CISO Perspectives Series: On Policy & Compliance; Investigations & Forensics

June 8, 2018

ICE71 hosts our first event in the CISO Perspectives Series, where leading CISOs share their insights on cybersecurity.

Introduction

The economic loss across Asia Pacific due to cybersecurity incidents can potentially hit a staggering US$1.745 trillion, according to a Frost & Sullivan study commissioned by Microsoft. In Singapore alone, the economic loss can reach US$17.7 billion, which is equal to 6% of Singapore’s total GDP of US$297 billion. Cybersecurity risk in Asia Pacific is not to be taken lightly.

That is why, for the first event of ICE71’s CISO Perspectives Series, we invited Mr Stuart Mort, CTO – Cybersecurity of Optus, for an evening of dialogue on cybersecurity. This was a great opportunity for attendees to get up close and hear from one of the leading CISOs in Asia Pacific.

About the CISO 

Stuart Mort is a veteran in the cybersecurity landscape and has 25 years of experience working in Security, from Special Duties operational work with the British Government through to heading an international security consultancy team, and then spending 12 years as Oracle’s Global Vice President of Information Security. As Optus’s CTO Cyber Security, Stu brings extensive experience to help Optus partner with their customers as a subject matter expert, trusted advisor and thought leader to aid in addressing the security threats of today and tomorrow.

Stuart Mort, CTO – Cybersecurity at Optus and Jonathan Chua, Director of InsiderSecurity, sharing insights on policy and compliance, as well as investigations and forensics to combat cybersecurity threats of today and tomorrow.

Dialogue Highlights

The dialogue was moderated by Jonathan Chua, Director of InsiderSecurity, an award-winning Singaporean cybersecurity company. Jonathan has over 10 years of deep technical expertise in cybersecurity from both the government and private sectors. Prior to InsiderSecurity, he was in DSO National Laboratories for 12 years, where he developed innovative solutions for tough cybersecurity problems in national defense.

Attendees participated in the dialogue with their own questions for Stuart and Jonathan.

On Policy, Compliance, Investigations and Forensics

  • Cybersecurity is not the same as IT.

  • Has IT security, Policy and Compliance changed?

  • Policy is the foundation of security and this should be owned by the CISO.

  • The standards should be owned by the IT department.

  • Increasingly, this model is being implemented as organisations mature.

  • For Policy, CISOs need to work closely with all units in the organisation. They will need sponsorship from the highest levels and need to educate across the organisation, while ensuring that employees actually understand it too.

  • Policies and standards are just the rails that organisations run on.

  • Risk-based metrics should be the baseline, with the key relevant risks being the ones reported on. This is specific to each business, but defining an incident can be difficult with no consistent views across businesses within an industry.

On Roles of the CISO

  • The CISO role is there to allow the business to make risk-based decisions.

  • Policy, Compliance and Risk are key components of the CISO role.

  • A key part of the CISO role is to help organisations' governing boards understand the risks they face, so that the boards can then make the decisions on how to mitigate them.

  • CISOs face the following challenges:

    • The CISO needs a voice on the Board, yet today the role generally reports up through IT (it should probably report into the Chief Risk Officer)

    • Budgets are too low, and this needs a rethink in most companies

    • CISOs need to embrace other units working with them e.g. legal

    • CISOs should not think they need to own staff; rather, they can be effective through other units

    • A plethora of security products makes it very hard to find the ‘jewels’

    • Very difficult to put a quantifiable dollar amount on risk

  • The CISO role should just be a guiderail helping the business, but never stopping it doing what it needs to.

How can a startup stand out

  • Need to know exactly who they are selling to, and need to understand how they think.

  • The chief privacy officer role is growing and may be a good avenue.

  • Large corporates are difficult – SMEs are a really good way in.

  • Optus is creating an umbrella MSA that startups can sign up to, shielding them from the corporate MSA.

  • Proofs of concept make it easier to gain a foothold in getting pilot projects implemented.

  • The startup needs to guide the ‘buyer’ in terms of the solution and why it is so good for them.

  • There is a big shift to the cloud, and there are issues with hybrid installations (elastic cloud).

  • Build vs. buy – tech at Optus never builds anything, but would much rather buy capability from external sources.

Growing the ICE71 community and donning hats with Stuart and Jonathan.

With the concluding remarks from Stuart and Jonathan, the audience adjourned to another round of networking at the ICE71 activity lounge. We are absolutely delighted to have hosted this first edition of the CISO Perspectives Series. Thank you to all attendees as well as the distinguished guests.

The CISO Perspectives Series is a series of talks by ICE71 for the start-up community. To find out more about ICE71 and its programmes and events, visit https://www.ice71.sg or drop us a note at enquiries@ice71.sg. If you have any speaker you would like to nominate for the next episode, feel free to suggest them to us! 🙂