On 20 August 2024 Sekuro and our client, legal firm Mills Oakley, co-hosted a Cyber Leadership Exchange in Sydney. Headlined by the Deputy National Cyber Security Coordinator Tony Chapman, the event also incorporated a panel of leaders from business, insurance, legal, board directorship and government.
Sekuro’s annual Leadership Exchange is a forum for cyber security leaders and influencers centred on how we can tackle our common challenges together. Our inaugural event, held in Melbourne in 2023, was keynoted by the then Minister for Cyber Security, Clare O’Neil.
The ‘Pentagon’ of Cyber Resilience: Leaders from Business, Insurance, Legal, Board Directorship and Government share their insights
The second part of our Cyber Leadership Exchange featured a panel of esteemed leaders and thought leaders across the industry pillars critical to bolstering our national cyber resilience:
- Noel Allnutt, CEO, Sekuro
- Gill Collins, Head of Cyber, Marsh McLennan Pacific
- Jason Symons, Partner, Mills Oakley
- Megan Motto, CEO, Governance Institute of Australia
- Jessica Thomas, Assistant Director, Cyber Security Engagement, National Office of Cyber Security
Moderated by Sekuro Chief Growth Officer Shamane Tan, panel discussions ranged from: the salient cyber threat trends affecting industry; leadership, culture and board engagement; legal, regulatory and insurance considerations and ramifications; and the standout lessons from the government’s cyber crises drills under the National Cyber Exercise Program.
Perspectives from Business: Noel Allnutt, CEO, Sekuro
- Technology trends are coming in big waves, AI and cloud adoption being the most prominent ones. As a business, emergent technologies are our friends – embrace them!
- Don’t forget the cyclical nature of trends. The recent global IT outage was a reminder that the basics, such as business continuity, are never going to go away. Recovering quickly from critical disruptions should remain a fundamental business capability.
- In terms of adversarial activity – there is more of everything. More organised crime, more State-sanctioned attack campaigns. As such, organisations need to ensure cyber has a strong voice. Your cyber agenda needs to be intertwined with your key organisation growth strategies.
- Effective organisation-wide communication is pivotal to scaling a cyber-led culture. Cyber is a team sport – everyone has to play. However, the ethos and ideas need to be filtered down and embedded into systems, processes and employees’ mindsets, and they must be relatable and relevant. In Sekuro’s partnerships with enterprises such as Salesforce, Atlassian and Canva, it is evident that large organisations are experts in mass communication. Smaller organisations can benefit from adopting some of the effective corporate communication strategies used by these industry leaders.
- Cyber security strategies need to be pragmatic, achievable and measurable. You need to be able to track where you are on the journey, how you’re going to get there, and what’s required to achieve your goals. Being pragmatic also means being adaptable and ready for curveballs.
- Cyber strategy and industry regulatory frameworks are either generic or, as with Security of Critical Infrastructure (SOCI) and CPS 230, sector-specific. Leverage the elements that are relevant, pragmatic and achievable for your organisation. There is no need to reinvent the wheel; adopting common control frameworks and adjusting them so they are fit for purpose will raise the confidence of the board and your customers.
“Cyber security strategies need to be pragmatic, achievable and measurable. You need to be able to track where you are on the journey, how you’re going to get there, and what’s required to achieve your goals. Being pragmatic also means being adaptable and ready for curveballs.”
Noel Allnutt, CEO, Sekuro
Perspectives from Insurance: Gill Collins, Head of Cyber, Marsh McLennan Pacific
- In the past twelve months, rates for cyber insurance premiums have dropped. Coming out of COVID there were a lot of unknowns, but the market has since recalibrated and is operating more as business as usual (BAU). Coverage has expanded and there are more insurance providers, so cyber insurance is far easier to obtain; this is positive news for businesses.
- Insurance plays a significant role in cyber risk management. When businesses apply for insurance, Marsh McLennan has them complete a cyber self-assessment of over 200 questions. This is in itself a mini-audit, helping organisations spotlight gaps in their cyber posture, such as third-party vendor review diligence and Incident Response (IR) playbooks. Insurers value these assessments as indicators of risk.
- Macro trends that affect cyber insurance include:
  - The increase in frequency and severity of claims – ransomware remains a major threat vector, and ransom demands are escalating
  - The high value of data – data management and data risk management are critical
  - The massive volume of Business Email Compromise (BEC) leading to funds transfer fraud – SMBs are particularly vulnerable
  - Supply chain risks and weak links – for those with contracts and partnerships with vendors and suppliers, it is critical to ensure stringent mechanisms are in place to control third-party access
- Understand the risks you’re governing. This involves thinking deeply about how your governance framework protects your critical assets. It is imperative to understand what your maximum foreseeable loss will be, identify the likely cyber scenarios, model them out, and understand what a significant impact will cost your business.
- Five ways to improve your cyber risk insurability:
  - Clearly define roles and responsibilities in managing your cyber risk – get HR, Finance and IT all involved.
  - Hone your Incident Management procedures. Practice, practice, practice your IR capabilities – understand who will manage incidents, and practice 3-4 times a year with different scenarios, including out-of-band incidents such as presuming you cannot communicate with your team and stakeholders.
  - Have clearly defined metrics – be able to measure what success looks like within your cyber risk management framework. Have clear barometers of financial information – what you’re spending on cyber initiatives and what the corresponding ROI is. Know in empirical terms how you’re tracking against your framework, and how you’re improving your security posture.
  - The culture of cyber risk management and cyber security needs to cascade from the board level. The board needs to be cognisant of your business’ cyber risk exposure, pre-empt emerging risks, and continually adapt, as threat vectors shift all the time.
  - Have the appropriate carrots and sticks to inculcate cyber risk and responsibility into your culture. Culture is like an iceberg – the visible tip is the policies, procedures and board and executive-level leadership. Underneath the water line, and significant to shifting your cyber capabilities, is the culture. How are you rewarding and reinforcing positive behaviours, and how are you weaving employee awareness and education into mainstream conversation? On the flip side, how are you using disciplinary guardrails to correct non-compliant behaviour? For example, is non-attendance or non-completion of mandatory training attached to remuneration, and are there warnings or penalties?
“Culture is like an iceberg – the visible tip is the policies, procedures and board and executive-level leadership. Underneath the water line, and significant to shifting your cyber capabilities, is the culture.”
Gill Collins, Head of Cyber, Marsh McLennan Pacific
Perspectives from Legal: Jason Symons, Partner, Mills Oakley
- Organisations need external legal help and access to sound, expert advice. Cyber security and data protection liability is a complex space, involving an array of converging legislation, reporting and insurance requirements.
- Be prepared. There are several practical strategies to undertake prior to any incident. These include: a cyber risk assessment; pen testing; a cyber risk analysis of your environment; and ensuring your IR plan is comprehensive, up to date, and has been tested in a variety of scenarios.
- Board-level engagement. Secure appropriate representation of cyber risk and proficiency across your board and senior management. Your board members need to authentically understand cyber; it’s not just a tick-the-box exercise and a 30-minute meeting on your cyber priorities. Practice effective communication between IT and the board, and rehearse your IR communications strategy.
- Ensure you can meet mandatory reporting requirements to the Office of the Australian Information Commissioner (OAIC). These can vary depending on whether you’re an ASX listed company or public sector agency, your company revenue, and whether you’re a private sector health service provider. Increasingly, mandatory data breach notification laws are applicable to smaller businesses covered by the Privacy Act and Australian Prudential Regulation Authority (APRA).
- Consider voluntary reporting in partnership with the government, to share intelligence on live threats.
“Organisations need external legal help and access to sound, expert advice. Cyber security and data protection liability is a complex space, involving an array of converging legislation, reporting and insurance requirements.”
Jason Symons, Partner, Mills Oakley
Perspectives from the Board: Megan Motto, CEO, Governance Institute of Australia
- Board directors crucially need to be digitally and data literate – it’s as imperative as being financially literate. Boards need to have a deep enough understanding to interrogate for the answers, though the upskilling task is a significant one.
- This is where industry has a part to play, in writing good board papers and providing good advice to boards in a language that they understand. Cyber experts must have the willingness to cross the language barriers and break concepts down so that Directors engage.
- Directors need to take a step back and solidify their data governance. The largest threat to a business is a data breach, so boards need to comprehend data governance and know where their most vulnerable data is stored, how this data is differentiated and categorised, what the security controls are, and who has access. This needs to be a separate and distinct dialogue from the generic discussion of the cyber landscape and systems architecture.
- Cyber risk has to be embedded as a whole-of-organisation risk management strategy. It is vital that cyber is not siloed, but a remit on every person in your organisation. We have a huge, critical upskilling movement ahead of us – in Australia, there is only one cyber security professional for every 240 businesses.
- Culture will eat strategy for breakfast, and if not fostered, will make formal processes and governance redundant. We need to develop the culture muscle underneath the processes, procedures and talk.
- Make sure cyber conversations are happening at the Board level – where is it on the agenda, and how often is it on the agenda? Cyber needs to be a key component of a broad uplift exercise, not a side note. Under Section 180 of the Corporations Act 2001, the entire Board is liable for damages stemming from cyber fallout, given their duty of care. Hence Boards need to be actively engaged and, at a practical level, have oversight of risk and audit committees.
- Understand your ecosystem, your supply chain, and the inherent risks. We are so interconnected these days. A particularly vulnerable sector is NFPs, as they are lacking in resources and sophistication due to funding constraints. Yet, they are custodians of Personally Identifiable Information (PII) of the most vulnerable people in society (those receiving benefits and care), and the wealthiest (in terms of philanthropy).
- According to Motto, two-thirds of organisations have never tested their IR plans, and more than half of organisations haven’t updated their critical response plans and have no intention of updating them. Your IR plan needs to be battle tested, and has to be a living, breathing, dynamic playbook to adapt to evolving cyber threats.
“Culture will eat strategy for breakfast, and if not fostered, will make formal processes and governance redundant. We need to develop the culture muscle underneath the processes, procedures and talk.”
Megan Motto, CEO, Governance Institute of Australia
Perspectives from Government: Jessica Thomas, Assistant Director, Cyber Security Engagement, National Office of Cyber Security
- Cyber threats and successful breaches are coming thick and fast; most people’s data is already available on the Dark Web. Emergent and prevailing trends in the cyber landscape are detailed in the ASD Cyber Threat Report 2022-2023. A couple of trends highlighted on the panel were:
  - State-sponsored attacks on critical infrastructure. Volt Typhoon has been engaging in espionage and foreign interference for years. FBI Director Christopher Wray said at a US Committee hearing that Volt Typhoon was “the defining threat of our generation,” and likely to have infiltrated beyond US infrastructure to the “Five Eyes” allies of Canada, Australia, New Zealand and the UK.
  - Cyber criminals continue to adapt their tactics to extort maximum payment from victims, most commonly in the form of BEC, ransomware, and in the case of hacktivists, Denial of Service attacks.
- Patch! One in five critical vulnerabilities were exploited within just 48 hours. Organisations are not patching well or quickly and need to address this hygiene factor of cyber security.
- Engage more with the government. We have a variety of mechanisms to help organisations, such as our Trusted Information Sharing Network (TISN) for Critical Infrastructure owners, operators and community constituents; and the government is also consulting with industry on an ongoing basis as input into policy development.
- A common observation from the crisis drills run by the National Cyber Exercise Program is that there are wide-ranging levels of maturity across our economy. Financial Services Institutions tend to be more mature because they are heavily regulated, while healthcare is less mature. The lessons learned have been incorporated into sector-specific policy documents and playbooks.
- With the government’s limited use obligation, organisations are encouraged to share threat intelligence with the National Office of Cyber Security (1300 CYBER1 / 1300 292 371). Early intelligence on live threats is crucial to damage mitigation.
- Cyber security is a whole-of-nation endeavour. It is down to every Australian and is truly a nation building precept.
“Cyber security is a whole-of-nation endeavour. It is down to every Australian and is truly a nation building precept.”
Jessica Thomas, Assistant Director, Cyber Security Engagement, National Office of Cyber Security
Shamane Tan
Chief Growth Officer, Sekuro
Shamane Tan is one of the most established women in the fields of technology and cybersecurity. As the Chief Growth Officer at Privasec and Sekuro, she is responsible for leading the security outreach strategy with the C-Suite and executives. Recognised by IFSEC as one of the global top 20 cybersecurity influencers, the ‘Cyber Risk Leaders’ author was also recently listed in the 40 under 40 Most Influential Asian-Australians and Top 30 Women in Security ASEAN Region 2021. A TEDx speaker and podcaster, Shamane is also the Founder of Cyber Risk Meetup, an international community and platform for cyber risk executives to exchange learnings.