I've managed to build an extensive global network throughout my career and as such I am able to draw on this to both share and gain relevant information. Though my industry is not as mature and interconnected as the banks, which is a common theme globally across various sectors, the energy industry does have mechanisms to enable sharing.
I encourage my staff to be involved in relevant industry forums such as AusCERT and the like, and I often measure them on sharing information.
Interestingly enough, this is becoming more and more topical at the Board level and as a number of Non-Executive Directors are sitting on multiple Company Boards, it is encouraging more of a community to be established across sectors. This is a positive.
We are seeing more and more organisations move into the cloud; what's your view on managing these threats?
My long-standing view in this area is that it pushes the controls to be more focused on the securing/handling of company information and getting stronger in the vendor/contract management space.
Organisations need to establish an effective governance mechanism to control the proliferation of cloud technologies which expose organisations to risk unnecessarily, but this is no different to a full, in-house model.
Every organisation should have in place or be putting in place a mechanism to identify Critical Systems and core valuable information. Once this is clear and agreed across the business there is an opportunity to focus resources and expenditure on the areas that can expose the company to a higher level of risk. The security role has now truly evolved into one of a risk advisor and is more about protecting information.
Cloud provides business with opportunities and challenges just like anything else and the CISO's role should be to ensure the right conversations happen to understand the risks.
More mature organisations will have in place a methodology to assess risks within projects and provide for an ongoing assurance process of suppliers to ensure they are continually doing the right things in line with their contract obligations.
In my view, a lot of these things are not a lot different to a "historical" environment.
John, you have a new AGL CIO that is your new manager. What's the approach you take around orientating the boss on your domain?
I've been very fortunate with the CISO roles I have held to date, in that I have worked for someone who gets it or has an understanding of the basics. Simon Moorfield is a CIO who gets it, so it enables us to work in partnership to tackle the problems and we are often on the same page without much discussion.