Grae Meyers-Gleaves is Chief Information Security Officer (CISO) of Hollard, Australia’s 5th largest insurer (following its acquisition of CommInsure) and underwriter to many popular retail insurance products. But no growth comes without pain, as Hollard deals with an influx of new customers and employees with varying needs and demands.
In the lead-up to our Future of Security conference series, we sat down with our featured keynote speaker to unpack Hollard’s post-Covid cyber response, cyber defenders’ perpetual battle against the ‘ishings’, why security policies are better off with more carrot and a lot less stick, and the need to pull the cyber sector out of its early-2000s mire.
FST Media: Today, culture is everything in business. For cyber, good culture can be a make or break. What is your secret to nurturing a healthy and safe security culture?
Meyer-Gleaves: It’s challenging in any industry, but the key is to have a plan that covers the three core elements of people, process and technology. And it’s people who are your primary and last line of defence against cyber-attacks. So, you need to enable them to be as resilient as possible if you are to tackle cybersecurity threats.
This entails training and an awareness plan with content that covers the personal aspects, as well as the business side, of cybersecurity. We know people are far more responsive if the messaging is clear and it helps them in their personal and work life. This is especially relevant today given the changes in workplace flexibility following the Covid-19 pandemic.
It is a mistake to only focus on the workplace. We all want to keep ourselves, our families, our friends, the community and our workplace safe and secure from cyber threats.
It also pays to think about the way you deliver content. Use social media channels, host events that are fun, create competitions, publish relevant statistics, be transparent, provide worthwhile advice, and make sure your cybersecurity team will help people professionally and personally.
It also pays to remember this: “A failure to plan is a plan to fail. But a failure to execute a plan is almost a guaranteed plan for disaster.”
FST Media: Has the threat landscape for your staff changed again since returning to the office? Have security protocols been updated to reflect these changes?
Meyer-Gleaves: In the past 12 months the volume of phishing emails we’ve blocked has, for the first time, exceeded spam volumes. It’s a game changer as it shows just how big the shift is from the annoyance of spam or junk email to threat-based models.
For over two decades, I have always taken the endpoint device seriously from a security perspective. Today, if you don’t have the Australian Cyber Security Centre’s Essential Eight in place on all your devices then your organisation is going to be an easier target.
Hollard supported flexible working prior to Covid and so the transition was relatively easy and seamless. Our workforce, like many, has changed to a big mix of people who either work from home, in the office or in a hybrid model.
For a CISO the challenge, as a result, is to think about how we communicate important cyber safety information to our teams and which are the most effective channels. Our experience is that it is best to use multiple channels, including the intranet, Lunch and Learn sessions, video, and social media, among others. And make good use of the times when your teams are together for events and offsites.
FST Media: Board buy-in is of course crucial to get any big enterprise plan off the ground. How can your security function win over the board, and what strategies do you employ to ensure a more seamless relationship with management outside of the security function?
Meyer-Gleaves: Boards across the financial services sector are much more aware of cybersecurity threats and risks than ever before. More recent reports, including the one published by the Australian Institute of Company Directors (AICD) with the Australian Information Security Association (AISA), Board and Cyber Resilience Survey Findings, provide some excellent current insight into boards.
As a cybersecurity leader, the challenge is to get out of the technical weeds and hone your abilities to communicate the relevant information at the right level about the organisation’s risk profile.
An example would be how you take a report, such as the AICD/AISA one, and communicate it to board members and executives.
There needs to be a strong understanding and agreement on the risk appetite for cybersecurity and then an honest appraisal of where you are as an organisation at an operating and strategic level. You may find your board has reviewed and signed this off, but the question is whether all lines of management understand the appetite and are on board with how they can help raise awareness of it.
Risk is an important part of doing business and it is an enabler, but it must be managed appropriately, and it is important to note that cybersecurity is not the only area a board should explore.
Many CISOs still talk about operating system patching levels based on the number of compliant systems. But we need to think in terms of metrics and key performance indicators (KPIs), because getting to 100 per cent is near impossible, or it merely hides the reality once exemptions are in place.
So, we need to think carefully about what ‘green’ looks like. Is it 95 per cent patched, in accordance with the vulnerability score from your policy, or is it 90 per cent? Maybe it is 100 per cent unless mitigating controls are in place. How does it fit your appetite?
Always ask: Are you reporting the right information? And then, can I make that real-time and available to management so they can see it? Is it valuable information and does it get the understanding and buy-in you need?
FST Media: What can financial services organisations learn from other industries in improving cyber controls?
Meyer-Gleaves: Two things: how to be more agile and how to be more contemporary.
I’m going to be a bit controversial here and say some parts of our sector are still applying ‘Year 2003’ information security policies, standards, architecture and controls.
We need to get in front of this and be more innovative. We need to find ways to deliver more value and lessen the frustration for our users. This includes things like passwordless authentication, passcodes over passwords, and getting rid of changing the password every 30, 60 or 90 days.
We should be thinking about adopting new methods, enabling new functionality and understanding risk better. Often a tool is not as good as a decent process or as investing in training your teams to really know the latest technology, such as Microsoft Azure & 365, Amazon AWS, Google, etc. Another bit of advice is to support and stay connected to fintech start-ups. They can often help solve those difficult problems and broaden your thinking.
FST Media: There is increasing recognition that security works best when adopted holistically. How can security behaviours be embedded into workplace culture?
Meyer-Gleaves: It starts with rolling up your sleeves, developing a plan, executing it well, and then maintaining it with an eye to ongoing enhancement. Then you rinse and repeat.
At the same time, we are competing for everyone’s time, so we need to be realistic about what we set out to achieve. I have been fortunate to be in a program where I learned about a leadership model developed by Adaptive Cultures. It helps by introducing new methodologies to deal with cultural change in a modern organisation. There are methods applied to understanding current state and desired state. What I like most is that it helps build a roadmap after determining where you are now and where you want to be; you can then apply the model to cybersecurity to work out where you want to be.
Culture change is easily said and talked about often, but in any organisation it’s tough, because you are competing with many other objectives and needs. It is, however, worth the time and energy. The right culture will help you embed the right security behaviours.
The days of policy being used as a stick are over; it is no longer effective.
But it is always a work in progress. A CISO must continually listen and learn; it’s something I actively try and do more and more.
FST Media: What needs to be done to build a human-centric approach to security?
Meyer-Gleaves: Start by being human. Too many times I hear cybersecurity people talking about their ‘users’; we simply have to be more human in our approach when it comes to cybersecurity.
Furthermore, we all learn differently and respond in different ways. People make the processes and people design, implement and maintain technology. So, it all comes down to understanding how best to communicate with your people to deliver the best approach and outcome.
Building a human-centric approach means we need to understand more about our people. I’m a big fan of Bruce Schneier. I have seen him present on many different topics over the past few decades. Bruce is an expert in cryptography and has many publications in this space, but it is his work on the links between security and sociology, where he discusses how important the human part is in all of this, that matters here.
Being human-centric means understanding the good, bad and ugly and then adopting the right approaches.
Consider gamifying your awareness to make cybersecurity fun, know what drives the bad and look at human behaviour when something ugly occurs.
Understanding this will help drive your human-centric approach better, rather than merely looking at a packet passing through a firewall with the proverbial microscope.
FST Media: Looking at cyber education programs today, what do you focus on? Where do you start? What are the key components of a good program?
Meyer-Gleaves: Phishing via socially engineered campaigns continues to rise. They are not very technically advanced but are good at baiting people to provide information. We, like many companies, spend a lot of time and effort on phishing, threat types, threat actors, and teaching people about these.
Covid has been a challenge when it comes to face-to-face, so other delivery mechanisms are important. You can still have workshops or presentations and make them interactive. You can gamify content.
A good program has a good mix of delivery methods and media. Don’t rely only on electronic learning modules and the odd intranet article.
Get active with content that people enjoy and that benefits their families, friends and fellow workers.
Make sure you let them know about the type of threats that are out there and the methods they can use, with a special focus on social engineering to build their resilience. I would advise against using scare campaigns; in my experience, constant fearmongering leads to complacency and desensitisation.
FST Media: What potential pitfalls and missteps have you identified when building a security framework with employees in mind?
Meyer-Gleaves: I often say the technology is easy but processes can be tough, and people are our biggest challenge. That’s not a negative, as challenges can be good or bad, but the biggest mistake is not taking people on a journey and not being able to tell the whole story.
We should never assume our people understand, or have the desire to know, everything about our security framework.
Not everyone has the time to invest in helping build the framework either. It’s not that they don’t care, they merely have other priorities.
Assumption is probably the biggest pitfall. Never assume, and you can do this by asking lots of questions and through upfront research. And if you get it wrong, fix it quickly and learn from it.
The second big issue is trying to be perfect.
Rome wasn’t built in a day, and neither will a framework be.
A cybersecurity framework is a journey, not a destination. It’s fine to tick the box when you have a framework based against a standard, but know you always need to keep building and improving on it.
FST Media: Human error continues to be a factor in many data breaches, showing that traditional approaches to security awareness training can be ineffective. How are you providing accurate training to breach-affected staff?
Meyer-Gleaves: Nearly all employees at every organisation are under attack. When I joined Hollard, I had a targeted spear phishing [attack] within 12 hours of updating my LinkedIn profile! This is the same for many people.
In my view, human error is 100 per cent guaranteed in all data breaches, given people are always involved. Yes, people do build vulnerable technology.
Like most organisations, we do comprehensive training and run ongoing campaigns. We are a highly regulated industry, our employees have lots of training, and the demand for this grows year on year in order to meet regulatory requirements.
Unfortunately, what we have not been able to do much of is face-to-face training, due to the pandemic. I look forward to spending more time on that front. I don’t think e-learning is as effective as it was in the early days, and constant phishing simulations can result in desensitisation of the workforce.
I’m a part owner of a company that gamifies cybersecurity education, and it is based around the human factor, i.e. people working in teams, sharing experiences, playing games and learning. It has an average Net Promoter Score of 9.5 out of 10 from all participants and it is proven to turn the dial. But 1 in 100 respondents does not like it at all. That’s a social norm in our society, as some people would prefer a different approach to learning.
The key is to ensure you have a training and awareness program that is diverse in the delivery methods, the techniques used and the medium. Cover all your bases, hedge all your bets.
FST Media: What methods or approaches have you been exploring and implementing to fight next-gen phishing, social engineering, and business email compromise (BEC) attacks?
Meyer-Gleaves: It’s about the people and making them more resilient. Cyber threats are now more sophisticated, there are fewer grammar and spelling errors, and the content looks more professional. The bad folks didn’t need to do this previously and still got their returns. Now, they’ve lifted the game and so it is even more critical we build the resilience of everyone in the company.
At the same time, we can’t ignore process. Invest there too, because often a good process with the right checks and balances will trump or thwart an attack. Technology still plays a role too; the less sophisticated attacks are easier to weed out, especially with the use of AI becoming more prevalent.
FST Media: Who is being attacked in your organisation? Are there certain phishing methods your organisation has been targeted with?
Meyer-Gleaves: Everyone, including our supply chains! We see every method, from smishing, phishing, vishing and every other “ishing” you can think of.
Make sure you cover all of the “ishings” and build your resilience!
FST Media: What can organisations do to move the needle?
Meyer-Gleaves: Firstly, have an experienced and grounded cybersecurity leader (or CISO). Have a cybersecurity strategy, have a plan, execute it well, deliver, maintain, sustain, enhance, then rinse and repeat. Make sure you cover People, then Process, then Technology. Know your threats, identify your weaknesses, and know the attack types and methods.
Don’t only do what everyone else is doing; your organisation is likely unique in its own ways. Your cybersecurity needs to align with and protect your organisation. To do so, think outside the box, do your research and network with colleagues. Be wary of shiny new toys and have great partners.
Be the house in the street the burglar avoids, or if you are unlucky enough to be selected then be prepared and respond swiftly and precisely. A cyber incident is not a matter of if, but when. ◼
Grae Meyers-Gleaves will be a featured keynote speaker at the upcoming Future of Security 2022, Melbourne and Future of Security 2022, Sydney events, exploring the benefits of an adaptive security culture, protecting the long tail of supply chains, and how remote working has shaped the security discipline.