During the unforgettable year for cybersecurity that was 2017, at Microsoft we wanted to understand how CISOs are considering the new landscape and evolving their thinking.
The news of the year around the globe seemed dominated by cybersecurity events—attacks that breached privacy, were costly and had a broad impact on organisations’ reputation. So, while in Sydney at the end of the year, I hosted a round-table of CISOs from Australian Industry and Public Sector.
I talk to CISOs around the world—but the Sydney round-table was a rare chance for a group discussion on cybersecurity threats, pending privacy legislation, the promise of digital transformation, and ideas to fill the skills gap.
Australia was no exception to the global experience in the past year. According to Australia’s new Cyber Security Strategy, cybercrime costs Australians up to $17 billion annually. An Accenture study shows that cybercrime in Australia grew by over 25% last year. But 2017 was not a high-water mark and we can expect attacks to accelerate. Among the top concerns for 2018 are an arms race of machine learning between hackers and defenders, evolving ransomware and potential exploits in server-less applications.
Australia’s new mandatory data breach notification law will demand more transparency around how breaches are handled. Privacy is also a growing concern. The General Data Protection Regulation offers EU citizens increased control over their data. Australia is not among the dozen or so countries that the European Commission listed as providing adequate protection. Penalties for failing to comply are severe and the stakes have never been higher.
At the same time, digital transformation continues to gather momentum. Industry and government agencies are aware of the potential to improve products and services, increase the efficiency of operations, empower employees and engage customers and citizens. Data has never been more valuable. While every step along the journey towards digital transformation has promise, it also magnifies risk.
We have a shared responsibility
As business and technology leaders, we have a shared responsibility to identify, share information and act on the most serious cybersecurity challenges.
The heightened sense of cyber threat brings with it an opportunity to change the story. But if we’re to do this, security teams need to be part of the first conversation. While 59% of board members believe their cybersecurity practices are very effective (according to The Association of Corporate Counsel Australia), only 18% of IT security professionals agree. This has serious repercussions for the management of cyber risk.
The Sydney round-table was a fascinating session. We’ve distilled our discussion into themes that will be useful in framing the conversation within your organisation and more broadly across industries.
Security is a team sport, and everybody needs to be part of the solution. We need to promote a culture of continuous education because, when it comes to cybersecurity, we must never stop learning.