A governmental and private sector focus on cybersecurity awareness is only one component towards creating sustainable cyber change.
Building robust risk management frameworks and prioritising cyber investments to meet objectives against a heightened threat landscape were the main concerns at a recent forum of Sydney-based chief information security officers (CISOs).
Centred around this discussion was closing the skills gap; the state of compliance; trust and security; and reframing challenges and building cyber resilience, with a primary focus on environmental, social and governance (ESG).
“Above all, organisations should beware of complacency,” said Vishal Salvi, the senior vice president, CISO and head of the cybersecurity practice at Infosys.
“Being alert and anticipative — for example conducting regular cybersecurity drills — is as essential as prioritisation, cyber resilience and adaptiveness in improving the security mindset of an organisation.”
A recent InnovationAus.com whitepaper, Building cyber resilience and leveraging cyber governance, was the result of a roundtable discussion led by InnovationAus.com’s publisher, Corrie McLeod. It addressed how building cyber resilience strategies and leveraging cyber governance frameworks bolster board-level program support.
Mr Salvi, who leads a team of 4,000 at the 345,000 employee-strong tech conglomerate, says cyber resilience differs from previous perceptions by accepting that security incidents are inevitable. With that acceptance, cyber resilience focuses on improving detection, alertness and response in those situations.
In terms of the industry-wide skills shortage, it’s not about “throwing more people at the problem”, but rather relies on a concerted, early-stage and ingrained educational effort.
Artificial intelligence automation is another viable data-centric solution that would benefit from cross-sector alliances.
“The share services model is the future of this industry,” Mr Salvi said. “We are no longer managing and imitating large data centres. Everybody is adopting cloud strategy because it’s easier to migrate, cost-effective, elastic, portable and transaction based.”
Dynamic change is also occurring at a compliance level, highlighted by a two-team dichotomy of compliance and regulation focus areas joining forces with mitigation operations to thwart cyber-crime. But these challenges are only just beginning.
“Companies have all these compliance ‘hoops’ to jump through – but hackers don’t have the same restrictions – they can just test and iterate to get the outcomes they want,” he added. “This creates an extra level of burden in terms of compliance and auditing expectations.”
In the area of cyber trust and security, the most pressing issue is the safety and uniformity of threat sharing in order to desensitise or negate cyber-attacks.
A deep dive on risk-assessment frameworks is key.
“How do you get to what your risks have to be relative to your control position? Having that threat-informed view, you can be more proactive, understand the threat’s relevance, figure out what your position looks like (i.e. your residual risk position) and that’s what you base your counter decisions on,” says David Sandell, the Chief Executive Officer and Managing Director at CI-ISAC.
CI-ISAC is a not-for-profit organisation that supports existing legislation and government initiatives to uplift cyber resilience across critical infrastructure sectors.
Research also shows that beyond protecting a business’s vulnerabilities and planning ahead to mitigate risk, cyber frameworks can also be a competitive advantage in the context of ESG.
But, perhaps the report’s key finding urges government and the private sector to imagine the power of centralisation in terms of value creation.
“Leveraging the network effects of shared critical infrastructure in a safe environment is paramount,” the report notes. “Just as cyber threats are not sector specific, there is an industry-wide consensus of using the network experience of mature players to help lesser-resourced or informed small-to-medium enterprises.”
Do you know more? Contact James Riley via Email.