Wednesday, May 25, 2016

I'll take Cyber Insurance with that (please)

http://www.cso.com.au/article/598166/ll-take-cyber-insurance-please/
You have either been hacked, are being attacked as we speak, or will be in the future. Cyber insurance is a subject that is not often discussed openly, and it is an area we are all still learning about.

I recall the first time, as a CIO, being consulted in a management risk committee about the degree of cyber insurance cover that we should take. The discussion was quite hypothetical and not much detail was considered.

But cyber security hacks have increased over the last few years, including many high-profile ones against household names, and we have also witnessed insurance premium costs move with the increased level of risk.

Is this just a crutch?
In a recent interview that I had with a CTO from a large enterprise, it was suggested in those exact words that Cyber Insurance is actually a crutch.

It doesn’t replace the need for good cyber security practices or provide you with any real level of protection. Insurance, in simple terms, has been developed as a form of risk sharing. By definition it is:

“An arrangement by which a company or the state undertakes to provide a guarantee of compensation for specified loss or damage in return for payment of a specified premium.”

More specifically, cyber security insurance:

Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

What’s covered?
Ok, so I might be interested in buying this coverage. What exactly is covered? When we look inside one of these policies, we see that there are standard and optional features. Below is an example of an actual policy.

Data liability: covers the financial consequences of losing or misappropriating customer or employee data.
Electronic data: covers the cost of restoring, recollecting or recreating data after a leak or breach.
Fines and investigations: covers the potentially significant costs and expenses of a data protection regulator’s investigation and fines following data security breaches.
Crisis management and breach coaching: provides access to a cyber-incident response team of industry specialists and covers the PR costs of reducing the damage a breach could cause to your reputation. Includes forensic services following a data breach, assistance to repair company and individual reputations, breach coaching and associated notification costs.
Multimedia liability (optional): covers the damages and defence costs incurred in connection with a breach of third-party intellectual property, or negligence in connection with electronic content.
Cyber/privacy extortion (optional): covers any ransom payments to third parties required to end an extortion threat.
Business/network interruption (optional): covers the loss of net profit due to an interruption to the customer’s network following a cyber breach.

I’m sure that each of these policies will have slightly different conditions and degrees of coverage. Like any other shopping, you will need to carefully compare and understand which risks you want covered and what degree of risk you will accept.

Some insurance companies are starting to put limits in place to cap the size of losses. The truth is that because the cyber security insurance product is still fairly new, terms and conditions currently differ more than they agree.

Advent of Mandatory Data Breach Notification
In the meantime the Federal government has introduced a new mandatory data breach notification scheme as a measure to help detect and prevent cyberterrorism and cybercrime.

We would expect that this introduction of mandatory data breach notification laws will be a major driver for Australian businesses to accelerate the adoption of cyber insurance products.

What can you do?
For many first-time buyers, this is about demonstrating that you have a comprehensive and well-tested cyber security plan. If you can prove that you have practised and are able to cope with threats, your premiums will be adjusted accordingly.

Clearly businesses should not think they are protected simply because they have cyber insurance. The insurance is there to assist you with certain scenarios that you regard as reasonably high risk.

One thing is for sure: when you have a breach or a cyberlocker attack, no amount of insurance will restore your credibility in the marketplace.

Exclusions
Just as you do with other insurance policies, be aware of what’s not included. Let’s take a simple example from the data breach insurance policy above: be sure to ask about effective dates.

We are all aware that the average time to detect a breach is 200+ days. Therefore, are we covered now, or do we have to wait for 200 days to pass? Also, what happens in the case of a BEC (Business Email Compromise), where our staff have wired money to someone they think is the CEO?

Would this be covered? In many instances it actually won’t be: while there may have been an email breach that allowed the hacker to make initial contact, the money itself was transferred because of poor manual controls.

Buying Insurance
The act of buying insurance will require an increasing degree of due diligence, and also self-declaration of what measures you have or haven’t got in place. I’m sure that this will be a confusing process, and while you may use a broker to assist you, just imagine going through the costing process twice to get two quotes.

It is going to be painful and require significant time investment.

Cyber Insurance – Yes please. But can we make it easier?

“Storing certificate information on Blockchain Technology is another way to thwart hackers.”

CISO Leaders: Tammy Moskites, CIO & CISO, Venafi

http://www.cso.com.au/article/597212/ciso-leaders-tammy-moskites-cio-ciso-venafi/
Your current role as CIO and CISO at Venafi means that you are working in the cyber security industry in a major way. Do you eat your own dog food, or do the staff already get the importance of information security?
Venafi takes security very seriously – and my team deeply understands the importance of information security, but with the ever changing threat landscape, there are always improvements to be made. In my position, I have a dual role to not only protect Venafi but also protect our employees and customers, and I take that role very seriously. As for eating our own dog food – yes we do. We are a Venafi customer!

We are seeing enterprises shift from an analogue to a digital world. How do you see the CIO and CISO roles changing? Is this happening fast enough?
We now have massive amounts of data at our fingertips, and the IT industry is evolving faster than ever. Cyber security has transformed from what most viewed as an IT issue to a central business concern, and the CIO and CISO roles are shifting in response. If we’re to keep up the pace and adopt emerging technologies, security needs to be a priority and CIOs and CISOs need to work together to mitigate risk in organizations across industries and throughout government.

The pace of change is quickening. What do you do to stay up with digital developments?
With the rise of DevOps and explosion in mobility, the IT world is rapidly evolving, and it’s essential for CISOs and CIOs to continue to develop their craft. I am always meeting with my peers, industry experts, attending tradeshows and discussing hot button issues with my peers, customers and teams to stay up on the latest threats, trends and industry developments. I also have to rely on those that are smarter than me (aka – My IT/Security team) to keep me informed!

Trust is a key concept in cyber security. How do you define trust and what’s your view on managing this asset?
In today’s world, trust cannot be blindly granted - period. Threats are constantly increasing in both frequency and sophistication and an innocent email can prove deadly to the everyday enterprise. Just like any other asset – you cannot protect what you don’t know you have. For an organization to effectively mitigate risk and improve security, managing trust is key. It’s essential that IT managers implement multi-factor authentication, manage access and revoke and grant privileges accordingly – not just UserID’s and Passwords, but elevated access like privileged access, as well as keys and certificates.

What’s your view on digital certificates, and on how these assets might be stored on Blockchain Technology in the future?
Digital certificates and cryptographic keys provide the foundation of trust on the internet. The average organization has over 24,000 keys and certs and most of them don’t know where they all are and how to protect them (unless they use Venafi). The reality is that you can’t surf the web safely today unless their keys and certificates are properly secured.

Storing certificate information on Blockchain Technology is just another way enterprises can take steps to thwart hackers. Since blockchain databases are distributed and encrypted, they are harder for hackers to attack and the security and privacy of data is successfully maintained. With encryption now being used by hackers to hide malware in plain sight, secure technologies like this will be important moving forward. Though it’s important that organizations recognize there is no “silver bullet” when it comes to security, securing keys and certificates is a good start.

When you are stuck with a difficult problem, where do you go for advice and guidance?
I’m lucky enough to work with a fantastic team of incredibly talented individuals, and I often look to them as a sounding board when I run into issues and need another perspective. Also, the CISO community is very close and I have an awesome rolodex of colleagues with whom I collaborate regularly. If you can’t collaborate with the people you work with and fellow CISOs, how can you expect your company to succeed?

In your role as CIO and CISO, which of the two do you enjoy the most? Why?
It’s hard to separate one from the other. I have 30 years of experience within IT. From managing helpdesks, desktop support, and Identity Management to Production Control and Capacity planning -- I have touched many sides of IT. If I combine that with the last 20 years focused primarily in security/compliance, it was natural for me to take on the role of both CISO and CIO. In the past, security did not necessarily lie within the purview of a CIO, but over the last several years our threat landscape has finally transformed cybersecurity into a C-suite conversation, so my roles tend to overlap and intermingle. It is all about business enablement – I love what I do every day – so instead of which one – I would rather just say “I LOVE MY JOB”.

What’s your view about attracting more female talent into Cyber Security? How can this be achieved?
This is a major issue - and one that is near and dear to my heart. We absolutely need to make the effort to attract more female talent to the cybersecurity field. However, generally speaking, we just simply need more qualified cybersecurity pros to fill the jobs -- both men and women! The National Cybersecurity Institute at Excelsior College estimates that nearly 2 million global cybersecurity professionals will be needed by 2017, and we cannot ignore half the population if we want to fill that talent shortage.

Recent initiatives like Girls Who Code are a step in the right direction, but we need to implement similar programs to break the stereotype that women aren’t fit for STEM fields. To build a workforce, we need to build a talent pipeline and that starts with education. I encourage and challenge all security professionals to volunteer their time at local schools and universities to educate them as to what makes up this awesome field of Security!

What is the one most important attribute that you must see to select a new staff member to your team?
Actually I have two – and neither of them are technical! Passion and Fit. I will never hire someone without a passion and integrity for doing the right things right and for the right reason. In the tech and security industry, it’s easy to get lost in the noise, and I need my team to rise above the rest and strive for success for themselves, their team and their company. And in order for the success to be accomplished they must be a good fit with the rest of the team and always keep in mind that we are just a part of the much larger team.

Finally, what’s the last thing that you do on a Friday evening as you leave the office? Why?

Cyber Security Neighbourhood Watch

http://www.cso.com.au/article/597205/cyber-security-neighbourhood-watch/
Neighbourhood Watch was created in the 1980s, and I recall putting a sticker on the front window of my own home. The idea was simple: if we were all alert to crime, then as a community we could discourage criminals.

This same analogy was the basis of a talk by Steve Glynn, Global Head of Information Security at ANZ Bank, who addressed the topic of Strengthening Digital Trust in the community at the FST Media Future of Security Conference.

He noted that there are real concerns about how customers can embrace security; this was highlighted in the ANZ Corporate Sustainability Report 2015. In the chart (top right corner), Data Security/Technology ranks as the highest importance, while Fraud and Money Laundering also rank highly.

Source: ANZ Sustainability Review 2015

Do I trust you?
Who do you trust? In the branch days you knew the branch teller and trusted the person who served you. In the digital world, however, this paradigm shifts. Taking on the idea that we are stronger as a community, ANZ has been partnering with universities on customer-centric design and also with not-for-profits. Steve talked about the greater role his team has to play: reaching across the divide and taking responsibility to help customers and stakeholders.

He explained that enhancing safety is a team sport; we don’t need to compete in this space. In fact, building better trust is an imperative in a digital world, so collaboration is key, for instance sharing threat intelligence with other banks and tier 2 institutions, which ANZ said it is happy to do.

But is this enough?

Steve Glynn talked about the shortage of skilled staff and said that his team was working with institutions to assist in that cause. In the end, while there is demand for technology improvement, there is also the human element: why does a person click a particular link? Answering that requires examining human behaviour, which is about customer experience and design thinking.

Taking an alternative view on how customers interact with your enterprise can provide new insights.

In addition, Steve noted that we all have too many logs and tools; clearly we will need AI and machine learning, which allow us to amplify the signals.

Should we set up a Cyber NABO?
I’m sure your kids have not heard of Neighbourhood Watch, but NABO is more likely to be on their radar. NABO is a social community startup that provides services for individual neighbourhoods and, in the same vein, has crime prevention as one of its objectives.
My view is that we probably need to look at this model and create a Cyber Neighbourhood Community where we can share threat intelligence and alerts. This could be the only way to win.

As Steve said it needs to be a team sport and can’t be won by individual heroics.

The Future of Multi-factor authentication

http://www.cso.com.au/article/597131/future-multi-factor-authentication/
Most organisations have moved to two-factor authentication for their online banking transactions, but in recent events all the big banks were attacked despite this already being in place.
The question then becomes: if two-factor authentication is not sufficient, do we simply need to move to a multi-factor approach? Let’s recall the definition:
  • Something you have – examples include a physical card, a one-time-password token, or a smartphone
  • Something you know – examples include a PIN, a password, or the answer to a personal question
  • Something you are – examples include a fingerprint, a retina scan, or your voice

It would appear that having and knowing are not enough. So, when evaluating something you are, what would be the appropriate biometric to use?

Biometrics – the Ears have it?
An image of the ear is captured over a number of cycles, and its curves are translated into a series of numbers that can be used as an identifier. Ears are not affected by facial expression or by differences in background scenery.

But people wear jewellery, and hair or glasses frames may obstruct the image. Perhaps the ears are not the best option.

How about your Face?
Facial recognition is one of the most promising options, as we all carry a cell phone capable of being the input device. Most traditional face recognition systems measure the distance between the eyes, the position of the cheekbones, the size of the nose, the jaw line, the chin and so on; the combined measurements become a unique code.
The problem with traditional technology is that you have to stand still and face the camera front on. However, 3D facial recognition sensors capture information about the shape of a face in three dimensions and are less affected by lighting conditions.

Give me a Hand?
Most of us already use fingerprints with our iPhone. Fingerprint identity technology compares the pattern of ridges and furrows on the fingertips.

But fingerprint technology is not well suited to industrial applications because of dirt; in these settings hand geometry is more suitable. This approach measures the dimensions of a hand and compares them to a stored copy.

Eye for Details?
There are technologies to scan the iris or the retina. Retina scans have been adopted as military grade, but there are downsides: a scan requires you to sit still for about 15 seconds.

Please Talk to me?
Voice biometrics are, however, a good way to authenticate. When used with a random phrase, the approach provides strong security and is therefore hard to break.

Intel and Microsoft to the rescue?
Hardened multi-factor authentication is the answer, so how do we all move forward? This has been a cost trade-off that few wanted to tackle. But Intel and Microsoft have now made announcements that would advance this cause.

Microsoft recently announced Active Authentication, which allows enterprises to secure employee, partner and customer access to cloud applications with multi-factor authentication. Multi-factor authentication support has been enabled for Windows Azure Active Directory identities to help secure access to Office 365, Windows Azure and Dynamics CRM Online.

The way this works is that after entering the usual username and password, the user is also required to authenticate with the Active Authentication app on their mobile device, or via an automated phone call or text message.
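
The flow just described (a password first, then a second factor held on a device) maps directly onto the factor list above. The following is an added example and is not code from Microsoft, Intel or the original article: it checks "something you know" against a PBKDF2 password hash and "something you have" with an RFC 6238 time-based one-time password, the kind of code an authenticator app or OTP token displays. The user store, salt and password are constructed for the example; the TOTP seed is the RFC 6238 reference key ("12345678901234567890") in base32, so the codes it produces can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo user store (not a real deployment): a PBKDF2 password hash
# plus a base32 TOTP seed. The seed is the RFC 6238 reference key so the
# output is verifiable; real systems provision a random per-user seed.
_PBKDF2_ROUNDS = 100_000
_DEMO_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


USERS = {
    "alice": {
        "salt": _DEMO_SALT,
        "pw_hash": _hash_password("correct horse battery staple", _DEMO_SALT),
        "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # base32 of the RFC key
    }
}


def verify_password(username: str, password: str) -> bool:
    """Factor 1, 'something you know': constant-time compare of the PBKDF2 hash."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _DEMO_SALT)  # spend the same time for unknown users
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def totp(seed_b32: str, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time counter."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = int(unix_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(seed_b32: str, code: str, unix_time: float, window: int = 1) -> bool:
    """Factor 2, 'something you have': accept the current step and +/- `window`
    steps so that modest clock skew between token and server does not lock users out."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, unix_time + drift * 30), code):
            return True
    return False


def authenticate(username: str, password: str, code: str, unix_time=None) -> str:
    """Two-step check in the order the article describes: password, then device code.
    Returns 'ok', 'bad-password' or 'bad-code' for server-side logging."""
    if unix_time is None:
        unix_time = time.time()
    if not verify_password(username, password):
        return "bad-password"
    if not verify_totp(USERS[username]["totp_seed"], code, unix_time):
        return "bad-code"
    return "ok"


if __name__ == "__main__":
    now = time.time()
    print("current code for alice:", totp(USERS["alice"]["totp_seed"], now))
    print(authenticate("alice", "correct horse battery staple",
                       totp(USERS["alice"]["totp_seed"], now), now))
```

The detailed return value is for the server's own log; the client should only ever see a generic "authentication failed", otherwise an attacker learns which factor they have right. A production version would also remember the last accepted time step per user so that a code cannot be replayed within the acceptance window, and would rate-limit attempts, since a six-digit code has only a million possibilities.
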
Intel has also recently rolled out multi-factor authentication (MFA) technology that works in any new PC equipped with its 6th Generation Core processors. Named Intel Authenticate, it represents a powerful new option.

Perhaps when we can work out an approach that uses Intel and Microsoft in tandem, we will have a secure approach for all of us.

Do you have an Insider Threat Program?

http://www.cso.com.au/article/596948/do-an-insider-threat-program/

Insider threats are increasingly on our radar. We saw a recent example in Australia with a Bluescope Steel employee taking company documents, and in another well-publicised incident two Glaxo Smith Kline research scientists, Yu Xue and Lucy Xi, were charged with stealing trade secrets.

Now, in the murky shadow of WikiLeaks, we have, if you like, ‘a whistleblower on whistleblowers’. A new insider threat program to identify these malicious individuals has been created by the Obama administration’s US Office of National Intelligence, which noted that:
“An insider threat arises when a person with authorized access to U.S. Government resources… uses that access to harm the security of the United States. Malicious insiders can inflict incalculable damage. They enable the enemy to plant boots behind our lines and can compromise our nation's most important endeavours.”

Continuous Evaluation
This is not something that can be opted out of; there is no choice in the matter. In the USA, around 100,000 military personnel, civilians and contractors are under such surveillance.

In scope is total surveillance of US personnel who have access to classified information; it includes emails, messages and other electronic communications (using what are referred to as ‘push and pull’ approaches).

The reality is that this approach is about monitoring electronic behaviour both on the job and off the job to detect potential threats. The US government is clearly taking insider threats seriously.

The Insiders
Both the FBI and the Department of Homeland Security agree that so-called ‘insider threats’ have increased and pose a serious risk. This level of surveillance will capture both the accidental and the malicious.

An ‘accidental insider’ is someone targeted by adversaries, for example through a spear phishing attack that appears to come from a known or friendly source. In the main, such insiders are unaware that there is any potential or actual risk.

On the other hand, ‘malicious insiders’ are individuals who set out to deliberately cause harm; they realise that their actions can cause real damage.

Ultra Sensitive?
Clearly, having an Insider Threat program will always be ultra sensitive. Most enterprises already have some level of this monitoring under way, and there are various tools that both monitor and prevent information leakage.

What is clear, though, is that such reporting often goes to someone in HR or, even worse, a member of IT. It is not that trust is the issue; rather, they (HR and IT) may have no idea which files are actually acceptable to share outside the organisation.

The ‘best practice’ I have seen is where technology, process and people all intersect, and a supervisor gets a notification of which files their staff members have copied.

No Budget

Most enterprises also do not have a budget for insider threats, which works against the issue being taken seriously. Instead we have to approach this problem with the mindset that an ‘insider threat’, whether innocent or malicious, is a near certainty.

Taking that approach means we always have to be on the lookout for such patterns, rather than waiting for an issue to occur.

Against the HR grain

This also means that we proactively monitor our staff at the same time as we preach empowerment and give authority to teams. There are also modern-day work pressures: work is no longer performed only in the office, and sending a file to one’s home email address may be innocent but can’t be allowed in today’s world.
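
Supervisor notification of file copies (the ‘best practice’ above) and the home-email case just described both come down to policy rules run over an audit trail. The following is an added example and not a tool the article mentions: it applies three rules (a file sent to a personal webmail address, a confidential file leaving the organisation, and a bulk copy to removable media inside a short window) to a handful of constructed audit lines and routes each alert to the user’s supervisor rather than to HR or IT. The log format, domains, user names and supervisor mapping are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data). Fields, space separated:
# timestamp user action destination filename classification
SAMPLE_LOG = """\
2016-05-20T09:12:04 jsmith email_send jsmith@example.com quarterly-notes.docx public
2016-05-20T09:15:31 jsmith email_send j.smith@homemail.test q2-forecast.xlsx confidential
2016-05-20T10:02:10 akhan usb_copy USB-SN-4471 design-spec-v3.pdf confidential
2016-05-20T10:02:11 akhan usb_copy USB-SN-4471 design-spec-v4.pdf confidential
2016-05-20T10:02:12 akhan usb_copy USB-SN-4471 bom-master.xlsx internal
2016-05-20T10:02:13 akhan usb_copy USB-SN-4471 vendor-list.xlsx internal
2016-05-20T11:40:00 mlee email_send partner@supplier.test roadmap.pptx confidential
2016-05-20T11:45:00 mlee email_send mlee@example.com lunch-menu.pdf public
"""

# Hypothetical policy data; a real deployment pulls these from the directory and DLP config.
CORPORATE_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"homemail.test"}        # stand-in for consumer webmail domains
SUPERVISORS = {"jsmith": "rpatel", "akhan": "rpatel", "mlee": "dnguyen"}
BULK_THRESHOLD = 3                          # this many removable-media copies ...
BULK_WINDOW = timedelta(minutes=5)          # ... inside this window counts as a bulk export

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, dest, fname, label = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "user": user,
            "action": action, "dest": dest, "file": fname, "label": label}


def event_reasons(ev):
    """Single-event rules; returns every reason the event matches (possibly several)."""
    reasons = []
    if ev["action"] == "email_send":
        domain = ev["dest"].rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_WEBMAIL:
            reasons.append("file sent to a personal webmail address")
        if ev["label"] == "confidential" and domain not in CORPORATE_DOMAINS:
            reasons.append("confidential file sent outside the organisation")
    elif ev["action"] == "usb_copy" and ev["label"] == "confidential":
        reasons.append("confidential file copied to removable media")
    return reasons


def detect(log_text):
    """Run the single-event rules plus a per-user bulk-copy rule; return alert dicts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = [{"ts": ev["ts"], "user": ev["user"], "file": ev["file"], "reason": r}
              for ev in events for r in event_reasons(ev)]
    copies = defaultdict(list)
    for ev in events:
        if ev["action"] == "usb_copy":
            copies[ev["user"]].append(ev["ts"])
    for user, stamps in copies.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append({"ts": stamps[end], "user": user, "file": None,
                               "reason": "%d files copied to removable media within %s"
                                         % (end - start + 1, BULK_WINDOW)})
                break                            # one bulk alert per user is enough
    return alerts


def supervisor_notifications(alerts):
    """Route each alert to the user's supervisor; unknown users fall back to the security team."""
    routed = defaultdict(list)
    for a in alerts:
        routed[SUPERVISORS.get(a["user"], "security-team")].append(a)
    return dict(routed)


if __name__ == "__main__":
    for boss, items in supervisor_notifications(detect(SAMPLE_LOG)).items():
        print("Notify %s:" % boss)
        for a in items:
            print("  %s %s %s: %s" % (a["ts"], a["user"], a["file"] or "-", a["reason"]))
```

The routing is the point: the supervisor knows whether the quarterly forecast going to a home address is a genuine need or a problem, which is exactly the judgement HR or IT cannot make. The classification label on each line is what makes the rules precise; without labelling, every external email becomes an alert and the supervisor learns to ignore them.
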

A recent Harvard article talked about “how most of us think about trust as a black and white decision”.

“We trust you or we don’t. In business relationships, trust is rarely so clear cut…… rather than black or white, a better approach is to think of trust more like a barometer. Trust goes up and down depending on the circumstances”

Unfortunately it is not good enough to follow your natural tendency and base trust on gut reaction. We all need to look at putting in place an Insider Threat program, and specifically a Continuous Monitoring approach.

Do you punish someone who has Malware?

http://www.cso.com.au/article/597069/do-punish-someone-who-has-malware/
Recently I was on a CIO Leaders Summit panel with three delegates, each reporting back from the breakouts on Customer Experience, Digital and Cyber Security.

My group was Customer Experience, which I explained embraced all the elements of Digital, Cyber Security and Analytics. We had a great debate and banter until one of my colleagues commented that when a staff member gets malware he wants to “cut off their hand”.

The idea of punishing someone for getting malware is abhorrent to me. But if you are a CISO, then you have to mobilise your team and address the issue. So what is the right answer here?

The case to punish

It is simple: the individual has been irresponsible and created a risk for the business by visiting a site or clicking a link. For that they should be punished, and the big stick brought out.

The stick will start to change the behaviour of staff who don’t care or are reckless. It also potentially makes the CISO and his team seen as the police who exist to catch the bad guys, both internally and externally.

The case against punishing

Again, the principle is simple. If you punish staff for getting malware, incidents will go unreported, or at least reporting will be delayed, because the consequences are feared.
When it comes to malware, we need the issue addressed as soon as possible so that it can be isolated. That argues for the CISO being a more benevolent manager who does not punish the staff member, and even avoids scolding that person.

Let’s remember that malware, when delivered by phishing, targets executives and board members. I don’t think punishing or scolding them is a good career move.

New thinking on this problem
Recently I came across a new startup that is attempting to tackle this issue using an employee-based intrusion prevention system with automated phishing-mitigation response. Ironscales, out of Israel, trains staff to recognise malware using gamification: employees are presented with simulations of real-world email phishing attacks.

I think you get the picture about being battle hardened and prepared for the enemy. In this case staff are the front line, and when they are able to spot a malware attack they become assets rather than liabilities.

Should I Reward Behaviour?

Yes, I think that is the only way to combat this threat. By engaging your team with ‘carrot and stick’, perhaps you stand a better chance. Put simply, you can offer a ‘carrot’ to staff who report malware, or go further and look at options such as Ironscales.

Originally I thought that rewarding staff for reporting this to the helpdesk might be taking it too far, but that is better than punishing them for telling you.

It is a dilemma, and if you get the tension right it will help you with this battle.

7 Questions to ask your CFO to get more Cyber Security Investment

CISO Interview Series: Leon Fouche, Partner, Cyber Security and Technology Risk, BDO in Australia

Many organisations are embarking on transformation journeys to reshape their business and move into digital. Do you see them understanding the importance of Cyber Security in that change?
There are various levels of maturity in the market. On the one end you have organisations that understand that information is an asset that needs to be appropriately protected. These organisations tend to have well established internal risk management strategies and processes that will assess the risks of adopting and implementing new technology and guidance on how to mitigate these risks.

Then on the other end of the spectrum you have organisations who want to be innovative and first to market, but who sometimes lose focus of security. These organisations are likely to be more focused on the digital solution and often consider security late in the cycle (i.e. security is built in and not designed in).

Finally in the middle are often the ‘followers’. These are organisations that feel they might be missing out on an opportunity because they don’t have a service offering and rush in for a solution. Unfortunately, this means they may not give enough attention to the associated security risks.

Leon, you work with many CIOs and CISOs. When you think about the ones that you really rate, what are the attributes that really count?
The really great CIOs and CISOs are those who understand that information is a business asset. They also understand the strategic threats in their industry and their business. At the same time they have a good relationship with the Board and C-suite of their business.

Their personal manner is innovative and they proactively work with the business to achieve outcomes.

I’ve also noted that they don’t take the position of “no, that can’t be done”. There is a ‘can do’ attitude and they are definitely not a “door mat”.

Also they tend to understand the business and supply chain and what the risk exposures are within each component of the supply chain. They also have an industry/market presence and actively participate in the industry (a great example of a professional that I really rate is Mike Burgess from Telstra).

As organisations move into the cloud and into effectively hybrid environments, what’s your view on managing these threats? Surely the risks are higher and the skills required are increased?
Yes. That is correct. It is important for organisations to understand that using the cloud does not mean they have “outsourced” their risks and that someone else is taking care of it. The risks and their treatment remain their responsibility.

Organisations must have a true understanding of the whole IT services supply chain and what the security risks are within that. With that in mind, it is important to have a good understanding of what I refer to as CIA (confidentiality, integrity and availability) within the IT services supply chain.

It is also important to know who is responsible for each service component – especially in a hybrid environment where service delivery is shared. Plus organisations also need to invest in getting contract and partner management capability.

Most organisations do not invest enough in Cyber Security. When you talk to CFOs, what are the questions that you ask to try to convince them that they need to reconsider this position?
The dialogue would be a series of questions and clearly I would be watching for body language and the CFO’s responsiveness. I would start by asking:
  • What is your most valuable asset in your business? If IT systems and corporate information are not in their response, I always ask why not.
  • Do you know what the financial and reputational impact will be if normal business operations are interrupted by a cyber-incident?
  • What strategies do you have in place to recover from a cyber-incident? When was the last time you tested this?
  • What level of insurance do you have to cover for business interruption? Does it cover cyber incidents?
  • Do you know what your competitors are doing in this space?
  • How much of your business spend is allocated to cyber security and can you measure the return on investment? If not, do you want to?
  • Do you understand the regulatory environment and how that could impact your business if there is a cyber incident?
Give it a try; this approach has worked well for me in the past.

What’s your view on boards’ awareness of cyber security risks in enterprises? Is enough being done to educate them?
There has been some good progress here and we are seeing more boards now starting to discuss cyber risks within their organisation.

The Media has played a role in this education process. For instance leading up to G20 in 2014, the local media regularly reported on cyber risks and impacts, which helped the Queensland business community become more aware of cyber risks. Then there is a role for Risk and Audit Committees to play in doing more to educate the board on cyber risks within their business.

We also find that Non-Executive Directors who sit on multiple boards help with the education process. Despite this, there appears to be a general lack of awareness amongst boards about their liability in regard to cyber-incidents, and this is no different to their traditional statutory responsibilities.

Overall there is more work to be done to get Boards to shift from just awareness and education into action – with a commitment to ongoing assessment, remedy and assurance of cyber risks.

When I think about two-speed IT (Run IT and Change IT), both come with different threats and opportunities. What’s your view on managing this?

For me the Social networks, the Internet of Things, big data, amongst other things, are “business disruptors” that organisations will need to consider/assess in line with their business strategy and planning to determine if and how they adopt them.

These will likely introduce new threats and opportunities which organisations need to assess, understanding how these will impact their industry, business, staff and customers. Thus it is important for organisations not to lose sight of the basics – remember that information is an asset and it needs to be appropriately protected (think CIA approach) anywhere and anytime.

Thus, with this in mind, the same risk management principles apply – have a good understanding of your risks, consider how they measure up against your risk appetite, and put plans in place to manage this or bring the risk back to a level you are comfortable with.

I’ve been writing recently about managing threats to critical infrastructure. What’s your view on how mature the Australian environment is?

Firstly, my view is that critical infrastructure is defined as what government describes as assets central to the functioning of a society and economy. The critical infrastructure operators in Australia are growing in their understanding of the cyber risks within their industry segment and environment.
However at the moment, Australia doesn’t have firm cyber security industry standards that critical infrastructure providers need to adhere to, such as NIST. The Australian Cyber Security Centre recently released its first public report on the threats to critical infrastructure operators and industry sectors. This means there is just now a wider awareness of the cyber threats within the different sectors.

Infrastructure operators are now in a position to work through these threats as part of their strategic cyber planning activities – many have already started working on improving their cyber resilience.

The Banking and Telecommunications sectors are the clear front runners, and utility operators, that is Electricity & Water operators, are lagging behind the rest. This is mainly due to the geographical spread of their Industrial Control Systems (ICS) and how these integrate back into corporate networks.

Let’s remember that the other challenge within this sector is that legacy ICS systems were designed for high availability with limited focus on security. Newer ICS systems have better security, but it will be a while before these are implemented.

In summary, some sectors are more mature than others, but a lot more needs to be done.