THE MANY CHALLENGES OF MANAGING RISK AND RESILIENCE
By Nancy Pavlovic, Director at PAVLOV GROUP
We are part of a global ecosystem in which cyber risk is a complex issue embracing data access, storage, usage and more. Data can reveal a lot about every individual. We live in a knowledge economy. Many of us are becoming digital natives while others remain innocent novices. Yet we are only now waking up to the value of our data, value long recognised by those in marketing and sales. They have been analysing our data for years, using it to understand our motivations and influence our buying patterns.
Data comes in many forms and can be used for many different purposes. It can be used to change lives. Data is empowering. We all need to know who has our data, what it is used for and for how long it will be retained. More importantly, we need to be notified when our data is breached.
Cyber risk has many facets and can impact us in different ways. The World Economic Forum’s (WEF) 2022 Global Risk Report ranked cybersecurity as one of the top five risks. Risk is a universal issue, defined and described by a common language, but one with many industry-specific dialects, all seeking to convey similar messages and achieve similar outcomes. To achieve these outcomes our systems, processes and people need to be recognised as our most important assets, and the data connected to them must be protected with vigilant governance and effective risk management.
Data can reveal much about us, and put us at risk if used with malicious intent. When yet another data breach is announced, we feel powerless. Risk management related to data and cybersecurity is everyone’s concern, especially as we move towards cashless societies and mobile, digital devices that wake us up in the morning, tell us what roads to take, when to pay our bills, when to go to the dentist. These devices enable us to shop by tapping. They monitor unauthorised transactions on our credit cards. They monitor our blood pressure.
How many of us were affected by the Optus data breach? How many Australians were poleaxed when they heard Medibank had been hacked? The list of large organisations we rely on that have lost our data keeps growing. But we cannot put the genie back in the bottle. Reputational damage has a long-term impact on consumer confidence, and a reputation built up over decades can be lost overnight.
The WEF says there are “systemic challenges” to “improving digital trust” and that “unprecedented security risks threaten to undermine economic growth and public trust.”
Cyber is still seen by many as a technical risk, yet it should be seen as a fundamental risk to the viability and sustainability of a business because it is a business enabler. Business leaders and decision-makers have a fiduciary responsibility to make informed decisions to mitigate strategic, tactical and operational risks. The threat landscape is changing. Our risk posture and, dare I say, our appetite for risk are also changing.
Risk is inherent in every input, process, action and output of a system. Risk management needs to be factored into every aspect of a business: its processes, assets and objectives. Therefore, we must prioritise the risks associated with cyber.
The Harvard Business Review article Is Your Board Prepared for New Regulations? by Pearlson and Hetner (2022) says, “Resiliency is more than just protection; it’s a plan for recovery and business continuation. Being resilient means that you’ve done as much as you can to protect and detect a cyber incident, and you’ve also done as much as you can to make sure you can continue to operate when an incident occurs. A company [that] invests only in protection is not managing the risk associated with getting up and running again in the event of a cyber incident.”
According to the WEF’s Global Risks Report 2022 (Insight Report) “in the context of widespread dependency on increasingly complex digital systems, growing cyber threats are outpacing societies’ ability to effectively prevent and manage them.” This is hardly reassuring. Specifically, ransomware has increased by 435 percent, and there is a worldwide shortage of three million cyber professionals. Most interesting is the fact that 95 percent of cybersecurity issues can be traced to human error.
To meet the global and domestic cybersecurity workforce needs of today and tomorrow we need to increase the diversity of professionals working in cybersecurity. In September 2022 the Australian Computer Society chief executive Chris Vein said in an ACS Digital Pulse report: “Australia faces a shortage of 30,000 cybersecurity professionals … [and] our annual Digital Pulse report forecasts the nation faces an annual shortage of 60,000 technology workers across all disciplines … This demand is a great opportunity for Australia. If we can meet this demand, we are going to get more Australians into high-paying technology roles and give industry and government the ability to protect our nation’s IT systems.”
At present 17 percent of the cybersecurity workforce nationally is female, according to the Australian Bureau of Statistics. To meet demand for cybersecurity professionals we need to increase the percentage of women in the cybersecurity workforce well beyond this level.
IT Brief reported, in October 2022, “searches online for cybersecurity training for employees have risen 114 percent over the past four years.” Australia’s Cyber Security Sector Competitiveness Plan, chapter 3 - The challenge, said Australia needs to close the workforce gap, remove startup barriers and strengthen research and development. It highlighted the four major challenges detracting from the growth outlook for Australia’s cybersecurity sector:
I was one of 4000+ delegates who attended the AISA Conference in Melbourne in October 2022 and amongst the hundreds of presenters and scores of exhibitors and sponsors, the standout for me by far was Erin Brockovich. (A big shout out also to Steve Wozniak and Captain ‘Sully’ Sullenberger).
Brockovich said, “Superman is not coming. No one is coming to save you.” Wow! That packed a punch and it truly resonated. Allow me to share and eNANCiate that for you.
Cybersecurity has become the hottest global and national topic of conversation because it is no longer only an IT problem. Cybersecurity should be everybody’s concern and everybody’s problem. What that means is that we need to become informed about how our data is captured, stored and used; about who has access to it and, more importantly, what we can do to protect ourselves through awareness and education. We need to increase our ability to anticipate, detect, react to and mitigate cyber threats, and build cyber posture and resilience.
When we think of our border defence, we might think of the Departments of Defence and Home Affairs or the Australian Defence Force. When we think of our communications infrastructure and networks we might think of NBN. For each of these organisations, who comes to mind: the CISO, the CIO, or the IT helpdesk? Well, I defer back to Erin Brockovich. Superheroes are great on a screen, in comics and in cartoons, but they are not coming to save you. Now we have new actors to watch out for, specifically threat actors and threat agents: organisations or individuals with malicious intent. Threat actors can be internal or external.
Another event I attended recently was the launch of Cyber Week where the Minister for Home Affairs and Minister for Cyber Security, Clare O’Neil, said: “Cybersecurity is no longer just a boardroom table conversation, it is also a kitchen table conversation.” She is right. We need to be having constructive and candid conversations about cybersecurity.
And in case you missed it, the Australian Government has just passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Businesses that suffer repeated or major data breaches will now have to pay.
Attorney-General Mark Dreyfus said “the new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.” Time will tell if the stick approach, without the carrot, will produce increased accountability from big business.
The industry stakeholders driving our economy include multinationals, nationals, employers, small businesses, peak bodies, unions, employer groups and, most importantly, our workforce, taxpayers and ordinary Australian consumers of products and services.
The Productivity Commission’s interim report on Australia’s data and digital dividend (August 2022) said: “Productivity growth is vital for Australia’s future, particularly as the Australian and global economies emerge and begin to recover from the economic impacts of COVID-19. … Given the scale and nature of the economic shock caused by the COVID-19 pandemic, it is expected to have an enduring impact on Australia’s productivity challenge. … The acceleration in the uptake of technology by businesses and individuals has stimulated growth in remote work, online commerce, businesses’ digital presence and innovative delivery of public services like health and education. The pandemic has affected business models in some key sectors and underscored the need for labour mobility across the economy.”
According to the Australian Cyber Security Centre’s Essential Eight security measures, while “no set of mitigation strategies [is] guaranteed to protect against all cyber threats,” organisations are recommended to implement eight essential mitigation strategies that make it much harder for adversaries to compromise systems. The mitigation strategies that constitute the Essential Eight are listed below.
The WEF’s Cyber Resilience Index: Advancing Organizational Cyber Resilience (July 2022) said “Cyber resilience is the ability of an organisation to transcend any stresses, failures, hazards, and threats to its cyber resources within the organisation and its ecosystem, such that the organisation can confidently pursue its mission, enable its culture and maintain its desired way of operating.”
Prioritising cyber risk is an imperative. Organisations, irrespective of size, industry, geography, product or service, must commit to implementing specific strategies to demonstrate they will not compromise their consumers’ and customers’ trust through inactivity.
Boardrooms can no longer be ‘bored rooms’. They need informed decision-makers with diverse skills and experiences. We as a nation need to maximise the diversity of our workforce so we can aspire to greatness, reclaim our digital sovereignty and develop a world-leading workforce.
www.linkedin.com/in/nancypavlovicmaipm