Why we need to have a bigger conversation about cyber security and involve all departments

There is no denying that cyber security is a big issue but there is a widely-held view, almost a folklore mentality, that you can't talk about it because to openly discuss it will make you prone to cyber-attacks.

Of course, it is common sense that you would never reveal your vulnerabilities by sharing details of the technology you use with the whole world.

And to put your hand up and say "I have the most unbreakable cyber security" is just going to attract attention and challenge people to try and prove you wrong.
It's happened before.

But you most definitely need to talk about cyber without exposing sensitive information and leaving yourself and your employer vulnerable.

Talking about what your developers are doing, either publicly or in private groups, doesn't leave you vulnerable and is something we should all be doing to increase everyone's security.

We have to talk about cyber in order to learn from each other. We are not going to fight cyber on tech alone.

You can use as much software as you like but if there is no collaboration between experts, we are drastically reducing our fighting strength.

The view that we can't talk about it is really misplaced and damages everybody, because we all know that innovation comes from collaboration.

A great example of this is the Australian Government's ACSC Partnership Program, which is delivered through the ACSC's network of Joint Cyber Security Centres (JCSCs), located in Sydney, Melbourne, Brisbane, Adelaide and Perth.

The program includes professionals across government, industry, academia and the research sector.

By drawing on this collective understanding, experience, skills and capability, they are bringing together the situational awareness, technical expertise and experience of a diverse community. It also draws from both public and private sectors where they can learn from each other, share insights, and collaborate on shared threats and opportunities.

They are also inviting organisations to collaborate on their Joint Cyber Security Centres.

This approach will go a long way in lifting our cyber resilience across the Australian economy and is a lesson for the corporate world.

Cyber security is about the human element and humans are the biggest area of vulnerability in every organisation.

For some reason, we seem to be focused on cyber security training, but people really need to be collaborating with their peers on what they are doing on cyber.

Too many businesses still think cyber is a problem for IT or security, when the reality is that it is everyone's problem.

People are slowly realising this. Boards and CEOs are continually being encouraged to talk about cyber because regulators are expecting it of them.

Demanding it, in fact.

They are getting dashboards of cyber risks in their organisation but don't always fully understand that they and their Executive Leaders own the risk and the responsibility to ensure gaps are fixed.

The security function helps them, but sole responsibility does not and should not lie with technology and security teams.

Working together

Cyber bad guys love a crisis, and we know COVID has resulted in a huge increase in threats, particularly in social engineering, with campaigns that feed on uncertainty and people worrying.

With budgets being cut, one of the ways organisations can access new ideas is to get them from others within their industry.

A great example of this is when large companies work in Papua New Guinea: they establish informal networks where competitors share security intelligence. They understand that by collaborating closely and sharing detailed information and learnings, they are minimising their own risk by working together.

My question is why don't we do this on a day-to-day basis? Why aren't we taking this level of collaboration into our peer networks and our internal systems to bring in members of all departments?

While we might not talk about the tech we are implementing, we can talk about the great initiatives we have seen on how to educate our families and our colleagues.

We don't have to post something online to collaborate. We can reach out to members of a closed group of our peers.

As a CIO, I get lots of opportunities to collaborate because someone is always asking for a meeting or to introduce themselves or sell me something. But security collaboration needs to happen more at developer, engineer and tester level, where they can openly communicate with each other about what they are doing around cyber.

Developers need to get together and talk about how they do secure coding.

If I did an Agile meet-up, there would be hundreds of people turning up to talk about what they are doing. But if I did a cyber security development event, very few developers or designers would turn up, despite the fact they are the very ones who should be talking about cyber because that is how they build security into their technology.

Talking about security outside of a training course is how we start to build a security culture, which is one of the strongest defences.

Marketing & UX

Our marketing and UX people should also care about security because customers are caring about security and privacy more and more.

Addressing security near the end of a development cycle creates a clunky user experience. Teams miss an opportunity to create a seamless and secure customer journey and miss out on the chance to build brand trust by demonstrating how they care for your data.

In order to strike a balance between having good security and a good customer experience, we need closer and earlier collaboration with security, which in turn helps UX designers increase their security understanding.

We should be able to say to customers "we are going to keep your details safe", because people expect that.

If this is done during the design phase, it can be built in. Then marketing can get involved and sell the benefits direct to the user.

Talent shortage

An added problem these days is that it's almost impossible to get cyber-talent.

If you're a cyber person, it's money in the bank.

The cyber threat is becoming so great that we are never going to fill those roles. The only way to do it is to start cross-skilling your developers, your testers, your engineers and your UX engineers.

Those people need to learn from each other, both internally and externally. They must be able to learn what developers in other companies are doing, without revealing confidential information.

But while we are not talking about it - not treating it the way we treat Agile or other technologies we see as "cool" - we are not helping ourselves or anyone else in the industry.

There are some conversations we really need to have if we want to protect ourselves and our employers.

And some of the most valuable are the ones we have with our peers.

Business News Australia