Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security, spoke to the AICD about how far business has come, where it needs to go and why cybersecurity is so much more than a negative ‘must-have’ or afterthought.
Cybersecurity is now firmly on the national policy agenda. Earlier this year, Alastair MacGibbon was appointed Special Adviser to the Prime Minister on Cyber Security, where he provides national leadership and advocacy on cybersecurity policy and the implementation of the Government’s Cyber Security Strategy.
Alastair will be speaking at the inaugural ASX Sector Forum to be held on 23 November in Sydney.
He provides seven essential insights into cybersecurity for directors:
1. Business has come a long way…
“Boards and c-suite executives have matured in the way that they approach cybersecurity. This needs to be celebrated and the progress made needs to be acknowledged. It can be very easy for us in the cyber world to be a little negative and quite frankly it is draining and impacts business’ ability to be proactive and see the business opportunities that come with cyber threats.
“Directors are aware of their duties and their obligations to the company, to their shareholders, employees and customers. We have seen that more and more audit and risk committees are looking at cyber as a legitimate risk and for some companies, cyber risk is their number one threat.”
2. …But still needs to do more
“The great thing about our interconnected world is the huge opportunities that connectedness brings. In the space of the next four to five years, we will go from approximately 5 billion connected devices globally, to 50-something billion connected devices globally. But you know what they say: ‘Your greatest strength is also your greatest weakness.’
“To deal with this rapid expansion, the business community needs to start institutionalising behaviours such that we can cope with the huge positive aspects that are going to come from this increased connectivity, but also minimise the risks that are associated with it. The next challenge for us is trying to take what is being increasingly well done in ASX companies and drive this approach to cybersecurity to other parts of the economy; to businesses where they do not have access to the expertise or the resources to develop sound cybersecurity policies.”
3. Business and government need to collaborate
“Malcolm Turnbull has previously said that a government’s approach to the issue of cybersecurity is different to the way that it deals with other national security issues like terrorism. Government will take the lead on terrorism, but when it comes to cyber, the role of the government is more nuanced. It is one of cooperation and collaboration.
“The Government’s Cybersecurity Strategy released in April this year emphasises how government and private business can engage with each other. It looks at how we create intelligent information sharing. How do we get smarter and better at it?”
4. Recognise that your business operates within an ecosystem
“No business is an island unto itself. It’s important for businesses to recognise that they operate in an ecosystem and that they rely on others within that ecosystem.
“I like to think about business in these terms: there is no point for a business or a government entity existing in a perfectly clean, well-maintained building in an otherwise poorly-run, ungoverned neighbourhood. We have an obligation to the amenity of the area and those around us. The question is, how do we do that?”
5. Map out potential cyber threats and their motives
“The nature of cyber incidents and the profile of the people behind them have evolved. There are three types of threat actors: the nation-state, criminal groups and issue-motivated cyber groups. They are motivated by different things and use a range of tactics to threaten businesses and governments.
“It’s a very complex environment and these groups can be anarchic, so it is often difficult understanding what these groups might do. It is important for businesses to understand their environment, understand how they fit in this threat environment, recognise the weak links in their infrastructure or operations and think about what is it in their business that can be converted to money.”
6. There is a raft of commercial advantages to making cybersecurity a priority
“I urge businesses to look at the way that they approach cybersecurity and ask, how do we convert smart security thinking to be a business enabler, to allow us to do the things that we have not been able to do before?
“For businesses that really get to understand security, they can do things that their competitors cannot. They are able to move faster on innovation, they are able to take on new markets that they couldn’t before, they have and can develop new processes that are easier for their customers to engage with: all because their security is built in a different way to how it is currently done. I see cybersecurity as an integral part, the underpinning, the very fabric of the businesses that we run.”
7. Frank, open discussions on cybersecurity are key
“Maturity on the issue comes through discussion. The issue of cybersecurity isn’t necessarily a technical problem, it’s a social problem. If we accept this, we need to engage in conversations about it. I think the business community appreciates open disclosure and that goes the same with customers as well as suppliers.
“The business community learns a great deal from the lessons of those who have failed or have come out the other side of a challenge. It’s important that we get over the shame and the stigma to get businesses talking, collaborating and sharing ideas.”