iTnews

Case Study: Keeping CPA's board up to date about cybersecurity risks

By Andrew Birmingham
Tom Duvall
Nov 9 2021 7:00AM

Boards need better information on cybersecurity, but processes are often manual.

A period of accelerated digitalisation has heightened the importance of providing information about cyber security to boards and management teams.


Digital Nation spoke to Nigel Hedges, head of information security for CPA Australia, which provides credentialing and education to its 268,000 members in the accounting sector, both domestically and abroad.


Hedges says that the business' security posture has changed over the past two years as hackers have organised into groups that target businesses across sectors, with every industry fair game. This has created new challenges across the threat landscape.

Additionally, the need to manage all transitional activities throughout the work-from-home arrangement added to the challenge.

“That whole transition introduced another set of risk because you're moving to new suppliers, and you need to make sure you're investing with the right suppliers, you have to go through security due diligence,” says Hedges.

These changes were done under extreme time pressures, with work that might otherwise have involved months of planning, needing completion in just days.

“It did require a lot more resources to spend on all the various different aspects of pivoting and transitioning to remote working all the online systems,” he says.

“Using those agile philosophies to make steps towards things, I think, certainly allowed us to move at speed.”

Given its purpose, the CPA board is well versed in cybersecurity issues, but the speed of change does raise interesting issues about the learning curve of boards generally.

Hedges believes that many board members still don’t fully understand the nuances of the cyber risk posed to their companies, despite an increase in ransomware attacks over the past 12 months.

When he spoke to his peers in the cybersecurity industry it was also clear there were myriad ways of reporting to boards, and many of them were substandard.

Fortuitously for CPA, the organisation started a process in 2019 to improve how it reported to the board and to management.

"The first challenge I had was that managing or reporting to management and the board was quite manual. So you're digging into PowerPoint presentations and trying to get the right images and things like that."

Instead what he wanted was an approach that allowed for a consistent reporting style covering the whole gamut of the risk. "What's the program? What's actually happening out there? When they hear about Colonial Pipeline, they want to know, could that happen to us? What are we doing to solve that today? What are our gaps?"

He wanted a way to track the past, present and future maturity of the cybersecurity program.

"The trap I think that some boards can fall into is relying on this annual IT general controls assessment that a lot of people do. And it's more or less like playing Whack-a-Mole with a set of problems and then waiting 12 months to see what the new set of problems are."

The goal was to make it easy for the board to visualise what was being done, the level of maturity across certain domains, and the change over time.

"Being able to visualise that was a big problem."

He also wanted a way of clearly articulating the risk factors. "And that includes the supplier risk because we're all having to move to the cloud and that introduces new sets of supply risk concerns, and SaaS providers."

All of this added up to the need for a streamlined third-party cyber risk process to replace the inefficient manual processes, which were no longer fit for purpose.

The company saw the need to track and visualise the past, current, and future maturity of the programs it was using, and settled on a solution from Avertro CyberHQ.

According to Hedges, "They developed a platform where it was easy to put in the information, and then have a consistent way of presenting information back to a board level."

It also met CPA's need to describe the organisation's maturity against a variety of best practice frameworks. 

"Everyone's got a different flavour. Some use a NIST cybersecurity framework. Some are using ISO 27001, some are using APRA, some are using the Essential Eight from the Australian Government. So being able to pivot across all those things also was quite a useful part of the platform."
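The reporting need Hedges describes (a consistent view of where the program was, where it is now and where it should be, pivoted across whichever framework a given board member thinks in) can be modelled with a small data structure. The following is an added example written for this article, not Avertro's software or CPA's own data: the maturity scores, the targets and the domain-to-framework groupings are all constructed for illustration and are not official control mappings of NIST CSF or the Essential Eight.

```python
"""Board-level cyber maturity roll-up across frameworks (constructed example data)."""
from statistics import mean

# Constructed assessments: maturity per internal domain per quarter on a 0-5 scale.
ASSESSMENTS = {
    "2019-Q4": {"identity": 2, "endpoint": 2, "vendor_risk": 1, "detection": 2, "backup": 3},
    "2020-Q2": {"identity": 3, "endpoint": 2, "vendor_risk": 2, "detection": 3, "backup": 3},
    "2020-Q4": {"identity": 3, "endpoint": 3, "vendor_risk": 3, "detection": 3, "backup": 4},
}

# Target maturity the program is working towards (hypothetical values).
TARGETS = {"identity": 4, "endpoint": 4, "vendor_risk": 3, "detection": 4, "backup": 4}

# Hypothetical grouping of internal domains under the categories of two frameworks.
# Illustrative only; a real program would use the framework's published control mapping.
FRAMEWORK_MAP = {
    "NIST CSF": {
        "Identify": ["vendor_risk"],
        "Protect": ["identity", "endpoint"],
        "Detect": ["detection"],
        "Recover": ["backup"],
    },
    "Essential Eight": {
        "Restrict admin privileges / MFA": ["identity"],
        "Patch / application control": ["endpoint"],
        "Regular backups": ["backup"],
    },
}


def rollup(period, framework):
    """Average domain maturity per framework category for one assessment period."""
    scores = ASSESSMENTS[period]
    return {
        category: round(mean(scores[d] for d in domains), 2)
        for category, domains in FRAMEWORK_MAP[framework].items()
    }


def trend(domain):
    """Maturity of one internal domain across all periods, oldest first."""
    return [ASSESSMENTS[p][domain] for p in sorted(ASSESSMENTS)]


def board_summary(framework):
    """Past / present / future view per category: previous, current, target and gap."""
    periods = sorted(ASSESSMENTS)
    previous = rollup(periods[-2], framework)
    current = rollup(periods[-1], framework)
    summary = {}
    for category, domains in FRAMEWORK_MAP[framework].items():
        target = round(mean(TARGETS[d] for d in domains), 2)
        summary[category] = {
            "previous": previous[category],
            "current": current[category],
            "target": target,
            "gap": round(target - current[category], 2),
        }
    return summary


def gaps_to_raise(framework, threshold=1.0):
    """Categories whose gap to target is at least `threshold`, largest gap first."""
    summary = board_summary(framework)
    flagged = [c for c, v in summary.items() if v["gap"] >= threshold]
    return sorted(flagged, key=lambda c: -summary[c]["gap"])


if __name__ == "__main__":
    for fw in FRAMEWORK_MAP:
        print(f"== {fw} ==")
        for category, row in board_summary(fw).items():
            print(f"{category:35} prev={row['previous']} now={row['current']} "
                  f"target={row['target']} gap={row['gap']}")
        print("raise with board:", gaps_to_raise(fw))
```

The same underlying domain scores feed every framework view, so the board sees one consistent story regardless of which lens it asks for, and the previous/current/target columns replace the annual snapshot with a trend.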

Choosing Avertro also came with its own risk, as the business was still relatively immature at that stage.

“With Avertro being a start-up a couple of years ago, there's the typical learning curve of building the product. So we worked really closely with them from that customer advisory perspective and giving them feedback on the technology,” says Hedges.

“We were quite fortunate that we had regular catch-ups with the development team, and what was proven pretty quickly is they had a very good ability to resolve these issues as we went along.”
