Many organisations have not planned how to make effective decisions in a crisis, and many of the assumptions made by executives are false.

Understanding an organisation's risk profile is essential to better strategy and execution, and data technology can be improved as a result.

Organisations need to simplify: technology systems are complex, capabilities are duplicated, and there are thousands of suppliers. In many organisations, this state of affairs reflects a lack of decision-making: either the organisation accepts the risk, or it allocates money to address it.

In this interview, David Owen, Partner, Cyber Risk Advisory at Deloitte Australia, discusses how the CISO role needs to communicate effectively, speaking both to the legacy of a business and to its aspiration or plan to do new things, typically in the digital space.

Because the budget is fixed, risk appetite ends up being determined by the available budget, rather than the budget being set to reflect the organisation's risk appetite.

A CISO is responsible for helping executives navigate the risks they face in the digital space, while providing constructive advice on how to minimise them.

Additionally, they should act as advisors rather than simply supplying facts and records, and they should validate the effectiveness of cyber controls.


Key Takeaways: 

  • It is very complicated and expensive to mitigate risk within current organisational structures. To mitigate these risks, many organisations will need to simplify. It will become increasingly important to consider the diversity within organisations and how many things can realistically be accomplished at one time.
  • To assist others in understanding the risk and provide constructive advice on how to mitigate it, the CISO needs to be able to communicate effectively with the executive and the Board. The decision to tolerate risk ultimately rests with the executive. 
  • False assumptions are the biggest concern in cyber security. An asset is assumed to be covered by a control or detection capability. We assume our disaster recovery or backup restoration will work effectively. Most incidents expose the uncomfortable truth about false assumptions.
Contributors
Shane Hill, Principal Research Analyst at ADAPT

Shane manages ADAPT’s research agenda and is responsible for driving survey evolution.

He has over 20 years of experience in technology delivery and market intelligence roles. This includes over six years serving technology and services providers at Gartner.

Shane has deep knowledge of the UK and Australian markets, across financial services, government, professional services and energy/utilities sectors.

As an IT services expert, he is equipped to advise organisations as they commoditise technology foundations to then differentiate through world-class experiences.

Shane builds on this expertise to advise on practical ESG, data & AI, and the application modernisation strategies required to realise those aims.

David Owen, Cyber Risk Advisory at Deloitte Australia

Earlier in my career, I spent 8 years working in the defence industry, which was the first commercial industry to have cyber regulation and oversight by government. This period included 5 years as the Head of Information Security for MBDA Missile Systems (their UK CISO role), which designs and manufactures most of the guided missiles used by UK armed forces, and more recently for BAE Systems, leading their regional strategy in the Asia-Pacific and Middle East regions for the cyber, financial crime and lawful interception business unit.
