Commentary

Opinion pieces in the Australian Financial Review

  • "Boards paying cyber ransoms should quit", July 2019.
    • "There’s a saying that management is doing things right, and leadership is doing the right things. Preparation for ransomware is a great barometer of whether your organisation is doing either."




  • "Australia is still in the cyber security dark ages", June 2018.
    • "Without transparency around cyber security incidents, investors face the unpalatable proposition of investing in a company that says, "we want your money but we're not going to tell you if we have a clue with managing risk". I'm pretty sure that investing based on faith and hope is actually called gambling."


  • "How Australia must use the PageUp data breach to become stronger", June 2018.
    • "Australia has many companies similar in size and aspirations to PageUp that need to appreciate it could just as easily have been them. Think about the sensitive data held by law firms, accounting firms, real estate agents and mortgage brokers. Do you think the security of these organisations is markedly different from PageUp?"


  • "The three cyber security challenges Australian businesses can't ignore", May 2018.
    • "Commensurate sounds a lot like "due care" to me. What was foreseeable, what should you have taken the time to understand, what did your peer organisations already know, what level of responsibility is reasonable to expect? The other fun fact about commensurate in the world of cyber risk management is that what's reasonable today will be inadequate in three years."


  • "New data breach notification scheme will be a barometer for business maturity", March 2018.
    • "If your organisation is not aware of and managing the risks that come with being in a hyper-connected world, the data that you have, and the potential impact of this data being breached, then I assert you don't know what business you're in. If you want to take cyber security seriously, know that your organisation must punch through compliance to a more mature way of doing business and managing risk because that's what it takes to be doing genuine, sustainable, digital transformation."


  • "Business experience should help parents keep kids safe online", November 2017.
    • "Cyber security professionals are the natural allies of e-safety. And while it's true that often the many cyber security people can struggle in communicating the value of their domain to normal humans, this is where HR departments can step up and help bridge the gap."


  • "Is cyber insurance necessary or a racket? What to know before you sign on", September 2017.
    • "Section 21 of the Insurance Contracts Act (1984) stipulates that the party seeking an insurance contract has an obligation to disclose to the insurer anything the party knows, or could be reasonably expected to know, that may impact on the insurer's decision to accept the risk of insuring the party. Got a skeleton in your IT cupboard? If you have an enterprise of any size or complexity, you'll have many."


  • "Companies must hire a CISO to address cyber threats at the executive level", July 2017.
    • "One of the most important capabilities of a good CISO is their ability to develop relationships across the executive layer. You need your CISO and their team to have a deep understanding of your organisation and what really matters to the business. This exploration will go through layers of maturity, and takes time, resources, ongoing commitment, and trusted relationships."


  • "Small business risks being left behind in Australia's virtuous cyber security plans", May 2017.
    • "Both the top end of town and government have a vested interest in the cyber security of the SMB space. Standing back and waiting for someone else to fix it won't work. We cannot leave SMB behind. Not because it isn't an option, but because it's actually not possible for the Australian economy to thrive as a whole, while half of us are getting picked off like fish in a barrel."


  • "ABS census was an IT and cyber security disaster waiting to happen", August 2016.
    • "The ABS pushed us all strongly to use the website. Now, according to its website on the census, it expected about 15 million people to complete the census online. Most of these people were likely to address the census after they got home and had eaten dinner, but before they went to bed. So now you've got allegedly 15 million people all trying to access the site within a three to four hour window. Let's call it a five hour window, and even drop it to 10 million people. That's still 2 million people per hour. And that is double the 1 million people per hour that the ABS said the site was built to service. Planning for this level of demand is not rocket science, but it does seem that the census website was simply not designed to support a realistic level of demand."


  • "Australia is suffering a shortage of world-class cyber security teams", April 2016.
    • "I am not arguing that every organisation needs to hire a chief information security officer and a team of 200 security specialists; that's not practical. I am arguing that having an informed opinion of your organisation's exposure to cyber risk is essential to balance the "risk versus cost versus benefit" equation."