In December 2021, Federal Parliament passed a bill ushering in cybersecurity obligations for “critical infrastructure” organisations, including financial services, health care and higher education organisations. The government has also previously canvassed the idea of mandatory and voluntary governance standards for large companies.
But while cybersecurity obligations are increasing, IT decision makers and risk managers should not fixate completely on cybersecurity standards and compliance, warns Jonathan Ruckert, CEO and founder of Australian digital transformation, cloud migration and cyber security services company NovaWorks.
It is just as important that businesses move cybersecurity out of its “little black box in a dark corner” and deal with it as a business risk, Ruckert says. He explains why in the NovaWorks-sponsored podcast episode we recorded last year, which you can listen to below.
Ruckert has plenty of experience dealing with this issue. NovaWorks specialises in helping heavily regulated organisations including financial services and clinical trial companies and clients in other industries to implement cybersecurity governance.
These businesses and others are increasingly expected to meet cybersecurity standards before they can work with government. “Government organisations even within Australia are now requiring companies to either be ISO 27001 certified or they're wanting companies to proactively have penetration testing reports. They're wanting companies to actually provide their information management security framework. They're wanting them to provide all this information if you want to do business with them,” Ruckert says.
However, he warns against treating cybersecurity as only a box ticking activity. “If you're trying to get compliance with a certain framework, but that means that half your compliance parameters don't actually have anything to do with your business requirements, why are you actually trying to implement that compliance framework?” Ruckert asks.
“For example, if I was to implement application whitelisting, do I whitelist everything? We might be compliant, but are we actually managing that risk appropriately?” he says.
In the last 12 months, Ruckert says he has seen a “big shift” from cybersecurity compliance to risk management. In the podcast episode, he lays out the implications for businesses, their IT partnerships, IT contracts and the way they plan IT projects.
“I don't think it has to be overly difficult if you manage cyber as a business risk,” he comments. “If you have a good governance model you can actually successfully implement a cyber security posture that will enable your business, not actually hinder it.”
Learn more by visiting NovaWorks at www.novaworks.com.au.