Highlights From Previous CIO Cyber and Risk Network Gatherings
October 2024
On today's call, the CIOs discussed:
- How vendors are pushing AI into everything, and whether anyone on the call was actually using AI to help sift through the data in their SIEM.
- How vendor price increases are out of step with the reality of ICT budgets, and how the CIOs are noticing a substantial increase in the number of cyber security vendor sales people trying to get in touch with them.
- Two participants spoke about where they each are on their journey of migrating between third-party SOC providers.
- The call participants had an extensive discussion about budgets, and how their ICT and security budgets are under scrutiny. All noted that budgets are very tight; for both government and the private sector, "they're as tight as I've ever seen them" was a common sentiment.
- Two call participants shared that they were struggling to get approval for additional headcount, and each was concerned about their ability to find the right talent if the headcount is approved.
September 2024
During this month's call, there were three items on the agenda:
- Approaches that others are taking on BYOD and security.
- How others are determining how long they retain their backups for – i.e. is this business driven, or is it a mix of legacy approaches and business requirements?
- Vendor price increases (we've heard that VMware is going up between 7 and 15 times), Citrix, etc., and how this is going to play out in security budgets.
BYOD and Security – most CIOs said that where they had a BYOD policy it was mainly about mobile phones and tablets; end-user computing (laptops and desktops) was generally not allowed to be BYOD. Some key takeaways:
- Mobile devices allowed, managed through Intune
- No external device can join the domain
The CIOs spoke about having two policies:
- Company-provided devices are fully managed by Intune (iOS, Android, tablets)
- BYOD policy applies only to devices on an acceptable device list – e.g. no Huawei
- BYOD devices must enrol in Intune to get access to email, but are not fully managed
- This provides more control; the device is not fully managed, for privacy reasons
- The apps themselves are managed by the company
Other organisations have a similar policy:
- Containerised with the O365 apps
- No BYOD computers, only company-provided laptops
- Also considering the iOS agent for CrowdStrike
- Two additional controls – documents can be viewed on the device but not downloaded
- One other CIO mentioned a scan that picks up whether the BYOD device is kept automatically up to date; if it is not, the device is unenrolled from Intune
One CIO mentioned that they use Kandji MDM for Apple devices and that it was an awesome product.
One CIO asked how others manage SaaS applications:
- Conditional access policies with SSO
- Cheap or free licence tiers are not bought, so that SSO is included
- New processes were implemented recently, so it is very controlled
- SSO and MFA are mandatory, otherwise the vendor is not considered
- Classification also helps
- You can't stop everyone
One CIO has just been purple-teamed:
- Netscape, SentinelOne and Defender all did a great job
- Great exercise
Data Retention and Backup – Managing Risk – Big topic at the AFR conference
One CIO – haven't done any backburning, have just started archiving:
- Use their NAP to make the decision (took a long time)
- Once data has been touched, that date marks it as active
One CIO is increasing the amount of ownership of information, trying to make it a data ownership discussion rather than an ICT problem:
- Edge policies – retention of casual chat and SMS; everything typed is a record, and classification will determine what is worth keeping
- Embarking on an information strategy
Information classification will determine how long to keep information:
- Everyone probably keeps information too long
- Consolidated information ownership
- Big problem with information sharing in SharePoint and Teams
- The records management system does not cover all information
Trying to get to one repository and lock it down.
The file naming standard will carry the classification.
If you don't name a file to the standard, it will alert you.
One CIO:
- Three months' worth of backup (data we still have)
- For a BCP/DRP incident only three months is required
- Archiving is a different issue (the need to retrieve data)
- Archives on tape for which there is no longer any equipment able to read them
- Retention is critical – stop hoarding the data
- The question was asked: what drives the three-month mark?
- Cost – as simple as that
- Analyse what you have (system/finance)
- Cloud storage vs own infrastructure
- BCP perspective:
- A disaster event costs about one day's worth of work
- Ransomware event – backup data is locked down and cannot be changed (CommVault)
- Need to test the rigour of recovery for events lasting longer than one day
Example: a major SAP issue
- Had to go back six months to find the relevant backups
Licensing Costs
A CISO benchmark found:
- Budgets were shown to be stable for the next two years
- Factoring in the rising cost of doing business
- Increased pressure to do more with less
- Some vendors have exponential price rises (a 7 to 15 fold increase)
What are the CIOs doing regarding licensing costs?
- One CIO decommissioned Citrix
- One has seen a 300% increase in VMware pricing
- One tried to create longer-term, multi-year agreements to reduce complexity and lock in pricing
- Monday.com SaaS: 9% a year increase
- Three CIOs have contract clauses dictating how much pricing can increase
- One caps the increase at CPI
- One CIO spoke about going to market for competitive pricing and got a 25% reduction
- One CIO had a win
- One CIO is running a software rationalisation program and has already saved $200k
- Not easy to do, but worthwhile
August 2024
In this month's face-to-face event, the agenda included:
- News, agenda updates, logistics, final agreement on topics for sessions.
- ICT resilience: A discussion around the room on how all members are preparing an ICT resiliency approach; the risks being identified, including their likelihood and impact; and how ICT can support broader BCP outcomes.
- AI and transcription: An area of growing awareness in enterprise is the potential for AI transcription bots to harvest potentially sensitive dialogue from internal calls (or calls with third parties, such as law firms), store the transcriptions 'somewhere', and feed this text into large language models. This session went around the room asking the members to share how their organisation views this risk, and what steps, if any, the organisation is taking.
- Data classification and retention: A facilitated discussion on the challenges of reaching agreement with business units on retention periods and classification categories, and on manual vs automated approaches. Tool recommendations warmly welcomed!
- What's working: Each member to share a win; projects, suppliers, business engagement.
July 2024
This month, the CIOs spoke about:
CIOs/CISOs with accountability for OT – policy and tactics.
There were only a few CIOs on the call with OT responsibility. Some of the areas discussed were:
- OT and IT – initially two different worlds, with no assumed commonality
- Reporting on OT is not at the same level of maturity as IT
- A five-year journey, still ongoing
- Dealing with legacy technology and trying to apply contemporary views across OT
- No longer a cultural issue – now more about legacy technology
- One approach that works – no approval for a new or changed policy unless the author can articulate how it will affect OT
- A lot of work with leaders
- The change control process is important
Assuring outsourced arrangements, beyond the contract towards demonstrable compliance.
- One CIO who had experience at both ends brought up the need to categorise providers as transactional vs strategic partners
- Questioning the value of a provider is difficult
- One CIO moved their SOC because they were looking for a strategic relationship. The vendor they selected was able to demonstrate value and was invited to board meetings
- Outsourced arrangements need to be strategic – especially in cyber
- Getting visibility of version levels from vendors is difficult
- It was suggested that boutique vendors are better to work with; the larger players are more transactional
- It pays to look behind the curtain and understand how your vendor actually delivers the service, and whether that is what you paid for
Approaches to building stronger organisational security culture – with a focus on what works and lessons learned from past experience:
- Communication is very important
- Five years ago it was test/phish/metrics/education – now there is less appetite for these approaches
- The general community has lifted its awareness of cyber risk
- Really need to develop messages that have cut-through, as we are competing with so many other messages received by staff
- Minimum viable communication on cyber, for maximum impact
- It was mentioned that some CIOs were making efforts to become more efficient
- Reviewed the awareness program – staff training is changing; make it more relevant
- Data classification is more relevant
- Automate more things
- Targeted training for different teams
- Target the teams that are non-compliant
- Partner with different business teams – HR/Finance
- Support, and also different budgets
- Planning to remove links from emails to lessen the risk
- Use a workbot tool
- Ramping up on repeat offenders – face-to-face intervention, training sessions, financial consequences
June 2024
On this month's call the CIOs discussed:
- Everyone on the call agreed that AI can produce productivity gains; the concern was how to ensure that AI is rolled out in a secure fashion.
- A number of CIOs have used Data 3 to do a security review around the adoption of AI. Microsoft contributed 50% of the funds for such initiatives, with the overall cost to the organisation being around $20K.
- A number of CIOs were also running POCs with GitHub Copilot, with one CIO stating that there was a definite ROI (in the region of an additional FTE out of the productivity gains). Another CIO agreed, citing a 5 productivity increase.
- One CIO spoke about the policies they have in place for AI, which included guard rails such as:
- Human in the loop
- Organisational data not used to train the models
- Support these through appropriate processes
- One CIO brought up the issue of prompt engineering; everyone agreed that there is still a lot of training required for effective use of AI.
- Snyk was also mentioned as a worthwhile technology to look at for scanning code.
- Another CIO brought up Synthesia as an interesting tool for converting text to video using AI.
Overall, a lot of organisations are running POCs of AI, most of them with Copilot. There is still a lot of training required, and the emphasis on guardrails was repeated often.
Lastly, one CIO brought up the recent presentation by IBRS advisor Dr. Joe Sweeney on the wording of Microsoft's T&Cs, which state that Microsoft can offload processing offshore if the workload gets too heavy. CIOs will take this on board when reviewing MS contracts.
The above led to questions regarding third-party services and AI:
- Reviewing contract clauses
- Any AI that is part of the platform must not train on our data
It was agreed that this would be put to the CISO community to get feedback on what others are doing in relation to this.
May 2024
On Wednesday's call the main discussion point was how organisations manage security risk in outsourced environments. The participants covered the following themes:
- One participant has fully outsourced their IT, and highlighted the importance of vendor management and the risk management learning curve their own organisation went through.
- Another participant integrated cyber as BAU and brought in a strategic cyber partner to manage risk, with no data breaches as a KPI, and augmented penetration testing with automated testing.
- A hybrid approach was taken by one participant, combining an outsourced Trustwave SOC with an intense red team exercise, and stressing the need for dedicated staff to avoid fatigue.
- Another participant focused on total insourcing, modernising their network with a zero trust model and building internal skills.
- One participant outsourced their SOC to CrowdStrike, and shared their experiences.
- One participant also shared their experience of dealing with significant internal threats, noting that 28% of staff clicked on a phishing email.
April 2024
Thanks to those who made the roundtable yesterday, it was an excellent session. Thanks to Daniel, Joe and Dave for their input, and thank you James for facilitating what were some very interesting discussions.
- National Partnership Program – https://www.cyber.gov.au/become-asd-partner#no-back
- Secure Blueprint – www.blueprint.asd.gov.au
- Artificial Intelligence Guidance – https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/artificial-intelligence
- ASD's latest AI product on considerations when implementing AI within your business – https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/artificial-intelligence/deploying-ai-systems-securely
- Exercise in a Box – https://www.cyber.gov.au/resources-business-and-government/exercise-in-a-box
- Microsoft's Essential Eight Documentation – https://learn.microsoft.com/en-us/compliance/essential-eight/e8-overview
- CTIS Connector – https://www.cyber.gov.au/about-us/view-all-content/news-and-media/join-the-cyber-threat-intelligence-sharing-service-through-sentinel
- ASD's Annual Cyber Threat Report – https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023
- ASD's Business Continuity in a Box – https://www.cyber.gov.au/smallbusiness/business-continuity-in-a-box
- ASD's Guidance Translated into 27 Languages – https://www.cyber.gov.au/translated
- ASD's Incident Response Guidance – https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/incident-response
- Cyber Supply Chain and MSP Guidance – https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement
March 2024
- AI – The call participants each shared how and if, their organisation was using AI; how they were keeping their board informed of what AI was and was not capable of, how they were creating policies around the use of AI within their organisations, issues that were coming up from the ungoverned use of AI, and how their organisations were developing new business capabilities around the integration of AI.
- NDR (Network Detection and Response) tools – One of the call participants shared where they were at in their process to identify a third party security operation centre (SOC) provider, and the search for an NDR product that would work in their environment and be supported by the third party SOC provider.
February 2024
On today's call the CIOs discussed:
- Who was, and how they were, exploring and preparing their organisations for deploying Office Copilot.
- Several members shared where they were up to with these initiatives.
- A key lesson was that data backburning was crucial before unleashing an LLM on some of the structured and unstructured data sets.
- ShareGate was recommended by some of the CIOs.
- The conversation then moved on to what key initiatives the CIOs were aiming to complete in 2024. A common goal was either alignment to, or compliance with, ISO27001. Interestingly, a number of the CIOs shared that their organisation’s Essential Eight initiatives were being rolled up into these ISO27001 projects.
CISO Lens also gave us a high-level overview of what the CISO Lens team are working on in terms of engaging with Government and industry on cyber response. We are hoping that by the April roundtable CISO Lens can give us some feedback on that work and its outcomes.