Commentary

Opinion pieces in the Australian Financial Review

  • "Boards paying cyber ransoms should quit", July 2019.
    • "There’s a saying that management is doing things right, and leadership is doing the right things. Preparation for ransomware is a great barometer of whether your organisation is doing either."


  • "Australia is still in the cyber security dark ages", June 2018.
    • "Without transparency around cyber security incidents, investors face the unpalatable proposition of investing in a company that says, 'we want your money but we're not going to tell you if we have a clue with managing risk'. I'm pretty sure that investing based on faith and hope is actually called gambling."


  • "How Australia must use the PageUp data breach to become stronger", June 2018.
    • "Australia has many companies similar in size and aspirations to PageUp that need to appreciate it could just as easily have been them. Think about the sensitive data held by law firms, accounting firms, real estate agents and mortgage brokers. Do you think the security of these organisations is markedly different from PageUp?"


  • "The three cyber security challenges Australian businesses can't ignore", May 2018.
    • "Commensurate sounds a lot like 'due care' to me. What was foreseeable, what should you have taken the time to understand, what did your peer organisations already know, what level of responsibility is reasonable to expect? The other fun fact about commensurate in the world of cyber risk management is that what's reasonable today will be inadequate in three years."


  • "New data breach notification scheme will be a barometer for business maturity", March 2018.
    • "If your organisation is not aware of and managing the risks that come with being in a hyper-connected world, the data that you have, and the potential impact of this data being breached, then I assert you don't know what business you're in. If you want to take cyber security seriously, know that your organisation must punch through compliance to a more mature way of doing business and managing risk because that's what it takes to be doing genuine, sustainable, digital transformation."


  • "Business experience should help parents keep kids safe online", November 2017.
    • "Cyber security professionals are the natural allies of e-safety. And while it's true that often the many cyber security people can struggle in communicating the value of their domain to normal humans, this is where HR departments can step up and help bridge the gap."


  • "Is cyber insurance necessary or a racket? What to know before you sign on", September 2017.
    • "Section 21 of the Insurance Contracts Act (1984) stipulates that the party seeking an insurance contract has an obligation to disclose to the insurer anything the party knows, or could be reasonably expected to know, that may impact on the insurer's decision to accept the risk of insuring the party. Got a skeleton in your IT cupboard? If you have an enterprise of any size or complexity, you'll have many."


  • "Companies must hire a CISO to address cyber threats at the executive level", July 2017.
    • "One of the most important capabilities of a good CISO is their ability to develop relationships across the executive layer. You need your CISO and their team to have a deep understanding of your organisation and what really matters to the business. This exploration will go through layers of maturity, and takes time, resources, ongoing commitment, and trusted relationships."