The Mandarin publisher Tom Burton talks to John Ellis — chief security strategist across Asia-Pacific for Akamai, the global leader in content delivery network services — about the opportunities and cybersecurity threats in the digital space for Australian government agencies …
Tom Burton: John, today you talked about the resilient organisation, and the need to tailor your organisation to be resilient for security. What did you mean by that?
John Ellis: I think historically a lot of organisations, when they look at security, they typically look at investing in a lot of security technologies, and processes and controls. It’s very much focused on mitigation. We keep seeing so many examples of data breaches that are happening around the world, security incidents and so forth. There’s also another train of thought that’s been evolving the last couple of years, focusing very much on incident response. Saying look, the breach or the security incident’s inevitable, you need to focus on the incident response strategy. What I’m sort of saying is that there needs to be a blending together. Security incidents are inevitable, but we need to be looking at the right investments. We need to be looking at the right organisational constructs, the processes and also the people to be able to build an organization that can adapt, respond and also withstand a lot of the disruptive events that are happening out there at the moment so they can still keep moving forward to achieve their objective. Whatever that may be.
Tom Burton: When you spoke about aligning, or asked the question of aligning your security investments with the threat environment, what were you leaning at there?
John Ellis: If you ask a lot of people about what you invested in the last year, in terms of security, did that really achieve the objective of what you’re looking to achieve? Did you improve your security posture? A lot of people look at you with blank faces. They don’t really know if the money they’ve been spending is actually improving their security. The threat landscape that we have today is very different than what we had, say, ten years ago. Interestingly enough, a lot of the issues we were dealing with ten years ago haven’t gone away. Patch management: software still fundamentally has vulnerabilities in it. People need to patch it. You still need to look at your patch management regime. But also, now we have a lot of different threats out there like DDoS attacks, and all these web attacks have really been growing in sophistication that people need to start thinking about. Essentially, it’s coming back and saying, what’s important to you? Where are your investments being made? Are they actually delivering value to you? If not, maybe redirecting your investment in areas that are actually going to yield some benefit.
Tom Burton: You talked about the various levels of spending various governments make. You travel around, you get a sense of that. You also acquired some numbers. What are the numbers? Is there a magic percentage they should be spending on security?
John Ellis: That’s a tough question. The numbers that I talked about in the presentation were: eight percent is mandated by the Israeli government for the government agencies. Ten percent is the benchmark in Singapore.
Tom Burton: For security?
John Ellis: For security spend. Ten percent of your ICT budget should be spent on security in Singapore. That’s what the government is saying. The numbers vary. Some of the small and medium-sized businesses are spending upwards of 15%. The thing for me is that it’s not so much how much money you’re spending. It’s where you’re spending it to be able to improve the maturity of your organization. If you’re spending all this money in the technology space, but you’re not really improving the maturity of your security capability, then you could be saying that you’re throwing money at the problem. Versus, say, you are spending wisely, you are improving security, then you could say look, we’ve got some alignment that’s happening here and we’re able to move forward with a degree of confidence.
Tom Burton: Is that what you meant when you said security really is a business issue not a technology issue?
John Ellis: Absolutely. You talk to a senior business leader and you ask them: Do you understand about business risk, commercial risk, financial risk? The answer to all these questions is yes, yes, yes. They have to. If they’re a business leader, they have to understand these things. You ask them, do you understand about cyber risk? Invariably, they’ll turn around to you and say look, I have a CIO, maybe I have a CISO, so they understand. That’s not good enough. They also need to understand this is another form of risk in their business, and also technology underpins a lot of what organizations are doing now. There’s a lot of organizations essentially being born in the cloud. You look at Airbnb, Uber, but also you look at the existing banks. How many of these banks could be successful without using technology? They couldn’t. Getting them to understand this sink or cyber risk is something that’s important to them. Then we see a flow down from there.
Tom Burton: The movement to digital delivery of services, to me, says this becomes so much more important. And proves it, because we’ve had digital delivery for quite a while. But if we move industrially to provide government services through that main channel, then this really underlines a need for security.
John Ellis: Absolutely. You don’t want security to be the driving force behind a lot of these things. You want it to be about what’s the enabling qualities, what’s technology, things like that. Around the world, different governments look at it very differently. If you look at the benefits that are to be had, the constituents will want to feel comfortable that the government is doing the right thing by them. In terms of protecting their personal information, the services that they have come to rely on and depend on are available when they need them to be available, things like that. Security’s absolutely critical to being able to win that confidence and the trust. An institution that already struggles with winning the confidence and trust of many people.
Tom Burton: One of the things you said today was an interesting concept of seeing security as an enabler that’ll allow you to go faster. I think you used the analogy of a car. If you’ve got a car that’s well maintained it will go faster. What did you mean by that concept?
John Ellis: If I use the analogy of the car: are the brakes on the car designed to make the car go faster or slower? The truth is that with quality brakes you can go faster, because you know that when something’s going to happen you can stop in time. All analogies at some point do break down. But if you look at investment in technology in supporting whatever the mission of the organisation is, whether it’s a government agency, a commercial entity, whatever it may be, you also need to feel that there’s a degree of confidence that the investment you made is protected. If I’m investing here, I need to also ensure that I’m hedging against some of the risks that may also disrupt my organisation. Security gives you that confidence. If you’re in a position where you can confidently say, yeah, we’ve suffered a data breach, but we know that data’s encrypted and we know where the keys are to that data. We know who’s accessed those keys. We can say with absolute certainty and confidence that those keys have not been accessed by an external third party, cyber adversary, whatever it may be, you’re in a stronger position. So, you can actually ask those tough questions when those tough questions actually arise.