RSA: Ten essential tips to reduce business risk

In our previous article in the series, we introduced three security leaders who in the last twelve months have impressed us with the way they have navigated through their own challenges to improve productivity and skills in their teams and achieve positive outcomes within their organisations.

These security leaders, in particular CISOs, have enabled transformation within their organisations by reducing risk in accordance with the overall appetite of the business, and by re-organising and enabling their teams.

In this third and final instalment, we want to revisit two critical lessons we have learned collectively from these three CISOs. Before we do that, it is worth reminding ourselves of some fundamental truths that organisations today are facing:

1. Relentless cyber attacks against global market brands - the threats we face are real, the adversaries are determined and skilled, and the failures are far too common (for example, failing to carry out the basic hygiene task of applying security patches).

2. Limited visibility is hampering rapid response - the failures do not only reside in the technical process but also in the workflow and execution of the remediation measures that mitigate the risks.

3. Breaking through the silos - security is no longer just a technology issue. While many organisations can claim that their board members now understand and discuss security and risk, it is still a long journey for many.

4. Overcoming FUD - CISOs are inundated with widespread industry scare tactics and an influx of information. Like in a game of Buzzword Bingo, a CISO could easily spend thousands of dollars in extra budget, and for every point scored in the Bingo game they could probably employ an extra security specialist every year. What then to prioritise, which risks to overcome first, which assets are most critical to protect?

The CISOs highlighted in our stories have shared their successes in seeing through the FUD. Being able to clearly identify, and articulate to board members, what is most important to protect within the organisation is what a business-driven security approach is all about.

So, what made these CISOs exemplars to follow? The answer is that they have each pivoted their own security programmes to enable transformation in the business through:

- The adoption of new technologies and workplace transformation
- The development of new service delivery capabilities
- Changing how their organisations measure their risk profile and appetite

Therein lie the two critical lessons: the importance of filtering out the FUD and being driven by facts; and the ability to enable positive transformation by reducing business risk impacts.

As we close out this series, we would like to offer our top ten suggestions based on the learnings of these CISOs:

1. Know exactly what is happening in your environment. We don’t mean do a pen-test once a year, we don’t mean collect log data only from your preventative controls, and we don’t mean install a magic AI-enabled black box that learns by itself and emits a chirpy ‘ping’ and whirls some lovely 3D graphics in the event of a perceived anomaly. We mean: collect and analyse as much logging data as you can on your network, and keep an accurate inventory of all your endpoints, applications, and (network-connected) non-IT devices. Gain the visibility and the ability to dive deep into all three information collection domains and investigate anomalous behaviour using the skills and behavioural analysis of a human analyst.

2. Have a mechanism to collect and analyse evidence and the trail of breadcrumbs that shows not just what happened, but when and how, and what may happen next.

3. Have a defined and agreed matrix of ownership: who is responsible for all aspects of BAU and break-fix operations.

4. Have an agreed and tested risk register and an agreed level of risk appetite that is signed off by the business stakeholders.

5. Know the process for investigating, resolving and learning from a breach. Include all areas of business impact, such as technical operations, business operations, law enforcement, regulations and policies, and supply chain parties. Test the process!

6. Know what the top business development priority is for your CEO, be ready with a gap analysis of the current and future risk state, and be able to articulate your plan based on the priorities of risk impacts.

7. Identify and groom your replacement and nurture the next batch of talent.

8. Gain a thorough understanding of the operations in your organisation - where each supply chain contributes (positively or negatively) to your own risk posture - and collaborate both upstream and downstream in the supply chain to help each other.

9. Intelligence sharing and learning - contribute to the greater good and network, network, network. Go to every industry conference you attend with the personal goal of meeting ten to fifteen new peers, learning from them, teaching them whatever you can and staying in touch.

10. Hire new graduates and mentor them so that we help resolve the ongoing skills shortages in our country.

Always remember: we are all connected in this hyper-connected world, and what each individual does will make a difference. In his book We Are All Leaders: Leadership Is Not a Position, It’s a Mindset, Fredrik Arnander suggests that everyone is a leader regardless of their station in life, the title on their business card or their position in family or community. For this to be true, we all need to lean in and lead for a better and safer digital world.

Find out how to boost your security team, doing more with the team you have – Download RSA’s free ebook “5 Tools to Boost Your Security Team’s Impact”


Simon Perry, Threat Detection and Response Business Manager, RSA
Andrew Bonehill, Threat Detection and Response Snr Technology Consultant, RSA
