“The challenge of the cloud is not cybersecurity; the challenge is changing the ways of working across your entire IT organisation.”

FST Media: Has AMP Life’s cybersecurity posture evolved over the last six months? What influenced this shift and how has it better prepared you to tackle imminent security threats?

Jillson: AMP Life is a brand new environment being architecturally designed now. We will be deploying our first environments in the next couple of months. I have a very strong focus on getting the basics right, ensuring there is effective assurance on primary controls and that services are secure by design to avoid bolt-on secondary and tertiary controls that have limited effectiveness and create unnecessary complexity and cost.

FST Media: How important are Government-led compliance directives, such as CPS234, in boosting in-house cyber resilience, or would a more proactive, industry-led approach prove more impactful?

Jillson: There will always be Government-led compliance directives; properly used regulations ensure a good outcome. You can be compliant without being secure, and you can be secure without being complaint. Regulatory compliance must be followed in the spirit of the compliance objectives. As you go through each requirement, strive to ensure that you have not only checked the compliance box but, more importantly, that you have achieved the required outcome to protect your clients and your brand.

I expect Australian regulations will quickly catch up with the US and the UK’s regulatory oversight, so we will continue to measure ourselves on global best practice frameworks (NIST CSF, CIS, Basel, for instance). Alignment to best practice in the fast-changing threat landscape of cybersecurity has the advantages of keeping your brand safe, maintaining your client’s trust, and minimising the risk of noncompliance with current and future regulations.

FST Media: How will the progressive adoption of cloud transform financial institutions’ approach to protecting their critical assets, particularly over the next five years as cloud technology matures?

Jillson: The challenge of the cloud is not cybersecurity; the challenge is changing the ways of working across your entire IT organisation. Cloud fundamentally changes every aspect of IT support, backup, monitoring, incident management, internal processes, reporting, capacity, assurance, etc. Once IT teams have updated their ways of working and understand the shared accountability models of where a cloud or PaaS (platform-as-a-service) vendor is accountable and where you are accountable, it opens up some excellent native controls that you can cost-effectively leverage and that may not have been a cost-effective or realistic option to deploy on-premise.

FST Media: Cross-border and cross-industry collaboration has proved decisive in strengthening cyber defences and mitigating attacks. What can our financial sector do to better promote transparency and mutually beneficial intelligence sharing that serve to boost overall cyber defences across industry?

Jillson: First off, there is always room for improved intelligence sharing and collaboration – the better we get at this, the harder we will make it for malicious actors. At a local level, Australian CISOs and heads of cybersecurity are very collaborative and helpful. We regularly share insights, strategies, lessons learned, and emerging threats with each other. There is also good work being done at the JCSC (Joint Cyber Security Centre), as well as endless options for industry roundtable discussions and security conferences. When it comes to real-time threat intelligence, we should have a global view, not a local view. Luckily, there many excellent options, both paid and open source feeds, that cyber teams should be integrating into their SIEMS (security information and event management) and contributing back to by reporting malicious IoCs (indicators of compromise).

FST Media: Industry currently faces a dearth of security professionals in the job market today. How can financial institutions nurture the next generation of cyber defenders or leverage their current resources to stay ahead of malicious actors and remain resilient?

Jillson: The current demand for security professionals is a significant challenge in the market today. We will continue to compete for the senior resources in the foreseeable future; but there are some excellent options to build the next generation of security professionals from graduate programs, or even moulding existing people within the business or IT backgrounds into security professionals that will bring in a diversity of thought.

FST Media: Communicating risk beyond IT and security teams remains a foremost challenge in financial services. How can security teams do a better job at communicating risk, particularly to the boardroom?

Jillson: Great question. Effectively communicating IT or cyber risk to a non-technical audience is a significant challenge. Too often, cyber teams will report risk as worst-case scenarios. The business reports risks as ‘likely impact’ and your organisation will have a crisis management plan to address worst-case scenarios. It is very important for us also to report likely impact. In the worst case, IT or cyber impact should be communicated and incorporated into crisis management plans.
FST Media: Lastly, on a personal note, what is the best career advice you’ve received and how have you sought to put this into practice?

Jillson: If you are not challenged or learning new skills in a role, change roles.

Rob Jillson will be a featured keynote speaker at the Future of Security, Melbourne and Sydney where he’ll explore how cloud and automation can be fully leveraged to scale cybersecurity resources and build a cost-effective and substantive cyber defence.