NBN Co is working to a new five-year security strategy that will help the network operator comply with the government’s cyber security strategy, while also maintaining the internal positioning of the security function as a business enabler.
Speaking to the iTnews Podcast, chief security officer Darren Kane also highlighted risk quantification efforts that aim to communicate security risk to the executive and board in dollar terms.
Kane provided a high-level view of NBN Co’s security strategy and approach, which is documented in the new five-year strategy.
“We have a five-year security strategy, and we’ve just commenced a new one,” he said.
“The mission at the NBN is to lift the digital capability of all Australians, so our five-year security strategy is obviously aligned quite closely to that mission.
“I’m also a huge believer in the fact that the strategy must be a living document. There’s a capability for it to actually be nimble, flexible, and meet different opportunities, threats and risks that we may not have perceived when we were actually formulating the strategy.”
NBN Co runs a converged security function of both physical and cyber security, with the strategy detailing the shared responsibility model internally, along with key risk and governance structures.
One of the goals is to demonstrate alignment to the government’s Protective Security Policy Framework (PSPF), the ASD’s Essential 8, as well as the NIST cyber security framework.
The strategy also factors in how NBN Co is addressing its requirements under the Security of Critical Infrastructure (SoCI) Act, and the government’s 2023-30 cyber security strategy.
“We’re very aware and trying to actually be fully compliant and guided by that,” Kane said.
He added that the new strategy also dealt with third-party risk management and people-related challenges – and that one of the overarching aims was to continue to position security as a business enabler.
“If you actually treat security as an opportunity and not necessarily concentrate on the catastrophising of the risk of security, you can actually almost take competitive advantage out of it,” Kane said.
Converged security
NBN Co was one of the first major organisations in Australia to pursue a converged security model, with physical, people/HR and IT security sitting in a single function and under a single executive.
Kane noted the structure meant that one person had ultimate control “of all the data” that each part of security generated.
“That gives you a more complete picture of security risk and how best to control it,” he said.
“If you don’t have ownership of all that data, you actually have to seek ownership, or you don’t get a complete picture.
“Now, that doesn’t matter so much until you’re actually fighting for budget and resourcing. And it doesn’t matter so much until there’s a PIR [post-incident report], when you’re trying to actually identify what went wrong and why you’ve had a breach.
“If you have one accountable owner, it’s that person’s responsibility. If you have multiple accountable owners, you actually have to work through a process of why it didn’t work.”
Kane’s stated preference is to “have the authority and control to actually manage security risk to a level that is expected of me by the company, the board, and the owners of the organisation, which is the Australian community.”
Risk quantification
Kane also discussed his interest in quantifying security risk in financial or dollar terms, consistent with the language used by other C-suite executives to communicate risk.
While noting that executives and boards across business are now highly engaged with security, Kane saw a responsibility on his side to communicate it more clearly.
“I think there’s also an onus on me to actually ensure the way I communicate to them is simple and not complex,” he said.
“It helps them really understand what the risk is and what I’d require from them in the way of support to help manage the risk.
“I don’t think the industry does that particularly well. I think we use acronyms and funky names … like ‘bad actor’, ‘attack surface’, and the one I love at the moment – I’ve spent 20 years trying to convince people to trust me, and then I’m actually up at the C-suite trying to explain the concept of zero trust.
“I just think that we almost make it hard for ourselves by being too smart by half.”
Kane said that the emphasis of communicating security should be on “everyday language” or “even the language of commerce, such as financials.”
“That’s why I’m a big proponent of risk quantification, in actually identifying security risk. I haven’t perfected that yet, but I’m well on the way to that,” he said.
“I’m a firm believer that the C-suite now has a very good understanding of what the risks and the potential downside is.
“They actually want to understand what that’s going to look like in a dollar figure – and with risk quantification that can be provided.
“I think by actually using the language of commerce, the CEO, the CFO, the COO, and chief customer officer will actually understand exactly what I’ve just said and how I’ve explained it.
“I haven’t had to say what the effective control is, how it works, use funky acronyms or use other specific security language that only those within the industry pretty much understand.
“It’s all in dollars and cents.”