Keep calm and carry on
KAREN STEPHENS
Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs.
COLUMN
As I sit down to write this, Australians find themselves knee deep in the Optus data breach.
It is all very good to say “keep calm and carry on” but the 9.8 million Australians who may have been affected (and some say the figure could be as high as 11 million) is a substantial portion of our population, which stands at around 25 million. So, I fear this message is perhaps not getting through to those who need it the most.
As always it is important to have good cyber hygiene at both a personal and a corporate level. So, while the mainstream media keeps on feeding the fire of fear and confusion, we need to keep our heads when all about us are losing theirs (with thanks to Mr Kipling) and focus on ensuring we get the basics right. Here are six basics to get you started on the cyber secure journey.
1. Assessment. You cannot protect what you are not aware of. You cannot educate those you do not understand. A good assessment includes both qualitative and technical quantitative components. And do not forget to include your website!
2. Good password hygiene. We saw how important this was during the recent RI Advice court case. While it may be tempting to use a password more than once, to share it (to keep software costs down) or even to choose one you can easily remember, don’t. You need passphrases or a complex password containing 16 alphabetic and non-alphabetic characters for everything: business, personal, the lot.
3. Build cyber knowledge into your DNA. Tick-the-box cyber training leads to complacency and a false sense of security. Training and education must be continuous, relevant and fun.
4. Patch everything, patch often, patch now. Do not make it easy for cybercriminals to exploit your business. Keep your patches up to date on all devices, business and personal.
5. Speak business not tech. Never assume your business contacts understand what you are saying. There are many interchangeable terms out there. ATO, is it Australian Tax Office or Account Takeover? Assets, do you want to invest in shares, property, fixed interest accounts or cash, or do you mean software and hardware? There are many more examples, but you get the gist.
6. Practice makes perfect. When you have a ransomware breach, that is not the time to discuss how to handle it. The better prepared you are, the better your business will handle the breach.
www.linkedin.com/in/karen-stephens-bcyber
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
INDUSTRY PERSPECTIVES
IN 2023, LOOK FOR WAYS TO CONSOLIDATE PROGRESS AROUND GENDER EQUITY
by David Braue
COVID pressured CISOs like never before – but it also created momentum and empowerment
After two years spent compensating for the security impact of the COVID-19 pandemic, CISOs were already in recovery mode before Russia’s invasion of Ukraine sent the global economy into a tailspin. And as the cyber attacks continued unfettered, it was clear early on that 2022 was not going to offer a reprieve for organisations that have cranked the transition to digital operations up to eleven.
Whereas they entered 2022 with myriad challenges and uncertainty to deal with, however, security and business executives around the world spent much of the year learning to manage these risks – and as they head into 2023, they are responding to ongoing challenges on the front foot. “We are getting better at asset management and starting to build an enterprise architecture capability so we understand our [operating] state better and how it interconnects,” noted Gina Gill, chief digital innovation officer with the UK Ministry of Justice, who has been working with security teams to ensure the transformation integrates security at its core. “We’re putting some governance, and proportionate governance, around new technology.”
Although the ministry’s transformation has coalesced around a formal Digital Strategy 2025, executing on that plan has been burdened by the complexities of driving change through an expansive government body comprised of 13 different organisations – each with a different CEO, board, and governance – operating 80 different IT environments across 100 locations in the UK.
“Once you start digging and take a step back and look at it, it is more complicated than it needs to be,” Gill explained, telegraphing the major challenges that she will be helping the organisation tackle as its transformation rolls into 2023.
“We’ve got a big challenge in terms of legacy technology, and that limits our ability to respond to change. And I think that’s a common theme and a common problem.”
“It has taken a long time and experimentation,” she added, “to get to a point where we’ve got genuinely digital teams and operational teams and policy teams working together to implement policy in a way that can be easily implemented operationally and digitally. And it’s brilliant to see.”
GETTING BETTER ALL THE TIME
From one corner of the corporate world to another, women executives are demonstrating their management nous, grasping the nettle to lead extensive transformation efforts.
“I was asked to get an understanding of what the maturity level was, and how we could get it to where it needed to be so that it was appropriate, and everything would be aligned with our risk,” said Audrey Hansen, who began working as CISO with global industrial giant BlueScope in mid 2019 and embarked on a global program of work “to uplift our security maturity.”
That program has included extensive outreach, open engagement with stakeholders, and risk-based assessments to better understand the circumstances around the company’s 2020 ransomware compromise – which put Hansen’s team into overdrive as they engaged with outside specialists and worked to contain the impact of that event.
“The one thing that came out of it is that cybersecurity really is a business risk,” Hansen told a recent Gartner conference. “My language has always been about managing risk, understanding that risk, and mitigating it as well. You can go and say that security is risk and people listen, but it doesn’t completely drive home until something actually happens.”
In mid 2021, something did happen: Hansen’s cybersecurity team was officially rehomed into BlueScope’s corporate risk area, representing a significant mindset shift that is continuing to support her work around security as she continues to pivot into the new operating state of 2023.
More than ever before, women are helping beat the drum of secure transformation – whether in leading digital transformation initiatives, managing their security, or executing other roles that might have seemed completely out of reach just a few years ago.
The good news: women now comprise 42.7% of senior and leadership roles worldwide, the World Economic Forum’s latest Global Gender Gap Index found, setting a high-water mark for gender parity that has seen the gender gap closing steadily across exemplar countries such as Iceland, Finland, Norway, New Zealand, and Sweden (Australia is actually moving backwards, according to some reports).
The bad news: technology remains one of the most stubbornly gender-inequal industries, with just 24% of leadership roles held by women in 2022 – although, on the bright side, the technology industry adjusted its gender imbalance more during 2021 and 2022 than any other industry.
“More women than ever are working in cybersecurity, from the entry level employees all the way up to the C-suites and the CEOs,” explained US National Security Agency CISO Peg Mitchell, who joined the agency after completing a degree in applied mathematics and now heads security in one of the world’s most secure organisations.
“We look up and look around, and we need to see reflections of ourselves,” she added. “It’s really important to bring different voices – whether it’s different skills, different backgrounds, or different views – to the problem. You learn from that diversity of experience because that’s how we get a richer answer.”
THE BRIGHT SIDE OF COVID
As the security industry heads into 2023, many women technology leaders feel the cause of equality has turned an important corner – and some are thanking the COVID-19 pandemic for creating the opportunity for this to happen.
“Flexible working arrangements, work-life integration, balance, and hybrid working are all playing out in favour of women,” said Annie Chong, Singapore-based regional IT director with pharmaceutical giant MSD International and an active Women in IT Sponsor.
“We are able to balance our work and our life better, because these topics are no longer taboos. Women nowadays are more courageous, and they know what they want and what are their priorities – and they know how to exert their worth, and their rights, and their values.”
The support of value-driven companies, enabling colleagues and loving families have all played a role in this empowerment, Chong added: “this is not just us,” she said. “The whole ecosystem has to move and support us.”
This newfound confidence – which was fostered during 2022 and will be a key enabler of change during 2023 and beyond – helped Geetha Gopal, head of infrastructure projects delivery and digital transformation with Panasonic Asia Pacific, nurture a more confident and capable version of herself during the pandemic.
“During COVID, I saw myself as more empowered because I was able to juggle the multiple roles that women play,” she explained. “I do not have to take leave to be able to manage my personal situation; I can take two hours off, take care of my son, and be on escalation calls and manage my go-lives.”
Given the freedom to be unapologetically focused on work-life balance, Gopal said, women are in a stronger position than ever moving into 2023.
And while she admits not being an advocate of full-time working from home – she encourages staff to work in the office three days a week – she said that to stay competitive organisations will need to become real about diversity, equity and inclusion (DEI) and stay more flexible for the long term.
“If we want to promote DEI, and sustain more women in the workforce, we need to empower this kind of hybrid approach,” she said. “You need to be flexible not just by word, but by practices. Ensure that there are policies in place that are measurable and tangible; and that empower people on the working line, to ensure that it goes down all the way to the bottom and gets implemented.”
Such practices will be key to making 2023 the year when diversity and gender equality will persist as core values for companies around the world – and that, noted UOB first vice president for enterprise data governance Joyce Chua, should be a key goal for executives at every level and every industry.
“What we can do is to ensure that equality and inclusiveness and culture are the tone from the top,” she said, “and the culture of embracing anyone, in terms of like whether you are female or male, so long you do the job, you get your KPIs, you get your promotions, and so on.”
COVID’s disruption has created other issues, Gill points out, with women benefiting from an overall paucity of security and other technology skills that she attributes partly to a lack of foresight by the many companies that got strategically T-boned by the COVID pandemic.
“I’m still totally baffled why COVID was the driver for technology updates [and] why technology wasn’t a bigger thing in people’s minds before 2020,” she explained.
“Now we’ve got a marketplace that is just so competitive. There aren’t enough skill sets. There aren’t enough digital skills in our organisation and government, in the country, in the world. I know that sounds melodramatic, but it’s sadly true.”
Ultimately, however, “there is cause for optimism,” noted IBM Garage partner and ASEAN leader Charu Mahajan, noting that the industry is exiting 2022 with around one in four leadership positions filled by women.
“If we can move that to 30 per cent,” she said, “we will have made a pretty big impact.”