Many organisations have not planned how to make effective decisions in a crisis, and many of the assumptions made by executives are false.

For better strategy and execution, it is important to understand the risk profile of organisations. Data technology can be improved as a result. 

Organisations need to simplify due to the complexity of technology systems, duplication of capability, and thousands of suppliers. In many organisations, these details illustrate a lack of decision-making. Either they accept the risk, or they allocate money to address it. 

In this interview, David Owen – Partner – Cyber Risk Advisory at Deloitte Australia, discusses how the CISO role needs to be able to communicate effectively and talk to both the legacy of a business and the aspiration or plan to do new things, typically in a digital space.

Because the budget is fixed, the risk appetite is effectively determined by the available budget, rather than the budget being set according to the organisation's risk appetite. 

A CISO is responsible for helping executives navigate the risks they face in the digital space, while providing constructive advice on how to minimise them.

Additionally, CISOs should act as advisors rather than simply providing facts and records, and they should validate the effectiveness of cyber controls. 


Key Takeaways: 

  • It is very complicated and expensive to mediate risk within current organisational structures. To mitigate these risks, many organisations will need to simplify. It will become increasingly important to consider the diversity of organisations and the number of things that can be accomplished at one time. 
  • To assist others in understanding the risk and provide constructive advice on how to mitigate it, the CISO needs to be able to communicate effectively with the executive and the Board. The decision to tolerate risk ultimately rests with the executive. 
  • False assumptions are the biggest concern in cyber security. An asset is assumed to be covered by a control or a detection capability. We assume our disaster recovery or backup restoration will work effectively. Most incidents expose the uncomfortable truth about false assumptions.

Contributors
Shane Hill Principal Research Analyst
Shane Hill is part of ADAPT’s Strategic Research and Advisory team. As Principal Research Analyst, he produces pragmatic insights tailored to the specific needs of technology leaders in Australia and New Zealand.

Hill has worked in technology delivery and market intelligence roles for the past 15 years. His expertise encompasses automation, data science, and machine learning domains. He focuses on how emerging technologies will impact the business models, frameworks, and operations of end-user and vendor organisations.

Formerly of Gartner and with IT services experience across multiple jurisdictions, Shane has led business transformation, technology modernisation, vendor management, and advisory programs for leading consultancies, major corporates, government agencies, and boutique firms.

David Owen Cyber Risk Advisory at Deloitte Australia
Earlier in my career, I spent 8 years working in the defence industry, which was the first commercial industry to have cyber regulation and oversight by government. This period included 5 years as the Head of Information Security for MBDA Missile Systems (their UK CISO role), which designs and manufactures most of the guided missiles used by UK armed forces, and more recently for BAE Systems, leading their regional strategy in the Asia-Pacific and Middle East regions for the cyber, financial crime and lawful interception business unit.
