Security, compliance and privacy are hugely topical, especially as organisations look to expand their data and analytics capability. While there is increasing scrutiny from regulators and consumers to contend with, CIOs and CISOs must also factor in challenges arising from a hybrid working environment that has come about because of the pandemic.
At a CIO roundtable with DDS-IT and Commvault, New Zealand IT leaders shared their approach to navigating through this complex environment. Many saw the convergence of security and compliance as inevitable, with privacy becoming even more to the fore following the new Privacy Act in December 2020.
Security, compliance and privacy converging
Jarden head of IT risk and security David Higgins notes that in his organisation they use similar tools to achieve both security and compliance outcomes. While his role is more aligned to security, the executives he works most closely with are the Chief Digital Officer and Chief Risk Officer.
EROAD head of security engineering Jeremy Peaks, whose company is a telematics provider offering SaaS products in the transport sector, notes that cybersecurity threats are on the increase. “I would say there is absolutely an element of security with compliance, we certainly see it with regulations that we need to adhere to for being a certified product that is able to measure distance calculations and be used for tax purposes.”
Another CIO in the transport sector — albeit on the operations side — notes that security, compliance and privacy are beginning to overlap when it comes to data and “understanding all the data we obtain, the data we store, and the data we transmit.”
Privacy is also a crucial part of the mix, with many organisations now employing a Chief Privacy Officer. It isn’t only New Zealand law that they need to be across, but privacy legislation in other jurisdictions, in particular the European Union’s GDPR (General Data Protection Regulation), which many see as the gold standard for privacy legislation globally. As Peaks from EROAD explains:
“I have personal experience in the past with adapting to GDPR, so I’m all too aware of the challenges. As most companies have realised since GDPR, it’s best to adhere to the most stringent regulations globally and not try to adapt differently to each market. We are committed to privacy by design though and make strong efforts to achieve this with our new development,” he says.
“Pen testing and software monitoring are very important, but we also do threat modelling as early as possible — often at concept stage and certainly by technical design stage. It’s important to us to identify issues early in the cycle when they are not only cheaper to address, but also form part of the design.”
Everyone’s responsible for cybersecurity and data privacy
BDO New Zealand chief technology officer Chynel James says that while there might be dedicated roles that oversee these areas, cybersecurity, compliance and privacy are the responsibility of everyone in the organisation. “Education and communication are really key, and a bit of a change programme can help with promoting awareness and the desire among all staff to be vigilant. You need to show people what’s in it for them, make them understand why everyone has a part to play,” she says.
DDS-IT general manager for sales and marketing Craig Sutton agrees that there needs to be a cultural change in organisations to security mindfulness, and “finding the right balance between imperatives and doing it the right way,” he says.
“The key is lots of user training and telling the story in a way that makes people understand why cybersecurity and protecting privacy is something everyone has to do.”
James from BDO New Zealand has also seen these issues become more elevated in the organisation. It’s no longer just the IT suite that deals with them, with CEOs and boards taking a more active interest in the organisation’s risk profile.
Beca chief digital officer Thomas Hyde says cybersecurity is a regular topic for board meetings, where mega trends, threats and possible risks are discussed. As part of these sessions, senior executives from organisations that have suffered major cybersecurity incidents have attended to share their experiences, and this has greatly improved the understanding of the issues.
Tips and advice for dealing with cybersecurity
David Higgins from Jarden says being able to figure out the per-seat cost of your IT spend can be useful in communicating the importance and reasoning behind cybersecurity and privacy protection expenditure. “If I know that for every person that walks through the door, the cost of their digital identity is X, it becomes a lot easier to quantify how we scale our protection,” he says.
James from BDO New Zealand noted that it’s important to have a security vendor that is “plugged into those government processes and can provide you with outside input. IT is very complex, and no one can know everything; partnering with the right people can be hugely advantageous.”
Another important tip was to keep in contact with government agencies, such as CERT, who are often willing to attend board meetings and provide first-hand information to senior leaders in the organisations. Keeping up with trends and understanding how and why high-profile attacks have occurred is also a useful way of ensuring you are aware of possible threats to the organisation.
“Where I would start is understanding your adversary attack scenarios. During the past couple of years, we’ve seen a prolific increase in a lot of ransomware and data thefts — in Australia and New Zealand, as well as globally. A lot of these attacks are occurring where business emails are compromised, and the attacker is quietly and persistently trying to gain access,” says Higgins from Jarden.
Many CIOs present at the roundtable also noted that being aware of the security, privacy and compliance measures taken by those in your ecosystem (from partners to clients) is also critical. As Peaks from EROAD put it: “The days of building everything yourself are gone… it is important, therefore, to ensure a high level of cyber security comfort in those companies as well as your own.”