by Byron Connolly

Telstra’s ‘five knows of cyber security’

Aug 31, 2015
CSO and CISO | Government | Telecommunications

Telstra lives by ‘five knows of cyber security’ when it comes to protecting information across the organisation, according to chief security officer, Mike Burgess.

Burgess – who was speaking at a cyber security event in Sydney – said that although the telco pays attention to malware threats and to determining who was responsible for an attack, focusing on the following five areas is crucial.

1. Know the value of your data

“You must know the value of your data – to yourself, to your competitors and to those who wish to do harm,” said Burgess.

“That’s where you get an understanding of the threat and the context of what you hold, and what is of value to others. When you do that, what you might think is important to you or to them may be two different things.

“You have to have a complete understanding of what is valuable data.”

2. Know who has access to your data

Burgess urged organisations to look deep inside their supply chain to understand who has access to data, and to determine whether certain individuals should have the permissions that they do.

3. Know where your data is located

Organisations need to determine what information is stored locally, and what information is stored in the cloud within data centres across the globe, to determine their true security risk, Burgess said.

4. Know who is protecting your data

“In some cases, you think that it’s being protected, but it’s not,” said Burgess. “It may not be your own IT department that’s protecting data because of some business deal that’s been done.

“You’ve got to know who’s protecting your data.”

5. Know how well your data is protected

“Until you know these five things, I’d argue that you can’t really assess the risk your organisation faces properly,” he said.

Burgess added that cyber security is also not a technology risk issue and too many organisations believe it’s something that’s solely in the hands of the IT department.

“It’s a business risk issue. We [Telstra] are also of the view that this is more of a human issue, not a technical one. It’s not a problem induced and solved by technology alone. This is very much a human issue, a leadership issue and a business risk that you need to pay attention to.”

He said that corporations don’t need security ‘boffins’ on their boards because the issue of cyber security needs to be normalised.

“In the end, it’s just a crime… it might be a little bit complicated but if we think long and hard across the rest of our businesses, we have complicated risks elsewhere and we are capable as humans of dealing with those. But you do need to educate yourself.”

Telstra has around-the-clock monitoring of its networks to keep customer data safe, and an incident response capability is ready to roll, he said.

However, even when organisations do “everything else right”, they still need to deal with the fact that the advantage remains with the crooks who wish to do harm.

Burgess said he was passionate about ‘discovery’, or advanced security threat detection and real-time intelligence.

“Computers are very good at looking at other computers and understanding what’s normal and what’s new,” he said. “Once you’ve got every known problem sorted, if you do it really well, there’s going to be a new one coming at you and discovery helps you do that.”

Burgess is a member of a panel advising the Abbott government during a six-month review to identify the strengths and weaknesses of Australia’s cyber security strategy.

The review is expected to be released soon but the private sector should act now, he said.

“But the message that we believe in at Telstra is that this is a business risk, this is not something we have to wait for a government review to land before we do something about it. It’s up to us today.”

He added that cyber security is not solely an espionage problem. In fact, the espionage piece is a relatively small but significant piece of the cyber landscape, he said.

“Most of it is just straight crime coming at you, or disgruntled staff or issue motivated groups who have a gripe about something and they are protesting through cyber means.

“All of that is for the private sector business to deal with.”
