Highlights

Highlights From Previous CIO Cyber and Risk Network Gatherings

March 2025

In this months call, the CIOs discussed two agenda items:

The use of AI notetakers during meetings

Concerns were raised about consent, data privacy, and the accuracy of the summaries.
Different organisations had varying policies and experiences with AI notetakers. Some were experimenting with them, while others were more cautious.
The use of internal versus external meetings and AI notetaking were also discussed, some CIOs brought up that a lot of vendors were now looking to record meetings.
The topic of consent was also discussed with some organisations seeking legal advice.

The effectiveness of all-staff phishing simulations

Some organisations were turning them off, while others were using incentives.
Some organisations have implementedd policies for repeat offenders with additional training (usually two strikes).
One organisation which is highly regulated used a stricter approach to repeat offenders.

A concern was raised that phishing campaigns are undermining user confidence and that they need to be well integrated into business practices. However one CIO suggested that this could be due to the way it was rolled out and by whom.

There was discussion about whether to extend policies about links in emails to external senders.

February 2025

Summary from Febuary’s call;

Agenda: What are organisations doing in regards to DeepSeek

Organisations are responding to Deepseek in various ways, including encouraging innovation with guidelines, banning it, or blocking it temporarily
Data privacy and security concerns are prominent, especially with Deepseek’s data storage policy
One CIO is running four pilots with different AI technologies (Co-Pilot, Gemini, OpenAi, Drop Box) and is drafting an AI policy
Some CIOs have varying approaches, with some blocking Deepseek temporarily until they know more and others developing frameworks for AI governance
One CIO mentioned the Atlassian conference and watched a demonstration on a variant to Zoom called Loom. This inferred if you need to demonstrate the value of AI look at what the tech companies are doing
It was agreed there is a need for AI training and awareness across organisations, with some opting for internal experts and lunch-and-learn sessions. In contrast, others prefer generic training followed by more focused departmental training

Related Advisory

December 2024

On Wednesday we discussed two agenda items;

Whether to pursue a third party to help with domain takedown requests given the number of lookalike domains out there and the risk of these being used for malicious activity
Cyber Security Act – how well have industry been consulted

The CIOs discussed the benefit of crowdstrike on end devices, the fact that once a domain is protected you can buy it
It was also agreed that tools can only get you so far and there is still a need for manual intervention. Where there is some value its not an easy journey
One CIO mentioned they use Link Busters. This was a value for money service with no additional resources required
We also discussed privacy and content and a number of CIOs mentioned that this area was owned by their legal teams
In regards to the Cyber Act – all participants agreed that the Federal Government had done a good job in consulting industry and believed they were getting better at engaging
We then asked the CIOs what good wins were had during 2024. Most of the feedback was around audits;
- Most CIOs had good audit results
- Improved relationships with the audit and risk committees in particular changing their views on ICT
- Resilience getting a better look in

November 2024

On our call in November, we discussed the impact of the Government’s Cyber Security Act. We were keen to understand;

Which of the reforms will impact you the most
Do you have a view on the proposed reforms
How are you preparing your organisation for change

One CIO mentioned there were concerns from their legal department, and another suggested there needed to be more formalisation around minimum standards. However it was noted that it is advantageous to have mandatory standards driven through mandates and legislation.

It was also agreed that whilst it is good to have legislation it is creating more red tape.

Organisations with IOT devices also brought up concerns that there are a lot of always connected devices that are continuously tracked and scanned that will be a major issue.

We then went through the latest ASD threat report. It was mentioned that the ASD have improved their support over the past 18 months and getting them to report to the board was a good idea, it could sometimes take a while to get this scheduled. This feedback has been shared with the ASD.

In closing it was agreed that too often staff assume IT systems will be available during a crisis. We need to get them thinking about manual workarounds when Teams, Outlook etc aren’t available. E.g., BCP team ask people to generate a new Confluence form to report an issue and request help – that’s useless if the entire network is down

In closing I have also added some useful links, as requested by one CIO, that have been provided by ASD previously.

October 2024

On todays call, the CIOs discussed:

How vendors are pushing AI in everything, and whether anyone on the call was actually using AI to help sift through the data in their SIEM.
How vendor price increases are unaligned with the reality of what’s happening in ICT budgets, and how the CIOs are noting a substantial increase in the number of cyber security vendor sales people trying to get in touch with them.
Two participants spoke about where they each are on their journey of migrating between third party SOC providers.
The call participants had an extensive discussion about budgets, and how their ICT and security budgets were under scrutiny. All noted that budgets are very tight, and for both government and private sector, “they’re as tight as I’ve ever seen them” was a common sentiment.
Two call participants shared that they were struggling to get approval for additional headcount, and they were each concerned about their ability to find the right talent if the headcount is approved.

September 2024

During this months call, there were 3 items on the agenda:

Approaches that others are taking on BYOD and security
How are others determining how long they are retaining their back ups for – i.e. has this business driven or is it a bit of a mix of legacy approaches and business requirements etc.
Vendor price increases (we’ve heard that VMware is going up between 7-15 times), Citrix, etc., and how this is going to play out in their security budgets.

BYOD and Security – most CIOs discussed that if they had a BYOD policy it was more about Mobile phones and tablets, generally EUC was not able to be BYOD. Some key takeaways;

Mobile allowed using intune
No external device can join the domain

The CIOs spoke about having 2 policies

company provided device fully managed by intune (IOS, Android, tablets)
BYOD policy only on acceptable device list – e.g. no huawei
Have to enrol intune to get access to email – but not managed
- This provided more control not managed due to privacy
- The Apps managed by company

Other organisations have a similar policy

Containerised with 0365 apps
No BYOD computers only company provided laptops
Also considering ios agent for crowdstrike
2 additional controls – can view documents in devices but not download
One other CIO mentioned a scan that pickups up whether the BYOD device is automatically up to date and if not is unenrolled from inTune

One CIO mentioned that they use Kandji MDM for Apple devices and that ooit was an awesome product

One CIO asks how to manage SAAS applications

Conditional policies with SSO
Can’t buy cheap or free licences so they get SSO
Implemented new processes recently so its very controlled
SSO and MFA mandatory otherwise vendors not considered
Classification also helps
Can’t stop everyone

One CIO has just been purpleteamed

Netscape, Sentinel 1 and defender all doing a great job
Great exercise

Data Retention and Backup – Managing Risk – Big topic at the AFR conference

One CIO – haven’t done back burning, just started archiving

Use their NAP to make a decision (took a long time)
Once data has been touched this is the date that says it is active

One CIO increasing amount of ownership of information, trying to make it a data ownership discussion not an ICT problem

Edge policies – retention of casual chat and SMS – everything typed is a record and classification will determine what ios worth
Embarking on an information strategy

Information classification will determine how long to keep information

Everyone probably keeps information too long
Consolidated information ownership
Big problem with information sharing in Sharepoint and Teams
Records management system not across all information

Trying to get to one repository and lock it down
File naming standard will do the classification
If you don’t name a file it will alert you
One CIO

3 months worth of backup (data we still have)
If a BCP/DRP incident only 3 months required
Archiving is a different issue (need to retrieve data)
Archival on tape where there is no equipment able to read
Retention critical – stop hoarding the data
The question was asked: What drives the 3 month mark?
- Cost – simple as that
- Analyse what you have (system/finance)
- Cloud storage vs own infrastructure
- BCP perspective
- Disaster event 1 days worth of work
- Ransomware event – data locked down and can’t be changed – CommVault
- Need to test rigour of events longer than 1 day

Example major SAP issue

Had to go back 6 months to find relevant backups

Licensing Costs

CISO benchmark found

Budgets were shown to be stable for the next 2 years
Factoring the rising cost of doing business
Increased pressure is more with less
Some vendors exponential price rises (7-15 fold increase)

What are the CIOs doing regarding licensing costs?

One CIO decommissioned Citrix
Has seen 300% increase of VMware
One tried to create longer term agreements – multi year to reduce complexity and lock in pricing
Monday.com SaaS 9% a year increase
Three CIO have contract clauses dictating how much pricing can increase
One caps the increase at CPI
One CIO spoke about going to market for competitive pricing and got a 25% reduction in pricing
One CIO had a win
One CIO doing a s/w rationalising program, already saved $200k on savings
- Not easy to do but worthwhile

August 2024

In this months face to face event, the agenda included:

News, agenda updates, logistics, final agreement on topics for sessions.
ICT resilience: A discussion around the room on how all members are preparing an ICT resiliency approach; the risks being identified including the likelihood and impact and, how ICT can support broader BCP outcomes.
AI and transcription: An area of growing awareness in enterprise is the potential for AI transcription bots to harvest potentially sensitive dialogue from internal calls (or calls with third parties, such as law firms) and store transcriptions ‘somewhere’ and also feed this text into large language models. This session will go around the room asking the members to share how their organisation views this risk, and what steps – if any – the organisation is taking.
Data classification and retention: A facilitated discussion on the challenges faced on generating agreement with business units on retention periods/classification categories and manual vs automated approaches. Tool recommendations warmly welcomed!
What’s working: Each member to share a win; projects, suppliers, business engagement.

July 2024

This month, the CIOs spoke about:

CIO/CISO’s with accountability for OT – policy and tactics.

There were only a few CIOs on the call that have OT responsibility. Some of the areas that were discussed were:

OT – initially 2 different worlds, no assumed commonality
Reporting of OT not at the same level of maturity
5 year journey still ongoing
Dealing with legacy technology and trying to apply contemporary views across OT
Not cultural anymore – more about legacy technology
One approach that works – no approval for new or change policy unless it can be articulated how it will change OT
A lot of work with leaders
Change control process important

Assuring outsourced arrangements, beyond the contract towards demonstrable compliance.

One CIO who had experience of both ends brought up the need to categorise the transactional vs strategic partner
Questioning the value of the provider is difficult
One CIO moved SOC as was looking for a strategic relationship. The vendor they selected was able to demonstrate value and was invited to board meetings
Outsourced arrangements need to be strategic – especially in cyber
Getting visibility of verison levels from vendors difficult
It was suggested that boutique vendors were better to work with, larger players more transactional
It pays to look behind the curtain and understand how your vendor delivers the service, and whether that’s what you paid for

Approaches to building stronger organisational security culture – with a focus on what works and lessons learned from past experience:

Communications is very important
5 years ago test/phish/metrics\education – now seeing less of an appetite for these approaches
General community uplifted in their awareness of cyber risk
Really need to develop messages that have cut-through, as we’re competing with so many other messages received by staff
Minimal viable communication on cyber but the maximum impact
It was mentioned that some CIOs were making efforts into becoming more efficient
Reviewed awareness program – training staff is changing – make it more relevant
Data classification more relevant
Automate more things
Targeted training for different teams
Target teams who are non compliant
Partner with different business teams – HR/Finance
Support and also different budgets
Planning to remove links from emails to lessen the risk
Use workbot tool
Ramping up on repeat offenders – face to face intervention/training sessions/financial consequences