Australian industrial electrical contractor Stowe Australia is pursuing a strategy of simplification as part of its ongoing investment in strengthening its cyber defence capabilities.
According to group technology officer Karl Houseman, the company is closely examining the delivered value of previous investments before renewing them, with the goal of replacing individual systems with more capable technology platforms.
“It’s really important to go back and review, as we’re doing budgets and as contracts come to an end, whether historic investment is still relevant, or whether we can invest in a slightly different area and achieve the same result but possibly with a little bit more benefit,” Houseman said.
“Years ago, we might have gone and put in a malware solution, and then a systems management solution, and now we might look at XDR and EDR and those sorts of things.”
Houseman said this approach also paid dividends when it came to developing Stowe Australia’s cyber security team.
“As security becomes more complex, and as the threats become more sophisticated, you end up with a fairly large mishmash of technologies,” Houseman said.
“The skills to support those become very specialist and very expensive. To train them in one platform is much easier than training them in 15.
“While you may not get the best-of-breed, you certainly do get a much more integrated platform, and I think holistically it’s a better outcome.”
Cyber security spending in Australia has been rising steadily. Gartner recently reported that cyber security spending had increased by 11.5 per cent in 2022 to reach $7.74 billion, with 42 per cent of CISOs expecting cyber security budgets to increase over and above inflation rates.
According to Gartner’s senior director analyst for security and risk management, Richard Addiscott, the growing cyber literacy of boards means CISOs face more sophisticated questions about how they spend their cyber budgets.
“This is something CISOs are asking for help on, as the traditional, operational-centric metrics approach is no longer providing executive audiences and boards of directors with the insights needed to make defensible information risk investment decisions,” Addiscott said.
Hence, he said, many organisations are taking an outcome-driven approach that aligns control performance to the level of investment allocated by the business, which is often a measure of an agreed or implicit cyber security risk appetite.
“Whilst delivering the controls environment in accordance with the business’ risk appetite is the CISO’s role, there is increasing recognition that the downstream implications of a significant cyber security incident are going to be felt through reduced revenue and ability to realise profit forecasts conveyed to investors,” Addiscott said.
These losses could arise through reputational damage that causes customer churn, but also include other possibilities such as legal costs associated with defending against class actions, fines from regulators, and other compliance implications.
“It is the C-suite that usually are accountable for delivering the outcomes associated with these elements to their boards and/or wider stakeholder groups, so they have to be involved in deciding the levels of protection they’re willing to pay for to protect those outcomes,” Addiscott said.
“Using an outcome-driven approach allows the security team to demonstrate how the performance of their control environment is protecting their organisation from incidents that can materially impact the business’ ability to achieve strategic objectives.”
These downstream considerations are very much on the mind of Houseman, who described Stowe’s perspective on cyber spending as being tied directly to its appetite for risk, which is highly conservative.
“It is absolutely an investment in security of the business, the reputation, the ability to trade, and to support our partners upstream and downstream in normal business activities, and a responsibility to the ecosystem of the other companies you work with,” Houseman said.
As the boundaries between Stowe and its partners’ systems blurred, with sensitive data being stored in a wider variety of locations and systems, Houseman said he would continue simplifying the cyber security environment by investing in overarching technologies such as Secure Access Service Edge (SASE) to create outcomes that were managed in a unified way.
“We’ve committed to doing that and we’re very early in the journey,” Houseman said.
“We’ll continue to invest in that always-on, always-connected, safe from anywhere, work from anywhere kind of a mindset.”
Houseman added that Stowe’s conservative culture also means that whenever the company evaluates any new technology it considers the security ramifications at the outset.
“We are one of those risk-averse companies that looks at reputation and security before we look at delivering a service internally,” Houseman said.
“We have a responsibility to shareholders, to ourselves, and to our employees and customers to keep that paramount.”