In this second part of her dispatch from CyberCon2022, NZSM correspondent Jennie Vickers delivers a bumper harvest of collective wisdom with the best bits of the event’s speaker presentations. This article is part of a two-part coverage by the author on CyberCon2022. Read Part One here.


Back in 2004, James Surowiecki published the book The Wisdom of Crowds: Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations.

Ideas around the benefits of collective wisdom ring true at conferences and tradeshows where line-ups of technical experts converge to share their thoughts and ideas. With over 30 topic streams and hundreds of speakers, there was more than enough on CyberCon’s agenda to provoke new ideas and build a plan of action for 2023.

But, one can’t be everywhere, so I’ve carefully identified a number of themes inspired by several of the speaker presentations, which will be of interest to security professionals when they wind back up after a well-deserved summer break.

‘Cyberworthiness’: Adopting a philosophy from aviators

In his presentation, Squadron Leader Arjun Xavier of the Royal Australian Air Force introduced the idea of ‘cyberworthiness’. The “-worthiness” concept is familiar to many in the context of air and sea, but its extension into cyber provides a useful framework.

It is, in essence, a risk management and continuous improvement framework, enabling the Australian Defence Force to manage risk in cyberspace effectively as it executes its mission. An underpinning principle is “Don’t get chained to compliance.”

Arjun explained that cyberworthiness is not just about security. Traditional cybersecurity is focused on activities designed to ensure the confidentiality, integrity, and availability of systems. Cyberworthiness, on the other hand, “is rooted in survivability – business continuity, in corporate terms – and assurance of our mission.”

For all of us, our future cyberworthiness governance framework needs to be scoped across three key pillars – people, processes, and technology [the reflections of ‘Sully’ Sullenberger (refer to my other article in this issue of NZSM) around airworthiness changes from 45 years ago would indicate that many organisations have a long way to go understanding the people side of this puzzle].

Group Efforts, Partnerships and Collaborations

A confession. I am hooked on a Netflix Korean drama called “Vincenzo”. It is about a Korean-born mafia consigliere in Seoul. The point of this reference is that the series demonstrates the many ways in which the mafia and other crime groups (pre-cyber) around the world have always collaborated and worked in partnership, where it is of value to them to do so.

A number of speakers at CyberCon2022 alluded to the importance of the good guys (us) getting as good at collaboration as the hackers. Many of them recognised that we’re still not as good as we need to be.

The idea of being out-played in this regard was reinforced when speaker Glenn Maiden explained the work of Fortinet as part of the World Economic Forum’s (WEF) Cyber Atlas Project.

“Defeating global cybercriminal organisations requires a global group effort with strong, trusted relationships among cybersecurity stakeholders,” says the WEF. “Criminal enterprises function almost exactly like corporations. Once attackers start to quit out of fear of being exposed and arrested or feel the profits aren’t worth the risks, then cybercrime may begin to recede.”

Several different speakers from Accenture shared this view of the need for better collaboration, recognising that “visibility across enterprises and government agencies is also essential to allow common goals, training and governance to be implemented, and to reduce duplicated efforts.” The reality is that CaaS (Cybercrime as a Service) is growing faster than SaaS!

Continuing Cyber ignorance

Paula Januszkiewicz is a rockstar MS Security Enterprise Expert, who both delivered a keynote and ran half-day workshops. Interviewing Paula, we got around to a key dilemma facing executives embracing Digital Transformations and IoT, where the risks are rising.

Paula’s view is that if we apply strict security rules, no one will be able to get any work done, so a balance needs to be struck between safety, usability, and practicality. If executives do not understand the underlying technology, striking that right balance is hard.

Cyber focus at a government level

In her opening speech, Hon Clare O’Neil MP, Australia’s Minister for Home Affairs and Minister for Cyber Security, said that the “new Government in Australia has made the decision to have a cyber security minister because we want to elevate this issue to the level of importance that it so clearly is for Australian business, for Australian citizens and very much for our nation.”

“Cyber is everything and it is everywhere,” she told the CyberCon2022 audience. “A resilient cyber ecosystem is going to be fundamental to our country’s future.”

We need a champion of Cyber from Government here in New Zealand.

2023: Try telling a different cyber story

Mina Zaki from KPMG ran a useful session on how to use storytelling to change the narrative. She made the case for well-reasoned, relevant, and problem-focused case studies, along with a better understanding of the way a story engages brains.

Elevate security issues to board-level concerns and language

Talking about changing the narrative, Michael Shepherd from Accenture commented that “essentially it boils down to catalysing the business relevance, capturing the strategic picture of cyber security with the right scorecard, and speaking the language of business impact in all cyber security communications to the Board.”

Jason Brown, Principal Advisor, Security and Risk to the Board of Thales ANZ, reminds us that “It’s not about compliance, it’s about survival in a dangerous and complex world.”

Persia Navidi of Hickmans lawyers noted – with thoughts heavily laden with animal references – that “when it comes to board directors, it goes without saying that cyber events are no longer ‘black swan’ events, but despite this they’re still very much treated as the elephant in the room.”

Securing Critical Infrastructure

Amy Ormrod and Zoe Thompson from PwC were joined by colleagues from Europe for a global perspective. A few key takeaway thoughts included:

  • If you can’t map your asset interdependencies, you have no way of understanding what is critical.
  • You need a security-by-design lens across the entire organisation.
  • Internal silos are more of a threat than the external threats.
  • Manage expectations: spend is never going down.
  • Where is CI data? Is there a war coming near your data?

Is it time for your Board’s Committees to play a greater role?

Ashwin Pal of RSM Australia is a friend of New Zealand, having previously spoken at the New Zealand Defence Force / New Zealand Defence Industry Association’s IDEAS2020 event. He presented on the role of ARCs (Audit and Risk Committees of Boards). Ashwin’s summary points are a useful list:

  • Cyber security is a key business risk and must be treated as such.
  • As a result, Board / ARC members’ responsibility for cyber security is increasing.
  • Board / ARC members MUST ask the right questions of management and THEMSELVES to be able to discharge their duties.
  • Cyber risk needs to be quantified so it can be managed.
  • A methodical program is necessary to stay on top.
  • You cannot control what you cannot measure.

“Boards and Executives must treat cyber risk as a high priority business risk,” he said in closing. “It must be part of the Enterprise Risk Management framework with risk appetite clearly defined and cyber risk mitigated to an acceptable level. Unless this methodical approach is taken, breaches will continue to increase.”

Data: How about we go with effective de-identification for now?

Dr Ian Oppermann, the NSW Chief Scientist, delved into the vexing issue of personal information and the failures of de-identification attempts. Enter stage left, the PIF Project Tool. This project is a collaboration between the Cyber Security CRC, CSIRO’s Data61, the Australian Computer Society (ACS), and the NSW and WA Governments.

“The Personal Information Factor (PIF) Tool measures the risk associated with releasing a dataset,” explained Dr Ian. “When risks are high, an AI-enabled tool analyses attack vectors and transforms the data, using provable privacy perturbation techniques, making it suitable for publication.”

Procurement: How to pick the right security horse

Mark Hofman, CTO of CyberCX, caused a few OMG moments. I never say OMG, but in this case, Mark shared the results of a Gartner report from July 2022 which found that 56% of organisations said they had a high degree of purchase regret over their largest tech-related purchase in the last two years. This is shocking but credible.

Mark had screeds of good advice (article to follow in 2023), but to vendors he said, “get better at articulating both your licensing model and the problems you actually solve; and to buyers the usual entreaty to get better at articulating requirements, but also ensure a whole cross-organisation team is involved in the procurement.”

Final Thoughts: We need more sessions on convergence

It really is time for events in 2023 to get better at combining OT and IT and to talk convergence across the whole spectrum. The events organised by associations are better placed to make this happen… and it needs to happen, as a matter of urgency.
