ISACA Conference Oceania welcomed a panel of security experts from the region and beyond to dive into the current threats facing enterprises: cyberrisk, emerging tech adoption, educating stakeholders about risk, and more.
The panel at the recent virtual conference was moderated by Jo Stewart-Rattray, CISA, CISM, CRISC, CGEIT, CP, vice president of communities at Australian Computer Society. The fight against cyber threats was described by Siobhan Casey, MBA, director of scaleups and innovation labs at Australian Computer Society, as a “classic arms race,” with innovation in protection being outmaneuvered by advancements in attack vectors. “Hackers will take their time; they will find the lowest water line, like a personal assistant’s email,” Casey said. “They will infiltrate and then just sit there and watch. Patience is a virtue in this sort of game. They’ll see an access code come through and they’ll take that data, they will see a payroll packet and will take that data, and then six to 12 months down the track, that’s when you have a breach. Email is one of the biggest areas of risk, and we don’t seem to have enough focus on that when we have a look at our broader systems.”
Raven David, CRISC, CISSP, manager of digital risk and compliance at Sydney Water, said that cybersecurity discussions often revolve around preventative measures. When it comes to “wicked problems like ransomware,” however, prevention is not always possible, and the focus should shift to recovery. He said that an organization’s leadership should keep this in mind when investing in cybersecurity. “Don’t think about the things that are possible, think about the things that are probable, and use a quantitative approach rather than a qualitative approach,” he said. “With all the statistical data out there in the world, I’m pretty sure we can come up with a generalized statistical model to apply controls in a meaningful way.”
Philip Whitmore, CA, CPA, CISA, CISSP, cybersecurity services partner at KPMG New Zealand, believes that tech professionals are so focused on their work that they forget about the basics. “We still fall for that phishing email,” Whitmore said. “We still get breached because we haven’t applied a patch on a timely basis. It’s the cyber hygiene aspect.”
Chris Dimitriadis, PhD, CISA, CISM, CRISC, chief global strategy officer at ISACA, agreed. “Complexity reduction should be a priority for organizations, especially governments; it’s the most important problem to solve before we even discuss security measures,” he said. “We fail at implementing the basics. We see very high-profile hacks where the root cause was an unattended router or an executive’s forgotten laptop. Reducing complexity and proper governance of IT must be in place for security to be successful.” Dimitriadis also thinks it is important to have a risk management focus when implementing security and to invest the right amount of money that an enterprise can manage.
Stewart-Rattray added, “I see cyber and privacy as a converging space: physical security, cybersecurity, privacy, risk and assurance, and facilities management. If you look at it as a Venn diagram, there’s a bit in the middle where we all meet and we should all work collaboratively.”
View the entire session (48 minutes) on ISACA’s YouTube channel (http://www.youtube.com/watch?v=B-K2H5ISX3I).