
Microsoft explores Australian CISOs' most common problems in cybersecurity

06 Mar 2018

Australia needs at least another 500 cyber graduates to meet existing demand for cybersecurity, and CISOs are tackling the shortage with a variety of methods that don’t necessarily require a background in computer science.

That is just one of the revelations from Microsoft’s report titled Navigating the new cybersecurity threat landscape, which analyses common trends and issues in Australia’s security sector.

According to the Australian Cyber Security Centre, 90% of companies listed on the ASX have experienced a data breach and overall, cybercrime costs the economy up to $17 billion per year.

With statistics like those presenting a stark warning to Australian businesses, Microsoft brought together a group of CISOs from organisations including Telstra and the Department of Human Services (DHS).

The aim was to discover how cyber threats affect businesses and how they are tackled. The discussion also looked at how businesses are finding and retaining cyber talent in a highly competitive market; how a stronger public-private partnership can benefit everyone; and how security is discussed in the boardroom.

The report found that in addition to the 500 graduates Australia needs, CISOs are doing their best to implement graduate training programs and branching out to hire a mix of talent.

Telstra hires approximately 50 graduates every year. After finding that it was difficult to integrate security skills with network teams, the company now embeds professionals in those roles. Telstra says it’s a better solution, but there’s still work to do.

The Department of Human Services also faced the stark reality that there weren’t enough trained security graduates in Canberra to meet its requirements. It chose to recruit people straight from school and train them internally.

“Some of our best hires have been people coming out of the Australian Defence Force. These people are strategic thinkers, they have built-in loyalty and they bring a host of other skills that are hard to measure in aptitude tests,” adds DHS CISO Narelle Devine.

DHS’ cybersecurity team also brings together psychologists, lawyers and politics graduates. For education and awareness, a person with a communications major was a better fit than a person with a major in cyber.

“It will probably be two years before we know if this strategy is going to work. We know people will leave because these roles are in high demand but we did the maths and we’ll be ahead if we can keep one in three of those going through training.”

The report also states that the cyber threat landscape in Australia puts phishing attacks, user error, the Internet of Things, and threat groups like the Shadow Brokers at the forefront of emerging threats.

ANZ Banking Group CISO Steve Glynn believes that tracking the number of people who click on a phishing email is measuring the wrong metric.

“We should be focusing on the number of people who report a phishing attack because that turns everybody into a potential early warning system like canaries in a coalmine. That’s a cybersecurity metric we’d all like to see increasing,” Glynn says.

Queensland Health CISO John Borchi is concerned about the Internet of Things in the medical space. Managing the network of critical devices is getting more difficult as healthcare moves out of controlled hospital environments, he says.

DHS is concerned about threat groups and their potential appetite for destruction.

“Everything is moving so quickly but my biggest concern is that The Shadow Brokers are sitting on some clever stuff right now and just waiting to pull the trigger. Some of the global attacks we’ve seen recently were really unsophisticated. What’s coming next?” Devine asks.

The report claims that Australian CISOs are well connected. Devine says that she talks to other CISOs every day – a statement that challenges the common perception that competing organisations don’t share information with each other.

The Australian Cyber Security Centre will move to a purpose-built facility this year – a move that will present opportunities for greater collaboration.

“At its best, security is a team sport, and everybody needs to be part of the solution. They should participate in their own rescue and security should be a celebrated part of organisational culture,” comments Microsoft’s VP of strategic, enterprise and security, Ann Johnson.

While Australian boardrooms may be bringing cybersecurity to the table, some board members still don’t understand cyber.

The report suggests that communication is a major part of tackling breaches. Quick and clear response is crucial, even when organisations don’t have all the answers. Incident response plans are important for communicating with staff, customers, partners, media and stakeholders.
