not sprayed on after’.
How have you managed the need to evaluate and extend security protections to third parties across your business supply chain?
An organisation such as Telstra works with many partners and they form a key part of our security strategy, controls and capability in protecting our customers and data. We have a multi-faceted approach when it comes to managing and mitigating supply chain risk. There is diligence before we engage a partner, protections or security alignment in place from a contractual perspective and on-going assurance activities applied throughout the partner engagement through direct assessment or by leveraging independent reviews.
Our success is dependent on effectively working directly with the business and support functions such as Procurement and PMOs to ensure we are not creating cumbersome processes or additional checks that unnecessarily slow down the business, but are enabling them via an integrated risk management process using existing checks already in place.
What has been your experience with security incidents over the past year?
Whilst security incidents for many organisations across the industry are increasing, it is difficult to conclusively state whether this is the result of an increased number of security incidents or of better awareness and capability to identify and report such activity. However, my personal experience in the past year is that security incidents are often either self-inflicted or the result of poor security hygiene, in terms of not having the basics in place.
These often relate to known vulnerabilities being exploited as a result of poor patching or life-cycle management, unmanaged access controls (including not changing passwords and falling victim to stuffing-type attacks, where disclosed credentials from prior breaches are used for other accounts and services) or user error through clicking suspicious links on websites or in phishing emails.
What is involved in building a viable business case around remediating security risks?
The old adage of ‘what’, ‘so what’, ‘now what’ holds true in my experience. Articulating security risks as business risks and what the business impacts are (both upsides and downsides) is key to getting business cases over the line. Be prepared to provide several options depending on your organisation’s risk appetite, as there may not be a means to get everything done at once (whether that is due to financial or other organisational constraints). This is where taking a risk-based approach really helps, as it allows the decision makers to prioritise based on what really matters and what will address risks to an acceptable level.
Additionally, at the end of the process there is often a means to identify what the residual risk may be and what needs to be managed by the organisation.
How has availability of skills affected your ability to deliver security risk outcomes?
Whilst there seems to be a universally increasing demand for security capability and resourcing, I think we need to look beyond the existing pool of talent and look at building and nurturing a healthy pipeline of potential talent through higher education programs, automation (with smarter use of tooling) and those currently not actively in the profession who have the passion, interest and attitude to build their security knowledge. I’ve successfully observed and managed to bring a number of team members without an existing security background into the team, as I know they’ll drive better outcomes because they enjoy what they do and are motivated by that to get out of bed every day and get excited.
How has your legacy environment impacted your ability to maintain a robust security posture?
With such a large footprint and a complex environment grown and added to over time, it is a real challenge to manage security in a legacy environment, both from a supportability perspective in terms of end-of-life systems and infrastructure and from constrained funding for anything not necessarily aimed at building the future or new systems. It becomes increasingly difficult when investments to maintain or improve an environment’s security posture don’t necessarily add tangible or visible functional benefits, or increase market share or revenue. We have had to be creative in how we articulate this messaging from a risk perspective so that we have appropriate ownership. I’ve often found that getting the right visibility and understanding to the appropriate risk owners results in action, through tackling this from both a top-down and a bottom-up perspective, whilst leveraging the mechanisms available to maximise all possible communication – think of the existing steering committees, forums, meetings and reports where this information can be shared.