
Microsoft explores Australian CISOs' most common problems in cybersecurity

06 Mar 2018

Australia needs at least another 500 cyber graduates to meet existing demand for cybersecurity, as CISOs tackle the shortage with a variety of methods that don’t necessarily require a background in computer science.

That is just one of the revelations from Microsoft’s report titled Navigating the new cybersecurity threat landscape, which analyses common trends and issues in Australia’s security sector.

According to the Australian Cyber Security Centre, 90% of companies listed on the ASX have experienced a data breach and overall, cybercrime costs the economy up to $17 billion per year.

With statistics like those presenting a stark warning to Australian businesses, Microsoft brought together a group of CISOs from organisations including Telstra and the Department of Human Services (DHS).

The aim was to discover how cyber threats affect businesses and how they are tackled. The discussion also looked at how businesses are finding and retaining cyber talent in a highly competitive market; how a stronger public-private partnership can benefit everyone; and how security is discussed in the boardroom.

The report found that in addition to the 500 graduates Australia needs, CISOs are doing their best to implement graduate training programs and branching out to hire a mix of talent.

Telstra hires approximately 50 graduates every year. After finding that it was difficult to integrate security skills with network teams, the company now embeds professionals in those roles. Telstra says it’s a better solution, but there’s still work to do.

The Department of Human Services also faced the stark reality that there weren’t enough trained security graduates in Canberra to meet its requirements. It chose to recruit people straight from school and train them internally.

“Some of our best hires have been people coming out of the Australian Defence Force. These people are strategic thinkers, they have built-in loyalty and they bring a host of other skills that are hard to measure in aptitude tests,” adds DHS CISO Narelle Devine.

DHS’ cybersecurity team also brings together psychologists, lawyers and politics graduates. For education and awareness, a person with a communications major was a better fit than a person with a major in cyber.

“It will probably be two years before we know if this strategy is going to work. We know people will leave because these roles are in high demand but we did the maths and we’ll be ahead if we can keep one in three of those going through training.”

The report also states that the cyber threat landscape in Australia puts phishing attacks, user error, the Internet of Things, and threat groups like the Shadow Brokers at the forefront of emerging threats.

ANZ Banking Group CISO Steve Glynn believes that tracking the number of people who click on a phishing email means measuring the wrong metric.

“We should be focusing on the number of people who report a phishing attack because that turns everybody into a potential early warning system like canaries in a coalmine. That’s a cybersecurity metric we’d all like to see increasing,” Glynn says.

Queensland Health CISO John Borchi is concerned about the Internet of Things in the medical space. Managing the network of critical devices is getting more difficult as healthcare moves out of controlled hospital environments, he says.

DHS is concerned about threat groups and their potential appetite for destruction.

“Everything is moving so quickly but my biggest concern is that The Shadow Brokers are sitting on some clever stuff right now and just waiting to pull the trigger. Some of the global attacks we’ve seen recently were really unsophisticated. What’s coming next?” Devine asks.

The report claims that Australian CISOs are well connected. Devine says that she talks to other CISOs every day – a statement that challenges the common perception that competing organisations don’t share information with each other.

The Australian Cyber Security Centre will move to a purpose-built facility this year – a move that will enable greater collaboration.

“At its best, security is a team sport, and everybody needs to be part of the solution. They should participate in their own rescue and security should be a celebrated part of organisational culture,” comments Microsoft’s VP of strategic, enterprise and security, Ann Johnson.

While Australian boardrooms may be bringing cybersecurity to the table, some board members still don’t understand cyber.

The report suggests that communication is a major part of tackling breaches. Quick and clear response is crucial, even when organisations don’t have all the answers. Incident response plans are important for communicating with staff, customers, partners, media and stakeholders.
