IN:SIGHT talks to Telstra’s Chief Risk Officer (CRO) Kate Hughes and Chief Information Security Officer (CISO) Mike Burgess about the most effective ways senior management can counter new security threats
Q: What are the major challenges facing Australian business leaders who are responsible for protecting the privacy of consumers and suppliers?
Mike Burgess: Cybercrime in the end is just crime – people are stealing data and hacktivism is just another form of protest. However, technology and improved connectivity means that espionage, protests and mistakes can occur at an unprecedented pace and scale.
Look at what happened to US health insurance giant Anthem, where the health records of 80 million customers were stolen. That amount of documentation would take roughly a million pages of double-sided paper to fill. It would take someone about two months working full-time standing at a photocopier to copy, but it probably took less than an hour to remove that information via a computer across the Internet.
Kate Hughes: There’s been a general cultural shift in the business community that has reignited the value of data. We all think we could market better to our customers if we knew more about them and so we go on these hunts for more data and holding all that data puts us at risk.
This is exacerbated by the fact that supply chains of most large corporations are deeper and more complex than they’ve ever been. With all of those vendors in there, you know, you are further increasing the risk that they will either deliberately, maliciously, or just mistakenly mistreat your data.
Q: Given the diversity of cyber security challenges, who inside the business should have the most insight into emerging threats?
Mike Burgess: It is a leadership issue first and foremost. The business leaders have to understand that collecting and using more data carries with it an ever-increasing threat.
Kate Hughes: Mike and I work very closely together on this because we consider it a business risk, not an IT risk. There are elements of IT risk in it, but we also need to look at the relationship between our business units, the risks at the coalface and how those risks manifest themselves. We can’t fight a good battle until people understand how they introduce cyber risk to a business and how even the simplest things such as access codes to buildings, the security of staff and our employee vetting processes all contribute to the company’s risk profile.
There’s no point having the world’s best firewalls if we inadvertently open the door to a hacker by plugging a USB key into a laptop.
Q: How does Telstra assess the risks associated with cyber and IT-based threats?
Kate Hughes: Most businesses have traditionally viewed these threats as IT or technically related so they’ve used those departments to come up with technical solutions. At Telstra, we’ve taken a much more collaborative approach where we expect every line of business and every business unit to understand how cyber risk manifests for them. They then incorporate that risk into an overarching governance framework that recognises that cyber risk doesn’t exist in and of itself.
Q: How have the obligations of large companies changed in recent years, particularly regarding data protection, privacy and cyber security?
Mike Burgess: Governments and regulators are still adapting to this connected world and the law is still evolving. The Australian government has recently indicated strongly that it will introduce mandatory data breach notifications.
Kate Hughes: Governments want to treat the Internet and cyber security as though it has regional boundaries, which it doesn’t. Laws need to recognise that in fact data can easily be sent round the world in a matter of seconds. So I do think that regulation has kept pace.
But I also think it’s incumbent on the business community to take the initiative by having regular discussions about things such as privacy. For example, who owns the data captured by your Fitbit? If I share that information with my employer, could they usefully act on it? If I shared it with my health insurer, could they usefully act on it? The privacy legislation we’ve got now still doesn’t fully understand how personal information can be collected in a big data environment and how supposedly anonymous data could become re-identifiable with the right steps.
The extent of the risk has come as a bit of a culture shock for a couple of large Australian organisations that now have data that’s considered incredibly attractive to other countries and to other large companies. Cyber threats today are as much about industrial espionage as anything else.
Organisations are certainly going to have to increase their levels of data protection and risk mitigation, not because the regulator says so, but because their customers would not forgive them if their data was stolen.
Q: At the most senior level, what kinds of strategies are proving most effective for preparing for and ultimately combating cyber security threats?
Mike Burgess: At Telstra we refer to the ‘Five Knows of Cyber Security’: knowing the value of the data, where that data is, who has access to the data, who is protecting the data, and how well it’s protected.
And if you don’t know the answers to those five things, how can you possibly assess the business risk?
Kate Hughes: Yes, get away from the technical jargon and terms, and from seeing this as some kind of rare specialisation, when it is really a serious commercial business risk.
We need to talk about cyber risk in the same way that we talk about business resilience, privacy and safety as business risks.
Q: What are the main challenges to adopting an effective security strategy to prepare for cyber security threats?
Mike Burgess: People still believe this is a computer problem and therefore it’s not their responsibility and leave it to the IT department.
Kate Hughes: The challenge has been getting the first line in our business to be accountable. It’s really easy for us to sit here and talk about some really sophisticated hacking activity, but it can be as simple as the employee who gets an email and clicks on the link in an unsafe environment, downloading malware or ransomware onto the computer.
Where we see people behaving badly or potentially not understanding what they are doing, they will get a friendly phone call from their security team to talk about what they did and how they might do it more safely.
They’ll also have a conversation with their risk manager. That will be about making sure the teams involved really understand what’s required and that our policies are well understood.
Q: Can adopting a strategic approach to data protection and privacy security improve other areas of the business?
Kate Hughes: Absolutely. No doubt about it. We have recently done some revisions to our cyber risk framework to align it more closely with our broader enterprise risk management framework. We cause significant customer dissatisfaction when we have an information security problem that often results in a privacy issue. It may also end up costing us money to compensate or take remedial action for the customer. We know we can achieve good business outcomes when we can look at this as a holistic situation rather than trying to deal with these risks in isolation.
We have had internal guidelines at Telstra for a very long time about how we report breaches to our customers. We also notify customers every time we feel that a customer has been at risk from a breach.
Mike Burgess: When we engage with a business, it’s not just cyber security that’s important. It’s about data management, where cyber security is important, but only one component of a greater range of things that can cause problems.
Q: What do CROs need to do to integrate emerging cyber security threats into an overall risk and response strategy?
Kate Hughes: The first thing you need to do is make sure your enterprise-wide assessment processes take cyber risk fully into account. You want your technical experts to be able to help you, but it’s the same as any other risk management strategy.
When you understand that risk at every level of your business, you can be sure that the management of a product release or the finalisation of a product is being done within a holistic risk management strategy.
This means understanding the cyber risk not just from a security perspective but from a privacy, data protection and commercial level. We make decisions every day not to retain certain bits of data because it’s too costly to do so and it’s not appropriate from a privacy perspective. If you have all of those voices in the room when you make those decisions, you’ll get a really good business outcome, especially if you know where to go to in your organisation.
Mike Burgess: Chief risk officers should not let cyber security risk become something special and different. It is just another significant business risk these days and if you take the same approach to the way businesses manage other significant risks, you’ll get a far more effective outcome. You can’t let it become special.
Kate Hughes, Telstra Chief Risk Officer
Kate Hughes has responsibility for enterprise-wide risk management, security and compliance.
Mike Burgess, Telstra Chief Information Security Officer
Mike joined Telstra in February 2013. He has more than 18 years’ experience fighting cyber-crime and espionage in government agencies at the forefront of national cyber security.
Idea in brief
- Cyber security is a leadership issue first and foremost
- Cyber security is a business risk – not an IT risk. Many businesses still regard cyber security as a technical issue that can be dealt with by IT departments
- Business leaders need to understand the value of cyber security from a commercial perspective
- Every department and all staff need to be aware of their responsibilities in an enterprise-wide security framework
- Adopting a holistic approach to cyber security leads to positive business outcomes.
Ask your Telstra AE about how to use security and privacy strategies to protect customers and improve your business.
Or, to find out more, our Cyber Security Report 2016 virtual event is now live for registrations.