ADAPT’s Peter Hind interviews Theo Nassiokas, Director, APAC Cyber and Information Security (CISO) at Barclays in Singapore. Theo began his working life as a Policeman in Victoria, first getting involved with the challenges of cyber security over twenty years ago. He has worked in major financial institutions across Asia Pacific.
Speaking at ADAPT’s CIO Edge conference, he discusses the importance of assessing cyber security threats against the context of the business in which you are working and using the appropriate language and discussion points to engage the business leaders on these matters.
Is it possible to sleep soundly with the escalating volume of cyber security threats that are emerging today?
It is possible. The way to do it is to respect and understand what cyber threats are and why they are happening. They are not a fad or a temporary phenomenon. They are part of a bigger picture many of whose components are often connected to geo-political events. Cyber-attacks don’t happen in a vacuum.
How do you think people should assess the cyber-attacks they are encountering?
You need to look at the business you are trying to protect. Everything within a cyber threat must be assessed in the context of that business. This assessment entails asking questions such as:
- Why do you think this is a threat to you?
- What impact would this have on your business (e.g. financial consequences, loss of intellectual property, etc.)?
Many people seem to apply simple categories to these threat actors such as state sponsored, criminals or hacktivists. The reality is that it is just not this simple. It is rare to find a cyber threat actor who neatly falls into just one of these categories. What you find is that they fall into multiple categories (e.g. a state actor could also be undertaking a criminal activity to steal money, or else they might be looking for intellectual property or for blueprints or certain information because they might get a competitive advantage from these things). As such, you need to understand the context of how cyber security and cyber threats apply to what you are trying to protect.
“It is about how inquisitive you are, how fast you can learn on your feet and your ability to adapt to change very quickly.”
It is about asking the right questions, knowing when to follow processes and when to ignore them. It is about trusting the people you work with but verifying what they do because sometimes people unintentionally make mistakes.
CIOs are increasingly finding that the Board and senior leadership team are coming to them for help with cyber security. They have legislated duties of care as Directors of an organisation to demonstrate vigilance in protecting their organisation from potential risks. What would you recommend is the appropriate cadence for these discussions, and what material do you find is most helpful for these engagements to be the most effective?
The simple answer is that you need to talk to the Board or executive leadership team in a language they understand. Again, it is all about contextualising it. Therefore, the CIO should think about cyber threats and resilience in this context and terms. For example, if return on equity is important then frame cyber threats in these terms. What would be the impact on return on equity if such and such a threat occurred and then show how this can be determined by looking at what has happened elsewhere around the world?
“If you can phrase things and use a dialogue familiar to the audience and what is important to them, you will have an instant connection.”
However, if you turn up to the Board and talk about how the firewall has blocked 65,000 intrusions today, no one will care. If you front up to the Board and ask for monies, why would they approve whatever you want to do from a security controls perspective?
However, they will approve it if you have engaged all the right stakeholders; you have been able to determine that something is technically feasible and can happen; you have involved the business; you have determined how something could have a certain impact, which has been verified by the business you are protecting; and you can crunch the numbers, come up with a real quantified figure and say with some conviction that this will probably happen to us. In effect, the conversation is providing evidence of how we know this and how much is needed to fix it, and then providing the reassurance that what is being proposed is feasible from a commercial perspective. Then the decision for the Board is akin to buying an insurance policy. You need to think of your conversations with stakeholders this way.
There are very few cyber security professionals with the extensive experience of Theo Nassiokas. ADAPT events consciously seek to involve global thought leaders like Theo to equip the busiest leaders of Australian enterprises and governments with the knowledge and competencies they need to gain advantage.