AGS 2022

The Essential Eight

Mitigation strategies against cyber risk from the Australian Cyber Security Centre.

1. Application control: Preventing non-approved applications from running

2. Patch applications: Fixing security vulnerabilities in applications

3. Configure Microsoft Office macro settings: Preventing Microsoft Office macros from being used to run malicious code

4. User application hardening: Restricting popular ways of running malicious code through web browsers

5. Restrict administrative privileges: Protecting special user accounts that adversaries can use to gain full access to ICT systems

6. Patch operating systems: Fixing security vulnerabilities in operating systems

7. Multi-factor authentication: Implementing more robust ways to authenticate legitimate users

8. Regular backups: Ensuring systems and important information can be accessed following a cyber security incident.

Darren Kane MAICD will speak at the Australian Governance Summit in March 2022.

As chief security officer at NBN Co, Darren Kane MAICD has a remit to manage all forms of security risk facing the nation’s wholesale broadband provider. As well as ensuring NBN’s many physical sites around Australia are adequately guarded, Kane oversees the background and screening checks of thousands of personnel at the publicly owned corporation, and its chief privacy officer reports directly to him.

The most prominent risk that Kane manages relates to cybersecurity. With cyber attacks becoming more prevalent and sophisticated every year, cybersecurity is swiftly becoming one of the most significant business operational risks. Kane’s expertise is in more demand than ever from the board, which is keen to be across potential cybersecurity issues.

“There’s a high degree of interest and caution around cybersecurity because it is now such a prominent issue,” says Kane. “There is a requirement on me to help the board and C-suite understand how we are managing that risk, and to manage their expectations on risk appetite. The single most important thing for any organisation is to understand the risk appetite around cybersecurity.”

Delicate balancing act

As Kane sees it, risk and reward work in tandem, and forming an appropriate risk appetite necessarily takes commerciality into consideration. “There may be areas where you can afford to accept risks because you’ve got compensatory controls in place, or because you’ve taken a risk-based approach to it,” he says. “There may be good opportunities to grow and be productive and high-performing. The flipside is when you cannot accept the risk, either because the level of risk is too high or the risk is outside your appetite. It will then cost money to put mitigation processes around it to reduce the risk.”

Kane attends twice-yearly board meetings and reports as required to the board, chaired by Kate McKenzie MAICD. He also spends a significant amount of time with the board’s audit risk committee, but does not initiate contact with the board.

“It’s very rare I will go directly to the board for anything, but they certainly know that they can come direct to me,” he says. “I like to make sure I’m not seen as someone who independently interacts with the board without the C-suite or my executive members understanding I’m having that interaction. That’s the primary way to manage interactions with the board.”

An inherently complex task

As the world becomes more interconnected and globalised, supply chain risks are growing. Threats such as ransomware attacks represent an unprecedented potential for causing widespread business disruption. Arguably the highest-profile case of a supply chain cyber attack took place in 2020 against American IT infrastructure company SolarWinds. The hackers successfully compromised the data, networks and systems of thousands of SolarWinds’ customers, which included US federal government institutions.

Kane says that managing risks relating to third parties is inherently complex and fraught. “It’s a challenge because you’ve got third-party providers who use their own suppliers. We have a really strong concentration of effort in ensuring our supply chain understands what the contractual arrangements are, our expectations around security and our ongoing vigilance against risk.”

Part of continuously monitoring against any potential vulnerability involves undertaking assurance checks on suppliers. These checks can be carried out on the suppliers of NBN’s suppliers, as extended contracts are in place. A great deal of work goes into ensuring risks are managed in accordance with policy standards and guidelines.

Putting people first

Kane notes that while staving off cyber attacks may appear highly technical and complex, it is ultimately a human problem, with a human solution — a strong and effective team. “One of the big issues for us at the moment is the importance of soft skills in leading and managing teams in a tight marketplace,” he says. “My job is to manage the people who manage security risks — and managing people is significantly undervalued in the security space right now.”

He adds that the past couple of years during the pandemic have been incredibly challenging, and he has found that managing remote teams requires a heightened focus on soft skills. “I’ve had to become a more talented and innovative leader, and it’s taught me to understand people’s different responses to the situation and what motivates my team. I’ve concentrated a lot of my efforts over the past two years on doing the very best I can to ensure my people are OK.”

Kane was able to draw on skills he acquired over 12 years as a detective sergeant with the Australian Federal Police. “I had a wonderful career as a detective,” he says. “It gave me early lessons in life skills and helped me understand that if you’re tasked in leading and managing, you’ve got to have a degree of empathy and respect for all. In certain situations, you have to rely enormously on different individuals. I had the benefit of having so many different experiences and it made me a far better leader.”

Last October, Kane attended the first meeting of the federal government’s Cyber Security Industry Advisory Committee, which is tasked with helping the federal government improve cybersecurity across the public and private sectors. The committee was formed to guide the implementation of the 2020 Cyber Security Strategy. Its chair is Telstra CEO Andrew Penn.

“It’s basically an opportunity for industry to have a voice into government,” says Kane. “The government is implementing different portions of the strategy and the Industry Advisory Committee advises the government as to whether it has been effective or suggests it may be changed.”

Kane feels most public and private organisations in Australia are now acutely aware of the risks posed by the scourge of cybercrime. “Broadly, I think the understanding of the risk that is represented by cybersecurity is good in Australia,” he says. “Everyone knows what the problem is. The downside is that I’m not sure anyone has the solution.”