AUSCERT’s Cyber Security Conference is Australia’s longest-running conference of its kind, aimed at connecting like-minded information security professionals to foster collaboration and knowledge sharing and to strengthen the cyber security industry.
At AUSCERT 2024 on the Gold Coast earlier this year, Sekuro Director of Strategy & Architecture and Customer CISO Lee Roebig was invited to speak about cyber security strategy. Lee outlined the importance of adapting to evolving organisational structures and technologies, while maintaining a pragmatic balance to stay ahead of cyber threats.
We have distilled his talk into the following easy-to-digest points.
ORGANISATIONS: CASTLE TO SKYSCRAPER
- Organisations are in dire need of modernising their cyber security strategies
- Traditionally, organisations used to be like castles, where everything valuable was centrally located and heavily fortified
- However, organisations are becoming more like skyscrapers: decentralised, publicly accessible, and visible from afar, making them more exposed and susceptible to cyber threats
- Our modern corporate landscape, with exponentially more access points into our environments, makes it difficult to discern what is a threat, and what is innocent, as they often look the same
Castle vs Skyscraper:
- Structure: Castle is centralised, with physical access required; Skyscraper is decentralised, with remote workers and Software-as-a-Service (SaaS)
- Accessible: Castle over a VPN; Skyscraper over the public internet
- Visible: Castle over a VPN; Skyscraper over the public internet
The Cyber Security Team’s Biggest Weapon is Not a Tool or Technology
- While great technologies such as MDR exist (and Lee is a big fan of them), what’s even more important is a security team’s ability to influence. After all, we can’t make our organisations safer if nobody listens to what we have to say.
- The correct approach to building organisational influence is to modernise security. This means designing a security program that both complements and accelerates the business goals securely, thereby successfully aiding in digital transformation, through security transformation.
- A successful modern cyber security strategy avoids 4 pitfalls:
- Unclear Objectives: strategies that fail to articulate what “good” looks like
- Unrealistic Goals: setting goals that are either too ambitious or too simplistic for the organisation’s size and capabilities
- Unbeneficial Actions
- Unactionable Plans: strategies that are not practically implementable, leading to them gathering dust in a drawer
To avoid these pitfalls, focus on the following principles:
- Clarity: clearly define objectives and outcomes
- Realistic: set achievable goals that stretch capabilities without being out of reach
- Beneficial: ensure every action taken has tangible benefits for the organisation
- Actionable: create strategies that can be easily implemented and followed
A Good Strategy is a Balanced Strategy
It is also important to not be led by an extreme strategy.
- A strategy fixated on compliance does not necessarily translate into better cyber defence capabilities. Be careful of over-selling compliance to your executives. This misperception may lead to confusion/apprehension in the boardroom when operational problems/threats eventually surface and you’re asking for more money/resources to treat them. Passing an audit and obtaining a certification are only stepping stones on your cyber resilience journey, and it’s our job as cyber leaders to ensure our board/C-suite understand that clearly.
- A strategy fixated on technology is akin to “shiny toy syndrome”: you acquire all the newest solutions, but end up with more solutions than you have engineers to manage them. You will also tend to end up with redundant tools whose features overlap, instead of a consolidated, integrated and optimised stack.
A good strategy lies in the middle of these two extremes.
Sekuro’s 10 Pillars of Cyber Security Strategy
Sekuro has developed a cohesive cyber strategy framework, spanning ten core people, process and technology architecture pillars, to guide organisations on their cyber resilience journey grounded in pragmatism. This proven methodology drives modern cyber strategies inside many Sekuro customers around the world, across every industry.
Watch Lee’s full AUSCERT presentation in the video below
Contact us to discover how Sekuro can help you create and/or implement your organisation’s cyber security strategy.
Lee Roebig
Director of Strategy & Architecture, Customer CISO, Sekuro
Lee is an experienced cyber security professional with 17+ years in the technology industry. He previously worked in cyber security leadership and architecture roles inside multiple global organisations prior to joining Sekuro. At Sekuro, Lee helps clients with cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing and leisure, including multiple ASX-listed companies.