Why cybersec teams are being let down by a basic data governance failure

Security Panel

As a highly developed and highly digitalised economy, it is little surprise that Australian businesses – despite the country’s relatively small population – are among the world’s most frequently hacked. Recognising that a data loss event is far more a ‘when, not if’ prospect, financial services businesses are seeking new and creative solutions to limit the damage from any successful breach.

We’ve taken a snapshot of our featured Industry Leaders’ Panel showcased at FST’s Future of Security, Sydney 2023 conference. Our expert panellists from across the cybersec and financial services sectors discuss why Australian organisations are being let down by their lacklustre data classification standards (and the risk this ultimately brings to cybersecurity teams), how to better protect data held by less cyber-aware third-party partners, and lessons for upcoming cyber professionals seeking to make their mark on the industry.

Featured panellists:

·  David Gee, Global Head Cyber, Technology and Data Risk, Macquarie Group

·  Grae Meyer-Gleaves, CISO, Hollard Insurance

·  John Cunningham, Vice President and General Manager, APAC, Securiti

Moderated by Luke Hannan


Hannon (MC): Diving straight into data storage. What are your ‘must haves’ to keep data safe?

Cunningham (Securiti): I suppose the most important thing is to understand what data you’ve got and where it is. These are some of the biggest challenges that we’ve seen in Australia over the last 12 months, with organisations not knowing what data they’ve got, where it is, and whose data they have. If something happens, and you need to protect it, the concern is that you don’t really know where it is.

Meyer-Gleaves (Hollard): Get it classified. As regulated entities, most of us are expected to have that in place. But make sure that it’ll be classified for confidentiality or sensitivity as well as for integrity, availability, etcetera.

One thing that really empowers the whole organisation is being able to effectively classify data.


From there, we as security professionals can make sure that we protect it appropriately. We’re not trying to say ‘Encrypt everything’ and we’re not trying to mask everything. We want to apply the right controls to that data, noting John’s point ‘Know where it is’.

Cunningham (Securiti): That classification helps you then also identify where you’ve got multiple copies, to understand breadcrumbing and document clustering. There’s somewhat of a gap there at the moment.

Gee (Macquarie): The panel has already answered the question, but fragmented data is unfortunately the norm for most organisations.

Also, ‘encryption by default’ is certainly one measure we can take. We may get there for some data – not all data, because it’s not operationally possible. But being fully encrypted will protect you when you’ve been breached or when your cyber defences aren’t strong.


Hannon (MC): Each of us can empathise with the fact that we all have a lot of data. So where do we start with classification?

Gee (Macquarie): Most organisations over-classify data, and there’s a question of, well, how much is over-classified?

I’d say between 15 and 20 per cent of data is over-classified as being more important than it actually is. That’s part of the problem.


Meyer-Gleaves (Hollard): Absolutely. But it’s also around understanding that risk profile: What are the keys to the castle for your organisation? What is that most important intellectual property?

We as cybersecurity professionals all have a role to play to help people in our organisations understand those threat risk profiles. It’s really a process: you’ve got to work through it end-to-end to figure out what those high-value or sensitive assets are – whether you’re in a business where the intellectual property’s most important, or maybe your processes are the most important, or perhaps some of your code if you’re a fintech.

It’s going to be different for every organisation; one box doesn’t fit all. And it’s not just PII [personally identifiable information] or SPI [sensitive personal information] that’s driven by regulation and laws. It’s something that we need to always keep working through, and it’s going to change over time as well.

Cunningham (Securiti): The human factor is the biggest one. Grae and I are both ex-Defence [Force], and we’ve been down to Canberra to do courses on classification. But if you look at it today, I’ve got clients who’ve got recipes that they need to have classified, but the manual side of it typically is what leads to the over-classification.

Using technology now, such as AI/ML, to verify the classification and then to update the status of it – and not just having single-level labels, but putting some context around, for instance, ‘It’s classified this because of X, Y, Z,’ – will also help. That element of technology versus the human is going to get you classifying your environment a bit more accurately.

Gee (Macquarie): And just an aside on the point of defence. The Ukrainians did in fact upload a lot of their data into the cloud prior to being physically attacked in the kinetic war. This would allow them to recover really quickly when needed.

There was a vendor who sent [the Ukrainians] thousands of FIDO2 keys to protect them so that their admins could maintain strong multi-factor authentication. That’s really fascinating to me in terms of cyber defence, and would actually leave [them] in a much stronger position.


Hannon (MC): Is there such a thing as best practice when it comes to KYC? Is anyone doing it well? And do you feel as financial services businesses we have to do too much?

Meyer-Gleaves (Hollard): One of the things that I struggle with is that we’re using these so-called ‘secret’ identity methods – your mother’s maiden name, what town were you born in, dates of birth – that are far beyond being a secret. And then also we’ve adopted some of the more modern ID numbers, such as a Medicare number, a Tax File Number, health identifier, or Veterans’ Affairs number, the list goes on, which we’re trying to use for verification.

Most of that information has been compromised at some stage. The biggest challenge is people who haven’t enrolled for a [government] Digital Identity, because, you know what, if you don’t, the bad guys are going to make one for you.

Those criminals will set one up, and then they’ll do a tax refund on your behalf, and then you’re going to get the bill later on.

We’ve got to find better ways to identify people, and it can’t be using methods that come from the 19th Century.


Hannon (MC): Onto audience questions. What are the panel’s thoughts on the security of myGovID that the Australian Government has rolled out recently?

Meyer-Gleaves (Hollard): I use that service like anybody else – or most people I assume. Those who don’t are likely the ones currently getting enrolled without their knowledge – which does potentially show a problem with process. But, again, this still raises problems with those old methods of identification. Once you’re in the system, though, there are probably improvements that can be made and will always need to be made.

At the end of the day, you’re dealing with an evolving threat. And, I’ll tell you what, it’d be very challenging to try to deal with the identity of 25 million people as well as account for foreigners who may have travelled and worked here and who’ve set up IDs in this ecosystem. So, it’s not an easy issue. We as a nation are going to have to do a lot more about it, and I imagine there will be an ongoing discussion in that space.

Gee (Macquarie): I was locked out [of my account] recently, and it was really difficult [to get back in]. The friction you had to get through to reinstate your account was actually, I think, great. Yes, on the one hand, it’s frustrating as a user, but then ‘Great, I know it’s secured, because it just can’t have anybody turn up and say they’re David Gee’, so I’m good with that.


Hannon (MC): On the subject of friction, there’s much talk about UK regulations [on financial services businesses refunding victims of a scam] coming to Australia; that’s clearly going to create more friction in the customer experience and the customer journey.

If it does come, what can we do to make it better for customers, when the liability shifts from the individual onto the sector?

Gee (Macquarie): It’s early days, and I’m not an expert, but I think there are 116 new regulations, so that’s still not settled. Let’s wait and see.

Cunningham (Securiti): The bigger thing is the Privacy Act being changed. Because all of a sudden, organisations must realise it’s not their data. You’re the custodians; it’s your customers’ data, your mother’s, your brother’s, your children’s, it’s your grandparents’ data.

Maybe then the emphasis around the data [protection] will change, because the regulations really do go towards [businesses] becoming a custodian of data; this means that customers gain the right to ask what information you have on them. In Indonesia, [their law is] 72 hours and you’ve got to respond. If you don’t know where your data is, how are you going to find across all those systems the right information to be deleted or corrected?

I worked in the UK and the US during Covid. What I saw was that these projects aren’t ever successful if driven by lawyers or those in the data governance area.

Literally every project I’ve seen that’s been successful has been driven by security people and cyber people – and the CISO has had their fingerprints all over it.


The other side of that is, what are we going to do about regulation for Generative AI, because now you’re going to be putting people’s information into data models, and they’re going to be in those data models forever. How do you control and then protect what’s put in? There are a lot of new challenges coming over the horizon with lots of different types of regulation.

Meyer-Gleaves (Hollard): John raises an interesting point. When we see some of those new techniques emerging – particularly around deep fakes, the use of voice biometrics or facial recognition and things like that, and the bad guys also using those same technologies – regulation is going to be behind for some time.

Things like the GDPR – and I worked at a company during that time that was international and had to deal with its implementation – it takes years to put things like that together, and a long process for businesses to implement. It’s no different in Australia: you’ve got a big cycle to get things through the lower house and the upper house and go through all that consultation.

One of the challenges that we’re all going to face is what I call the ‘grey area’ that’s coming here. We’ve got a massive technology shift happening, with the emergence of generative AI and quantum computing, and regulation, unfortunately, is going to be way behind. As much as lawmakers and our political system would like to be in balance with the speed of that, it’s not a reality.

It’s going to be up to industry to solve that [regulation] problem. This means it’s going to have to fall under our codes of conduct – that is, how are we going to operate from a social responsibility point of view within our own organisation?


We as a cybersecurity community, as well as some other folks on the risk and compliance side, need to come up with solutions to protect our customers and our employees as we move into something that is going to be so rapidly transformational.


Hannon (MC): A question from our audience: I’m keen to understand your views around data safety obligations as they relate to third- and even fourth-party relationships in our supply chains.

Gee (Macquarie): It’s really a tricky one. Most organisations would put third-party suppliers in the ‘difficult to solve’ basket.

Most business contracts don’t have much beyond the ‘tick a box’ security, which provides very little assurance.


I was speaking to a partner of a law firm – noting the context of the recent HWL Ebsworth incident, which saw around 1.7 million documents stolen – and we said that ‘The only protection you have is encryption’. It’s at rest, you can’t print it, you can’t save as, you can’t modify the documents, but kept in the data room and then destroyed. That records management piece – which needs to be enforced, because it’s always the poor cousin – needs to be part of that deal. To make that happen, it requires a paradigm shift to say, ‘This is what’s required!’

Speaking to some of my colleagues across the banking fraternity a few days ago, we discussed this very same topic. I said, ‘If we all banded together and set this as our standard, then all these [third-party] firms would have to comply’. But if we did it one by one, they’d probably say, ‘Go away. It’s too hard!’

We need to determine the minimum standard for these documents that are very, very sensitive. Encryption is not for everything, but we do sometimes need to push [that method] as a way to secure [sensitive third-party data].


Hannon (MC): There is another great question. How can young people get more exposure in cyber and level up their cyber careers?

Meyer-Gleaves (Hollard): From a career point of view, one of the best things to do is start clocking up good experience. Join organisations that are going to give you an opportunity to learn and grow!

My career started in the Australian Defence Force, where I was given great opportunities to learn about cybersecurity. I joined Westpac for a number of years under a great boss and with a great team, and that gave me opportunities to learn a lot of things about cyber.

When you’re looking at your career, you’ve got to decide what is really important to you. If it’s the money, you can probably chase the biggest money or where the biggest salaries are paid. But if you’re after something fulfilling, my advice is to find places where you aren’t just a cog in the wheel. Try to find internship programs, traineeships, and graduate programs run by organisations where you keep moving around. They’re fantastic ways to clock up good experience.

If you’re in cyber, I encourage you to join a cyber team where you get lots of different opportunities, working, say, in the compliance or cyber risk space, in the policy domain or operations. They’re going to give you the skills you need to advance.

Gee (Macquarie): I’m actually writing a book called The Aspiring CISO. It’s not a plug! But there’s a chapter which covers things I’ve mentored people about.

Think of a two-by-two matrix: skills, knowledge, experience, and behaviour. When you’re younger, skills and knowledge are much more important in ensuring you get those foundations around data analysis – in understanding how to be a business analyst and how to ask questions to project manage.

As you get older, your experiences and your behaviour matter more and more for you in a leadership role, like a CISO.


It’s about trying to figure out how to get the right foundations early on. From those foundations, you get the confidence to do those harder jobs.

Cunningham (Securiti): My experience is pretty similar to Grae’s, but in the Australian Navy, where I was for 20 years, coming through the system as an apprentice.

One area where I saw real value was in the alternative training systems – in vendor training; most vendors have got great training options which you can access for free. If you think of the area you want to get into and want to have continuous learning, and do it in your own time, most vendors can give you free training through their website, giving you at least some base-level knowledge. It’s a chance to explore what you might want to learn or might not want to learn.

The other thing to think about, tapping into David [Gee’s] thoughts, is communication: you need to build out your communication skills. Do things like a DiSC assessment program, lift your communications, because you’re going to have the hardest job as a CISO: you’ve got to talk up to the board and talk to, and understand, your team at all levels.

The ability to be agile in your communications, to have your listening skills and to learn how you communicate effectively with other people, and then adapt your communication to their style, is equally as important as the technical skills and the business skills you’ll need.

Meyer-Gleaves (Hollard): Just remember, being the CISO is not the measure of success in cybersecurity.

We can all have fulfilling careers in this industry, and the measure of success isn’t only at the top of the tree. There are lots of people in our industry who are very good at what they do within their unique disciplines; that does not mean that you have to be the one who’s leading the whole team. You can have a very fulfilling career being that expert and leading some of those key disciplines.


This is an edited extract from the Industry Leaders Panel Discussion featured at FST’s Future of Security, Sydney 2023 conference.