Highlights

Highlights From Previous CIO Cyber and Risk Network Gatherings

December 2024

On Wednesday we discussed two agenda items:

  1. Whether to pursue a third party to help with domain takedown requests given the number of lookalike domains out there and the risk of these being used for malicious activity
  2. Cyber Security Act – how well has industry been consulted
  • The CIOs discussed the benefit of CrowdStrike on end devices, the fact that once a domain is protected you can buy it
  • It was also agreed that tools can only get you so far and there is still a need for manual intervention. While there is some value, it’s not an easy journey
  • One CIO mentioned they use Link Busters. This was a value for money service with no additional resources required
  • We also discussed privacy and content and a number of CIOs mentioned that this area was owned by their legal teams 
  • In regards to the Cyber Act – all participants agreed that the Federal Government had done a good job in consulting industry and believed they were getting better at engaging
  • We then asked the CIOs what good wins were had during 2024. Most of the feedback was around audits:
    • Most CIOs had good audit results 
    • Improved relationships with the audit and risk committees in particular changing their views on ICT 
    • Resilience getting a better look in

November 2024

On our call in November, we discussed the impact of the Government’s Cyber Security Act. We were keen to understand:

  • Which of the reforms will impact you the most
  • Do you have a view on the proposed reforms
  • How are you preparing your organisation for change

One CIO mentioned there were concerns from their legal department, and another suggested there needed to be more formalisation around minimum standards. However, it was noted that it is advantageous to have mandatory standards driven through mandates and legislation.

It was also agreed that whilst it is good to have legislation, it is creating more red tape.

Organisations with IoT devices also raised concerns that the large number of always-connected devices that are continuously tracked and scanned will be a major issue.

We then went through the latest ASD threat report. It was mentioned that the ASD have improved their support over the past 18 months and that getting them to report to the board was a good idea, although it could sometimes take a while to get this scheduled. This feedback has been shared with the ASD.

In closing, it was agreed that too often staff assume IT systems will be available during a crisis. We need to get them thinking about manual workarounds when Teams, Outlook etc. aren’t available. E.g., the BCP team asks people to generate a new Confluence form to report an issue and request help – that’s useless if the entire network is down.

In closing I have also added some useful links, as requested by one CIO, that have been provided by ASD previously.

October 2024

On today’s call, the CIOs discussed:

  • How vendors are pushing AI in everything, and whether anyone on the call was actually using AI to help sift through the data in their SIEM. 
  • How vendor price increases are unaligned with the reality of what’s happening in ICT budgets, and how the CIOs are noting a substantial increase in the number of cyber security vendor sales people trying to get in touch with them. 
  • Two participants spoke about where they each are on their journey of migrating between third party SOC providers. 
  • The call participants had an extensive discussion about budgets, and how their ICT and security budgets were under scrutiny. All noted that budgets are very tight, and for both government and private sector, “they’re as tight as I’ve ever seen them” was a common sentiment. 
  • Two call participants shared that they were struggling to get approval for additional headcount, and they were each concerned about their ability to find the right talent if the headcount is approved. 

September 2024

During this month’s call, there were 3 items on the agenda:

  1. Approaches that others are taking on BYOD and security

  2. How are others determining how long they are retaining their backups for – i.e. is this business driven or is it a bit of a mix of legacy approaches and business requirements etc.

  3. Vendor price increases (we’ve heard that VMware is going up between 7-15 times), Citrix, etc., and how this is going to play out in their security budgets.

BYOD and Security – most CIOs discussed that if they had a BYOD policy it was more about mobile phones and tablets; generally EUC was not able to be BYOD. Some key takeaways:

  • Mobile allowed using Intune
  • No external device can join the domain

The CIOs spoke about having 2 policies

  • Company-provided device fully managed by Intune (iOS, Android, tablets)
  • BYOD policy only on acceptable device list – e.g. no Huawei
  • Have to enrol in Intune to get access to email – but not managed
    • This provided more control; not managed due to privacy
    • The Apps managed by company

Other organisations have a similar policy

  • Containerised with O365 apps
  • No BYOD computers, only company-provided laptops
  • Also considering iOS agent for CrowdStrike
  • 2 additional controls – can view documents on devices but not download
  • One other CIO mentioned a scan that picks up whether the BYOD device is automatically up to date and, if not, it is unenrolled from Intune

One CIO mentioned that they use Kandji MDM for Apple devices and that it was an awesome product

One CIO asked how to manage SaaS applications

  • Conditional policies with SSO
  • Can’t buy cheap or free licences so they get SSO
  • Implemented new processes recently so it’s very controlled
  • SSO and MFA mandatory otherwise vendors not considered
  • Classification also helps
  • Can’t stop everyone

One CIO has just been purple teamed

  • Netscape, SentinelOne and Defender all doing a great job
  • Great exercise

Data Retention and Backup – Managing Risk – Big topic at the AFR conference

One CIO – haven’t done back burning, just started archiving

  • Use their NAP to make a decision (took a long time)
  • Once data has been touched this is the date that says it is active

One CIO increasing amount of ownership of information, trying to make it a data ownership discussion not an ICT problem

  • Edge policies – retention of casual chat and SMS – everything typed is a record and classification will determine what is worth keeping
  • Embarking on an information strategy

Information classification will determine how long to keep information

  • Everyone probably keeps information too long
  • Consolidated information ownership 
  • Big problem with information sharing in SharePoint and Teams
  • Records management system not across all information

Trying to get to one repository and lock it down

  • File naming standard will do the classification
  • If you don’t name a file it will alert you

One CIO

  • 3 months’ worth of backup (data we still have)
  • If a BCP/DRP incident only 3 months required
  • Archiving is a different issue (need to retrieve data)
  • Archival on tape where there is no equipment able to read
  • Retention critical – stop hoarding the data
  • The question was asked: What drives the 3 month mark?
    • Cost – simple as that
    • Analyse what you have (system/finance)
    • Cloud storage vs own infrastructure
    • BCP perspective
    • Disaster event – 1 day’s worth of work
    • Ransomware event – data locked down and can’t be changed – CommVault
    • Need to test rigour of events longer than 1 day

Example major SAP issue

  • Had to go back 6 months to find relevant backups

Licensing Costs

CISO benchmark found

  • Budgets were shown to be stable for the next 2 years
  • Factoring the rising cost of doing business
  • Increased pressure to do more with less
  • Some vendors exponential price rises (7-15 fold increase)

What are the CIOs doing regarding licensing costs?

  • One CIO decommissioned Citrix
  • Has seen 300% increase of VMware
  • One tried to create longer term agreements – multi year to reduce complexity and lock in pricing
  • Monday.com SaaS 9% a year increase
  • Three CIOs have contract clauses dictating how much pricing can increase
  • One caps the increase at CPI
  • One CIO spoke about going to market for competitive pricing and got a 25% reduction in pricing
  • One CIO had a win
  • One CIO is doing a software rationalisation program and has already saved $200k
    • Not easy to do but worthwhile

August 2024

In this month’s face-to-face event, the agenda included:

  • News, agenda updates, logistics, final agreement on topics for sessions.

  • ICT resilience: A discussion around the room on how all members are preparing an ICT resiliency approach; the risks being identified including the likelihood and impact and, how ICT can support broader BCP outcomes.

  • AI and transcription: An area of growing awareness in enterprise is the potential for AI transcription bots to harvest potentially sensitive dialogue from internal calls (or calls with third parties, such as law firms) and store transcriptions ‘somewhere’ and also feed this text into large language models. This session will go around the room asking the members to share how their organisation views this risk, and what steps – if any – the organisation is taking.

  • Data classification and retention: A facilitated discussion on the challenges faced on generating agreement with business units on retention periods/classification categories and manual vs automated approaches. Tool recommendations warmly welcomed!

  • What’s working: Each member to share a win; projects, suppliers, business engagement.

July 2024

This month, the CIOs spoke about:

CIOs/CISOs with accountability for OT – policy and tactics.

There were only a few CIOs on the call that have OT responsibility. Some of the areas that were discussed were:

  • OT – initially 2 different worlds, no assumed commonality
  • Reporting of OT not at the same level of maturity
  • 5 year journey still ongoing
  • Dealing with legacy technology and trying to apply contemporary views across OT
  • Not cultural anymore – more about legacy technology
  • One approach that works – no approval for new or change policy unless it can be articulated how it will change OT
  • A lot of work with leaders
  • Change control process important

Assuring outsourced arrangements, beyond the contract towards demonstrable compliance.

  • One CIO who had experience of both ends brought up the need to categorise the transactional vs strategic partner
  • Questioning the value of the provider is difficult
  • One CIO moved SOC as they were looking for a strategic relationship. The vendor they selected was able to demonstrate value and was invited to board meetings
  • Outsourced arrangements need to be strategic – especially in cyber
  • Getting visibility of version levels from vendors is difficult
  • It was suggested that boutique vendors were better to work with, larger players more transactional
  • It pays to look behind the curtain and understand how your vendor delivers the service, and whether that’s what you paid for

Approaches to building stronger organisational security culture – with a focus on what works and lessons learned from past experience:

  • Communications is very important
  • 5 years ago test/phish/metrics/education – now seeing less of an appetite for these approaches
  • General community uplifted in their awareness of cyber risk
  • Really need to develop messages that have cut-through, as we’re competing with so many other messages received by staff
  • Minimal viable communication on cyber but the maximum impact
  • It was mentioned that some CIOs were making efforts into becoming more efficient
  • Reviewed awareness program – training staff is changing – make it more relevant
  • Data classification more relevant
  • Automate more things
  • Targeted training for different teams
  • Target teams who are non-compliant
  • Partner with different business teams – HR/Finance
  • Support and also different budgets
  • Planning to remove links from emails to lessen the risk
  • Use workbot tool
  • Ramping up on repeat offenders – face to face intervention/training sessions/financial consequences