There is no denying that cyber security is a big issue but there is a widely-held view, almost a folklore mentality, that you can't talk about it because to openly discuss it will make you prone to cyber-attacks.
Of course, it is common sense that you would never reveal your vulnerabilities by sharing details of the technology you use with the whole world.
And to put your hand up and say "I have the most unbreakable cyber security" is just going to attract attention and challenge people to try and prove you wrong.
It's happened before.
But you most definitely need to talk about cyber without exposing sensitive information and leaving yourself and your employer vulnerable.
Talking about what your developers are doing, either publicly or in private groups, doesn't leave you vulnerable and is something we should all be doing to increase everyone's security.
We have to talk about cyber in order to learn from each other. We are not going to fight cyber on tech alone.
You can use as much software as you like but if there is no collaboration between experts, we are drastically reducing our fighting strength.
The view that we can't talk about it is really misplaced and damages everybody, because we all know that innovation comes from collaboration.
A great example of this is the Australian Government's ACSC Partnership Program, which is delivered through the ACSC's network of Joint Cyber Security Centres (JCSCs), located in Sydney, Melbourne, Brisbane, Adelaide and Perth.
The program includes professionals across government, industry, academia and the research sector.
By drawing on this collective understanding, experience, skills and capability, they are bringing together the situational awareness, technical expertise and experience of a diverse community. It also draws from both public and private sectors where they can learn from each other, share insights, and collaborate on shared threats and opportunities.
They are also inviting organisations to collaborate on their Joint Cyber Security Centres.
This approach will go a long way in lifting our cyber resilience across the Australian economy and is a lesson for the corporate world.
Cyber security is about the human element and humans are the biggest area of vulnerability in every organisation.
For some reason, we seem to be focused on the cyber security training, but people really need to be collaborating with their peers on what they are doing on cyber.
Too many businesses still think cyber is a problem for IT or security, when the reality is that it is everyone's problem.
People are slowly realising this. Boards and CEOs are continually being encouraged to talk about cyber because regulators are expecting it of them.
Demanding it, in fact.
They are getting dashboards of cyber risks in their organisation but don't always fully understand they and their Executive Leaders own the risk and responsibility to ensure gaps are fixed.
The security function helps them, but sole responsibility does not and should not lie with technology and security teams.
Cyber bad guys love a crisis and we know COVID has resulted a huge increase in threats particularly in Social Engineering with campaigns that feed on uncertainty and people worrying.
With budgets being cut, one of the ways organisations can access new ideas is to get them from others within their industry.
A great example of this is when large companies work in Papua New Guinea, they establish informal networks where competitors share security intelligence. They understand that by collaborating closely and sharing detailed information and learnings they are minimising their own risk by working together.
My question is why don't we do this on a day-to-day basis? Why aren't we taking this level of collaboration into our peer networks and our internal systems to bring all members of departments?
While we might not talk about the tech we are implementing, we can talk about the great initiatives we have seen on how to educate our families and our colleagues.
We don't have to post something online to collaborate. We can reach out to members of a closed group of our peers.
As a CIO, I get lots of opportunities to collaborate because someone is always asking for a meeting or to introduce themselves or sell me something. But security collaboration needs to happen more at developer, engineer and tester level, where they can openly communicate with each other about what they are doing around cyber.
Developers need to get together and talk about how they do secure coding.
If I did an Agile meet-up, there would be hundreds of people turning up to talk about what they are doing. But if I did a cyber security development event, very few developers or designers would turn up, despite the fact they are the very ones who should be talking about cyber because that is how they build in security into their technology.
Talking about security outside of a training course is how we start to build a security culture which is one of the strongest defences.
Marketing & UX
Our marketing and UX people should also care about security because customers are caring about security and privacy more and more.
Addressing security near the end of a development cycle creates a clunky user experience. Teams miss an opportunity to create a seamless and secure customer journey and miss out on the chance to build brand trust by demonstrating how they care for your data.
In order to strike a balance between having good security and a good customer experience, we need closer and earlier collaboration with security which in turn helps UX designers increase their security understanding.
We should be able to say to customers "we are going to keep your details safe", because people expect that.
If this is done during the design phase, it can be built in. Then marketing can get involved and sell the benefits direct to the user.
An added problem these days is that it's almost impossible to get cyber-talent.
If you're a cyber person, it's money in the bank.
The cyber threat is becoming so great that we are never going to fill those roles. The only way to do it is to start cross-skilling your developers, your testers, your engineers and your UX engineers.
Those people need to learn from each other, both internally and externally. They must be able to learn what developers in other companies are doing, without revealing confidential information.
But while we are not talking about it not treating it the way we treat Agile or other technologies we see as "cool" - we are not helping ourselves or anyone else in the industry.
There are some conversations we really need to have if we want to protect ourselves and our employers.
And some of the most valuable are the ones we have with our peers.
Business News Australia
As a free and independent news site providing daily updates
during a period of unprecedented challenges for businesses everywhere
we call on your support