Zero Trust

WhY Zero Trust?

Changes in the way organisations engage with technology have moved data outside the protection of traditional security controls, in some cases rendering them powerless to protect. Led buy Strategy and Architecture team, Sekuro’s Zero Trust Strategy allows organisations to address this by modernising their approach to security and allowing their business to digitally transform securely.

What is Zero Trust?

Zero Trust is the concept that no one and no thing, (whether that be a network, user, device, application, server etc) has access to perform an action until proven they should be trusted. And in order to prove it, the entity must take as much context into account before making any trust decision. Put simply, it’s about verifying with more context before allowing anything/anyone to do or access something whilst minimising assumptions.
It’s more than that though, Zero Trust is a fundamentally modern approach to security that organisations need to take now in order to match the modern approach they’ve taken to technology, which has transformed their threat landscape significantly.

IBM reports that the average cost of a data breach was $4.35 million in 2022, increasing year on year, and showing no signs of slowing down. In addition, organisations have transformed their technology program with the rise of remote work, cloud migration, and SaaS applications and services to enable unparalleled productivity. During this process risk exposure has come as a side effect. Their security program is often not compatible with this new approach to technology and architecture and is trying to play catch up. In fact, according to Avast, 59% of IT leaders said it was difficult to keep up with securing employee devices while working remotely.

Organisations are finding that their existing perimeter-centric controls no longer work, or are major productivity dampeners. However, it’s not just remote workers. All businesses are now recognising that their data, critical business applications and infrastructure also now exist in multiple areas outside the four walls of their organisation. This leads to the need to protect data, networks, users, and devices outside and inside the perimeter equally.

What is the solution to allow our businesses to continue innovating, without the added risk? This is where Zero Trust is gaining strong traction. Zero Trust is a modern approach to security that can address the modern threat landscape whilst supporting an organisation’s digital transformation and without hindering innovation.

The benefits of Zero Trust

Address the Modern Threat Landscape

Today, companies are using modern environments, platforms and technologies to drive productivity through greater flexibility and agility. With this comes increased cyber risk. With these forward-thinking Zero Trust principles, Zero Trust methodology and Zero Trust architecture, your cyber security program can address the modern threat landscape.

Defence Outside the Perimeter

In the past, we placed far too much emphasis on perimeter security controls and treated our organisations like an isolated castle with strong walls around it. This legacy approach to security worked acceptably in the past but is now less effective, since our data, users, devices and systems are frequently not within the four walls of our organisation, often rendering our previous controls powerless. A modern, Zero Trust aligned strategy can ensure security follows the user, device, data, and other assets wherever they reside.

Defence Within the Perimeter

Although many assets now exist outside our perimeter, we must never forget our internal assets that still continue to exist. Years ago, we placed far too much trust inside our internal network due to the secure external perimeter and ‘limited access bridges’ for access into our castle. Now that more bridges exist than ever before, we must move away from assumed trust inside our internal network, as it leaves our organisation fully exposed once an asset is compromised. A Zero Trust Strategy can carefully segment access within your open network beyond just IP addresses and ports, severely limiting the blast radius of an incident.

Secure Digital Transformation

The majority of organisations are embarking on their digital transformation with the use of modern technologies (Cloud, SaaS, productivity applications, and more), but their cyber security program often isn’t ready for it. Contrary to common pitfalls of a cyber security uplift program, a properly designed and implemented Zero Trust strategy will allow the business to continue innovating securely, without stifling progress, and without compromising speed or usability.

Removing the fork between security and business enablement

Any elements of Zero Trust can be used to improve user experience and security simultaneously - a combination difficult to achieve in the past. With all the additional context Zero Trust provides, we can say “Yes” to the business more often, without the added risk. Zero Trust will allow your security program to go from the oppressor to the protector.

Lee's Zero Trust 'TL;DR'

SekuroKon Secret Sauce

How CBHS improved its cyber health with Sekuro's Zero Trust strategy

At CBHS, protecting members’ highly sensitive and confidential health insurance data is paramount. CBHS undertook a journey toward implementing a wide range of modern security controls and processes and realised there were opportunities for improvement.

“Some of the existing controls and processes either created a lot of overheads or had the effect of becoming a barrier to business productivity, for example, when we needed to do manual security reviews of cloud apps or desktop applications before they could be used by the business.” – Nathan Hunter, IT Security and Operations Manager, CBHS

CBHS wanted a framework that balanced a best class security strategy with the need to help staff feel enabled, rather than obstructed, and to do their jobs effectively.

Always striving to be progressive with technology and policy, Nathan Hunter and his team at CBHS felt a “Zero Trust” approach would streamline processes and controls to enable the business and improve the overall security posture.

Sekuro’s work with CBHS identified gaps in its existing security strategy. Sekuro implemented Zero Trust improvements to give CBHS better visibility of security threats and greater agility in achieving its business goals while remaining secure.

“Now, we have identified the technologies and processes that are going to enable us to adopt a Zero Trust strategy across our entire organisation,” Nathan Hunter commented on the Zero Trust work with Sekuro.

Sekuro's Zero Trust Framework

Sekuro’s unique approach to Zero Trust through its Zero Trust Strategy framework has been created 100% in-house to focus on the areas that give the greatest security benefits whilst being pragmatic and realistically achievable for all organisations. It was created by security professionals with decades of hands-on experience in cyber security engineering, architecture and executive leadership across both private and government sectors globally.

The strategy encompasses 8 key pillars across 3 maturity levels. Sekuro’s Zero Trust Strategy takes a holistic look at your organisation’s entire cyber security posture delivering a tailored strategy that’s clear, realistic, beneficial, and actionable.

Overview of Sekuro Zero Trust Strategy

What are the 8 Pillars of Sekuro's Zero Trust Strategy?

Sekuro strongly believes that Zero Trust is a concept that needs to be considered across an organisation’s entire technology, process, people and architecture landscape.

Sekuro has developed a Zero Trust Strategy which is focused across 8 key pillars for an exhaustive look at your organisation’s entire cyber security posture.

People

Create and foster a culture that creates threat awareness, resilience, and identification of risk in your people whilst continuously measuring its effectiveness.

Identities

Multi-step authentication and verification of users on an ongoing basis with automated, continuous provisioning and de-provisioning.

Endpoints

Protection of devices no matter the location, operating system, or user.

Networks

Segment and isolate networks to help protect valuable assets.

Infrastructure

Protect key infrastructure from data exfiltration, misconfiguration, unauthorised access, and modification.

Applications

Catalogue, risk assess, restrict access to and protect applications and APIs.

Data

End-to-end protection of data, covering areas such as data classification, labelling, restricted access, DLP, and end-to-end encryption.

Analytics

Real-time observation across all pillars to understand interactions, anomalies, and threat visibility.

A Human Perspective on Zero Trust

In this e-book, Customer CISO, Lee Roebig, and Field CTO, Jason Trampevski, look at the human elements an organisation must consider when building a modern cyber security strategy, how Zero Trust fits in and what actions organisations can begin taking today.

What are the ten principles of Zero Trust?

Zero Trust is largely a principles-based methodology that can stretch across many areas.


Sekuro’s Zero Trust Strategy uses these key principles when building Zero Trust cyber security programs for customers:


#1: Verify Through Context

#2: Per-Session Least Privilege

#3: Assume Breach

#4: Secure Anywhere

#5: Continual Analysis

#6: Cloud Ready, Modernised Security

#7: Continual Assurance

#8: Attack Surface Reduction

#9: Automation/Orchestration

#10: Identity-Driven Access

Sekuro's Zero Trust Process

01

Discovery Workshops

Discovery workshops and interviews are held with your organisation’s key staff members to gather information on the security program’s current state and establish a high-level overview of the current environment with key stakeholders.

02

CURRENT STATE ASSESSMENT

Information gathered on your organisation’s overall current level and scoring for each maturity level across the eight pillars will be summarised in the final report. We will also compare your organisation to others and advise if your current state is lower, equal to, or higher than other similar organisations.

03

TARGET FUTURE STATE WORKSHOP

Either during the interviews or after, we will discuss where your organisation currently sits on the maturity scale and recommend a target maturity level across each pillar. This is a mutual decision agreed on with Sekuro and your organisation. This will also be summarised in the final report.

04

FUTURE STATE INITIATIVES AND DEPENDENCIES

After current and future state assessments are completed, the final report will contain a list of vendor-agnostic, practical, and clear future state initiatives. This will also list where Sekuro’s services or technology partners can assist, the effort required, the priority, and the associated maturity level across each target initiative.

05

PRIORITISED ROADMAP

Sekuro will provide a roadmap with prioritisation timelines for the implementation of each target control. This takes into account dependencies between initiatives, security benefits, organisational priorities, and quick wins (low effort).

06

EXECUTIVE SUMMARY

Sekuro will consolidate and analyse all the gathered information in order to create an executive summary report containing the current state of your organisation’s security posture, a comparison to other organisations, and the desired future state.

07

FINAL HANDOVER WORKSHOPS

Sekuro will walk your organisation through the report and roadmap, also providing guidance from our Zero Trust specialists. Additional workshops (Executive & Technical) are also optional extras.

Additional Workshops

EXECUTIVE STAKEHOLDER ENGAGEMENT

Sekuro can help assist with executive engagement by creating a Zero Trust Strategy executive briefing presentation and (co)presenting to your executive team.

TECHNICAL STAKEHOLDER ENGAGEMENT

Zero Trust can be a major change that will require assistance, buy-in, and input from an organisation’s wider technical teams. Sekuro can hold a specialised session deep dive on Zero Trust principles, concepts, diagrams, and benefits with your wider technical teams to assist in gaining buy-in and cooperation, as well as answering any questions or concerns.

ZERO TRUST STRATEGY & ARCHITECTURE CONSULTING

Sekuro can help your organisation execute the multi-year roadmap after the handover has occurred by offering Zero Trust consulting services available in flexibly priced/sized packages.

A STRATEGY TAILORED FOR ANY ORGANISATION

Sekuro understands that not every organisation has the capability or need to aim for highly strict cyber security controls in their environment, and therefore we have developed three maturity levels to allow all organisations to align with a Zero Trust target state that can be tailored to their needs.

Level 1 – Maturing:

The organisation has the fundamental capabilities/technology in the respective pillar to set the baselines for a Zero Trust environment with room for additional effort to realise the value of their technologies and gain additional protection.

Level 2 – Pragmatic:

The organisation has implemented pragmatic Zero Trust cyber security controls in the respective pillar, prioritising controls that give strong protection while balancing costs/effort/resourcing requirements and focusing on reduction of high risks.

Level 3 – Advanced:

The organisation has implemented advanced Zero Trust cyber security controls in the respective pillar with a strong focus on protection, monitoring, automation, orchestration, and reduction of all levels of risk.

Lorna Jane 'steps up' to a Zero Trust approach with Sekuro

Lorna Jane was looking for a trusted security partner to take it on a journey to becoming a highly secure retail organisation.

Lorna Jane’s IT team needed to focus on securing against breaches while online selling and operations boomed during the COVID-19 pandemic. Harbouring fears of data breaches and dealing with a very young, casual workforce with little understanding of compliance or cyber security, Lorna Jane engaged Sekuro to provide a Zero Trust security framework.

Sekuro ensured that Lorna Jane’s cyber security policies and compliance aligned with a Zero Trust strategy. Sekuro also engaged with Lorna Jane’s existing technology providers to create an integrated ‘Alliance’ as a core cyber security stack.

  • Lorna Jane now has SSO across 300 external applications.
  • The ‘Alliance’ technology stack works in harmony to block around 50,000 malicious emails daily.

Read more from the Lorna Jane Zero Trust Case Study.

Frequently asked questions about Zero Trust

Zero Trust is the concept that no one and no thing, (whether that be a network, user, device, application, server etc) has access to perform an action until proven they should be trusted. In order to prove it, the entity must take as much context into account before making any trust decision. It combines this with the ethos of providing the same, consistent level of security, control, and visibility both outside and inside the perimeter equally. This allows users, devices, networks, and other assets to be secure anywhere.

Zero Trust involves always authenticating and authorising the use of all available data/context, such as the connecting user/resource identity, location, device health, and anomalies. This should be done consistently regardless of whether the asset/user is inside or outside the perimeter. It also requires architecting systems so that they can provide adequate context to the entity or policy engine expected to make the trust decision. Lastly, it removes the assumption-based trust model, where we place inherent trust in singular points of context i.e. source IP ranges since they could be breached at any time.

This is a common misconception. When we think of granting access, we often think of the network, because it gates access to many assets. To be clear: the network access controls are a big part of a Zero Trust strategy, but the concept goes much further than that. A trust decision is more than just network access, other considerations need to be made when considering how and when to grant trust. For example, when people click on an email, action a phone call request, allowing certain data to be uploaded to certain cloud applications, or granting access for an application to run on your endpoints. This is why we have The Eight Pillars of Zero Trust in our framework, so no stone goes unturned.

Once again, identities are a huge part of a Zero Trust strategy, but there are many other areas to implement Zero Trust principles across The Eight Pillars of Zero Trust.

Traditional security, which focused on protecting an organisation’s perimeter, which meant placing trust in devices inside the network and having full control over all data flows, has grown less effective as the technology landscape has changed. In today’s modern world, we see a rise in remote work, portable devices, collaboration with third parties, cloud application (SaaS) usage, cloud infrastructure, and a technologically savvy workforce. This means data now flows across many external networks, cloud services, and endpoint devices, often in locations outside of traditional security’s corporate controls. To account for this increased attack surface, an organisation's security architecture design should move to a Zero Trust model.

Yes and no. The pitfalls of VPNs are often a result of the way that they have been set up inside an organisation. In many organisations, the VPN allows a large amount of access to organisational assets and the network once an employee connects. This is a dream for an attacker because it means all they have to do is compromise one user’s account or device to get unfettered access to an organisation, which can cause astronomical harm. This isn’t due to laziness or a lack of knowledge in the organisation, but more how difficult is it to set up a VPN with the level of granularity necessary to have adequate risk mitigation.

To account for this, Zero Trust Network Access (ZTNA) is a relatively new technology predicted by many experts to be a more viable alternative to VPN for large-scale cloud networks. ZTNA works by using identity to grant extremely granular network access dynamically based on layers of context such as MFA, device security posture and more. This removes a huge burden from the network and cyber security team as the policy can leverage existing things like role-based access control groups (for example Okta, Active Directory, etc) without creating thousands of VPN profiles. It also works more effectively in cloud contexts than VPNs because it doesn’t require a heavy hardware footprint, unlike VPNs that require firewalls. This is one of the key areas where Zero Trust can actually provide security, ease administrative burden and create a better user experience simultaneously.

Sekuro looks at Zero Trust as a holistic solution, using the principles to augment a modern cyber security program. It does this while having a very business-centric mindset. Not only do we provide a large security uplift, but we also help your organisation use Zero Trust for other benefits, such as using all this additional context to allow you to say “yes” to the business more often, without the added risk. This takes your security program from the oppressor to the protector. We also have four strict rules in all of our controls and recommendations: Clear, Realistic, Beneficial and Actionable. No high-level unclear goals, no pipe dreams , just beneficial and actionable recommendations you can begin implementing immediately.

Yes, identity is the second pillar in Sekuro’s Zero Trust Strategy. Identity and access management (IDAM) solutions are critical for cloud security, ensuring that your users, assets, and data interactions are frictionless and secure. Sekuro’s IDAM solutions deliver a host of benefits, including SSO, MFA, and user lifecycle management.

Absolutely! This is why Sekuro developed the 3 maturity levels of Zero Trust, allowing a tailored approach that’s beneficial and actionable for the organisation and matches their budget, capabilities, and risk appetite. Sekuro’s Zero Trust Strategy has been successfully implemented in organisations as small as <50 users and as large as 20,000+ users, but of course, while meeting the same principles, the approach differs.

This highly depends on what your board values. Some may consider customer trust and reputation the highest priority, others may consider it to be operational impact and cost (and many consider both equally important!). Sekuro can help you gain buy-in from your executive audience as part of building a Zero Trust Strategy service, but these statistics below are also helpful:

Cost Impact: In its 2022 data breach report, IBM published:“Organisations with zero trust deployed saved nearly USD 1 million in average breach costs compared to organisations without zero trust deployed.The difference was USD 0.95 million, representing a 20.5% savings for organisations with zero trust deployed.”

Reputational Impact: Bitdefender’s research showed that “83% of consumers in the US claim they will stop spending at a business for several months immediately after a security breach. 21% will never return to that business.”

Stock Price Impact: Istari Global’s research indicates that “a cyberattack can sink a company’s share price. When Capital One disclosed that they suffered a data breach, its share price immediately dropped nearly 6% in after-hours trading. In the two weeks that followed, the share price plummeted by nearly 14%. This story isn’t unique. Equifax’s share price fell by 60% in the wake of their cyber breach in 2017.”

NOTE: Depending on an organisation’s response, their stock has shown to be able to recover over time.

Director/Executive Culpability: Directors and executives can be held personally liable for data breaches. Uber suffered a data breach in 2016 that wasn’t disclosed by an executive and the individual was “sentenced to a three-year term of probation and ordered to pay a fine of $US50,000 ($93,663)”

Sekuro’s Zero Trust Strategy has been tailored to both compliment compliance frameworks and extensively cover areas that popular frameworks do not. ISO27001 is a framework for establishing a management system to govern your security risks and controls. By design, it provides high-level controls and control areas allowing organisations to use more prescriptive control frameworks like NIST or ISM. In order to be used broadly, these frameworks contain good but mostly high-level recommendations that often lead to organisations spending large amounts of time trying to translate these recommendations into actionable programs of work suited to them.

Our Sekuro Zero Trust Strategy and assessment dives deep, past the design effectiveness and into the actual operational effectiveness of your technical controls to provide a tailored strategy supported by clear, realistic, beneficial and actionable recommendations. Zero Trust aligns with any existing framework as an assurance tool to provide you with a very truthful and factual view of your security posture and of the initiatives required to get to the level of resilience that is right for your organisation. In short, ifyou partner with Sekuro on Zero Trust, you can rest assured you'll know what you have to do, why you have to do it, when you should do it, and the steps required to get there.

Scroll to Top

Aidan Tudehope

Co-Founder of Macquarie Technology

Aidan Tudehope, Co-Founder of Macquarie Technology

Aidan is co-founder of Macquarie Telecom and has been a director since 1992. He is the Managing Director of Macquarie Government & Hosting Group with a focus on business growth, cyber security and customer satisfaction. 

Aidan has been responsible for the strategy and execution of the investment in Intellicentre 4 & 5 Bunkers, Macquarie Government’s own purpose-built Canberra data centre campus. This facility is leveraged to deliver Secure Cloud Services and Secure Internet Gateway.

With a unique pan-government view on the cyber security landscape, we are invested in leading the contribution from the Australian industry on all matters Cyber policy related.

Aidan holds a Bachelor of Commerce Degree.

James Ng

CISO, Insignia Financial

James Ng, CISO, Insignia Financial

James is a leader with a range of experience across various cyber security, technology risk and audit domains, bringing a global lens across a diverse background in financial services, telecommunications, entertainment, consulting and FMCG (Fast Moving Consumer Goods). He is currently the General Manager – Cyber Security at Insignia Financial and most recently was at AARNet (Australia’s Academic and Research Network) where he oversaw a managed Security Operations Centre (SOC) capability for Australian universities. Prior to this James was the acting Chief Information Security Officer for Belong and led the cyber governance and risk team at Telstra.

Noel Allnutt

CEO, Sekuro

Noel Allnutt CEO | Sekuro

Noel is a driven and award-winning IT leader. He has a passion for developing great teams and accelerating client innovation, and in enabling organisations to create a secure and sustainable competitive advantage in the digital economy. Noel also hosts the ‘Building Resilience Podcast,’ which explores the world of sport and deconstructs the tools and ethos of world-class athletes that can help create growth and optimise business and life.

Audrey Jacquemart

Bid Manager, Sekuro

Audrey Jacquemart, Bid Manager, Sekuro

Audrey is an innovative cybersecurity professional with a versatile profile spanning across Product Management, Presales and Delivery. She has worked within organisations from start-ups to large international organisations in Europe and APAC before joining Sekuro.

Nicolas Brahim

Principal Consultant, CRP and OT

Nicolas Brahim, Principal Consultant, CRP and OT

Nico leads Sekuro’s Cyber Resilience Program and OT Cybersecurity, ensuring continuous support and effective program execution for our clients. With over a decade in the security industry, including the creation and leadership of several Security Programs for IT and OT across Australia, New Zealand, Argentina, Chile and the US, his core philosophy emphasises an equal balance of people, process, and technology in delivering actionable and simple solutions.

Trent Jerome

Chief Financial Officer, Sekuro

Trent Jerome

Trent is a seasoned CFO with over 30 years’ experience in Finance. Trent has broad experiences across Capital raises, debt financing, M&A and business transformation. He is a CPA and member of AICD. Trent works with Boards around risk and risk mitigation plans and assists Boards in navigating the risk mitigation versus cost conversation.

Ada Guan

CEO and Board Director, Rich Data Co

Ada Guan, CEO and Board Director, Rich Data Co

Ada is the CEO and Co-founder of Rich Data Co (RDC). RDC AI Decisioning platform provides banks the ability to make high-quality business and commercial lending decisions efficiently and safely. With over 20 years of global experience in financial services, software, and retail industries, Ada is passionate about driving financial inclusion at a global scale.

Before launching RDC in 2016, Ada led a Global Client Advisor team at Oracle Corporation, where she advised Board and C-level executives in some of the largest banks globally on digital disruption and fintech strategy. She also drove Oracle’s thought leadership in banking digital transformation for Global Key Accounts. Previously, Ada implemented a multi-million dollar program to deliver a mission-critical services layer for Westpac Bank in Australia and formulated the IT strategy that was the basis of an $800m investment program to transform Westpac’s Product and Operation division and complete the merger with St. George Bank. Ada is an INSEAD certified international director and holds an EMBA from the Australia Graduate School of Management, and a Master of Computer Engineering from the University of New South Wales, Australia. She also graduated from the Executive Insight Program at Michigan University Ross Business School and IESE Business School.

Megan Motto

Chief Executive Officer, Governance Institute of Australia

Megan Motto, CEO, Governance Institute of Australia

Megan Motto is Chief Executive Officer of Governance Institute of Australia, a national education provider, professional association and leading authority on governance and risk management. The Institute advocates on behalf of professionals from the listed, unlisted, public and not-for profit sectors.

Megan has over 25 years of experience with large associations, as a former CEO of Consult Australia, as well as holding significant positions in Australia’s built environment sector and business chambers.

She is currently a director of Standards Australia, a member of the ASIC Corporate Governance Consultative Panel and a councillor of the Australian Chamber of Commerce and Industry (ACCI) where she chairs the Data, Digital and Cyber Security Forum.

Megan’s expertise spans governance, risk management, public policy and education. She holds a Bachelor of Arts/Bachelor of Education, a Masters of Communication Management and a Graduate Diploma of Corporate Governance and Risk Management. She is a Fellow of the Governance Institute of Australia, the Chartered Governance Institute and the Australian Institute of Company Directors and is also a member of Chief Executive Women. Megan is also an Honorary Life Trustee of the Committee for Economic Development of Australia (CEDA) and was a 2014 recipient of the AFR/Westpac 100 Women of Influence.

Shamane Tan

Chief Growth Officer, Sekuro

Shamane Tan, Chief Growth Officer, Sekuro

Sekuro’s Chief Growth Officer, Shamane Tan, is passionate about uniting minds and experiences, excelling in aligning C-Suite and Board members with cyber security imperatives. As the author of “Cyber Risk Leaders,” she unravels executive communication nuances and distils C-Suite expectations. 

Her work extends to “Cyber Mayday and the Day After,” a roadmap for navigating crises by mining the wisdom of C-level executives from around the globe. It’s filled with interviews with managers and leaders who’ve braved the crucible and lived to tell the tale. Her most recent book, “Building a Cyber Resilience: A Cyber Handbook for Executives and Boards,” was featured on Forbes Australia’s top list of books for CEOs. 

Shamane has also founded a transcontinental cyber risk and executive meetup spanning Sydney, Melbourne, Adelaide, Perth, Singapore, the Philippines, and Tokyo, fostering mentorship, women’s empowerment and thought leadership. As a strong advocate for the importance of having a voice and helping others use theirs, Shamane Tan has spoken at TEDx and global conferences, including FS-ISAC, RSA, Silicon Valley, Fortune 500 and ASX companies. 

Recipient of the IFSEC Global Top 20 Cybersecurity Influencer award and named among the 40 under 40 Most Influential Asian-Australians, Shamane leverages her unique fusion of technical prowess and business acumen to help organisations progress on their security maturity journey.

David Gee

David Gee, CIO, CISO, NED, Board Advisor & Author

 

David Gee, CIO, CISO, NED, Board Advisor & Author

David has just retired in July 2024 and is building out his portfolio. He is an Advisor with Bain Advisory Network and also an Advisor to JS Careers (Cyber Recruitment) and Emertel (Software Commercialisation).

He is a seasoned technology executive with significant experience and has over 25 years’ experience in CIO and CISO roles across different industries and countries. At Macquarie Group David served as Global Head Technology, Cyber and Data Risk. Previously was CISO for HSBC Asia Pacific. His career as a CIO spans across multiple industries and geographies including – Metlife, Eli Lilly and Credit Union Australia. He was winner CIO of the Year 2014, at CUA where he successfully completed a significant Transformation of Core Banking, Online and Mobile Banking systems.

David is past Chairman for the FS-ISAC Strategy Committee and awarded Global Leaders Award in 2023 for his contributions to the cyber security industry. A regular conference keynote speaker and 150+ published articles for CIO Australia, Computerworld, iTnews and CSO (Cyber Security), David now writes for Foundry CIO.com and AICD.

His most recent book – the Aspiring CIO & CISO was published in June 2024 and David is writing his second – A Day in the Life of a CISO with a number of CISOs from around the world for 2025.

Naomi Simson

Co-founder, Big Red Group and Former Shark Tank Judge

Naomi Simson, Co-founder, Big Red Group

INTRODUCTION

For 25 years as an entrepreneur, Naomi Simson has been bringing people together whether it’s with her business experience, her speaking or writing. Passionate about small business and local community, Naomi is considered a home grown success story.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia and she appears regularly on ABC The Drum. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano, as well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has four seasons of her podcast ‘Handpicked’, and she has authored two best-selling books Live What You Love, and Ready to Soar, and is sought after speaker.

FULL BIO

For 25 years Naomi has been bringing people together whether it’s with her business experience, her speaking or writing. She is a strong advocate of business owners.

Known as an entrepreneur and business leader; following the growth of RedBalloon which she founded in 2001, Naomi co-founded the Big Red Group (BRG) in 2017.

Naomi had a corporate career with Apple, KPMG, IBM and Ansett Australia prior to becoming an entrepreneur. She is a prolific blogger, podcaster and business commentator, and appeared as the #RedShark in four seasons of Shark Tank Australia. She is a non-executive director at Big Red Group, Australian Payments Plus, Colonial First State and Weebit Nano. As well as the Cerebral Palsy Research Foundation and the University of Melbourne Business and Economics Faculty.

A true business leader and influencer, with more than 2.7 million LinkedIn followers, Naomi is Australia’s most followed person on the business networking platform. She has authored two best-selling books Live What You Love, and Ready to Soar, and is an engaging, humorous and insightful speaker. She has four seasons of her Podcast – Handpicked.

Naomi is relatable across a broad variety of audiences and topics, often drawing on her personal experiences to provide thoughtful and valuable views into topics; including the customer obsession, intentional leadership, growth mindset, personal development. She is a regular panellist on ABC The Drum.

Peter Ngo

Product Line Manager, Global Certifications, Palo Alto Networks

Peter Ngo

Peter leads the Commercial Cloud, Global Certifications organisation at Palo Alto Networks which oversees global cloud security compliance efforts to various frameworks and standards including IRAP, SOC 2, ISO, PCI, C5, ISMAP, and IRAP and more for 25+ cloud products.

He has held many roles over the years covering areas of IT Operations, and Governance, Risk, & Compliance (GRC) for a wide range of industries including technology, insurance, and manufacturing.

Peter holds various security and professional certifications, including the CCSP, CISSP, PCI ISA, CISA, CISM, CDPSE & ISO Lead Auditor, in addition to a Master of Science degree in Information Assurance. 

Jack Cross

CISO, QUT

Jack Cross

Jack Cross is an experienced business leader with expertise in digital technologies and risk management. Through a steadfast commitment to integrating people, processes, and technology, he champions the fight against cyber threats while mitigating organisational risks. 

Over the past 15 years, Jack has navigated diverse leadership roles within the Defence and Education sectors, honing his skills in steering multidisciplinary teams through intricate and sensitive technical landscapes. In addition to this experience, he holds numerous formal qualifications such as: a Master of Systems Engineering (Electronic Warfare); CISSP; and CISM certifications.

Nadene Serman

Global CTO, Infotrack

Nadene Serman

Nadene Serman is a leading IT executive with a proven track record spearheading first-of-its-kind technology and business transformation for some of the most prominent organisations globally and in Australia. As the Global Chief Technology Officer of InfoTrack, she is a key protagonist of innovation as an enabler of InfoTrack’s next stage growth. Her energy, commercial acuity and strategic capability have fueled her success.

Nadene leads with clarity, transparency and urgency, uniting people in complex, multi-layered technology and business execution, and go-to-market transformation and innovation. She tackles and resolves complex and seemingly intractable challenges while building support and collaboration – even in times of crisis. Her people-first, ‘think straight, talk straight’ approach makes her a formidable force.

John Doe

President Great Technology

Cyber Resilience Program | Sekuro

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.