Cybersecurity is a national challenge, and it’s not about technology

Organisational culture is probably one of the most important aspects of cybersecurity maturity and readiness.

Jacqui Kernot leads Accenture’s security business for Australia and New Zealand

Within critical infrastructure, we find enormous cultural divides between people running the corporate networks and those running industrial or operational networks.

This is because they are approaching the problem from two very different philosophies.

You have security professionals who are focused on data system integrity to protect personally identifiable information or intellectual property, and then you have those who are managing operational networks, prioritising safety, reliability and availability, above all else.

This cultural divide creates different internal practices, priorities and beliefs about how to protect the assets involved, which makes standardisation across sectors enormously challenging for governments.

We believe this can only be fixed through encouraging open collaboration among leaders, keeping them engaged and accountable, and creating policies, governance and training across all sectors of government.

Mick Willing APM is National Security and Safety lead, Accenture.

The second major challenge is in what we call “people, process and policy”. It is a myth that cybersecurity is mostly about technology. You can’t optimise technology or your cybersecurity enterprise unless you have the right people, with the right training, who are in the right roles and who have the right authority.

Equally, the right people can only succeed if you also have the optimum processes and tight governance in place. So we group those three things together: people, process and policy, because they are so completely interdependent by nature.

The third key challenge is visibility. The way we think about it is, “If you can’t see it, you can’t protect it”. This is especially important when you consider the critical nature of Australia’s supply chains. We experienced some disruption during the pandemic, and felt first-hand the unsettling effect on the nation of panic buying, but this was just a mild experience of what could happen if our supply chains are breached.

Supply chain visibility helps us know not only our suppliers, but our suppliers’ suppliers. Given there can be up to 10,000 companies involved in a single supply chain, understanding where the “break points” may be ahead of time can help a company or government organisation adjust and adapt to an unexpected disruption in the chain.

At Accenture, we use predictive forms of technology to help our clients gain this visibility. This may involve building a “digital twin” to model the effects of disruption at different parts of the chain, or “control towers” that give the ability to intervene proactively, or after an event, when necessary.

Visibility across enterprises and government agencies is also essential to allow common goals, training and governance to be implemented, and to reduce duplicated efforts.

We often see security professionals in one part of a government or corporate network not really talking to security professionals in other parts of the network, yet they are often engaged on the same challenges. Visibility across networks is key to channelling resources and talent efficiently.

It is only when those three elements are in place and working well – organisational culture, “people, process and policy”, and visibility – that we can adequately protect our nation from the threat of cyberattack.
