Telstra Purple is a technology services business comprising 1,500 specialists in Australia, EMEA and Asia. Bringing together Telstra Enterprise’s business technology services capabilities and a number of acquisitions, Telstra Purple is focused on outcome-based, transformative tech solutions.
Why cyber resilience counts today
Geopolitical risks and the impact of COVID-19 have put security technology at the top of every business leader’s agenda as the world rapidly responds to the threat. Manoj Bhatt, Head of Cyber Security Advisory and Consulting at Telstra Purple EMEA, has seen first-hand the increased focus on risk management and cyber resilience in response to the crisis.
“The coronavirus has demonstrated the importance of cyber resilience as businesses move to remote working whilst ensuring they do so securely,” says Bhatt. “Cyber security isn’t just a concern for the security or IT department, and those organisations that already have a strong, ingrained security culture that is business wide, will weather the storm best.”
As business leaders begin to evaluate their technology stacks to understand their efficacy, and consider how well they integrate with the current business while supporting its future needs and goals, security teams must remain one step ahead with answers to potential questions.
Rob Robinson, Director of Security and Network Services at Telstra Purple EMEA, believes that organisations must think of security as a business enabler.
“It goes back to the conversations we’ve been having with CISOs recently. For a security strategy to be successful, all lines of the business - HR, Finance and IT - must stay informed and aligned with its goals,” explains Robinson. “CISOs admit to friction within companies, saying they don't think their boards see information security as important a function as they do. It’s important that this thinking changes and security leaders offer guidance on how businesses can protect themselves and mitigate risk. Security has to be considered an enabler rather than something that is negatively impacting the business.”
Dr Jessica Barker, co-CEO and Socio-Technical Lead of Cygenta, is an evangelist for driving security culture and awareness within organisations. She believes it’s essential to operate with an agile approach and remain aware of the latest vulnerabilities to maintain that visibility over potential cyber threats.
“Staying up to date with current attacks is crucial, meaning people in security don’t often get very many days off as they need to keep up with the latest news to ensure the greatest level of protection possible,” she explains. “However, it is also equally important that we remain vigilant against previous vulnerabilities that we’re already aware of, because it could be easy to get distracted by the latest trends or newest vulnerabilities. In many cases, the biggest cyber attacks involve the vulnerabilities that we’ve been aware of for decades, so it’s just as important to remain vigilant against all kinds of attacks.”
Barker is also Chair of ClubCISO, sponsored by Telstra Purple, which is a private members forum for information security leaders, working across public and private sector organisations. More than 350 CISOs are currently registered members. Barker believes there are a number of key advantages to being a member of the organisation.
“We work together to shape the future of the security industry, community and the CISO role,” she says. “The idea is to provide a voice to CISOs and offer an environment where they can speak between themselves, and externally, about what the CISO role is and what security looks like moving forwards. It’s been great to have a place to build a network of like-minded individuals, share success stories, as well as navigate the challenges in the industry together and work out the best way to overcome those hurdles.
“This year’s ClubCISO Information Security Maturity Report reveals some interesting insights on how CISOs are coping with the additional pressures of COVID-19 and other geopolitical risks,” adds Barker. “The majority (61%) of CISOs believe that the stress of their job has increased over the past 12 months, yet 70% profess to love their job. I believe one of the most important aspects of a CISO’s job today is around cultural change, raising awareness of security threats and figuring out how to embed that cyber security culture within their organisations.”
Getting cyber security right: best practice and learnings
Cyber security doesn’t sit still, and understanding the latest threats, risks and solutions to these problems is a collective industry effort.
Bhatt also sits on the advisory board of ClubCISO. Explaining the community’s benefits he states: “One of the things we really like about ClubCISO is that it’s a community of CISOs for CISOs – that’s the key thing. It’s a peer group to share thought leadership and provides a platform to talk to one another about the latest cyber security threats and issues, and also to share best practices.”
Each year, ClubCISO surveys the community in a live vote to get a collective view of the current security landscape, and understand the contemporary issues faced by security specialists. The latest ClubCISO Information Security Maturity Report was released in May 2020. This year’s Live Vote, which was held virtually for the first time due to the COVID-19 outbreak, drew over 100 CISO respondents.
“One surprising finding from this year’s report is that there isn’t as much maturity around the cloud as expected,” states Robinson. “We have asked that same question five years in a row, expecting the percentage to increase considerably each year. However, interestingly it has remained the same.”
Robinson postulates that this stems from a shortage of skill sets. Another related conversation in this space revolves around how to encourage more diversity in security – sparking an interesting debate around what security teams can do to be more inclusive and build up capabilities. To resolve the issue for future generations, Robinson believes it’s important to start talking about security apprenticeships early, and begin to raise the importance of it in schools now. “It’s vital to talk about the importance of security and feed that interest into the security industry, at a time where we increasingly need that help and capability,” he says.
The coronavirus pandemic has caused disruption in industries worldwide. Uncontrollable circumstances such as these highlight the importance of adopting a ‘future state’ mindset, reassessing business needs now and in the future, and evaluating what kinds of technologies and implementations can support these. The priority in the current environment is supporting home working and guarding against cyber threats.
Bhatt sums up the current situation and issues a warning: “We're certainly seeing a big drive from a number of vendors talking about how their security products are going to be ‘the silver bullet’, but it’s impossible to determine a solution without a proper assessment and understanding of business needs first.
“You must first understand what already exists within your organisation, and what the current technology set up is, before you can consider what the best technologies for the job are. If you bring this thinking together, it makes you more resilient against threats, whether that be COVID-19 or an out-of-the-blue cyber attack. It’s important to join the dots and take a holistic perspective.”
The power and the threat of emerging technologies
As emerging technologies such as machine learning (ML) and automation become increasingly sophisticated, so do those with malicious intent. Businesses must be prepared to keep pace with the threat environment to remain secure.
“The world’s changing,” states Robinson. “We’re not in a traditional bubble where security is at the perimeter and everything’s protected centrally – there’s a much wider attack surface. There’s a lot of information sitting outside of non-traditional environments and you have to apply technology and modern approaches such as ML and automation to that,” he affirms.
“It’s important that we apply these technologies in a way that’s appropriate, as well as maintain an accurate understanding of how we address and manage security incidents, otherwise businesses will not be in a position to respond and protect.”
Whilst cloud is not exactly an emerging technology, many businesses are still at the nascent stage of their cloud journey. Bhatt has observed that businesses are split into three different camps when it comes to their cloud security strategies.
The first camp thinks about cloud, but has not embarked on the journey because they haven’t considered where it might take them. The challenge is in identifying what cloud will achieve for the business, and how much can be saved by implementing it.
In the second camp are businesses that have implemented cloud, but are not recognising the benefits it is delivering. These are typically organisations that have not set out a clear path or taken an objective-driven approach to their cloud strategy.
In the final camp sit the businesses with cloud expertise that focus on cloud enhancement. This is where a company has moved to the cloud and is now looking to enhance it with approaches such as containerisation. This marks the start of the next stage of the journey, where technologies such as automation and robotics become increasingly influential in the business.
With the pace of technology adoption showing no sign of letting up, it’s vital that businesses and their employees practise good cyber hygiene at their workplaces and homes.
“Security is a continuous journey that must be grounded in what the business is trying to achieve,” says Robinson. “Business leaders and their security advisors must assess the environment the business operates in, understanding the risk landscape, the threat profile and how you place people, processes and technology around security to address these evolving needs. And finally, cyber security must align with all business functions to ensure there are no weak links.”