Security Market Segment LS
Tuesday, 11 July 2017 16:04

Panel recommends chief cyber security expert for every company board


With cyber security top-of-mind after the WannaCry and other attacks, IT governance and board expert Monica Schlesinger says that company boards can no longer leave security to the IT department – they need a chief cyber security expert as a C-level member.

The suggestion was made at a security round table for media and analysts hosted by WatchGuard’s ANZ country manager, David Higgins, with fellow panellists Monica Schlesinger, principal of Advisory Boards Group, and David Cohen, founder of SystemNet, an IT and managed services company specialising in the small to medium enterprise market.

Higgins recounted the seven potential security threats WatchGuard released in December 2016. Most of the seven proved right; for the rest there is no empirical evidence yet. To paraphrase:

  • We will see the first ever Ransomworm, causing ransomware to spread faster – exactly what WannaCry was;
  • Attackers will exploit infrastructure-as-a-service (IaaS) as both an attack platform and attack surface – no evidence yet, as cloud providers are trying very hard to secure their offerings;
  • IoT devices become the de facto target for botnet zombies – just look at the Mirai botnet. About 38% of all malware identified by WatchGuard has targeted Linux, the staple of IoT, with constant Internet scanning looking for vulnerabilities;
  • We’ll see civilian “casualties” in the cyber cold war – well, not physical bodily harm, but business has suffered;
  • Under siege by cyber criminals, SMBs turn to small MSSPs for cyber security – yes, with an amazing 25% growth of MSSPs on its books;
  • Increased biometrics usage hides continued credential insecurity; passwords aren’t really gone. WatchGuard has seen a massive explosion in the use of biometrics, but the underlying need for a password first leaves a gaping security hole;
  • Attackers start leveraging machine learning and AI to improve malware and attacks – cyber crime is a well-oiled business with substantial resources, including AI and machine learning.

Higgins said the biggest change at WatchGuard had been to move from its hardware “red boxes” to software – virtual devices protecting on and off premise networks.

Schlesinger presented a board member’s view and cited Ponemon Institute research. In 2016 the average cost of a data breach was US$4 million and the likelihood of a material data breach was 26%. In Australia, 60% of larger businesses had experienced cyber attacks and the loss was calculated at A$17 billion.

She presented a case for a chief cyber security officer as a C-level board member, rather than leave it to the IT department. “As a director, you need to know the regulatory environment as well as what you are doing – respect the duty of care, skill and due diligence.”

Schlesinger presented board-level research from ASX-listed companies on attitudes to cyber security. One result was that 87% of board members had no idea about cyber security issues, let alone the new governance regime that would be forced on them in the next eight months. An edited version of her report is attached at the end of this article.

Cohen focused on small business. “The biggest issue is the trust between the managed security services provider and the client. Clients need to realise that 100% trust is needed to help the relationship work to help prevent breaches.”

He made several points. “97% of Australian business is small business — no board and worse no in-house IT support — where the owner makes the decisions. Frankly, they are not equipped to make cyber security decisions.”

He said that humans were still the weakest link in the security chain. “Too many will blindly click on a malware link.”

Small business was largely characterised by a lack of IT knowledge, lack of effective backup and restore systems, no understanding of what the “logs” meant, and being too trusting by opening data access to all.

He said that SystemNet tried to educate users that, “you don’t automatically win prizes (spam) or inherit millions from a long-lost family member.” His company monitored logs generated by WatchGuard firewalls, and tried to be proactive but security spending was a very low priority compared to making money and the “won’t happen to us” mentality.

On the other hand, Australian SMBs were well placed to have good security if they really wanted to – more so than the major enterprises that may lack flexibility to respond. “Run Windows 10 and its self-patching, install a good firewall, and use an outside firm to check security.”

Schlesinger reminded all that cyber crime was a business and it had excellent tools. “It is easy money for hackers so make it hard for them. The drivers behind security need to expand – it will happen to you.”

Higgins said that it was not a matter of if but when, and the likely collateral damage was that the business goes out of business after a hack. The rise of MSSPs was evidence of the growing extent of the issue. “Cast your mind back five years – there has been a huge growth in MSSPs. Cyber security must be an integral part of your budget just as marketing is.”

The panel all agreed that there was a drought of cyber talent to manage the issues.

Edited results from Monica Schlesinger's presentation.

The regulatory environment is reacting to the increased intensity and consequences of cyber attacks and new laws have come into play with higher penalties and harsher conditions.

Organisations, large and small, that are under the Privacy Act must comply and implement measures before February 2018, when its penalties and requirements will be enforced.

At the board level the cyber security conversation is non-existent or difficult. In December 2016, a survey of board members showed there was an immediate need to act and educate directors about the consequences of the threats, about their duties and how best to take action. And at board level, this means creating a Cyber Strategy.

Q1: What has your experience of cyber security been like at the Board level?

Responses could be sorted into three categories:

  • No idea (87%), even though 3 of them had already suffered breaches or ransomware attacks
  • Some discussion, or had heard about it (8%)
  • Stated they talk about it or consider it in the risk register (4%)

One of the respondents had been attacked a few times and, after the last attack, needed six months to recover. Unfortunately, none of them stated that they are well informed and have a cyber security strategy in place.

Q2: What do you believe is your greatest risk related to cyber security?

Over 12% of the respondents candidly admitted they did not know or understand.

Around 30% referred to the loss of reputation and branding, 40% to a loss of sensitive information, with some specifying Privacy breaches, and 40% mentioned the operational and financial loss, even going out of business.

Q3: What are your top two questions about cyber security that the Board needs to continually consider?

Again, 12% of the respondents gave no answer or admitted they don’t know. 20% referred to risk management, with 20% talking about policies. Directors also thought of bringing an expert on the board (a “Cyber Director”). Around 25% felt that the responsibility lies with the IT department and they must do something to defend the organisation.

What should directors do at board level?

  • Directors must understand and approach cyber security as an enterprise risk and elevate it as it can have a devastating impact within a short span of time
  • They must undertake cyber governance assessments and understand the legal implications of cyber attacks
  • If they don’t have a director with cyber expertise, they must either try to acquire one or bring in experts to help them
  • They must set expectations for management to implement cyber risk management across the entire organisation
  • They must create a cyber strategy and task management to create a framework that stems from it

A few of the main questions directors should ask:

  • Where does our data reside?
  • Do we have a 3rd party (contractors) HR policy?
  • Do we have a contractual clause for breaches via a 3rd party?
  • What is our security framework (which includes Cyber Strategy, Regulators and regulatory compliance, standards, plans, audits and risk management)?
  • What are our top five cyber risks? (BYOD, cloud, outsourcing/3rd parties, DR & BCP, Backups, FW, Access, IDS, IPS, Antivirus)?
  • Is there cyber education at all levels in the organisation?
  • What is our crisis management plan in a cyber security breach scenario?
  • What is our data breach response plan?
  • Whom do we notify?
  • What are the short, medium and long-term actions?

Where to start and how?

  • Involve management, understand the regulatory obligations, understand the current cyber posture – and this does not mean another penetration test.
  • Classify assets, calculate the risk exposure and how much to invest in protecting the organisation, decide mitigation strategies and look at all areas – HR, IT, Partners, Contractors, Facilities
  • Request that management create plans the board can understand, scrutinise and monitor, and manage extreme risks.

If you are on a board or in a senior position you should start the cyber conversation with your board immediately. Start by educating yourself by undertaking a course that gives you a structure for what you need to do.

As the FBI director Robert Mueller put it: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Ray Shaw
