FST Media: The industry has been calling for senior management and board to be held accountable for security breaches and to oversee information security. What are the crucial questions that senior management and board need to ask to ensure good governance around cybersecurity?
Wedd: In the financial services sector there is growing recognition of the need for boards to be accountable for overseeing an organisation’s cybersecurity strategy and programs, and to be responsible for cyber risk management. Recent regulations, such as the APRA Prudential Standard on Information Security (CPS 234), have emphasised this point, stating that “The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security”. While not an exhaustive list, an organisation should consider the following:
- Are there clearly defined roles and responsibilities within the organisation?
- What are the reporting structures for the cybersecurity team, and do they convey the message that cybersecurity is a whole-of-business responsibility and not simply a technology issue?
- Does the executive team responsible for cybersecurity require a direct reporting line to the board or a board committee to provide an additional level of independence and oversight?
- What is our cybersecurity strategy – what are our risks, key controls (prevention, detection, resolution and recovery), target maturity states, and roadmap to achieve them?
- Do we fully understand what our important data is and what controls are in place in these environments?
- What benchmarks do we use when developing our frameworks and policies (e.g. ISO 27000, NIST, ASD)?
- Do we have enough cyber expertise on our board?
- Are we getting the information that we need to objectively assess the cyber risk mitigation strategies, and are we hearing from the cybersecurity team on a regular basis?
FST Media: How should organisations benchmark cybersecurity governance? What problems do you see with a ‘zero tolerance’ approach to cyber incident management?
Wedd: There are a number of good cybersecurity frameworks and capability maturity models available. The key is to determine which of them is most appropriate to the size and nature of your business. Performing benchmarking against these is a good start, supplemented with external assurance and intelligence gathered from your peers and industry networks. Organisations should also consider a regular testing program, including penetration tests and phishing simulations, to raise security awareness, desktop scenario testing, and participation in industry simulations.
I’m not convinced a ‘zero tolerance’ approach to cybersecurity is appropriate or achievable. Even if a guarantee of never having a cyber breach was achievable (which it is not in any practical sense!), this would come at a huge cost to an organisation financially and in the way they do business. When an organisation is making use of available technology to perform normal business operations, some element of risk is inherent in the performance of those operations.
FST Media: More and more, CISOs and cybersecurity teams have been given voice in the boardroom. What other resources or responsibilities should these teams be equipped with in order to execute their cybersecurity strategy effectively?
Wedd: That’s a difficult question to answer! A voice in the boardroom is important and the board should be actively engaged in the implementation of the strategy. The cybersecurity strategy should outline things like the risks (following a risk assessment of the environment), controls, improvement or focus areas, and target maturity states. It should also identify a roadmap to achieve the target states. The organisation then needs to decide the timeframe in which to implement the security roadmap – obviously, the longer the timeframe, the longer the organisation is accepting the risks associated with the improvement areas identified. The resources provided to the security team should correlate to the desired timeframe to implement the strategy.
FST Media: Facial recognition and digital identity technologies have been touted as the ideal digital security solutions for authentication. However, recent reports have revealed the potential for these technologies to be abused and thus undermine privacy. How should FSIs move forward with digital identity technologies whilst ensuring confidence in customer data privacy and protection?
Wedd: Multifactor authentication mechanisms, in various forms (and including biometrics), are becoming the norm for access to privileged environments and to perform sensitive transactions.
An organisation should assess its environment and determine what is most appropriate given the need for security balanced against the need to conduct normal business operations – these are not mutually exclusive. All technologies have vulnerabilities, which is why an organisation should not rely on any single control, device, or technology to secure their environment.
FST Media: How are FSIs finding new ways of handling customer data to bolster digital trust? What up-and-coming technologies do you feel could enable better customer data protection?
Wedd: An organisation needs to keep up-to-date, not only with changes in its own environment but also with industry developments in general. There are a number of ways to achieve this, including discussions with vendors (both existing and emerging), research, attendance at industry conferences, and engagement with peer networks.
There are a number of emerging technologies with developers investing in next-generation end-point detection and response (deep learning vs machine learning/artificial intelligence, for example), email scanning and filtering, rendering malware in attachments virtually un-executable (or claims to that end), virtualisation of IPS (Intrusion Prevention Systems) and IDS (Intrusion Detection Systems) in cloud environments, ‘security by design’ in IoT devices and embedding of authentication mechanisms into hardware, automated threat hunting and penetration testing services, and improvements in data loss prevention technologies.
FST Media: What emerging cyber threat do you predict will be the most significant disruptor of FSIs? How can the industry best mitigate this threat?
Wedd: The good guys will continue to develop new technologies to prevent, detect, and respond to cybersecurity risks, and the bad actors will continue to evolve and create new ways to exploit vulnerabilities in these technologies. An organisation cannot rely on technologies being updated as fast as attackers develop ways to compromise environments. This means that there needs to be a multifaceted and multi-layered response to cyber risk management. This includes appropriate technologies for the size and nature of the organisation that are supported by experienced security professionals, a good set of policies and procedures, and organisational commitment to cybersecurity awareness (e.g. an engaged board and management team and an educated user population).
While not an emerging technology, the biggest threat to an organisation is still the traditional phishing email or similar techniques that essentially target the end-user to deliver malware. As much as developments in AI/machine learning and deep learning continue to evolve, so too does the risk of these technologies being compromised and effectively turned against the organisation – a kind of internal ‘denial of service’ attack. It obviously doesn’t help when organisations like the NSA get compromised and their ‘secret sauce’ is made available to the wider hacker community!
FST Media: As an established cybersecurity leader in FSI, what advice can you offer to budding cybersecurity professionals looking to progress their career in the industry?
Wedd: I’m not sure much advice is required in today’s climate. Just about every report I have read on the subject points to a global shortage of security professionals – which means that it’s a great time to be starting out in the industry.
Regardless of whether it is in cybersecurity or another field, I’ve always believed that it’s a good idea to gain as much practical experience as possible when starting out, then decide what interests you the most and create a specialisation in that – it could be a specific technology or a specific genre – before casting a wider net if you feel you are getting ‘pigeon-holed’.
There is no substitute for experience and surrounding yourself with good people; however, this needs to be balanced with management capability, if that’s where you want your career to take you.
Daryn Wedd will be a featured panellist at the Future of Security, Sydney on 2 April.