CIO Cyber & Risk Network December 2020
The Cyber and Risk Network December call focused on the following areas:
1. CPS 234 - supply chain assessment is a requirement of this standard. Suppliers should have a risk approach that supports an APRA regulated entity.
2. APRA speech - the Big 4 audit firms are going to get involved as part of the independent third-party assessment.
3. One of the call participants shared that they were considering dark web monitoring of their suppliers, because their security team wants an early warning if one of the suppliers has been breached.
4. SOC-as-a-Service: one of the call participants gave a solid testimonial for https://expel.io/
5. One CIO shared that they had used red teams to test their third party SOC effectiveness.
6. Zero trust - the call participants discussed that a vital question is “what’s the problem we’re trying to solve?” Zero trust is a series of good security approaches, but it relies on a deep understanding of the business: a core potential weakness is over-provisioning access, because then you’re back at square one.
7. So the real question around zero trust is: how do you redesign the stuff you have to achieve an outcome that works for your organisation?
8. The comparative benefits of Okta versus MS Authenticator and opportunities for OPEX reduction.
9. Comments from our CIOs:
- “We’re helping more of our suppliers with their incidents than our own.”
- “One person makes a mistake, another person feels the pain.”
- “You certainly don’t need a product that says Zero Trust ™ on the front.”