If you are going to run a cyber security event and conference in Sydney, Australia, it would make sense to have the man who is responsible for protecting the entire nation against cyber-crime come and speak to your guests. That’s exactly what McAfee did.
Alastair MacGibbon is the National Cyber Security Advisor at the Department of Home Affairs and concurrently is the Head of the Australian Cyber Security Centre.
|Australia National Cyber Security Advisor Alastair MacGibbon Shares his Views with the MPOWER 2018 Audience|
In his own words, Alastair “has a mandate to protect both the public and private sector”, and given that he highlighted stats which suggest that one in four Australians are affected by cybercrime, it’s a pretty important role to hold. Sharing his views on cyber security issues is helpful, and others responsible for security can benefit from understanding the areas that he feels matter.
In Alastair’s view, cyber security should be a “risk mitigator and a business enabler”, and here immediately is one of the major problems that Alastair sees. For security professionals to be successful in an ever more demanding role, they need the support and buy-in of C-levels in the lines of business. The problem (as Alastair explains it) is one of linguistics and communication. Put simply, the C-levels that control the purse strings and steer company strategy do not have a full grasp of the cyber threats they face.
Alastair told us how he has on a few occasions suggested building a “lexicon” of security terms to bridge the communication gap between non-experts and experts.
It’s a salient and important point that, in our view at CSA, security professionals should take very seriously. It’s incumbent on “us” to inform and set expectations in a way that line-of-business C-levels can truly understand, so that the correct resource is allocated to this discipline, which, as Alastair points out, should be viewed not just as risk mitigation but as business enablement.
Bringing the subject back to risk, Alastair defined his role at a high level in these terms. He wants to reduce the risk of a successful attack occurring. He also wants to reduce the impact of successful attacks if they do occur, and aligned with this there needs to be an ongoing acknowledgement that breaches will happen.
He put a very interesting spin on how these aims can be achieved when he spoke about “driving up cost” for cyber criminals. It’s a simple concept, but it draws on his time as a police officer and his analysis of how criminals operate. In Alastair’s experience, criminals always take the low-hanging fruit. If a crime is easy, they will take advantage; if the cost and complexity of a successful crime goes up, fewer people will try in the first place; and if the reward is less than the cost, perhaps no-one will try.
For Alastair, cyber criminals are just another type of criminal. If he can find ways to drive up the cost and complexity of their tasks, the number of attacks will go down. To our way of thinking at CSA, it’s a great approach and should be embedded in the thoughts of all security professionals.
Coming back to the idea of analysing the “psychology” of an attack, the concept was borne out in a later presentation given by Narelle Devine, the Chief Information Security Officer for Australia’s Department of Human Services. Narelle explained that as she built her team, she quickly realised that understanding why you are being attacked is as important as how. Accordingly, she has recruited psychologists and lawyers into her team to complement the work the technologists do.
Narelle’s presentation focused on her view that Cyber Security is a people business and not an IT one. Alastair concurred, also spending time to impress on those listening that people are the most important asset in the fight against cyber security threats.
|Narelle Devine CISO at Dept of Human Services Shares her Thoughts on Why Cyber Security is a People Business|
Alastair referred to a number of different reports, including McAfee’s own talent report, which suggest there is a shortage of people with security skills in Australia. Alastair, however, zoned in on the low number of female security professionals, stating it’s somewhere between 11% and 25%, depending on whose stats you believe.
Alastair’s point is simple. If you believe (as he does) that people are the most important asset in the fight against cyber-crime, then by having such a low percentage of women we are not giving ourselves the chance to find “the best DNA” to do the job. In his opinion, getting the best minds is absolutely critical.
|According to Alastair and Narelle – It’s All About the People|
As the attendees of this year’s MPOWER get back to their offices, some of this advice will prove invaluable as they build out their own strategies. The challenge will be, can they get their C-levels to understand these strategies deeply enough to fully buy in?