Cyber-Security Briefing

6 December 2017

Technology Leaders Discuss Key Issues in Cyber-Security for Business

At the Australia-Israel Chamber of Commerce’s Cyber-Security Briefing on 6 December 2017, a panel of leading cyber-security experts discussed key issues for business. Moderated by KPMG Cyber Security Services Partner Gordon Archibald, the speakers were Craig Davies, Chief Executive of AustCyber; Commonwealth Bank of Australia Chief Information Security and Trust Officer Yuval Illuz; Philippa Wyrdeman, Director Cyber Security Services and Systems, Elbit Systems of Australia; Professor Dali Kaafar, Scientific Director of the Optus Macquarie University Cyber Security Hub; and Stuart Mort, Director of Cyber Security at Optus. The event partners were Macquarie University, Microsoft Australia, Norton Rose Fulbright, and Votiro.

Lessons From the Past for the Future

For Dali Kaafar, the key lesson from the past was recognising that cyber-security is not just a technical issue, but also involves human behaviour and psychology. Cyber-security had often been approached reactively in response to headlines, rather than proactively, he said, and policy-making had frequently been disconnected from technical solutions. Yuval Illuz agreed that cyber-security had to be considered more holistically, and argued that companies needed to consider it an enabler rather than a burden.

Optus’ Stuart Mort stated that cyber-security is not a new issue – the first ransomware attack took place in 1989 – and that “we don’t do enough looking at the past outside Australian borders and applying that here”.

The Collaboration Challenge

The conversation then moved to the challenges associated with collaboration.

Yuval Illuz lauded the Joint Cyber Security Centre, which enables cyber-security professionals in different industries to share information, and emphasised the importance of outreach – his team publishes a magazine sharing their research and insights. Because collaboration involves commercial data sets, companies are concerned about losing competitive advantage, Dali Kaafar noted. He advocated using encrypted spaces to extract patterns without the need to see the underlying data.

Optus’ Stuart Mort took a different tack from those emphasising the need for greater collaboration, questioning whether as a commercial organisation you want to share your data, and pointing to contractual agreements restricting customer information-sharing and the need to consider headcount resource requirements.

Bridging the Education/Business Gap

AustCyber’s Craig Davies outlined his organisation’s initiatives to create a new nationally consistent TAFE college curriculum for cyber-security. This would, he said, provide business with a consistent standard of qualified employees and an employment pathway. Discussing Optus’ $10 million investment in the joint Cyber Security Hub with Macquarie University, Stuart Mort advocated for development of cyber-apprenticeships – “you don’t need a degree to manage a firewall” – and for cross-skilling and bringing people from other industries and disciplines into the field.

Yuval Illuz argued for more effort embedding science, technology, engineering and mathematics (STEM) at primary school level, with which Dali Kaafar agreed, commenting that “education is our way of getting human beings to be our first line of defence”. We need to provide people with tools through automation, Philippa Wyrdeman said, but people can be dumbed down by relying on such tools, so we also need to provide mechanisms to enable people to continue to upskill.

Key Implications for Business

The panel was also asked how corporate Australia can continue to stay ahead of the game in the cyber-security field.

After studying 10 years of cyber-attacks, Dali Kaafar had identified two key trends: they’re now happening on a daily basis, and taking longer to resolve. This meant business needed to establish trust in researchers and use what they produce, he said. Yuval Illuz outlined that the relationship between the corporation and the hacker was an asymmetric one – the company needs to be right 100 percent of the time, the hacker only once – and that companies needed to understand that the issues would continue to increase in complexity. He was, however, optimistic that over the longer term corporations would prove more innovative than hackers.

According to Stuart Mort from Optus, internal cyber-resources needed to reach out to different areas within the business: “You need to get security fingers into every single pie.” Mort also argued that leaders within businesses should not take data protection for granted – “ask your cyber team what they’re doing to protect your specific data” – and should not assume cyber-security is a priority for chief information officers.

For Philippa Wyrdeman, businesses needed to understand that it was not a question of if they got hacked, but when; she emphasised the importance of focusing on recovery as much as on defence: “you need to know what’s important to your business and how you can recover.”