Before we delve into the whys and hows of building a cyber security culture in the Land Down Under, it’s useful to spell out the difference between digitalisation, digitisation and digital transformation, and to define exactly the kind of culture that CISOs want.
What is digitalisation?
Digitalisation, the process of moving to a digital business, is the use of digital technologies to change a business model and provide new revenue and value-producing opportunities. It refers to enabling or improving processes by leveraging digital technologies and digitised data. In this way, it increases efficiency and productivity while reducing costs. It augments an existing business process without necessarily requiring a large-scale transformation, taking a process from a human-driven event to a software-driven one. A good example of this is automation.
On the other hand, digitisation is about creating a digital representation of physical attributes. We can scan a paper document and save it on our device. It is an enabler for all kinds of processes that provide business value because of the need for consumable data.
Meanwhile, digital transformation is, in actuality, business transformation enabled by digitalisation. The “digital” moniker is a bit of a misnomer, because the essence of digital transformation is the changing of business processes enabled (more often, forced) by digitalisation technologies. Consider the shift from local control of physical processes to remote monitoring and control of those very same processes. A more ambitious example would be the integration of your customers’ sales orders into your company’s raw material vendors’ systems, thus integrating the supply chain for greater efficiency and responsiveness. You can read about the topic in more depth here.
What is cyber security culture?
Cyber security culture refers to the attitudes, beliefs, knowledge, norms, and values of people regarding cyber security and how they manifest in human behaviour with IT. While it encompasses familiar topics like cyber security awareness and infosec frameworks, it is broader in application and scope: it is concerned with making infosec considerations an integral part of an employee’s work, personal habits, and conduct, embedding them in the activities of daily living.
Cyber Security in Australia
2022 was definitely a rough year for Australia, with around 76,000 reports of cyber crime activities as reported by Statista. You'd think that cyber criminals might take a break during the holidays, but no, we can't have that.
As digital infrastructures continue to grow and expand, the risk of online crime, stolen information, and exploitation has grown with it, with eight out of 10 Australians accessing the internet daily. Estimated at $1 Billion USD annually, the national price of cyber crime is steep, making it increasingly important for the Australian government to develop a vigorous IT security sector which allows individuals and companies to safely conduct business online.
In 2022, reports of cyber crime in Australia jumped 13% in a year. This translates to one every seven minutes, even before a series of high-profile privacy breaches hit the headlines. These threats are imposing an increasingly heavy cost on businesses, with the average loss per cyber crime rising by 14% to $39,000 USD for a small business and $62,000 USD for a large enterprise.
Gearing towards Organisational Security and Strategies to Increase Resilience
The Australian government maintains a push towards cyber security training in the workforce. In particular, the country’s Department of Industry, Science and Resources has taken up measures to support upskilling and diversifying Australia’s cyber security workforce. Organisations are encouraged to invest in the creation of a cyber security incident response plan, and to reward employees who find threats. These and more contribute to a robust cyber security culture.
Tackling Talent Gap through Cyber Security Skills and Training
When adopting robust cyber security measures, Australian organisations must support workforce training. A company’s internal processes and workforce are the last lines of defence in protecting its business from cyber security threats. Naturally, employees make mistakes. Only adequate workforce training will help a company to put a cyber security incident response plan in place, which can help improve the habits and behaviours of staff and create a sense of shared accountability in keeping a business secure. It educates staff in how to recognise, avoid, report, remove, and recover from an attack.
Cyber security is continuously evolving. Regular training keeps everyone up to date, which could make the difference between a criminal gaining access to your money or data and being kept out.
Australian Government and Industries Partnering Up for Cyber Security Success
In November 2022, 18 projects were awarded funding to improve the quality, quantity, and diversity of Australia’s cyber security workforce. In total, up to $25.4 Million AUD was awarded to address barriers to entry and to improve the state of Australia’s cyber security workforce.
Boosting the participation of women, First Nations Australians, people in regional and remote areas, and people with neurodiverse backgrounds, the projects will provide scholarships and discounts, paid internships and placements, targeted outreach and mentoring programs, and flexible learning options.
This is the second round of the $70 Million AUD Cyber Security Skills Partnership Innovation Fund. After funding 8 successful grantees in round one, the programme’s guidelines were revised for round two to prioritise increasing the diversity of the cyber security workforce.
CEOs Working with CISOs to Build a Cyber Security Culture
How CISOs will Respond in 2023
CISOs will focus inward. As IT spending slows down, CISOs are assessing their existing security programmes with a fine-toothed comb. This will lead them to concentrate their efforts on security hygiene and on improving existing processes and controls, which will include process automation and more frequent security testing. Posture management initiatives will include discovering, analysing, and monitoring all IT assets. Consolidating security and IT operations is a high priority.
Investments will be more tactical than strategic. Long-term contracts are now a thing of the past; CISOs are postponing complex, resource-intensive projects. They’re breaking initiatives into digestible bites that feed only high-priority needs. Instead of zero trust plans, security and IT teams are focusing on access policies, application and data classification, network segmentation, and policy enforcement. While economic downturns usually lead to training budget cuts, that trend won’t be observed in 2023. To drive employee retention and improved productivity, CISOs plan to increase investments in staff training.
Services spending will dominate budgets. 45% of organisations say they have a problematic shortage of cyber security skills: they don’t have an adequately sized staff, and they lack essential cyber security skills. Despite global layoffs, cyber security professionals will remain in high demand. CISOs have no choice but to augment internal staff and skills with service providers in areas like Identity as a Service, managed detection and response, and managed threat intelligence programmes.
Consolidation will give way to federation. Yes, organisations will continue to consolidate vendors and integrate technologies, but at a more gradual pace. Meanwhile, they’ll focus their efforts on individual security domains—cloud, email, endpoint, network, etc.
Protect from Spear Phishing and CEO Fraud with GlobalSign’s AEG 7.6 and Ready S/MIME
Spear phishing and CEO fraud are two of the most common types of phishing attack. They attempt to confuse employees by impersonating co-workers and C-level executives. Digitally signed emails counter this threat by clearly presenting the email sender's verified identity information. Recipients can be sure that the email came from a legitimate, verified source, and not a cyber attacker.
GlobalSign’s Auto Enrollment Gateway (AEG) 7.6 breaks down the barrier that prevents many organisations from protecting against such dangerous cyber attacks. This version introduced a new feature, Ready S/MIME™, which takes the silent installation of Secure/Multipurpose Internet Mail Extensions certificates a step further by automatically configuring the certificates in Outlook for Windows.
How CISOs Report Cyber Security Risks to Board
Presented to the board of directors, a CISO board report is a detailed summary of an organisation’s cyber security risks. This helps the board understand potential cyber threats so they can take a proactive approach to infosec for the company and its clients.
A CISO board report helps to explain why investment in security is a vital component in an organisation’s success. It highlights the threats that matter most to the organisation. It contains a cyber security plan, a risk quantification with potential costs of security breaches, pertinent compliance and regulatory issues, and any necessary technologies or additional security hires.
Historically, many breaches were due to three root causes: (1) failure to prioritise security; (2) failure to funnel resources towards security; and (3) failure to execute on security initiatives. The challenge was in getting senior management to understand how imperative it is to strategise and take action – and in engaging employees towards organisational change. There are ways for CISOs to get more cyber security buy-in, which involve cohesive storytelling, prioritising existential security threats, putting C.A.R.E. into leading, and connecting security plans to business objectives.
Shape a compelling narrative around cyber security.
To set the vision, values, and agenda of cyber security, CISOs are well-advised to tell a powerful story to alleviate cyber security concerns and further the organisation's mission. It’s important to set the context right from the start. Lead the story with the risks, and the kind of attackers that might be motivated to harm your business. This is not to create fear, uncertainty, or doubt, but to offer a realistic view of the current threat landscape. It should also include the ways you're trying to slow attackers down, and how your systems neutralise them. If you do not have stories of how attackers have come after your organisation, you can borrow real stories from other organisations that are like yours.
Make your narrative a lot less technical, or you will bore your board members. If you were able to stop or prevent the villains of your story from wreaking havoc through a new tool that your CEO had recently approved, then that makes him or her your hero. Basically, include the technology as a plot device, but make sure that it’s not the highlight.
Focus on existential security risks first.
Organisations face endless risks, and that’s why CISOs must focus on existential risks first, as these should never be allowed to materialise. For some businesses, intellectual property theft may be the most significant existential threat. If the villains you are up against can steal million-dollar blueprints, designs, or source code that required years of R&D, they can produce your company’s proprietary products at a fraction of the cost.
Similarly, online consumer services that rely on consumer information could lose credibility if data is stolen in bulk, therefore threatening the existence of an e-commerce site, for example.
C.A.R.E.: Are security controls Consistent, Adequate, Reasonable, and Effective?
As your board members start to care more about cyber security (in part because regulatory fines are increasing), it pays to understand how regulators think about cyber security. The acronym C.A.R.E. can be applied when putting yourself into an evaluator’s shoes. This is how they evaluate security controls and determine whether your infosec programme will survive scrutiny. Check whether your security controls are:
- Consistent – marked by steady continuity or regularity?
- Adequate – enough for a specific requirement or need?
- Reasonable – not excessive, extreme, or underwhelming?
- Effective – producing the intended (decided, decisive, or desired) effect?
Connect the dots between security initiatives and business outcomes.
In your presentation, be sure to emphasise the link between your business strategy and the security programme. Results from a cyber security team are a lot more compelling when projects connect clearly to the business goals they enable or help achieve.
For example, instead of stating the goal as “achieve ISO accreditation,” the goal is better stated as “solidify the credibility of the organisation in its focus markets by achieving multiple ISO accreditations.”
Awareness is Not Enough; a Holistic Cyber Security Culture Enables Growth
CISOs are expected to create risk awareness and build a cyber security-driven culture. Fostering this kind of holistic environment only builds a very pleasant and inspiring atmosphere of accountability and credibility. A good CISO makes stakeholders aware of present and possible risks to their organisation, without ever sugarcoating the truth.
Harnessing cyber awareness only puts your company at an advantage. It helps prevent data breaches and phishing attacks, builds a culture of security, and makes technological defences against cyber threats more robust.
Best of all, it gives your customers high confidence, which only wins new business. As a true growth enabler, and as a function that supports your business in delivering key strategic goals, stronger cyber security practices only really support business progress.
Becoming Future-Ready in the Modern Cyber Space
Embracing business growth comes with adopting the convergence of privacy, regulations, and secure innovation in 2023. This is at the very core of a good CISO’s strategies. Ticking all the checkboxes that come with this triad of priorities mitigates risks in the software supply chain. Moreover, the successful practice of combining cyber security and data protection enables an organisation to comply with the ever-increasing data privacy regulations not only in Australia, but all over the world.
It is rather simple, in theory, to embed the necessary guardrails into your identity verification systems. However, management teams in general are looking for experts to hold their hands through this maze of a landscape. Mitigating privacy rights risks and adopting a secure digital identity play a huge role in becoming future-ready, and that’s where GlobalSign comes in. As a leading industry expert, we have other solutions to offer you, apart from the ones mentioned above. We hope that these make it a lot easier and more effective for CISOs in Australia to fortify their cyber security processes.
GlobalSign’s Future-Proof Digital Signing Service (DSS)
It’s never been easier to enable secure document signing across enterprises. As Australia becomes one of the fastest growing markets for electronic signature adoption, GlobalSign offers Digital Signing Service (DSS), which combines electronic signature with trusted digital ID. It’s the best way to sign critical paperwork like contracts and invoices, without the legwork.
With DSS, you don’t just protect your documents—you also cut 75% of costs and 80% of the turnaround time. You also get to optimise efficiency and cut scanning errors by 92%. Sign hundreds of documents digitally and rest easy knowing your documents and emails are safe at rest and in transit with GlobalSign’s digital signatures.
As in the last two years, GlobalSign’s digital signature and timestamp business continues to expand rapidly. In 2022, our customers all over the world used our DSS for more than 30 million signatures and nearly 30 million timestamps.
Create Trusted Digitally Signed Documents On-Premises with AATL on HSM
For Australian organisations that are required to: (1) keep their security operations on-premises, and (2) operate and manage their Hardware Security Module (HSM) internally, GlobalSign offers Adobe Approved Trust List (AATL) on HSM. This solution provides document signing certificates for high-volume deployments and off-the-shelf integrations; it is ideal for organisations using automated PDF generation software to create and manage large volumes of documents.
Prove Content Source and Integrity with Code Signing
Code Signing identifies that the software or application comes from a specific source (a developer or signer). When unsigned software is downloaded from the internet, browsers will either: (1) exhibit a warning message stating the possible dangers of downloading data; or (2) display an “unknown publisher” warning. GlobalSign’s Code Signing solution identifies the publisher’s name (i.e., the organisation’s or individual developer’s name) and removes the need for “unknown publisher” security warnings.
Furthermore, Code Signing also ensures that a piece of code has not been altered and determines whether the code is trustworthy for a specific purpose. If the application/software code is tampered with after being digitally signed, the signature will appear invalid and untrusted.
Code Signing benefits not just users downloading applications but also developers. Users are assured of the source of their downloads and can decide whether to trust that source. For developers, it allows them to mark their brand and protect their software from undesired changes. That ready trust also means an increased number of downloads, i.e., more success.
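The verification logic behind both the signed-email section above and the code signing section, as an added Go example that is not GlobalSign's code: it uses Ed25519 from Go's standard library as a stand-in for certificate-based signatures, a hypothetical recognised-publisher list in place of a real certificate chain, and constructed sample bytes. It produces the three outcomes the text describes: a named publisher for a valid signature from a known key, an "invalid" result once a single byte of the artifact changes after signing, and an "unknown publisher" result for a valid signature from a key that is not recognised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher pairs a display name with its signing key; a []Publisher models the
// installer's list of recognised publishers (hypothetical stand-in for a certificate chain).
type Publisher struct {
	Name string
	Key  ed25519.PublicKey
}

// GenerateKeys creates a fresh publisher key pair (constructed for the demo).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignArtifact signs the software bytes (Ed25519 hashes the message internally).
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// VerifyArtifact returns (publisher name, true) only when the signature verifies over the
// current bytes and the key is recognised; otherwise (installer warning text, false).
func VerifyArtifact(trusted []Publisher, pub ed25519.PublicKey, artifact, sig []byte) (string, bool) {
	if !ed25519.Verify(pub, artifact, sig) {
		return "signature invalid: code altered after signing", false
	}
	for _, p := range trusted {
		if p.Key.Equal(pub) {
			return p.Name, true
		}
	}
	return "unknown publisher: signing key not recognised", false
}

func main() {
	pub, priv := GenerateKeys()
	trusted := []Publisher{{Name: "Example Pty Ltd (constructed)", Key: pub}}
	installer := []byte("constructed installer bytes v1.0") // sample artifact
	sig := SignArtifact(priv, installer)
	fmt.Println(VerifyArtifact(trusted, pub, installer, sig))
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 0x01 // one bit flipped after signing
	fmt.Println(VerifyArtifact(trusted, pub, tampered, sig))
	otherPub, otherPriv := GenerateKeys() // valid signature, but key not in the trusted list
	fmt.Println(VerifyArtifact(trusted, otherPub, installer, SignArtifact(otherPriv, installer)))
}
```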
At GlobalSign, we have always been committed to continuously updating our infrastructure to make it future proof. On this journey, we hope to be aligned with the cyber security visions of CISOs and CEOs and to be relied upon as trusted identity service partners. GlobalSign's ability to meet high-volume, large-scale, and automated identity and security requirements for billions of devices, people, and things makes it the preferred choice for the many new IoT/IoE use cases.