CIO

Despite new mandates, compliance-driven security is hindering Australian businesses

Companies must align business and IT views of risk to close the ‘gap of grief’

Australian IT experts are struggling to secure increasingly complex networks and increasing compliance pressure isn’t providing enough incentive for change, a security expert has warned as looming breach-notification legislation threatens to publicly expose poor risk management practices and their consequences.

Such legislation may have taken years to pass through Australia’s Parliament, but jurisdictions in the US and Europe passed breach-notification laws years ago and are already moving well past simple compliance. This situation creates serious potential risks for Australian companies, where the focus on meeting a perceived compliance deadline is already seeing many organisations approaching the issue with blinkers on.

The new legislation “is a very positive step in the right direction, but what I’m not seeing is that the penalties are significant enough for people to want to pay attention,” warns Antoine Le Tard, ANZ general manager with RSA. “Senior executives are paying attention because their jobs are at stake – but right now I’m not convinced that the penalties are significant enough for organisations to decide to do something serious about this.”

Just what constitutes a “serious” response varies between companies, but Le Tard says that it extends far beyond just ensuring compliance with arbitrary standards. Using more-mature US companies and local large enterprises as an example, he says, many are looking at continuous monitoring of network elements and active controls to ensure their security regimes are assiduously protective – as well as being deeply ingrained into their corporate cultures.

Broadly speaking, Le Tard warns, Australian organisations are still 2 to 3 years behind their overseas counterparts due largely to what he calls ‘the gap of grief’ – the ongoing, systemic failure to translate technological risk into terms that support rapidly-changing business objectives. This, in turn, is keeping security practice lagging behind the pace of transformational business strategy – compromising emerging requirements for business-driven security.

“There’s a requirement for organisations to innovate at a much faster pace to keep up with the ever-changing landscape,” Le Tard says. “This has seen the security attack surface expand exponentially: it can now be any IP enabled device, anywhere. This is going to have a fundamental impact on the way businesses view risk, and cyber risk, as part of their overall risk management.”

The impact of the gap between security objectives and business practice was starkly observed in a study by Verizon, which helps companies attain certification to Payment Card Industry Data Security Standard (PCI DSS) requirements but found during an audit that only 28.6 percent of certified companies were still compliant a year later. While a checklist-security mentality had given the remaining 71.4 percent of companies the right to claim PCI DSS compliance for the entire year, the hard truth is that they were vulnerable in security terms.

This translates poorly when the implications of such a gap are considered in business terms, which is why business organisations like the Australian Institute of Company Directors (AICD) have recently jumped aboard the cybersecurity train. A growing body of AICD advice now explicitly pushes directors to get on top of their changing cybersecurity risk exposure, with one recent presentation speaker advising 5 questions company directors should ask about their cybersecurity posture.

These include considering what cybersecurity means to the organisation, in terms of confidentiality, integrity, and availability; who the key people responsible for cybersecurity are; how vulnerable the organisation is; what the organisation’s risk tolerance and exposure are; and what the company’s long-term strategy for dealing with cybersecurity is.

Such systematic approaches can go a long way towards clarifying the business side of the gap of grief – and that is a “really positive thing”, Le Tard says. “There are conversations we’re starting to see at the board level,” he explains. “They’re not just environmental or strategic, but it is now something that they are starting to pay attention to.”

“Their participation introduces concepts they hadn’t quite concentrated on in the past,” he continues. “Deciding the risk tolerance and risk culture that they are prepared to accept within the organisation sets the tone on how the organisations and people in those organisations should be viewing what they do.”

Increasing participation by board members and company executives, however, also complicates a cybersecurity paradigm that has been predominantly driven by technologists in the past. Previous working models typically had technology-driven project teams tasked with implementing specific technologies to support a business objective, but few of those team members were given business context to understand the role of those projects within the larger organisation.

While in many ways a natural outcome of the corporate structure’s compartmentalised design, such practices also reflect a manifestation of the gap of grief in which business and technological outcomes are often only loosely aligned.

For example, in planning for breach notification laws the business might be focused on ensuring that it has implemented processes to monitor the company’s cybersecurity status and to manage any issues when a breach arises; the IT department, by contrast, may be more focused on preventing such a breach in the first place but will have little input into how the business manages reputational or operational damage should such an incident occur.

Bridging these perceptual gaps is as important to implementing business-driven security as any form of compliance-driven security, Le Tard says. This includes introducing active security monitoring to speed detection on the technology side, as well as developing clear business-related linkages so that cybersecurity incidents can be immediately evaluated in terms of their risk to the business.

Once this translation is made, businesses will be better equipped to position cybersecurity risk within the context of their expanding risk management framework. And that, in the end, is the key to business-driven security: moving from simply identifying cybersecurity as a risk needing management, to having the tools and processes for organisations to better understand their risk appetites.

“If organisations look at continuous monitoring and endpoint type technologies with the necessary teams wrapped around them, they get benefits from that,” Le Tard says. “Creating an agile platform reduces your dependency on static controls and infrastructure, providing the necessary processes to monitor risk in real time.”

“Leadership plays a significant role in cultural transformation, and risk is good because it drives innovation forward. But managing it securely is about continually reinforcing with people in your business the impact that they could have on the organisations through actions that they do – or do not – take. Considering cyber risk, and their daily culture, will reduce the amount of risk they expose the organisation to in the long run.”