Highlights From Previous CIO Cyber and Risk Network Gatherings

July 2024

This month, the CIOs spoke about:

CIO/CISOs with accountability for OT – policy and tactics.

There were only a few CIOs on the call that have OT responsibility. Some of the areas that were discussed were:

  • OT – initially 2 different worlds, no assumed commonality
  • Reporting of OT not at the same level of maturity
  • 5 year journey still ongoing
  • Dealing with legacy technology and trying to apply contemporary views across OT
  • Not cultural anymore – more about legacy technology
  • One approach that works – no approval for new or change policy unless it can be articulated how it will change OT
  • A lot of work with leaders
  • Change control process important

Assuring outsourced arrangements, beyond the contract towards demonstrable compliance.

  • One CIO who had experience of both ends brought up the need to categorise the transactional vs strategic partner
  • Questioning the value of the provider is difficult
  • One CIO moved their SOC because they were looking for a strategic relationship. The vendor they selected was able to demonstrate value and was invited to board meetings
  • Outsourced arrangements need to be strategic – especially in cyber
  • Getting visibility of version levels from vendors is difficult
  • It was suggested that boutique vendors were better to work with, larger players more transactional
  • It pays to look behind the curtain and understand how your vendor delivers the service, and whether that’s what you paid for

Approaches to building stronger organisational security culture – with a focus on what works and lessons learned from past experience:

  • Communications is very important
  • 5 years ago test/phish/metrics/education – now seeing less of an appetite for these approaches
  • General community uplifted in their awareness of cyber risk
  • Really need to develop messages that have cut-through, as we’re competing with so many other messages received by staff
  • Minimal viable communication on cyber but the maximum impact
  • It was mentioned that some CIOs were making efforts into becoming more efficient
  • Reviewed awareness program – training staff is changing – make it more relevant
  • Data classification more relevant
  • Automate more things
  • Targeted training for different teams
  • Target teams who are non-compliant
  • Partner with different business teams – HR/Finance
  • Support and also different budgets
  • Planning to remove links from emails to lessen the risk
  • Use workbot tool
  • Ramping up on repeat offenders – face to face intervention/training sessions/financial consequences

June 2024

On this month’s call the CIOs discussed:

  • Everyone on the call agreed that AI can produce productivity gains; however, the concern was how to ensure that AI is rolled out in a secure fashion.
  • A number of CIOs have used Data 3 to do a security review around the adoption of AI. Microsoft contributed 50% of funds for such initiatives, with the overall cost to the organisation being around $20K.
  • A number of CIOs were also running POCs with GitHub Copilot, with one CIO stating that there was definite ROI (in the region of an additional FTE out of the productivity gains). Another CIO agreed, stating a 5 productivity increase.
  • One CIO spoke about the policies they have in place for AI, which included such guard rails as:
    • Human in the loop
    • Data not training the models
    • Support these through appropriate processes
  • One CIO brought up the issue of prompt engineering; everyone agreed that there was still a lot of training required for effective use of AI.
  • Snyk was also mentioned as being a worthwhile technology to look at for scanning code.
  • Another CIO brought up Synthesia as an interesting tool for converting text to video using AI.

Overall, a lot of organisations are running POCs of AI, most of them with Copilot. There is still a lot of training required, and the emphasis on guardrails was often repeated.

Lastly, one CIO brought up the recent presentation by IBRS advisor Dr. Joe Sweeney on the wording of Microsoft’s T&Cs, which state that Microsoft can offload processing offshore if the workload gets too heavy. CIOs will take this on board when reviewing MS contracts.

The above led to questions regarding third party services and AI:

  • Reviewing contract clauses
  • Any AI that’s part of the platform would not train on our data

It was agreed that this would be put to the CISO community to get some feedback on what others are doing in relation to this.

May 2024

On the call on Wednesday the main discussion point was how organisations manage security risk in outsourced environments. The participants covered the following themes:

  • One participant fully outsourced their IT, and highlighted the importance of vendor management and the risk management learning curve their own organisation went through.
  • Another participant integrated cyber as BAU and brought in a strategic cyber partner to manage risk, emphasising no data breaches in their KPIs and augmenting pen testing with automated testing.
  • A hybrid approach was taken by one participant, combining an outsourced Trustwave SOC with an intense red team exercise, stressing the need for dedicated staff to avoid fatigue.
  • Another participant focused on total insourcing, modernising their network with a zero trust model and building internal skills.
  • One participant outsourced their SOC to CrowdStrike, and shared their experiences.
  • One participant also shared about dealing with significant internal threats, noting that 28% of staff clicked on a phishing email.

The readiness of AI to support security through tools like Copilot was also discussed on the call.

April 2024

Thanks to those who made the roundtable yesterday, it was an excellent session. Thanks to Daniel, Joe and Dave for their input and thank you James for the facilitation of what were some very interesting discussions. 

I have provided below some of the links that were recommended:

March 2024

On today’s call, the CIOs spoke about:

  • AI – The call participants each shared how, and if, their organisation was using AI; how they were keeping their board informed of what AI was and was not capable of; how they were creating policies around the use of AI within their organisations; issues that were coming up from the ungoverned use of AI; and how their organisations were developing new business capabilities around the integration of AI.
  • NDR (Network Detection and Response) tools – One of the call participants shared where they were at in their process to identify a third party security operations centre (SOC) provider, and the search for an NDR product that would work in their environment and be supported by the third party SOC provider.

Also, our next discussion will be a physical roundtable in Sydney on the 17th April. At this roundtable we will be hearing from David Cullen on the outcomes of Project Robust, and IBRS Advisor Dr Joe Sweeney will be providing his perspective on the state of the market on AI.

February 2024

On today’s call the CIOs discussed:

  • Who was, and how they were, exploring and preparing their organisations for deploying Office Copilot.
    • Several members shared where they were up to with these initiatives.
    • A key lesson was that data backburning was crucial before unleashing an LLM on some of the structured and unstructured data sets.
    • ShareGate was recommended by some of the CIOs. 
  • The conversation then moved on to what key initiatives the CIOs were aiming to complete in 2024. A common goal was either alignment to, or compliance with, ISO27001. Interestingly, a number of the CIOs shared that their organisation’s Essential Eight initiatives were being rolled up into these ISO27001 projects.

CISO Lens also gave us a high level overview of what the CISO Lens team are working on in terms of engaging with Government and industry on cyber response. We are hoping that by the April roundtable CISO Lens can provide us with some feedback on that work and the outcomes.

December 2023

For the final Cyber and Risk Network call for 2023, the CIOs discussed:

  • Dealing with employee end of year burnout; a number of organisations had programs in place to deal with this
    • Including forcing employees to take leave
    • A couple of organisations had engaged Cybermindz
    • Almost all organisations had put in place change freezes
    • The idea of better meeting practices was discussed, including allowing staff to excuse themselves from meetings
    • Improving processes in general – not immediate effect (more structure around tasks and resourcing)
  • Security concerns and general discussion around AI
    • Most organisations agreed that MS Co-Pilot was not worth the cost, although Federal Government has done a deal with MS for a period of time for cheaper access
    • Some organisations still grappling with ethics and privacy; and basic guardrails for safe use of AI
    • One CIO mentioned they had introduced an AI working group – to work towards managing how it is used
    • One CIO mentioned BING chat enterprise is available and a good option
    • One organisation has developed a learning program for users
    • All agreed that getting practical use cases from the business was not easy
    • Training people on acceptable use of AI proving difficult
    • A couple of CIOs mentioned they were developing in GitHub
  • Australian Cyber Strategy feedback
    • A good step forward and progress on the original strategy (released only a few years ago)
    • Sets out a bold ambition, mapped to six ‘cyber shields’
    • Formalised new responsibilities for the National Cyber Security Coordinator, who is now responsible for improving maturity across Commonwealth Government agencies
    • Some are critical of a lack of detail about when and how action items will be delivered, although this is common of government cyber strategies
    • Keen to see the government engage closely with industry to co-design and jointly support the delivery of action items.

November 2023

On this month’s call the CIOs discussed the Optus outage with a view to how to build resilience.

  1. One CIO was discussing how they are now tracking down who uses what connections for both business and private use
  2. It was agreed that organisations need diversity with their communications platforms, usually resulting in a mix of telco partners rather than a strategic vendor relationship
  3. All CIOs voiced their disappointment at the Government’s response; it was used for political grandstanding

What has changed:

  • One CIO quite mature with diversity/redundancy
  • Drive whether they need to push harder around diversity of multiple carriers
  • Improved SLAs – with providers
  • Optus will never agree to SLAs with 100% uptime
  • With technology being so pervasive this has emphasised the risk

The DP World breach was also discussed:

  • The CIOs noted the changed tone from Government regarding DP World versus Optus
  • Supply chain is an issue once again, opening up the vulnerabilities of supply chains
  • One CIO recommended patching the Citrix vulnerabilities, which were first published in July

Dave also shared hot issues being discussed across the cyber community:

  1. Supply chain – critical that we know what we’ve got and where it is
  2. Suppliers/vendors in Middle East and Ukraine
    • SLAs not being met
    • Looking for alternative suppliers due to conflict
    • Taking a long time to map their supply chains
    • Staff once available at vendor are now fighting on frontlines
  3. Israeli company support channels affected by the war – staff and support no longer available

Dave also shared details of the latest ACSC annual threat report. More incidents and greater impacts observed nationally. Exec talking points have been attached – to assist with briefing boards.

October 2023

On Wednesday 11th October, we held our CIO Cyber and Risk Network roundtable in Sydney. The CIOs received a TLP:RED briefing from a government agency on what this agency is seeing online from both criminals and nation state actors, as well as how adversaries are using AI as a force multiplier. (TL;DR: “It’s not Skynet, it’s just a bunch of people who can do stuff faster.”)

David Cullen from CISO Lens delivered a session on lessons learnt from the 2019 Victorian hospital ransomware attack. Also, a guest security executive from a large organisation which had suffered a recent public breach shared their perspectives on the aftermath of an incident and what that means for the staff of the company.

One of the CIOs shared the results of a red team exercise conducted against the company’s 100 most senior executives. The data from this exercise helped the executives realise that they were an easy way in, and that they needed to tighten up their policies and practices.

The CIOs also spoke about cyber insurance, Microsoft’s performance as a security vendor, and which vendors are producing good awareness content.

Some Key Takeaways

  1. All tech projects should include a 10 percent allocation for security. This allocation should be for: time, effort, cost, and headcount. Some projects may be less, some will be more, but 10 percent for all projects should equal out over time.
  2. If a platform or service is important, it must have multi-factor authentication (MFA).
  3. Phishing is a key avenue of attack for most organisations, so the HR consequences of failing phishing simulations need to be agreed on and adhered to. One participant shared that after two failed phishing simulations, it became a component of the employee’s performance review, but after three failed phishing simulations it became a key component and could result in zero pay rise and/or performance bonus.

September 2023

On our call this month, the participants shared their various approaches to vulnerability management:

  1. The discussion centred on both their own patching policies (and the different SLAs for Critical and High versus Medium or Low, as well as internet facing or not), and their concerns around the hidden vulnerabilities in SaaS providers.
  2. This moved into a discussion on how the participants went about assuring themselves on alerts, and ensuring that filtering out false positives did not inadvertently scoop up important alerts.
  3. One of the participants shared a recent incident where a staff member’s access had been compromised via an emailed QR code, and the resulting effects within the organisation.
  4. This moved the conversation into a discussion on awareness training, and another of the call participants shared that they were doing an intensive campaign against their executives ahead of a leadership offsite so they could present the results at this offsite.
  5. We also spoke a little about this incident, and will carry it over to the next call to talk in more depth.
    – ‘Microsoft’s slow outage recovery in Sydney due to insufficient staff on site’, DCD, 4th September 2023
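The patching-policy discussion in item 1 (remediation SLAs that differ by severity and by whether the asset is internet facing, plus SaaS components the organisation cannot patch itself) and the false-positive concern in item 2 can be shown as a small triage routine. The following is an added example written for this page; it is not code from the CIO network or any participant. The SLA windows, the `Finding` fields and the sample findings (including the `CVE-0000-000x` identifiers) are constructed placeholders, not figures from the call.

```python
"""Patch-SLA triage over constructed scanner findings (added example).

Assumptions, all illustrative: the SLA_DAYS windows, the Finding schema and
the SAMPLE_FINDINGS data. Real programmes would load findings from a scanner
and take the windows from the organisation's own patching policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in days, keyed by (severity, internet_facing).
# Internet-facing assets get the shorter window at every severity.
SLA_DAYS = {
    ("critical", True): 2,  ("critical", False): 7,
    ("high", True): 7,      ("high", False): 14,
    ("medium", True): 30,   ("medium", False): 60,
    ("low", True): 90,      ("low", False): 180,
}
SEVERITIES = {"critical", "high", "medium", "low"}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                  # placeholder ids in the sample data below
    severity: str
    internet_facing: bool
    first_seen: date
    saas_managed: bool = False  # vendor patches it; we can only chase attestation
    suppressed: bool = False    # analyst marked it as a false positive


def due_date(f: Finding) -> date:
    """First-seen date plus the SLA window for this severity/exposure."""
    sev = f.severity.lower()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {f.severity!r}")
    return f.first_seen + timedelta(days=SLA_DAYS[(sev, f.internet_facing)])


def days_overdue(f: Finding, today: date) -> int:
    """Positive when the SLA has been missed, zero or negative otherwise."""
    return (today - due_date(f)).days


def triage(findings, today: date, soon_days: int = 7):
    """Sort findings into work queues.

    Returns a dict with four lists, each ordered by due date:
      overdue   - SLA already missed
      due_soon  - due within `soon_days`
      vendor    - SaaS-managed; track the vendor's fix rather than patching
      review    - suppressed as a false positive, but critical/high on an
                  internet-facing asset, so the suppression itself is reviewed
                  rather than silently trusted (item 2 in the notes)
    Suppressed findings outside that high-risk band are dropped.
    """
    queues = {"overdue": [], "due_soon": [], "vendor": [], "review": []}
    for f in sorted(findings, key=due_date):
        sev = f.severity.lower()
        if f.suppressed:
            if sev in {"critical", "high"} and f.internet_facing:
                queues["review"].append(f)
            continue
        if f.saas_managed:
            queues["vendor"].append(f)
        elif days_overdue(f, today) > 0:
            queues["overdue"].append(f)
        elif days_overdue(f, today) >= -soon_days:
            queues["due_soon"].append(f)
    return queues


# Constructed sample data; CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-1",    "CVE-0000-0001", "Critical", True,  date(2023, 9, 15)),
    Finding("web-1",       "CVE-0000-0005", "high",     True,  date(2023, 9, 10)),
    Finding("intranet-db", "CVE-0000-0002", "critical", False, date(2023, 9, 15)),
    Finding("hr-laptop-7", "CVE-0000-0003", "low",      False, date(2023, 9, 1)),
    Finding("crm-saas",    "CVE-0000-0004", "high",     True,  date(2023, 9, 10), saas_managed=True),
    Finding("dev-box",     "CVE-0000-0006", "medium",   False, date(2023, 9, 1),  suppressed=True),
    Finding("edge-proxy",  "CVE-0000-0007", "high",     True,  date(2023, 9, 12), suppressed=True),
]


def assets(queue) -> list:
    """Asset names for a queue, handy for reporting and for tests."""
    return [f.asset for f in queue]


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, today=date(2023, 9, 20))
    for name, queue in result.items():
        print(f"{name:9s} {assets(queue)}")
```

The `review` queue is the point of the design: a false-positive filter is allowed to silence low-risk noise, but a suppression on a critical or high finding on an internet-facing asset is routed for a second look instead of disappearing, which is the failure mode item 2 describes. SaaS-managed findings never land in `overdue` because the organisation cannot close them itself; they are tracked separately so vendor attestation can be chased.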

August 2023

This month on our call, the discussions were focused on:

  1. AI and business impact, experiences and perspectives. From the discussion, it appears that most organisations are still working out how best to use LLMs (like ChatGPT). There was general agreement that putting a popup on the screen when users went to the OpenAI website to warn them against posting sensitive information was a pragmatic approach. The AI discussion was in response to one of the CIOs being asked to brief their board on this AICD discussion paper.
    Links shared:
    – What Are the Risks of Artificial Intelligence?
    – A Voice Deepfake Was Used to Scam a CEO Out of $243,000
    – What is Worm GPT? The New AI Behind the Recent Wave of Cyberattacks
  2. Changes in Zoom’s terms and conditions and what this could mean for sensitive calls. It was noted that apparently enterprise customers are being given the option to turn off their calls being monitored by Zoom; but this raised the question of what happens when a third party using the free version has a call with an enterprise user. It seems reasonable to assume that the enterprise version settings would take priority, but this is an assumption.
    – Zoom’s Updated Terms of Service Permit Training AI on User Content Without Opt-Out
  3. A brief discussion was also had on Microsoft security on the back of a threat actor, alleged to be Chinese, managing to forge authentication tokens.
    – Schneier On Security: Microsoft Signing Key Stolen by Chinese
  4. An extensive conversation about the HWLE data breach, and specifically around the government response to this.
  5. A brief discussion on the corporate use of a keylogger in a recent case in Australia.
    – IAG Used Keystroke Logging to Investigate Productivity of Remote Worker

July 2023

This month on our call, the participants:

  1. Shared their organisations’ responses to ChatGPT. Depending almost entirely on the nature of the business, ChatGPT was either blocked outright, or was permitted but with cautions to not paste sensitive information into it.
  2. Discussed their views on the efficacy of third party assessments. Various approaches were shared; ranging from including the right to audit in contracts, through to ensuring that the most senior stakeholders were in alignment that the business would not use a supplier which did not pass a security assessment.
    – “Not doing a third party assessment is worse than doing one and relying on it.”
    – “It’s hard enough to bring Shadow IT into the IT tent, nevermind getting them up to our cyber security requirements.”
    – UpGuard was mentioned by some of the call participants as the platform they used to help with third party assessments; while noting that it is still very manual.
  3. Briefly discussed their views on cyber insurance.

Resources mentioned in the call: