Building a mature cybersecurity strategy from the ground up is essential for any enterprise that wants to grow. Such a strategy yields an easy-to-maintain, long-term security posture and a secure base for the organization's applications. Beyond that, a mature cybersecurity strategy also translates into better-targeted future investments and initiatives.
In this exclusive interview with Augustin Kurian from CISO MAG, Rob Wiggan, Associate Director, Information Security at the Queensland University of Technology, talks about cybersecurity strategies that businesses must have. He also talks about the role of CISOs, understanding the responsibilities, and shares his tips for securing boardroom investment.
Wiggan is an accomplished IT professional with over 30 years of industry experience, specializing in providing strategic leadership to deliver mature information security programs and manage secure information security operations within complex working environments — including banking, utilities, and higher education.
Since early 2018, he has held the role of Associate Director, Information Security at the Queensland University of Technology, where he is responsible for information security across all the business streams of Research, Learning and Teaching, and corporate applications.
From a CISO’s standpoint, how important is it to build a mature cybersecurity strategy from the ground up? With the surge in attacks during the lockdown, what were the newer and additional responsibilities that fell on the shoulders of the CISOs?
The CISO needs to take ownership of the Cyber Security Strategy early in their tenure. They should then aim to develop a mature strategy that defines the priorities and the focus areas for both future investments and initiatives. Without a mature strategy, important momentum could be lost by consuming effort in the wrong areas. It is important to stay focused on the strategic goals and ensure the ability to continually articulate progress and demonstrate benefits to the senior executives and the relevant board committees.
In our case, the lockdown coincided with our usual annual peak of security incidents. This meant that we spent a lot more time identifying the departures from the normal patterns and implementing new methods of informing the senior executive more regularly of the overarching trends. Interestingly, although there was an increase in the number of incidents during the early weeks of the lockdown, the types of incidents were consistent for this time of year, with the only material change being that many of the cybercriminal actors pivoted to using COVID-themed lures. After the first couple of weeks, the incident volumes returned to normal levels.
Additionally, there was increased internal sensitivity about the increased risk of large numbers of staff working remotely. It was considered that a material increase in risk could only be quantified if we took the view that nobody worked at home prior to the COVID lockdown. While we added some additional VPN capacity due to the increase in remote access users and implemented heightened vigilance on our detection controls, there was no appreciable increase in incidents once that initial period passed.
For current and aspiring CISOs, understanding the responsibilities before they step into the role can save them from many issues, including personal liability and possible lawsuits. Do you think there is enough preparedness?
The CISO role needs to be recognized as a key business role. Many CISOs come into the role from other disciplines that are not necessarily from security or governance backgrounds. Sometimes they can either lack the knowledge or be too technically focused to understand the key accountabilities of the role. Generally, they are often unprepared for the reporting and governance that are required. I think it is important that, as an industry, we ensure that we are building a collaborative community that can mentor new CISOs into their role, to avoid some of the pitfalls of inexperience.
Apart from cyber warfare, and cyber espionage from state-sponsored actors, what are the other types of foreign interference that you have observed? Can you rank these from the most dangerous to the least dangerous ones?
I think it is important to remain pragmatic about foreign threats. While I acknowledge that there is ample evidence to confirm that foreign actors are continuing to target weaknesses in infrastructure and processes, our experience is that the overwhelming majority of cyber incidents are still attributed to cybercriminals looking to gain credentials and access for financial gain. It is also important to note that foreign ‘influence’ is a normal activity conducted by governments of all countries. Foreign interference occurs when actors employ other methods to coerce or trick users into exposing systems. These methods can operate outside the realms of cyberattacks and can include bullying, coercion, user profiling as well as standard data exfiltration.
What is your take on Australia’s News Media Bargaining Code? Do you think Google and Facebook must pay news publishers for hosting their news links and snippets on their platforms?
In recent years, the Australian government has implemented several pieces of legislation that have impacted technology industries. The News Media Bargaining Code is primarily designed to protect traditional media companies, but I believe that it does not adequately consider the different ways in which different platforms use and distribute content. That aside though, the recent decision by Facebook to block news content was deeply unpopular with the Australian public and was likely to create more imbalance in the publication of misinformation. I have an underlying concern that Australia lacks the media diversity to have a transparent public conversation, and I note that the tech companies are now negotiating payment arrangements with the Australian news providers. I think that it is important that both media organizations and tech companies continue to coexist in the Australian market.
Several pieces of research have pointed out that cybersecurity investment decisions are still more about insurance than about any desire to lead the field. Don’t you think this approach limits the industry’s ability to keep pace with cybercriminals?
This is a difficult conundrum because corporate cybersecurity functions need to be able to prioritize initiatives and typically risk is used as a lever to assist with the prioritization of initiatives. As a result, the prioritization decisions are then largely driven purely by risk reduction. It is important that we still consider innovative approaches to complex problems. This is where a well-considered and thought-out Cyber Security Strategy can help frame some of the decisions. The challenge remains to enable our teams to experiment and “fail fast” when resourcing is so constrained and much of the available capacity is consumed in the BAU workload. The cybercriminals continue to develop new tools, tactics, and procedures at a pace while security practitioners can continue to take a more cautious risk-based approach to ensure that business continuity is not impacted.
What are your best tips for CISOs to secure Boardroom investment?
In my experience, the best way to gain investment is by establishing as much transparency as possible. It is also important to understand that while a report from a consultancy appears to have the same advice that you may have been providing to the Board, it is that independent view that is likely to cut through. Secondly, Boards will always respond to issues articulated in risk terms because their primary responsibility is to provide oversight that the organization's risks are being managed. Failure to do this can result in serious consequences for individual Board members, so expressing issues in risk terms appeals to their expertise. Finally, it is important not to go to the Board with a list of problems and a request for a lot of funding. However, if you go to the Board with a series of key risks and some reasonable steps you can take to either use existing controls or implement some new cost-effective controls, you are more likely to succeed in getting the funding you need. I would also add that I don't think there is any Cyber Security function anywhere in the world that is resourced to the degree that the CISO thinks it should be. Be very clear about what you can and cannot do and never over-promise.
About the Interviewer
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.