An Interview with Mary Nottle, Head of Technology, Equipsuper
"Achieving an adequate level of protection, commensurate to the size and risk appetite of the organisation, can be costly to get right. Once upon a time, good IT environment hygiene (patching, end-point protection and environment audits, for example) was considered adequate. However, in today’s world of emerging and continuous cyber-threats, additional security controls and proactive response plans are a must."
FST Media: What do you rate as the most pressing cybersecurity threat facing today’s financial services organisations?
Nottle: The reputation of financial services institutions (FSIs) is built on trust and Equip’s research has identified that members place the security and use of their personal data in the top three priorities for us. At the same time members expect us to provide online digital services, anywhere, anytime, and on any device! Balancing this ‘always on’ demand with protection against cybersecurity risk is perhaps the biggest challenge we face.
Our reality is that data is considered the new commodity, which can be bought, sold and traded. Therefore, the intense desire by cybercriminals to get their hands on it for monetary value, or just general business disruption, will continue to be a key cybersecurity concern.
So, I rate the adequacy of protection of information assets for most, if not all, FSIs as a key concern.
FST Media: How prepared are super providers to adequately protect their digital assets?
Nottle: For many organisations, reliant upon third-party service providers for data management and customer service delivery, there is potentially an added level of vulnerability. Internally, even with cybersecurity training provided to employees, FSIs cannot completely control how the front line of defence will react to phishing and other cyber-attacks. Fall into these traps hook, line, and sinker and your most prized asset is at risk of being compromised. You must have adequate secondary security controls in place to reduce the risk of exposure and data breaches.
Achieving an adequate level of protection, commensurate to the size and risk appetite of the organisation, can be costly to get right. Once upon a time, good IT environment hygiene (patching, end-point protection and environment audits, for example) was considered adequate. However, in today’s world of emerging and continuous cyber-threats, additional security controls and proactive response plans are a must. As we know it’s not ‘if’, but ‘when’ a financial organisation will be a target of cybercrime. We need to be adequately prepared to respond and, when we do, we must learn and update our response plans post-event to improve the timeliness and efficiencies of our responses in the future.
I believe if super providers have
a) chosen to implement a cybersecurity framework as part of their security strategy;
b) can meet their obligations to report under both the Notifiable Data Breach (NDB) scheme and the EU General Data Protection Regulation (GDPR); and
c) are in good stead to comply with APRA’s Prudential Standard CPS 234 – Information Security, coming into effect on 1 July,
I think they will be adequately – if not better – prepared for cybersecurity attacks.
However, I also believe if super providers are not quite there, it’s better to start somewhere rather than to ignore the risk of a data breach occurring.
FST Media: With a significant rise of state and non-state cyber actors and the advent of machine-originated attacks, the threat landscape has undoubtedly intensified. How do you see this ‘threatscape’ evolving through 2019 and do you feel there a particular cyberthreat that financial services organisations are underestimating?
Nottle: I believe malicious or criminal attacks originating from the use of email will continue to be a cybersecurity threat within financial services but will become more targeted at individuals. Rather than the typical organisation-wide attacks, cybercriminals will target or impersonate high-value personnel or employees they consider to be the weakest link in the organisation. The Notifiable Data Breaches Quarterly Statistics Report, issued by the Office of the Australian Information Commissioner (OAIC) in Q3’18, indicates 57 per cent of notifiable data breaches were attributed to malicious or criminal attacks and 70 per cent of all data breaches were caused by human error.
Now more than ever is an important time to ensure that staff are adequately trained in data handling and are able to identify a phishing email. If they do fall prey, then the next line of defence – in security controls – needs to be implemented and continually assessed, tested, and updated in line with any changes to information assets and the ‘threatscape’.
According to the OAIC report, the second largest source for report notifiable data breaches (14 per cent) was the finance sector (including banks, wealth managers, financial advisors, superannuation funds, and consumer credit providers); this indicates there is an inadequate level of preparedness. Therefore, I think organisations in this sector need to assess their controls and prioritise continuous assessment, testing, and improvement to enable a quick and effective response capability.
From my experience, a lot of effort is spent in the ‘detect and recover’ phases of the organisation’s cybersecurity maturity and response plans; these are usually generic, reactive, and costly and can leave customers in the dark around the security of their personal and sensitive data.
FST Media: Inspiration can often come from unexpected places. Which non-FSI industry do you look to as an ideal model for superannuation cybersecurity leaders?
Nottle: As Head of Technology at Equip, I typically look to the expertise of cybersecurity leaders within the financial services industry to share and implement best practice cybersecurity controls and processes.
Equip adopted the NIST (National Institute of Standards and Technology) Cybersecurity Framework in 2017 to manage cybersecurity risks, and we have benchmarked our cybersecurity control maturity against industry peers. NIST sets out guidelines under five key functions to identify (information assets and critical infrastructure), protect against and detect cybersecurity breaches, and finally respond and recover from an attack. The framework was developed in the United States to secure critical infrastructure, under a mandate issued by President Barack Obama; what’s more, it is non-industry specific, so is quite broad in application across industries. We’re almost two years into its implementation, which has prepared us well for compliance with APRA’s Prudential Standard CPS 234 – Information Security on 1 July 2019!
FST Media: What cybersecurity or digital innovation would you like to see adopted by financial services?
Nottle: I think the next big advance for financial services and superannuation organisations will be the application of deep learning (Artificial Intelligence (Al) and Machine Learning) techniques to proactively manage cyber-attacks by automatic detection, alerts, and responses in real-time.
FST Media: As customer-centricity becomes industry orthodoxy, how do you see Australia’s superannuation providers evolving their tech capability to meet the demands of consumers?
Nottle: I touched on this briefly above, but I believe there has been a significant rise in customer’s expectations for organisations to deliver services online and in real-time, anytime, anywhere, and on any device. To enable this, there needs to be a significant uplift and shift from traditional ‘on-premise’ infrastructure and legacy applications to a more robust (scalable and flexible) environment that delivers a better digital experience for members, which also supports confidentiality, integrity, and availability.
Equip have recently embarked on a Human Centred Design (HCD) journey and we’re evolving creative ways of thinking to solve members' growing needs and wants. Technical solutions and operations support teams need to ensure their focus aligns with this.
FST Media: Moving forward, what emerging technology would you like to see play a more prominent role in the superannuation?
Nottle: I would particularly like to see Artificial Intelligence (AI) and Machine-to-Machine (M2M) learning play a prominent role in developing cost-effective and innovative cybersecurity solutions for real-time threat management and predictive breach analysis.
FST Media: The advent of the Industrial Revolution (4IR) is set to unleash a wave of technological transformation and disruption across all industries – some better, some worse for cyber defenders. How would you like to see Equip Super leverage innovations of the 4IR?
Nottle: We should never forget, we’re in the business of designing and offering products and services that are fairly and squarely focused on delivering great financial outcomes for our members. The value and effectiveness of what we prioritise, whether it is member-facing CRM or investment in back-end processing, must promote better member outcomes.
IT is the enabler for the business, and I would love to see the use of robotics and workflow automation to deliver digitisation more broadly across the organisation for the repeatable ‘mundane’ tasks, freeing up resources to spend valuable time on delivering those outcomes.
I would like our digital infrastructure to evolve to leverage the benefits of blockchain technology to enhance member engagement and to deliver online identity management for members. However, we would need to see more mature solutions and used cases being delivered first.
It would be great to leverage the benefits of Internet of Things (IoT) applications to enhance our member experience and convenience, including the integration of biotechnology for biometric authentication for access to account information, pre-populated planning tools, online trading, and greater data security.
FST Media: As a digital leader, how do you foster a culture of innovation in your team?
Nottle: Until recently, all Equip IT operations were outsourced to third-party providers and, as such, I had little influence in fostering an innovative team with suppliers as additional budget was required to do so. As a result, I had an increasing desire to build out the internal IT capability of the organisation with a diversified team of individuals. Having different people with different strengths, views and voices fosters innovation and is invaluable when delivering a better digital experience for our members.
Today, I lead a small diversified team and recently undertook a VIA Character Strengths survey to identify my key strengths, so I could understand how best to use them to further foster a culture of innovation in the team. I now use those key strengths and, in doing so, I operate with transparency and believe this empowers the team to take risks with innovative ideas, make decisions, and offer solutions to problems and challenges. We collaborate daily and, most importantly, I show gratitude to the team.
FST Media: With an evident shortage of cybersecurity professionals in the job market, how can financial services organisations maintain a viable defence against a rising tide of malicious cyber actors?
Nottle: To maintain a viable cybersecurity defence you need to ensure you have executive and board buy-in. You also need to understand people, process, and technology go hand-in-hand. Lack of attention or resourcing in any of these areas will result in a struggle to maintain cyber-defence capability.
The Office of the Australian Information Commissioner (OAIC) says that “preventing data breaches should be business as usual”. People across every organisation are the first line of defence and need to be continually educated on data handling and the types of threats they might encounter. More specifically, how to detect when, for example, they are being phished via any device. As I stated above, more than two out of three reported data breaches to the OAIC were the result of human error, which basically means employees had accidentally sent information to the wrong recipient or had fallen prey to the cybercriminal’s phishing attempts. Continuous education – through training, desktop exercises, and awareness campaigns – is therefore vital.
Ensure relevant policies, standards, and procedures have been developed and implemented, with training provided to employees. Without these, employees cannot be informed and held accountable for their actions should an insider threat or rogue employees pose a risk.
The Australian Signals Directorate (ASD) developed the Essential Eight, which is a prioritised list of cybersecurity mitigation strategies to help organisations develop a level of cyber resilience. I would recommend embedding these strategies at a minimum to help improve upon an organisation’s cybersecurity posture. This means enabling key information asset logging and ensuring they are monitored for suspicious or unusual activity; furthermore, organisations should look to adopt a cybersecurity framework and implement adequate controls, commensurate with the size and risk appetite of the organisation. Finally, if budget allows, employ an information security professional or engage with a third-party to dedicate efforts to staying ahead of malicious actors.
I would recommend staying current and being informed with what is happening in the cybersecurity threatscape by signing up to websites like the Australian Cyber Security Centre’s free Alert Service.
FST Media: We’re looking forward to your upcoming panel discussion at the 2019 Future of Security conference in Melbourne. Why do you feel such events are so important for the industry?
Nottle: Having events like FST’s Future of Security 2019 conference provides individuals and organisations with an opportunity to stay current and well-informed of the threatscape impacting the financial services industry. It enables information sharing in this space and also provides a great opportunity for individuals to network and organisations to showcase cybersecurity innovations.
This is my third year in attendance and it never disappoints. I always come away energised, having learnt something new and networked with new people in the industry!
FST Media: Finally, on a personal note, what do you enjoy doing in your spare time?
Nottle: I really enjoy spending time and keeping active outdoors with my family and friends. I love pottering about in the garden, listening to music (most genres), and learning new things!
-- With contributions from Patrick Buncsi