Ahead of his address at the 2022 Australian Governance Summit, in March in Melbourne, NBN Co chief security officer, Darren Kane GAICD, spoke with Company Director magazine about policing emerging risks for organisations in 2022 and beyond.
As chief security officer at NBN Co, Darren Kane GAICD, a former police detective, has a remit to manage all forms of security risk facing the nation's wholesale broadband provider. As well as ensuring NBN’s many physical sites around Australia are adequately guarded, Kane oversees the background and screening checks of thousands of personnel at the publicly owned corporation, and the chief privacy officer reports directly to him.
The most prominent risk that Kane manages relates to cybersecurity. With cyber attacks more prevalent and sophisticated every year, cybersecurity is swiftly becoming one of the most senior business operational risks. Kane’s expertise is in more demand than ever from the board, who are keen to be across potential cybersecurity issues.
“There's a high degree of interest and caution around cybersecurity because it is now such a prominent issue,” says Kane. “There is a requirement on me to help the board and C-suite understand how we are managing that risk, and to manage their expectations on risk appetite. The single most important thing for any organisation is to understand the risk appetite around cybersecurity.”
Delicate balancing act
As Kane sees it, risk and reward work in tandem, and forming an appropriate risk appetite necessarily takes commerciality into consideration. “There may be areas where you can afford to accept risks, because you've got compensatory controls in place, or because you've taken a risk-based approach to it,” he says. “There may be good opportunities to grow and be productive and high-performing. The flipside is when you cannot accept the risk, either because the level of risk is too high or the risk is outside your appetite. It will then cost money to put mitigation processes around it to reduce the risk.”
Kane attends twice-yearly board meetings and reports as required to the board, previously chaired by former Telstra CEO Dr Ziggy Switkowski AO FAICD. On 1 January this year, Kate McKenzie MAICD took over as chair.
Kane spends a significant amount of time with the board’s audit risk committee but does not initiate contact with the board. “It's very rare I will go directly to the board for anything, but they certainly know that they can come direct to me,” he says. “I like to make sure I’m not seen as someone who independently interacts with the board without the C-suite or my executive members understanding I'm having that interaction. That's the primary way to manage interactions with the board.”
An inherently complex task
As the world becomes more interconnected and globalised, supply chain risks are growing. Threats such as ransomware attacks represent an unprecedented potential for causing widespread business disruption. Arguably the highest-profile case of a supply chain cyber attack took place in 2020 against American IT infrastructure company SolarWinds. The hackers successfully compromised the data, networks and systems of thousands of SolarWinds’ customers, which included US federal government institutions.
Kane says that managing risks relating to third parties is inherently complex and fraught. “It's a challenge because you've got third-party providers who use their own suppliers. We have a really strong concentration of effort in ensuring our supply chain understands what the contractual arrangements are, our expectations around security and our ongoing vigilance against risk.”
Part of continuously monitoring against any potential vulnerability involves undertaking assurance checks on suppliers. These checks can be carried out on the suppliers of NBN’s suppliers, as extended contracts are in place. A great deal of work goes into ensuring risks are managed in accordance with policy standards and guidelines.
Putting people first
Kane notes that while staving off cyber attacks may appear highly technical and complex, it is ultimately a human problem, with a human solution — a strong and effective team. “One of the big issues for us at the moment is the importance of soft skills in leading and managing teams in a tight marketplace,” he says. “My job is to manage the people who manage security risks — and managing people is significantly undervalued in the security space right now.”
He adds that the past couple of years during the pandemic have been incredibly challenging, and he has found that managing remote teams requires a heightened focus on soft skills. “I've had to become a more talented and innovative leader, and it’s taught me to understand people’s different responses to the situation and what motivates my team. I've concentrated a lot of my efforts over the past two years on doing the very best I can to ensure my people are okay.”
Kane drew on the skills he acquired spending 12 years as a detective sergeant with the Australian Federal Police. “I had a wonderful career as a detective,” he says. “It gave me early lessons in life skills and helped me understand that if you're tasked in leading and managing, you've got to have a degree of empathy and respect for all. In certain situations, you have to rely enormously on different individuals. I had the benefit of having so many different experiences and it made me a far better leader.”
In October, Kane attended the first meeting of the federal government’s Cyber Security Industry Advisory Committee, of which he is a board member. The committee is tasked with helping the federal government improve cybersecurity across the public and private sectors and was formed to guide the implementation of the 2020 Cyber Security Strategy. Its chair is Telstra CEO Andrew Penn.
“It's basically an opportunity for industry to have a voice into government,” says Kane. “The government is implementing different portions of the strategy and the Industry Advisory Committee advises the government as to whether it has been effective or suggests it may be changed.”
He feels most public and private organisations in Australia are now acutely aware of the risks posed by the scourge of cybercrime. “Broadly, understanding the risk represented by cybersecurity is good in Australia. Everyone knows what the problem is. The downside is that I'm not sure everyone understands what the solution can be.”
Darren Kane GAICD will speak at an AGS 2022 session in March 2022: Cyber Security Risk: Taking Action Before It’s Too Late.