Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
All right. So, Mark, you are on the forefront, it seems like, with Information Professionals Group, on what's going on in the solution space, in the technology space, in building those companies, so you're the perfect person to talk to about this topic of the roles in cyber governance and assurance in technology, right? So when we're talking about assurance in technology, we're talking about security around technology, making sure that information is safe, that it's available when customers need it, when companies need it, that their data is protected and all the other stuff that we recognize in the cybersecurity and the IT space. Something that's been top of mind for a lot of people and that has been sort of on my mind this week is the convergence of IT and security. The IT team, the guys who are almost exclusively focused on making things run today, right. They set it, it works, kind of set it and forget it, whereas the attitude in cybersecurity is a little bit different. It's always moving, it's a nebulous concept. The threat landscape is always evolving, it's always changing, so there's a little bit of friction between those two teams. How do you help leaders, and how do you see leaders in the field solving that problem of friction between the IT teams and the cybersecurity teams? I mean, what is the fix here? Is it a leadership issue? Is it a technological issue? How do you view this problem?
Speaker 2 (01:36):
Yeah, look, ultimately, Josh, it's all of those things, right, but the key question probably is, where do you start? And, you know, like we mentioned in that brief conversation earlier before we started this podcast, often cybersecurity comes into play and there's a pre-go-live pen test gets thrown in there, right, as if that's somehow going to be this sort of magic pudding to protect risk at the very end of the life cycle. And so the first challenge is how do you actually move some of those actions, activities, further up the life cycle and, in doing so, how do you get the cyber perspectives and the technology perspectives working together? But, you know, we've solved these problems before. This isn't new, if you look at the history of technology. How do you get business interests and technology interests actually aligned? How do you get architectural standards and enterprise architecture direction aligned with solving business problems in technology? All these challenges we've dealt with, obviously, in different organizations. They've dealt with them to varying degrees, right, some are even doing that not that successfully, some more successfully, and so they give us a pretty good read on how to start embedding cybersecurity back into the development lifecycle and further up the lifecycle, and there's a whole range of capabilities that need to get developed. Obviously, leadership is a key aspect to that. Recognizing that, number one, it's important to do this. But, you know, throwing in the pen test pre-go-live, yeah, it might protect against a couple of risks, but there's probably a few things you could do in addition to that. And is it even going to be the most cost-effective, risk-effective way of dealing with it? Probably not. And so that's the first thing, is recognition. That's the first step of any change, is recognizing things need to change, and then moving it up the life cycle. So, yeah, there's techniques around with DevSecOps and so forth, DevOps, of course, but then DevSecOps, integrating security, but, yeah, I would say that there's still quite rare implementations of that. Yeah, that's quite an advanced concept, and in many organizations they're still not there. Where I see it, there is probably in smaller organizations, and particularly smaller organizations that can operate greenfield, really stand up best practices from the beginning. Longer term, older organizations and those that are bigger tend to be quite entrenched in their practices, and that can be hard to change, and that's, of course, where stronger leadership is required and also some persistency to be trying to change these things over a long term, because not everything will work, and eventually building capability and building new culture and new practices. But right at the start, cybersecurity can inject themselves if they've got capacity. And I would say, even with good intent, those organizations that I see struggling, it's because they just don't have the cybersecurity capacity. They're dealing with the back end of the life cycle, doing what's mandatory, almost compliance-based activity, just to be able to tick the right boxes to get things live, and so do they have the capacity to actually operate up in the early stages of the lifecycle? That can be really difficult for them. So again, there's a challenge for leaders in allocating personnel, allocating resource, maybe different types of resources as well, to be able to inject themselves in the early stages of the life cycle. So back when solutions are being talked about, when they're being architected, there's a cybersecurity element in there, and that can be incredibly beneficial, of course, because right there you can start architecting solutions to go, well, is there a way in which we can isolate some of that traffic from certain environments? Or is there a way in which we can actually move any personally identifiable information off of that solution and do things in a different way? You can start thinking about cybersecurity as a design problem or a design challenge right at the very beginning, and by doing that then you're also embedding some of those capabilities into the development and architecture teams who are actually doing that upfront design work. They learn and they're building capability, and so it's a really beneficial thing to do if organizations can do it. One is, do they have the cybersecurity architecture expertise, which is a bit more senior, to be able to apply, and do they have the capacity to do it? But that would be the first step that they should probably try to do: get in front of the lifecycle at the very beginning, and then they can be involved on the way through, very much like an architecture review board or an architecture assurance board does that around enterprise architecture standards. They define cybersecurity architecture standards and then they embed that into the lifecycle. So that's really the place where every organization should be able to get to.
Speaker 1 (07:01):
It's very efficient. It reminds me of a conversation that I had yesterday with a fellow named Dave Brown, and Dave brought up a really interesting idea. So he was summoned by the Joint Chief of Staff. The request was to bring down the cost of cybersecurity, right. The Joint Chief of Staff said something like anything in the budget that's over 3%, or anything that's over 3% of the budget, is a line item, so he has to manage that budget. So he said cybersecurity is right there, right over the 3% line, and he was like, okay, how do I get that under the 3% line? And similar to what you were saying, at least what I'm hearing, his idea was that you embed cybersecurity into the technology, and so when you're embedding cybersecurity into these projects and into the software, then it becomes integrated and just a part of the process, right. So you can streamline the process. You maintain the capacity for cybersecurity to operate and function properly, but you cut the costs, right, so they're able to get below that three percent. It wasn't a line item and the Joint Chief of Staff didn't have to worry about it, right?
Speaker 2 (08:51):
So, yeah, it's always a good question about governance, is, you know, who has control of the purse strings, so to speak, right, like who has control of the budget? And ultimately that needs to be aligned, in the ideal organization, that needs to be aligned with the accountabilities and the KPIs, right. So it's fine, I'm sure some of your audience members have had situations where they might be accountable for some KPIs, but they know that they've got a lot of difficulty actually controlling that. They may not have any budget to be able to drive it either, and that doesn't make it impossible, but it does make it more challenging. And so ideally, that's firstly on the budget: yes, budget is important, but also making sure it's aligned with KPIs and performance expectations to drive the right behaviors. And so I think it depends, though, in answering that question, I think it depends on the maturity curve as to where an organization is at. So it may well be, in the initial stages, because you do need a particular drive and you do need a focus, then you might actually have the CISO who has actually got accountability for driving certain inputs into the software development lifecycle, early stages of investments, for instance, and they've got to be able to have a scorecard of some kind that goes, yeah, we've verified that design or we've approved that architecture or whatever it is. Whatever that accountability is, you have something to verify that they're actually injecting their expertise and having that influence as early as possible. Now, is that going to be great long term? Probably you want to move to a different model. Long term, you probably want to move to having your software development managers, CIOs, potentially even much more directly accountable for the extent to which their solutions are maintaining standards in terms of cybersecurity practice, right, and they might get an incremental budget as part of their KPIs to be able to do that. So I think these things evolve and it's all about what's fit for purpose for that organization at the time to drive the right behaviors, and that's going to be based on where the weakness areas are. But there's always a good case, when there's a key weakness and low maturity, of actually having somebody who's very focused, an evangelist, an advocate, to drive that, but knowing that there is a stepping stone and that this is a stepping stone whereby executives that are in place at the moment will have additional things added to their accountabilities over time, and so this is an opportunity for them to learn and embrace that, as opposed to, no, this is something which can be dismissed over a period of time, so I've just got to outlast it. That can sometimes be a behavior in some organizations with a lot of inertia and difficulty to change, is that executives do try and outlast new initiatives like this, right, and I think, I'll just ignore this problem until it goes away.
Speaker 1 (11:58):
Until it goes away, yeah.
Speaker 2 (12:03):
So that's where it has to be evolving and it has to change over time. But having an initial sort of targeted pursuit by one or more individuals, knowing that's going to transition into executives as part of their standard operating arrangements, has to be part of the mix.
Speaker 1 (12:21):
This is going to be a little bit controversial and I don't want people to come after me. I'm just asking the question. Okay, so, because let's assume that we're embedding cybersecurity more and more into software and into these systems, does that mean that the CSO, the CISO, ciso, however we want to call them, CISO? Actually, I never heard "CISO" before, and that's why I love the different versions of this. I've heard CISO, ciso, ciso. Okay, so we'll go with CISO today. Should the CISO then, at that point, report to the CIO, because everything is being embedded into the technology, right? Everything is being embedded into the software, into the processes, into the tool sets. Or should those two functions have their own budget? Should it be separate? I know that's not totally fair. You can say that, you know, a caveat with that is that every organization is different. You know, all things being equal, you know, it would be a different universe, but what do you think about that?
Speaker 2 (13:32):
Yeah, Josh, I have a very clear view on this, and I think it's a good indication, just where certain roles are positioned in organizations. It's a good indication of their maturity of thinking about that function. And so the CISO, CSO, whatever we're calling it, that's another good example of where you can get a read on the maturity of an organization, not in a judgmental way, but just where they are in their journey. You can get a read on that based on where they position some of these roles. And so you take a CISO. Number one, of course, they don't have one. That's probably the perfect example of a low level of maturity around information security, is they don't have a CISO, and so somebody else within, probably, the CIO's organization is kind of wearing another hat as an add-on to whatever function they're doing there, and that could actually be the CIO themselves, but in some cases that's what happens, and so that's a first level of maturity. And then the second level, yeah, they do have a CISO, and typically that's reporting into the CIO. Now, what's the internal messaging of that? The internal messaging is that the CISO and that risk is very much a technology risk and therefore it's appropriate that they're sitting under the CIO. However, is cybersecurity really a technology risk? Yeah, it is, but at a bigger picture, it's actually a business risk, and there's a lot of business risks that organizations face, and cybersecurity is one element of that. I mean, ultimately, the only way of assessing what you're doing in cybersecurity, whether it's right or wrong or well-targeted or not, is how is it impacting on your business risk, how is it impacting on your availability, your integrity and so forth of your business conditions? And so that's the next level of maturity that I see in organizations, where they go, actually the CISO, yes, it is a technology risk, but it's also beyond that. There's a business risk element. We're going to move it out from under the CIO, because that understates its relevance, and we might even move it out into, maybe if there's a chief audit and risk area, we might move it out there, and, in fact, we might even have it as a direct dotted line reporting through to the CEO or, in some cases, it's actually reporting directly to the board as well, because some of these risks that we're facing from a cybersecurity perspective are actually very board-relevant risks and things that we need to be on top of as a board. And so those reporting arrangements that you can see in organizations, I think, are a really good reflection of how that organization thinks about this risk and how mature they are on their journey about thinking about it. And then part of that, of course, is what's the type of CISO that they might need? Right, because, as we talked about with KPIs and driving different performance before, then certain roles are going to be fit for purpose for where that organization is and what they need at that time. And so a CISO that can actually sit within a CIO's organization and start to build out that initial view around what a CISO does, it's probably going to be a very different CISO that's sitting out alongside the CIO and making regular reporting up to the board. And so, yeah, I think there's again maturity of organizations, and by looking at organizations you can tell how they think about some of these things.
Speaker 1 (17:15):
So, would you say, the greater the maturity of the organization, the more likely it is that they will have a CISO who is at the helm and reporting to the board, or at least reporting to the CEO?
Speaker 2 (17:28):
Yeah, correct, okay, yeah, correct, and outside of the technology. I mean, sometimes, yeah, they might have like a chief risk and audit type function which reports directly into the CIO, and I have seen CISOs sitting in there. I mean, one organization that took a very good maturity journey over a number of years, and their CISO actually helped them take that journey. They started down under the CIO and then they moved up into the chief risk and audit role, and then they themselves became the chief risk and audit officer as well as CISO, so they had a joint role and they were reporting directly to the board as well as to the CEO, more kind of broadening our topic a little bit, right.
Speaker 1 (18:11):
What do you think, in building policy, what is the most appropriate measurement of a company's or any organization's cybersecurity posture? Is it risk? Is it maturity? Is it some other KPI? But how do they know that they're governing well and that their policies are working?
Speaker 2 (18:41):
Yeah, it has to be ultimately business risk, business risk assessment. And so, you know, I know one service that we do, and I know a number of organizations do it, is like a threat and risk assessment, and so the starting point for that is, you know, what is the risk appetite for that organization, you know, what is their risk matrix, what does their consequences and likelihood risk matrix look like, and, you know, what risks are they not willing to tolerate and which ones are they comfortable with. And then looking at their cybersecurity landscape and going, right, well, what are the threats that they're facing here, what level of controls do they have in place and what's the likelihood and consequence of these things occurring? And if they're all below tolerance, fantastic, green light, they're doing a good job. Yeah, they could probably look at optimization of cost, and there might be spend that they're misdirecting. Potentially there could be risks there that they're pushing right down to very low levels and they might be paying a high premium for that that they could avoid. There might also be things on the future horizon that they might be concerned about escalation, and they might be worthy of looking at additional investment in those areas to preemptively cut those off before they manifest, but, in essence, the risk landscape is where every organization should be focused, and that's also the basis under which the conversations with the board and chief executives should take place as well. It's not a technology issue as such, but what does this mean to our business? What are the potential scenarios here that could be life-threatening to our organization and therefore be above our risk tolerance levels? What are those things that we need to be focused on? That should be the exact same scorecard. If you're going to pick one, that's the one you'd pick.
Speaker 1 (20:39):
So let me get this straight. I want to make sure that I need to visualize this a little bit, because when we talk about risk and cybersecurity, automatically my brain goes to a heat map or a risk register or something like that. Right, it would be a heat map or a risk register, or I'm already thinking of the way, you know, our five by five grid and all that. Yeah. Are you saying that the business should, if we were to picture it this way, should the business have a risk register that includes all of the business risks, and cybersecurity is a part of that? Or are you saying that the business risk is cybersecurity risk and so there's no distinction between the two?
Speaker 2 (21:22):
Yeah, so there will be some risks that are specific cybersecurity-related, cybersecurity events. But a risk has two parts to it. It has the event and it has the outcome. And so the event could be a cybersecurity incident or it could be other incidents, but the outcome should always be in some kind of business impact, because that's how you can create a level playing ground for assessing what's important and what's not. And so, okay, we've got an outage, for instance, or we've got a breach, or we've got some loss of data or whatever the case may be. Well, what does that look like in terms of business implications? And then you've got the measuring stick for how important is that event and how much do we need to try and avoid that event from happening and how much are we willing to spend on avoiding it happening? And so, yeah, the risk landscape has to include those cybersecurity events, but put in the context of what it means for the business areas, yeah.
Speaker 1 (22:40):
All right, just to wrap things up, the last question is, I guess, is kind of, I don't know. To me it's a little, it's kind of fun, I don't know, maybe because I'm a nerd and I like cybersecurity and governance and I'm really interested in the differences in governance styles between entities, specifically between countries. Right, so you're in Australia and I'm in the US. What is the preeminent measuring rod or framework or standard that you're using in Australia?
Speaker 2 (23:10):
Yep, so, yeah, look, NIST is referred to here. A number of organizations do use NIST as their standard. Probably more common would be the ISO 27000 suite. That would be the more common baseline standard. But the most commonly promoted standard is what's called the Essential Eight. The Australian Cyber Security Centre has an Essential Eight. You would probably consider that to be a base standard, and it's really targeted at the massive companies out there who should be doing the minimum. It's targeted also at government departments, local government, government-owned entities and the minimum that they should be doing. And it's a curious mix of specific technical standards in terms of admin, patching, certain governance standards. It's a little bit of a blend of things. They're all very important, but it's not as broad and all-encompassing as, say, an ISO 27000 or a NIST. It's very practical, and I think in that way it makes it accessible for many organizations to go, yeah, I think we can actually achieve that. We understand exactly what's necessary. ISO 27000 and NIST, you do need to put a lot of investment into thinking about what's appropriate for your organization and then filtering it down to what is appropriate. This is much more practical and almost prescriptive, really, and so it's very common. It's promoted by government agencies, as in the regulated government agencies, it's meant to be complied with by every government agency, and also it's encouraged that every private company in Australia meets that standard as well, and so I think, in terms of initial standards, it's actually quite a good one for organizations to get to and then build on from there, and I'd encourage your US listeners to actually have a look. It's very easy to access: Australian Cyber Security Centre, Essential Eight.
Speaker 1 (25:19):
And, coming on the heels of the SolarWinds fiasco, we know that their CISO got in hot water, right. A lot of trouble, got hauled off to jail. I shouldn't laugh at that. I don't even know why. It's not funny. It really is not funny, but it's indicative of what the SEC is doing and how they're cracking down on the accurate reporting in cybersecurity. So if you tell lies, you're going to be held accountable, especially with the SEC rule that requires four days to report a material incident. Is there such a governing body in Australia, and are the rules as strict as they are here?
Speaker 2 (25:59):
Yeah, it's a moving target, isn't it? Globally, regulations, and it's the same in Australia. Josh, it's a moving target here in Australia, and so there are definitely reporting obligations here as well, on breaches, reporting obligations on loss of data and on ransomware, for instance. Is everybody reporting? I would doubt that. Are the rules onerous for non-reporting? Yeah, there are some penalties there, but how do people find out that there's non-reporting? That would be the key question. How do people get caught? Yeah, I think it's a moving feast here at the moment. ASIC, the Australian Security and Intelligent Security, I can't remember what the I stands for. Basically, it's very similar to your SEC. You know, they have prosecuted organizations for, over cyber security standards. They haven't thrown anyone in jail and it's normally fines against the company, and I don't think there's ever been a case of penalties against any individual. But I think some of these things are going to be a matter of time, right, like, you know, there's always going to be some poor behaviors. There is across all of society. So, you know, cybersecurity actors aren't any different to that, and more a question of, as the regulations ramp up, and they're only going in one direction. They're getting more onerous and higher standards all the time. I don't have any examples where they're being loosened, so they're always going to get tougher, and then eventually there's going to be better detection methods of actually finding these things out and then being able to bring prosecutions to bear. So, yeah, it is probably only a matter of time, but there are no prosecutions individually that I'm aware of here.
Speaker 1 (28:02):
Is there anything, before we wrap up, that you just want to get off your chest and you want to get out there? I just want to give you some time to get a pretty good rant on, on organizations.
Speaker 2 (28:14):
You know, just trying pen testing in at the back end and thinking that's great, or, and hopefully I wasn't too judgmental there, Josh, on talking about the maturity of different organizations. Every organization is on their journey, right? They all have to start somewhere. So it's not a judgment, it's just an observation, and this is the nature of change, right? Is that the key part is actually recognizing where you are, and that might have been fit for purpose for what you needed to be at that time. But there's always a time to move on from that, and it's important when organizations actually realize that.
Speaker 1 (28:52):
In order to move these conversations forward, we have to have different opinions, and not every opinion is going to be popular and not everybody's going to buy into every opinion. But I firmly believe, and this is the mission of this show, it's to share information, share different opinions so that we move the needle and we're all moving in the right direction. So I hope that no one looks at that and goes, you know, thinks for a moment that that's judgmental. It's an opinion, it's a valid opinion, and we need more voices like yours in the security market. So, Mark, with that, I appreciate your time today. Thanks again for being so gracious with your time. If people want to find you, how can they find you?
Speaker 2 (29:34):
You can go to informprosecom, very easy way, and contact us through there. Jump onto my LinkedIn page. Just put in Mark D Nichols and you'll find my LinkedIn pretty easily. And, yeah, very happy to take any questions or inquiries or follow-ups.
Speaker 1 (29:52):
And you guys can find me also at LinkedIn. So, Josh Bruning, or linkedin.com slash Josh Bruning. You can also find us on YouTube, the Security Market Watch YouTube channel. Please subscribe, hit like, drop comments, talk to me, shoot me a message if you'd like to be on the show as well, and your mission as well is to further these conversations in the way that we've done today here, Mark and I. Please feel free to drop me a note. I'd love to have you on the show and keep moving these conversations forward. Thank you for watching. I'm Josh Bruning, and Mark, thanks again for being here today. Thanks, Josh, appreciate it.