Australian Security Magazine, Aug/Sept 2017


....with Garry Barnes

Editor’s Interview with Garry Barnes, Practice Lead, Governance Advisory, at Vital Interacts, Australia, and former ISACA Board Director

According to Gartner, by 2019, 40 per cent of large enterprises will require specialised, automated tools to meet regulatory obligations in the event of a serious information security incident. Cybersecurity governance expert and former ISACA board director, Garry Barnes, presented at CeBIT in Sydney about the business implications and benefits of automated cyber security defences, including current technology being used and best practice implementation.

EDITOR: You outlined that you found it relatively hard to find proactive, supportive and enabling automation. Taking an InfoSec lens to business, you have created a credo that if you can eliminate the security budget just down to ‘your’ salary, then the business has embedded security. Can you expand on these concepts?

Garry Barnes (GB): My research was not exhaustive, but the majority view was that cyber security primarily equated to threat detection and incident response and not “secure Internet-enabled business”. This means that security becomes a discrete function protecting the business against diverse threats. An information security lens, however, would highlight business value in information assets and information services and would seek to establish the appropriate control model based on those values. This means a CISO can better align security activities with the cost of doing business, and help product or service owners recognise these costs as a function of revenue, sales, growth, etc. This in turn means a security budget may be able to apportion those back into the business functions. In this way, the business is taking ownership of security and it enhances their learning about risks and opportunities and the acceptance of risk.
The challenge is that there is danger in complacent acceptance of cyber risk, but the intent should be to have the business leaders making those decisions, rather than the CISO.

EDITOR: Using a similar model to fleet management, where corporate vehicle risk increases to an unacceptable level after 3 years and the fleet is replaced, should this be a model for large enterprise to adopt with ICT systems in total, or just cyber security systems?

GB: I think it is a model for ICT in general (and I have seen organisations which have a policy like this); however, the challenges have been the cost of upgrade and replacement, and the potential transformation activities that go with it. However, this should be assessed against cyber risk from aged technology and the economics of sustaining unsupported technologies.

EDITOR: Automation advances anomaly detection and bad actor detection. You stated you want to shift the focus – to where exactly, and in what time frame do we need it?

GB: We’ve had automated tools for configuration management and systems monitoring for two decades, yet these don’t often get credit as being key in the cybersecurity tool kit. I want to shift the focus to using automation as much towards enabling and maintaining secure architecture and configuration as threat detection and response. The former is good for business while the latter is risk mitigation.

EDITOR: Threat actors also now have AI tools. Can good AI be trained to detect bad AI?

GB: That’s a great question and I think the answer is yes. Certainly, we have tools today that can detect bad actors and potentially reconfigure systems to protect against the threat, but the AI and machine learning components are basic. It will be interesting to see how, for example, the technology in future Cyber Grand Challenge entrants evolves and what they are capable of.

EDITOR: If we can get our language right, the business leaders will better understand security. It is more difficult for the SMBs, but cloud providers may be good in this regard, to leverage their advanced architecture. Do you consider cloud computing platforms now offer a security solution, rather than what was formerly perceived as a security risk?

GB: Absolutely, but there is still a need for sound controls: due diligence when selecting the provider; clarity regarding security responsibilities in contract clauses; monitoring and review of services; incident notification and response; and effective exit provisions, for example.

EDITOR: Automation is possible in asset discovery, security coding, metrics and reporting, as well as data classification, risk data and aligning these equally to the four quadrants of protect, detect, recover and respond. Given your 25+ years’ experience, where do you see AI and machine learning over the next decade, and will the quadrants change?

GB: The broader IT (and IoT) industry has a huge role to play in building secure systems from the outset, and investments in secure code, secure configuration, secure deployment, monitoring and correction will be just as critical as threat detection and response.

Garry Barnes has over two decades of experience in information security, assurance, risk management and IT governance. He has worked with organisations across many industries, including the public sector, banking, health, education and transport. His achievements include delivering multi-year security partnerships, implementing numerous business-aligned security strategies, overseeing risk management during a substantial banking transformation, guiding organisations through to ISO 27001 certification, and overseeing multiple compliance, assurance and security testing programs. During his tenure in the NSW State Government, Barnes founded and served as chairman and committee member on a government forum for information security management.

About ISACA

ISACA® (isaca.org) helps professionals around the globe realise the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organisations. Established in 1969, ISACA is a global association with more than 140,000 members and certification holders in 188 countries. ISACA is the creator of the COBIT framework, which helps organisations effectively govern and manage their information and technology. Through its Cybersecurity Nexus (CSX), ISACA helps organisations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.

