Cyber risk, the likelihood of data loss or business disruption resulting from a cyber-attack, is now seen by Australian organisations as one of the biggest risks they face, according to Alastair MacGibbon, chief strategy officer at CyberCX and former head of the Australian Cyber Security Centre.
“Cybersecurity is now number one or two on any organisation’s risk register – public or private,” Mr MacGibbon said.
The increased awareness of the danger that cyber threats pose to their operations is leading to a shift in responsibility for cybersecurity from IT departments to other parts of organisations, according to privileged access management specialists CyberArk’s senior vice-president for identity security, Barak Feldman.
Goodbye CISO, hello BISO
Mr Feldman suggested a new role was emerging, that of business information security officer.
“We believe that security means taking more responsibility for the risk to the organisation, educating internally on awareness and how to prepare for a situation, and how to respond to it,” he said.
“Not just responding technically, but even how to respond to the media and different elements of a security attack.”
Mr MacGibbon said the increased focus on cybersecurity at board level had been rapid, with boards now showing a much more mature understanding of and response to cyber risk. Using traditional business risk language has helped boards to understand the impact of a cyber threat.
“Now most boards understand that what they’re dealing with is the concept of ‘cyber risk management’ and how resilient they are to cyber events,” Mr MacGibbon said.
“They recognise those events are likely to occur, an Assumed Breach Mindset, and it’s a more mature conversation than we were having at the launch of Australia’s first National Cybersecurity Strategy in April 2016.”
The increasing integration of operational technology with IT was also a factor in shifting responsibility for cybersecurity.
“We’re seeing a huge trend on the operational technologies side – manufacturing plants can work faster with more data analytics with remote access,” said Mr Feldman.
“I don’t need to go to the plant anymore, I can control it remotely and collect data on how fast I’m manufacturing my product, and so on. So that means the ownership is starting to be delegated into the business owners.”
Mr MacGibbon agreed, but suggested this was not a popular view. “I don’t believe chief security officers in organisations should report into an IT function because I don’t think that creates the right balance to have a proper risk discussion.”
Both cybersecurity experts were joined by CyberArk’s ANZ Regional Director Thomas Fikentscher for the final Security in Transformation episode of the Bridging the Cyber Divide podcast series.
Leaders and laggards
Mr Fikentscher suggested that this trend has yet to make an impact in many traditional sectors, and that their tardiness was increasing the risk for the more advanced organisations that are becoming connected to them in order to leverage the benefits.
“Some of the industries that have been in this space for a longer period of time, like the banking industry, have their house in order,” he said.
“But, they are concerned about business connectivity, the wider ecosystem and how they secure that ecosystem as they open up their systems to accelerate digital transformation. For example, to allow people to have a view into the last 10 years of claims management.
“Then you go to other industries, which might fall under the new Critical Infrastructure Bill [the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which will increase the scope of what is deemed to be critical infrastructure] like the food industry or the transport industry,” Mr Fikentscher said.
“Cyber risk management is something that is very new to them, and they need to start from the beginning and create a philosophy of how they attack that particular problem.”
It’s an ill wind…
And, unfortunate as the increase in cyberthreats is, Mr Fikentscher said it was having a positive impact by pushing many organisations to elevate cybersecurity to board level. “There are more cyber incidents, and that’s painful, but at the same time it wakes people up and focusses their minds on a very important element of their business.
“And, that’s not just happening in IT, it is reverberating through the business functions into the boardroom, and all of a sudden, people are starting to get things done.”
The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.