The Hon. Chris Pearce discusses cybersecurity with The Informer's Michael Ray.
Michael Ray: With more and more businesses moving operations online, due to either necessity or for what enhancements technological advancements can bring, cybersecurity has become a critical part of overall business management, and while many businesses are dealing with a risk on a daily basis, many of us don't know where to even begin. To give us some guidance on cybersecurity and where we're at with it, I'm joined by the Honourable Chris Pearce. Now, Chris has held senior executive roles both within Australia and internationally in the telecommunications, information technology and entertainment industries, together with having been a member of the Australian Parliament in the House of Representatives in the Federal Government Ministry. Chris is the Chief Operating Officer at the global digital business DB Results, and he joins me to discuss what businesses should be looking at doing to avoid becoming victims of a cyberattack. Welcome, Chris.
Chris Pearce: Good to be with you, Michael.
MR: Now, Chris, can you give me a summary of what businesses need to be doing as far as cybersecurity goes as far as the risk, the problems and the opportunities that are there?
CP: Michael, cybersecurity is becoming more of a risk for businesses each and every day. The truth of the matter is that the whole threat landscape has really escalated at really rapid speed, particularly I think over the last 12-18 months or two years. I think when it comes to cybersecurity risks for organisations today, it's not a question of "Will we have a threat?" or "Are we at risk?". It's a matter of "When is it going to happen?". And so really the question I think that organisations need to be asking themselves is "Are we ready? Are we fit for purpose to be able to manage an attack when it hits?" Because it's inevitable at some point of time, it's going to. Now, I think, Michael, there are a set of things that organisations can do.
I think the very first thing that organisations should think about doing is performing or undertaking, if you like, a risk assessment. They need to step back and they need to assess their IT landscape. They need to be able to identify where their vulnerabilities are, and where are their gaps where they need to take serious action. So doing this audit, for want of a better term, of your IT environment, I think is the very first thing that you can do.
I think secondly, you need to as an organisation put in place continuous monitoring, in and around security and cybersecurity. Now, there are various ways to do that. One way, the way we've worked with organisations is around putting in place a security operations centre. That's available as a service, where organisations like DB Results can provide that service. And this is a continuous monitoring service, because Michael, the truth of the matter is, is that cybersecurity attackers, they work 24 by 7, and they're not going to give you notice as to when they're going to attack you. So you need to have this continuous monitoring capability, as I think a very important second step.
I think thirdly, all of that is meaningless if you don't have a training and development plan for your staff. Staff need to become aware of what are the best practices in cybersecurity management and handling, if you like. So I think that's a really important third step, and then again I'd say to you, by way of the next action, Michael, that you can do all of those three things but the truth of the matter is, it never stops. You have to have this continuous, repeat process, it has to become part of your standard business practice to be undertaking an audit, an assessment, making sure that you've got the monitoring, keeping the staff training up to date, it's a continuous process. It's not a matter, Michael, of just doing it once and ticking the box. It's that being on the front foot means making this part of the way you do business.
MR: Now at a board level, Chris, what do directors need to be doing to make sure that they're operating in the best interest of their shareholders because obviously, that obligation of the director is to maximize the profit for the shareholders. But how do they convey the extra costs associated with this? So we come in, there's a meeting, right? We want to allow so much more in the budget to facilitate this. How do they get that over the shareholders when it's going to eat into profit? How do they frame that?
CP: Yeah, well it's about sustaining the business. It's about the sustainability and the longevity of the business, Michael, and it is interesting, isn't it? I think the whole topic of cybersecurity at board level is greater now than it's probably ever been. If I think about some of my own board experiences, you know, there are times when it's been on the agenda and it may not have been on the agenda for whatever reason, but today, I think it is a standing item on the agenda and I think that's a good thing, it needs to be. It's not just a matter for the staff, it's not just a matter for the executive management, it is now a matter for the board. So I think a couple of principles around this topic, Michael, I think the first thing is, as I say, it needs to be a standing item. It is a critical issue around risk. I mean most organisations that have boards have a risk function around a risk management audit committee, and so I think making it a standard item in the risk management committee is the second most important thing. It's one thing to have it as an agenda item at the whole board, but I think it needs to become a principal element of the risk audit function at board level. If that happens, then by default almost it becomes a serious reporting item, and therefore I would say to you that the executive leadership team of the organisation in question needs to be actually incented around this, it should be part of their incentives. If they do it, they get incented, if they don't, they don't get incented, just like other KPIs if you like, so I think adding that into the overall requirements of the management team is also important. And through that process, I think it enables the executive management to legitimately bring up to the board proposals to fill the cybersecurity gap.
I think if you put in place those sorts of principles at board level where it's a standing item of the agenda, it's part of the risk management oversight function of the Risk and Audit Committee, then you've got a legitimate process for management to be able to put submissions forward, asking for funding, asking for resources to be able to fill the gaps in order to mitigate the risk for the organisation.
MR: Now, DB have obviously got some experience, great experience and have good offerings in this. If I'm a small employer, so zero to 19, I have a good online presence, 90% of my business is online, I don't know where to go with cybersecurity, can I outsource this to somebody like DB rather than going, right, well I need to hire a chief technology or security officer? Is that the sort of thing that DB Results offers?
CP: Yes, Michael, it is, and the answer is that there are ways to do that. We have a very experienced team of people in and around cybersecurity. We have people that are highly qualified in and around this area. Part of the Advisory Services that we offer do that precisely. Organisations can come to us and they can say look, could you come and sit with us and have a look at what we've got? Work with us and help us identify what our gaps are and most importantly, what an appropriate strategy for the size of our organisation is? And we can do that, Michael, in and around things like capability assessment that I talked about before. We can do it in and around implementing an actual cybersecurity risk management plan. And importantly, we can do it around educating the individuals that are in that organisation. They're all important services that we offer at DB Results.
MR: That's great Chris, cybersecurity has never been more important than anything else. It's like a lock on the door at your old storefront, you wouldn't have it without it. Cybersecurity obviously shouldn't be skipped on, so Chris Pearce from DB Results, thanks so much for your time and insights today.
CP: Good to be with you.